There's a bit of comment discussion going on in Metricon Slides, and Viewed as PR about counting vs. selling, in which the major point of agreement seems to be that even at a metrics conference there weren't a lot of metrics presented that were strategic and business-like.
Let's assume for a moment that we have such metrics, and listen to Peter Sandman, whose website motto is Risk = Hazard + Outrage:
Sometimes, of course, senior management is as determined as you are to take safety seriously. And sometimes when it’s not, its reservations are sound: The risk is smaller than you’re claiming, or the evidence is weak, or the precautions are untested or too expensive. But what’s going on when a senior manager nixes your risk reduction recommendation even though you can prove that it’s cost-effective, a good business decision? Assume the boss isn’t too stupid to get it. If the evidence clearly supports the precautions you’re urging, and the boss isn’t dumb, why might the boss nonetheless have trouble assessing the evidence properly?
As a rule, when smart people act stupid, something emotional is usually getting in the way. I use the term “outrage” for the various emotion-laden factors that influence how we see risk. Whether or not a risk is actually dangerous, for example, we are all likely to react strongly if the risk is unfamiliar and unfair, and if the people behind it are untrustworthy and unresponsive. Factors like these, not the technical risk data, pretty much determine our response. Risk perception researchers can list the “outrage factors” that make people get upset about a risk even if it’s not very serious.
— The Boss’s Outrage (Part I): Talking with Top Management about Safety by Peter M. Sandman, The Peter Sandman Risk Communication Web Site, 7 January 2007
He goes on to outline several reasons management might get upset.
guilt/responsibility (hey, it might be management's fault!),
ego/stature ("Let’s face it: Compared to other important management tasks, safety is low-status."),
hostility/contempt (who really cares about the cannon fodder?),
fear/denial (my favorite),
performance anxiety ("If you can think of things I ought to do that I haven’t thought of, then I must not be very good at my job.")
He goes into more detail on these items, and he has a much longer list, as well. Then he recommends some strategies for dealing with safety outrage, including:
Suppose your VP half-thinks safety is beneath her. On the other hand, she realizes that a bad safety record can really hurt the bottom line. She’s ambivalent. So she does what ambivalent people do – she goes to whichever seat on the seesaw you leave vacant. If you tell her that safety needs more of her attention, she’s likely to feel her stature/ego reservations that much more strongly. “I don’t do safety. I’m a VP.” So instead you might want to say something like this: “Look, you’re much too busy for this stuff. I figure the most I deserve is ten minutes of your time to brief you on what I want to do. You’re a VP and safety is not your main thing.” The odds are pretty good that she’ll answer: “I need much more information than that. I want to give much more attention to safety than that.”
So, can you see the average "just want to count" security professional going to a VP with that humble attitude? Or being willing to spend any time on learning such emotional management skills?
And I don't recommend that ISTJs try to become ENFPs. That way lies a manipulative cult, not a healthy company. Rather, this communication problem makes Jack Jones' elaborate risk decision making organizational structure look more attractive. Personally, I find it hard to go for quite that much bureaucracy, yet there probably does need to be a layer or two of bridging personalities between the hardcore introverted thinking counting crew and the extraverted emoting executives.
Still, the counting crew needs to come to realize this communication problem, namely that presenting a hazard without outrage won't convince anybody it's a risk. Or, that abstraction plus emotion is not the same as lying. Then they will have a chance of producing strategic and business-like metrics.
Do please read Peter Sandman: that's well worth everyone's time.
-jsq
Hi John,
Note that Jack's structure, as presented, is designed to be as complex as possible. It is a reductionist approach, a mind-mapping of all elements that should/might be beneficial.
Now 100% of organizations out there are performing all of those functions listed; they just are doing it in a rather ad-hoc method, or the analysis is done by "blink" or "gut".
I, like yourself, read Sandman as soon as Phil posted it to the mailing list (that may make us both geeks, but so be it). Two things come to mind:
1.) Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.
2.) The term "Outrage" suggests that risk cannot or should not be discussed in a rational manner. One thing about FAIR and Jack specifically is the desire to drop a FUD approach. Maybe this reflects an optimist's view of the abilities of data/business owners, but in the long run I think it's more beneficial to our profession than, as you term it, manipulation.
Also, bravo on the application of personality types. This is brilliant, and something maybe we can talk about at more length at some point.
Posted by: Alex | August 14, 2007 at 12:02 PM
John, I think I agree that the Sandman proposals are good to see, but troubling. They hide the underlying problems. Manipulation begets manipulation.
Short of actual psychological counselling (and, Sandman concurs in not recommending we say that to our bosses ;) I've only ever seen one approach to break out of that trap, which is the fifth discipline stuff.
Also, I thought he missed one important reason: if the VP can guess it won't happen on her watch, why should she spend her budget to return investment to her successor?
It's really tough. I wish I'd been at the metrics shindig, tho!
Posted by: Iang | August 14, 2007 at 03:06 PM