Breaking the Rules: Temptation and Risk

Establishing control policies and procedures is critical for a successful IT shop, but as our Datamation columnist points out, that's only the first step.
Posted September 24, 2004
By

George Spafford

George Spafford


(Page 1 of 2)

Wile many businesses and IT enterprises these days are placing increased emphasis on policies and procedures, few are looking at why their policies and procedures are so routinely bypassed.

Certainly, perceptions of practitioners play a large role, but so too does the tone from the top and pressures placed on the organization. If groups fail to understand the pressures that cause people to bypass the rules, then no amount of policies and procedures will make any difference.

Carefully planned and implemented policies and procedures, along with the right people in the right positions, create a control framework that enables an IT organization to meet objectives while managing risks. The goal of the control framework and IT in general must be to assist the organization by adding value, not simply creating policies and procedures.

The All-too-Often Reality

Unfortunately, the intentional bypassing of policies and procedures too often is reinforced from the top. In other words, senior management creates an environment which rewards the violation of controls: "Just get it done." Those four words can do more damage to a control framework than an explosion.

As Dietrich Dorner points out in his excellent book, The Logic of Failure, the bypassing of standard protocols rarely results in an explosion, and bypassing them often has a positive outcome. In other words, it is very easy to skip or change the steps in a process to yield a result that is faster and/or cheaper.

This creates fertile grounds for the mindset that it is acceptable to cut corners, especially when management lauds the results. Regardless of the perceived benefit, the margin of safety was reduced by the action.

Applying this to IT, how often are policies and procedures bypassed to gain an advantage? For example, how often are changes introduced into production by well-meaning people? Odds are that many of those changes go into production just fine. There likely also are many cases, both known and unknown, where changes brought the same systems down or had negative consequences.

In bypassing change management, the seemingly positive incentive is faster deployment to production. The negative is that there are always risks associated with changing the state of anything and sooner or later an applied change will create an undesirable result.


Page 1 of 2

 
1 2
Next Page





0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.