Friday, December 19, 2008

Risk and Policy in the Real World

Chandler Howell describes an interesting example of Risk and Policy in the Real World.

I have an interesting example of Policy actually making things worse for you all today. It’s not horrible, but it illustrates the point and I can talk about it, so I will.

Today someone asked me if I knew that one of the floors of a facility I visit from time to time is a “No Visitors” area. This is due to the fact that the marketing teams have product prototypes as well as all of their collateral and other materials displayed or in-progress on this floor. I had to confess that I did not realize that. Even worse, most of the people who don’t reside in the “No Visitors” zone, as well as some who do, also don’t seem to be aware of that fact.

Enforcement is, as you would imagine, non-existent. That would be rude, after all.

To make matters worse, not only is there no access control (doors or guards), signage or other markings telling people that this floor is off-limits to visitors, but the canteen which is open longer hours than the main cafeteria (for coffee, snacks, etc.) is located on this floor. As a result, there’s a steady stream of people who, even if they are employees, really have no business wandering around this floor doing so at any given time.

So we have a situation where the people who need to display confidential information do so, safe behind the warm fuzzy blanket of their “No Visitors” policy. Everyone else wanders around their area in blissful ignorance that they shouldn’t bring their visitors through there on the way to the canteen.

My reading of this example is that Policy is being used as an ineffective patch for a failure of Architecture. In other words, there is a de facto physical architecture that involves visitors walking through this department, and an unenforced (and possibly unenforceable) policy saying they shouldn't.

If you want to protect the department, you probably need to change the physical architecture. Provide an alternative route to the canteen, and install enough barriers (like sleeping policemen) to discourage people taking short-cuts through the department. Or you move the marketing department to a different floor.

You still have the policy, but now the policy is used as an architectural design constraint rather than expecting the mere existence of a rule to alter people's behaviour.

Alternatively, you try to change the behaviour of the marketing department. After all, there are fewer of them. And they are the ones to whom it matters.