It looked fair enough at first, this otherwise innocuous-seeming comment on a recent post of mine, over on LinkedIn:
Without information management capabilities how does the organization interact within itself and the broader shared-enterprise? For example the interaction between an organization and a regulator is a pure information exchange. The organization gathers the appropriate information that will demonstrate compliance and passes it on to the regulator.
Yet something about it felt… – I dunno, just kinda not-quite right? But I just couldn’t spot quite what it was.
Finally, though, the penny dropped: that comment above is not merely “just kinda not-quite right”, it’s seriously wrong – an absolute howler of a mistake that no-one in business should make. Yet as an error, it’s still scarily common – but we’ll perhaps need to look at it somewhat sidewise to be able to see what it is that’s wrong, and why it’s so wrong.
It’s simplest to ignore the first sentence, “Without information capabilities…” and so on: it has some hidden booby-traps, but we don’t need to go into them here. The crucial error is in the second sentence:
For example the interaction between an organization and a regulator is a pure information exchange.
That looks fair enough, doesn’t it? But it’s actually a subtle yet really clear example of missing the point about values. And it’s the kind of mistake that is all too easy to make if we work in an information-centric world – as too often occurs around IT and the like.
The source of the mistake is failing to understand that information about a thing is not the same as the thing itself. It’s true that in many cases we can get away with that mistake, because the distinction may not matter all that much. But it does matter for this type of context, because it’s ‘the thing itself’ that is the real concern here – the information alone is not enough.
The key here is that what the regulator wants to know, and trust, is whether there has been valid alignment to respective principles and values – security, for example, or financial-probity, or business-ethics. The information is merely a proxy for that value, a suggested set of metrics for this. So in this context, what matters is the value itself – not merely the information about that value.
Hence this type of interaction between organization and regulator is most definitely not “a pure information exchange”: the information is just a sideshow, the anchor for what we really need to know. If we ever get this one wrong, we’re likely to find ourselves in serious trouble – but probably ‘without warning’, and quite possibly without ever understanding why, or what it was that went wrong.
And how we’re likely to get it wrong – on both sides, probably – is nicely described in the third sentence of that comment:
The organization gathers the appropriate information that will demonstrate compliance and passes it on to the regulator.
What matters is not merely ‘compliance’ to a value, but living that value, embedding that value deeply into the organization, as part of its way of life and business.
Security doesn’t happen merely by following predefined processes, but much more by being aware of what security means, in every aspect of real-world practice – and taking action on awareness. Compliance-records are almost useless for that – not least because they focus only on the past, rather than the here-and-now.
Quality isn’t created by a cumbersome, expensive paper-trail – often quite the opposite, in fact, as anyone who’s suffered a botched ISO-9000 ‘quality-system’ implementation would know all too well. Instead, quality is a way of life – more about how and who we are, at work and elsewhere, rather than something that we do.
And information about financials and purported business-ethics may tell a story that’s entirely false or misleading compared to the actual financials or ethics at play – as anyone on the wrong side of Enron’s business-activities would likewise have discovered the hard way…
So no, the interaction between an organization and a regulator is not a pure information exchange. It’s more about trust, commitment, the value itself – all those human elements that don’t easily convert to information alone.
And yes, it may well be that the organization gathers the appropriate information and passes it on to the regulator. But the information itself is not what matters in that interaction – and mere information about purported compliance tells us almost nothing at all.
If we allow ourselves to think that a values-interaction is only about information, or compliance, then everyone in that context is missing the point about values.
And whether as enterprise-architects, executives or whatever, we get that one wrong at our peril. Not A Good Idea…?