These are the three goods of business -- the three and only three reasons for expending money, effort and attention.
To increase revenue, companies either attract new customers or sell
more to the customers it already has. As an alternative, some companies
acquire another company to buy its revenue ... usually for more than
it's worth.
To cut costs, businesses can eliminate "non-value-adding" activities
-- those that have no impact on revenue, cost control, or risk
management. Or (or, better, and) they can become more effective at the
activities they undertake to increase revenue, control costs, and
manage risks.
Regrettably, some still follow in the footsteps of Chainsaw Al
Dunlop, stupidly and blindly cutting costs in ways that create
permanent, and sometimes unrecoverable damage to the business.
That leaves risk. You can reduce the odds (prevent), reduce the damage (mitigate), or shift the costs (insure).
Insurance, though, is expensive ... insurers have to make a profit,
after all ... and since revenue requires risk-taking, companies that
place too much emphasis on prevention and mitigation damage their
ability to attract and retain customers.
When you lock the gates, you keep customers out along with the riff-raff.
Another angle:
Entrepreneurial start-up companies live on risk. Or, looking through
the other end of the telescope, they rely on luck. Why not? In round
numbers 70% fail in the first three years anyway. What's a little more
risk here and there?
The problem, of course, is that luck eventually runs out, so as
start-ups mature they have to start plugging the holes. Too often,
though, as companies grow hole-plugging takes over. "What can go
wrong?" and "How can we prevent it?" replace "How will we benefit?" and
"How can we leverage it?" as the most important questions executives
ask about possible opportunities.
The bigger the company the more this attitude takes over. The
reason: With size, executives gain elevation and distance from the
actual work of the enterprise. They move out of their entrepreneurial
roles of creator and promoter, becoming reviewers and critics instead.
When the questions are what can go wrong and how to prevent it, the answers tend to be controls, controls, and more controls.
Which brings us to the state of the IT industry as of the end of
2009: Too much emphasis on controls; not enough emphasis on
opportunity. That's what passes for "best practice" in IT circles these
days: Lock down the desktop because you don't trust your antimalware
technologies (and certainly not your end-users); insist on hard-dollar,
provable returns on investment for all projects; implement SOA
Governance to regulate the creation of software services.
Some control is, of course, necessary: The more technology you have
in place that the company relies on to keep the joint running, the more
moving parts you have that can jam up or break. To take just one
example: As the number of applications you have in production
increases, and as you integrate them better to facilitate a smooth flow
of work, the more interfaces you'll have to keep track of that can
break if a developer sneezes, let alone installs code that hasn't been
thoroughly regression tested.
The question is how much control is too much control. Just as
requiring overly secure passwords worsens security by ensuring
end-users will write them down in easily-found places (such as Post-Its
stuck to their monitors), so locked-down desktops ensure end-users will
buy iPhones and Droids, melding sensitive corporate data with "there's
an app for that."
(I-told-you-so department: I did a pretty good job of predicting this with "Why PDAs will be huge - sellers, that is" which ran in InfoWorld 12/8/1997.)
Not all that many years ago we didn't have Service Oriented
Architecture. We had "web services." The big philosophical difference
between the two is that web services emphasized entrepreneurship and
innovation, while SOA, which supplanted it, is strongly oriented toward
controls.
The same story applies to The Cloud. Sure there's hype. Sure there
are skeptics. Most of their arguments are about whether it can replace
your existing computing infrastructure. It's the wrong conversation:
Replacing your existing infrastructure means a conversion -- something
companies should not undertake lightly.
What The Cloud provides, for companies with the wit to see it, is
opportunity -- a way to reduce the cost and risk of trying out service
innovations. Focusing on IT's ability to manage it ... to control it
... is a great way to make sure only your competitors take advantage of
what it has to offer.
Controls are about preventing problems. But preventing everything
that might go wrong from going wrong doesn't result in anything going
right.
It results in nothing going anywhere.
