Platt Perspective on Business and Technology

Building a business for resilience 11 – open systems, closed systems and selectively porous ones 3

Posted in strategy and planning by Timothy Platt on April 6, 2016

This is my eleventh installment in a series on building flexibility and resiliency into a business in its routine day-to-day decisions and follow-through, so it can more adaptively anticipate and respond to an ongoing low-level but with time, significant flow of change and its cumulative consequences, that every business faces in its normal course of operation (see Business Strategy and Operations – 3 and its Page 4 continuation, postings 542 and loosely following for Parts 1-10).

To briefly recap the key points of the last several postings in this series and put this continuation to their discussion into context:

• I offered a basic, simple systems model of how a business might be set up and run, with essentially completely open communications within the organization in Part 8. My goal there was to set up a minimal business systems friction baseline, as a point of comparison for discussion to come. (See Open Markets, Captive Markets and the Assumptions of Supply and Demand Dynamics 6 for an orienting discussion of economic and business systems friction.)
• I then began at least briefly exploring a first of three scenarios in which selectively developed and strategically planned out and maintained barriers to completely open information sharing would create overall value for the organization and reduce risk of loss faced. I briefly outlined a particular type of business acquisition in Part 9, where selective, strategically considered ongoing partitioning would make sense and offer such value.
• I turned to the second of those scenarios in Part 10, with a selective discussion of in-house research and development centers as they can be developed and maintained within a business. And I focused there on the negative example of what can happen when what begin as strategically planned, carefully selectively porous barriers to information sharing can become problematical – if these information barriers are not systematically, dynamically managed and kept functionally valuable as business resources.
• I turn here to consider a third such example and one that essentially anyone reading this posting should be at least somewhat familiar with, even if I might couch it in somewhat nonstandard terms:
• The need to wall off the collection and management and use of customer or employee personally identifiable information, to those who would need access to this for legally approved use and away from alternative use.
• And I will also address the issue of confidential and proprietary information that might be obtained from supply chain and other business-to-business collaboration partners, under circumstances where maintaining confidentiality is required.

I begin this with customer and employee personally identifiable information, and with a focus there on information that could be used for perpetrating identity theft as well as for violating personal privacy. I have written about this set of issues and about how businesses can respond to them as a matter of risk management, a number of times now in this blog. And to connect what I will add to this discussion here, with previous postings on it, I begin this posting by summarizing some of the key points already addressed elsewhere, relevant to this topic (couched here in customer information terms where a parallel presentation could readily be offered in terms of employee personal information too):

• A very large percentage of the overall global marketplace resides in countries and in larger regions governed by unifying international accords (e.g. the European Union) that have enacted and that enforce personal privacy protection laws.
• These laws are very complex and far-reaching in impact and they can significantly differ in detail from legal jurisdiction to legal jurisdiction, even as they seek to enforce the same basic protections and with the same overall goals.
• Businesses that seek to do business with customers who reside in, or who even just make purchases through, a legal jurisdiction that has and enforces these laws need to adhere to both the personal privacy protection laws in place where they operate out of, and those where their customers are located too. If, for example, a Canadian citizen in Canada were to make a purchase online through a French-based e-commerce web site to acquire goods sold through that site that would be shipped from an American business, the personal privacy laws in place in Canada, the United States, France as a specific country, and the European Union as a whole, as enforced in the specific court jurisdiction of that union that holds authority over France as a member nation, would all most likely have to be followed. This is because, at least in principle, court challenges could be raised in any of those legal jurisdictions over alleged violations in the collection, storage, management, sharing and/or use of this information.
• These laws are not entirely consistent, even if they do address essentially the same issues with the same overarching goals, and that can significantly complicate compliance. But at least as importantly these laws are subject to change, and both legislatively and through case law decisions.

The laws that I make note of here and their enforcement, and the consequences that businesses face if found to have violated them are significant, and increasingly so as businesses essentially everywhere seek to do business online and with the global marketplace. So these issues are crucial.

I in effect indicated my approach to addressing this complex of issues in this posting in its opening sentences, when I focused on change and resiliency. And to clarify that more general term, change, I am referring here to both:

• The “ongoing low-level but with time, significant flow of change and its cumulative consequences that every business faces in its normal course of operation” of that opening statement, and more gradual evolutionary change, and
• More sudden change, as can arise when a higher level court in effect rewrites a law governing use or sharing of personally identifiable customer information, or employee information through a court ruling.

I am writing here of cost and risk and of value creation and opportunity as well, where information access and control are increasingly coming to significantly shape them. And understanding how information flow and its restrictions are formed and how they change is becoming basic and even fundamental to understanding and working in any real marketplace and for essentially any business – and certainly if it does business online. And I am writing here of issues that very few new business founders even begin to consider, even in passing, as they begin to build their business ventures and their operational systems.

• What is the safest approach to dealing with this complex of issues and challenges? As a baseline extreme, that would in most cases mean:
• Collect as little customer personally identifiable information as possible and still be able to effectively do business,
• Keep that information in only one place, carefully and securely encrypted there,
• Keep it for as brief a period as possible before deleting it, then securely delete it,
• Only use it when and where it is absolutely necessary in fulfilling the specific transactions that call for it and with a minimum number of people in your business participating in carrying through on those transactions,
• And keep all of that in-house.

That is the baseline. And reality intrudes even as I write it out as the above briefly stated set of bullet points. First of all, business continuity means developing and storing and repeatedly using customer information as maintained in complex databases. Businesses need this if they are to effectively create and maintain customer relations and create any real potential for repeat customer business. And they need this information and recurring access to it as follow-through on transactions already entered into where customer support might be called for – including the possibility of dealing with customer dissatisfaction and the undoing of a sales transaction with the return of items sold for a refund. When warranties and guarantees offered are good long-term, relevant customer information has to be maintained and available long-term too.

That means names and addresses and phone numbers and credit card information and a whole range of other personal information gained from and about the individual customers involved as well. And this all has to be done on an ongoing basis, as a systematic, due diligence-considered deviation from the above simple baseline model approach. And it has to be done in the face of change, both in what is required in collecting and managing and accessing this information, and in the determination of precisely what information is legally addressed here as requiring this type of protection. There was, for example, a time when businesses in the United States routinely collected US citizen social security numbers for use as customer identification. But changes in US law have long since made that explicitly illegal, for essentially all commercial enterprises.

And this only addresses the issues of personally identifiable customer information as would arise within a single business. Now let’s add in the complexities of supply chain participation and business-to-business collaborations, where that can mean a lot more than just sharing mailing address information with a shipping service. I will turn to consider that in my next series installment. And in that context I will also, as noted above, address more general issues of confidential and proprietary information that might be obtained from supply chain and other business-to-business collaboration partners, under circumstances where maintaining confidentiality is required. And to reiterate my closing notes for discussion to come, as offered at the end of Part 10 and with further elaboration added:

• After that I will switch my orientation here from a consideration of problems and potential problems, to one of solutions to them. In anticipation of that, I add that this means I will discuss intentionally controlling information access and the overall conversation in a business, and how that has to be seen as a dynamic process, to express this in terms of this posting’s discussion. And I will at least briefly look into information technology options and how they can be used to facilitate all of this. In anticipation of that, I will be discussing rules-based automated access control systems and how they can be developed as artificial intelligence systems.

Meanwhile, you can find this and related postings and series at Business Strategy and Operations – 4, and also at Page 1, Page 2 and Page 3 of that directory.
