Wednesday, December 30, 2009

How Risk Management Sucked the Joy Out of IT

It was 1986, and I was a young programmer at a little company nobody would ever hear of, writing firmware for an automated employee time clock system. Among other things, I was responsible for the code that rolled over the date at midnight:  so the 31st became the 1st, December became January, and eventually, in a single instruction that would only ever be executed once, 1999 became 2000.

As I wrote that bit of code, I realized its significance:  as I recall, I tagged that line with the comment: "Holy crap, I'm 37!"  I was young, and 37 seemed a long way off.  And now?  Well, a child born the day I typed that comment would be about as old today as I was then.

Plenty has changed in all those years.  For IT, the biggest change has been the rapidly growing emphasis on risk management, to the point that today it is indisputably the top priority for IT organizations.

From the earliest days of data processing, through the 80s, the key role of the IT leader was automation.  Primarily, our job was to take existing processes and computerize them, thereby enabling greater volumes and lower error rates. In the 90s, thanks to the Internet and the dot-com boom spawned by its emergence, the focus began to shift at last to the creation of new business models enabled by technology and the Web.  If I had my way, that's where things would have remained.

But, as the new century approached, a threat emerged: Y2K. The arguments continue as to whether or not the billions of dollars and hundreds of thousands of man-hours spent on remediating that problem were actually necessary;  I tend to think they were.  But there's no question that Y2K introduced risk management as a key function of corporate IT organizations.

After the Y2K scare passed, it's conceivable that IT organizations could have returned to the business of automating processes and creating new business models.  Sadly, though, that was not to be.  Before we even had time to utter a short prayer of thanks that nuclear power plants, hospital life-support systems, and cable TV had survived the four-digit date change,  the tech bubble collapsed, the September 11th attacks took place, and, perhaps most impactful in terms of corporate IT, Enron collapsed.

Each of these circumstances had a distinct impact on IT, and each contributed to the ultimate takeover of that area by risk-averse, bean-counting, wannabe lawyer control freaks... er, I mean, "risk management professionals".

  1. Tech Bubble Collapse.

    The failure in early 2000 of the dot-com world seemed to have a simple moral: don't believe the hype. The IT-enabled "new business models" were speculative nonsense that couldn't stand up to scrutiny. The smart money was now on brick and mortar, and as for the web, well, it was going to be overrun by spam.

    Never mind that, in the long run, technology-enabled business models would prove their worth. At the close of 2009, is worth nearly eight times what it was at the end of 2000. And it is the rare brick-and-mortar business indeed that does not have a significant e-commerce or other web-enabled revenue source today. Still, the turn-of-the-century meltdown of the NASDAQ and the exposure of so many web-based businesses as little more than dreams left a lasting impression on American corporate leadership.

  2. September 11th.

    We'd had tornadoes in the Midwest, hurricanes in the South, and even the occasional earthquake in Silicon Valley. But nothing illustrated the fragility of our infrastructure like the terrorist attacks of September 11, 2001.

    As the towers collapsed, the retaining wall holding back the waters of the Hudson River was breached.  As a result, the basement of the AT&T building across Vesey Street from the towers began to flood; by evening, there was no phone service in lower Manhattan.  Worse, data services were also impacted, including those relied upon by the great trading houses of Wall Street. Markets, which had closed early on September 11th, were in danger of not reopening for a long time.

    Through a herculean effort, which included running data and power cables along surface street gutters and sidewalks, markets did reopen the following Monday. American business had learned in the hardest possible way about the value of disaster recovery planning, alternate sites, and backups.

  3. Enron and the Creation of the Regulatory State.

    In America, whenever a bunch of crooks (or a single, really big crook) makes off with people's money, the call goes forth from Washington: more regulation! Never mind that existing regulations, if enforced properly, would have prevented the crime in the first place.

    And so it was with Enron, upon whose collapse was built perhaps the most burdensome regulatory framework since the Great Depression, the Sarbanes–Oxley Act, affectionately known as SOX. SOX changed everything, by making corporate executives personally liable for financial and other material statements made by the company. It didn't take long for CEOs to recognize that the greatest threats to the accuracy of their statements (and therefore to their own freedom and fortune) lie within the systems maintained by IT; thus, in short order, it became the primary job of the IT organization to keep the CEO out of jail.

Don't get me wrong: risk management is vital, as these examples all illustrate.  What's more, it's got to be a part of every segment of the business: finance, operations, sales, and yes, IT.  But when I look back, it seems to me that in the time that has passed since I wrote that single instruction, to the moment at which it was executed, along through another decade to today,  much of the fun has gone out of the IT role in large companies. And why?  Because that position no longer demands an emphasis on innovative and clever technical solutions building competitive advantage, but focuses instead on controls, audits, and reviews meant to ensure that the company's behind -- and that of its CEO -- remain safely covered at all times.

And so, I have moved on from big corporate IT to work with small companies.  In these ventures, technology is still all about competitive advantage and user experience.  It's about wowing customers and creating an "Aha!" moment for stakeholders.  It's about building teams and building value.  And it's about the best place I can think of to be if you are animated more by leadership, technology, and innovation than regulation, compliance, and audit.


Jim Hart - mavSolve inc. said...

Excellent perspective, Scott!

Perhaps, adding another word to the mantra would help. Maybe the new practice, going forward, should be risk/REWARD management. In other words, rather than merely managing risk, perhaps we should consider the reward for taking the risk as well.

In almost every life-situation, those who can will, and those who can't (or won't) will figure a way to regulate those who can in order to survive. These relationships are not symbiotic, but parasitic. If the current state continues, it won't be long before all the "cans" will stop doing, or die. Where will that leave the risk management professionals?

Happy new year.

E. Scott Menter said...

Good point.

The problem seems to be that, given a limited budget for technology, corporations have opted, not without reason, to focus on risk management. That leaves no room for real innovation, for which, as it turns out, companies have little appetite anyway, for the reasons I listed.

So, you're right. If companies can refocus on the reward side of the equation, then the risk side, while given its due, will not control the budget. One can only hope.

In the meantime, I'm happy to be working with entrepreneurs like yourself who understand the upside potential of technology and pursue it eagerly.