Platt Perspective on Business and Technology

Building a business for resilience 18 – open systems, closed systems and selectively porous ones 10

Posted in strategy and planning by Timothy Platt on December 19, 2016

This is my 18th installment in a series on building flexibility and resiliency into a business in its routine day-to-day decisions and follow-through, so it can more adaptively anticipate and respond to an ongoing low-level but, with time, significant flow of change and its cumulative consequences, that every business faces in its normal course of operation (see Business Strategy and Operations – 3 and its Page 4 continuation, postings 542 and loosely following for Parts 1-17.)

I focused in Part 17 of this series on automated and artificial intelligence based information access gatekeeper systems, and on the need at least as of this writing for ongoing human monitoring and supervisory control over these systems. And towards the end of that posting, I stated that I would focus here on:

• Human behavior and the development and enforcement of best business practices,
• And employee and management behavior that would support whatever type of information access system is in place, whether automated in some manner or strictly maintained in human hands.

I began addressing this area of discussion in Part 15 of this series, as noted in Part 17, but return to it again here, and for a simple reason:

• It does not matter what type of access management system is in place, how it is set up and run, or what rules of access it offers, if it is not followed, and consistently.

What is the answer to that challenge? Any detailed answer to that question is going to have to be customized to meet the needs of the specific business, and with a precise implementation decided upon that is designed to meet the specific balance of outside regulatory and related requirements, and internal and supply chain-based operational and business process requirements that that business faces.

• And as both of these arenas of influence: outside regulatory and business-based factors change and evolve,
• And as the precise balance of personnel that is in place is adjusted to meet the evolving challenges and opportunities that this drives,
• This whole complex of issues and decisions will have to be reviewed and updated and on an ongoing basis.

But I offer here as a general, generic rule, a briefly noted detail that any effective information access and control system has to adhere to, and through any change and evolution faced:

• Effective information management systems are rules based, and their system of rules has to include systems for permitting exceptions, managing them and reviewing the consequences of their being resorted to. This is definitely an area of activity where ad hoc can only be expected to lead to disasters, and certainly if that approach is attempted long-term.
• And effective processes for accessing, using, storing and deleting sensitive and confidential information should be designed and implemented in ways that are effectively self-reinforcing for information access control. This means they should be easy to follow and nonintrusive so people do not cut corners in what they do that would create loss-of-control vulnerabilities.

I recently cited and briefly discussed a case in point example of how failures in the second of those two bullet points can play out and even when every reasonable attempt is being made to follow the first of them and to the letter. See When Expertise Becomes an Enemy of Quality Service 15, where I briefly outlined and discussed an approach for providing hard copy printing and copying resources to employees and managers in a business, in as cost-effective a manner as possible – with hardware distributed throughout the overall office space of the business (in their large home office) arrayed in accordance with actual observed levels of need. The idea there was that these resource islands be readily available while limiting both the costs of maintaining excess equipment and the costs of wasting available work space – where that was at a premium there too.

This system was set up and implemented, and its performance was monitored from a facility resource perspective – but, as it turned out, without consideration of information access issues – including how its actual use might create vulnerabilities for loss of access control over information that this business might see as tremendously sensitive, and vital for it to effectively access-control.

In that particular example, this would not necessarily open up the business to explicit access control failures when usage demands on these facilities were low and when anyone making use of one of these shared printers was able to walk over to collect their printed hard copies as soon as they sent their files to the printer queue for printing. But in the real world, and certainly for this business, these resources faced peak demand periods where anything sent to their printer queues might stay there for a lengthy period while large print jobs ahead of them were being processed – and with the people clicking to print, busy on a number of other tasks at the same time so they would be delayed in collecting their printer output.

• Effective rules based systems for information access control need to be matched by equally effective operational implementations – including the incorporation of more localized “underutilized” printers and copiers for exclusive use of specific teams that handle information that should not go through a more openly public facility.
• And this, coordinately, means thinking through exceptions possibilities such as peak usage times of the type noted in this example, so awareness of them can be built into those information access rules.

I have been discussing a complex set of issues in this posting, in very general terms – even if by way of a specific (non)working but nevertheless very real example. I am going to continue this discussion in a next series installment where I will delve into at least some of the particulars of this as they commonly, recurringly arise. And that will mean examining the following set of to-address points, from the perspective of my discussion up to here:

• Thinking through a business’ own proprietary information and all else that it holds and has to keep secure.
• And reducing avoidable friction where there are apparent trade-offs between work performance efficiency, and due diligence and risk remediation requirements. This, in anticipation of discussion to come, means consideration of both short-term and long-term value created and received.
• And this means thinking through the issues of who gathers and organizes what of this information flow, who accesses it and who uses it – and in ways that explicitly go beyond their specific work tasks at hand.
• What processes is this information legitimately used in, and who does that work? With the immediately preceding point in mind, what other, larger picture considerations have to be taken into account here too?
• And who legitimately sees and uses the results of this information as it is processed and used and with what safeguards for the sensitive raw data and the sensitive processed knowledge that are involved, where different groups of people might have legitimate need to see different sets of this overall information pool?
• Think in terms of business process cycles here, and of who does and does not enter into them.

I will at least begin addressing all of this in my next series installment. Meanwhile, you can find this and related postings and series at Business Strategy and Operations – 4, and also at Page 1, Page 2 and Page 3 of that directory.
