Book Review: From Oversight To Overkill

This article from Astral Codex Ten is making the rounds in my Twitter feed. It attributes society's lack of progress to the avoidance of all danger, not just dangerous issues, or the most dangerous issues, but any danger that can possibly be quantified, lest lawyers get involved and sue.

I’ll go a step further. It’s probably not even important when or if lawsuits might happen. Rather, the really important thing to be avoided is the potential loss of face and embarrassment for not covering enough exposed buttocks to prevent it in the first place. More to the point: for not making every liability someone else’s problem.

When I worked in a psych ward, we used to use a short questionnaire to screen for bipolar disorder. I suspected the questionnaire didn’t work, and wanted to record how often the questionnaire’s opinion matched that of expert doctors. This didn’t require doing anything different – it just required keeping records of what we were already doing. “Of people who the questionnaire said had bipolar, 25%/50%/whatever later got full bipolar diagnoses” – that kind of thing. But because we were recording data, it qualified as a study; because it qualified as a study, we needed to go through the IRB. After about fifty hours of training, paperwork, and back and forth arguments – including one where the IRB demanded patients sign consent forms in pen (not pencil) but the psychiatric ward would only allow patients to have pencils (not pens) – what had originally been intended as a quick note-taking exercise had expanded into an additional part-time job for a team of ~4 doctors. We made a tiny bit of progress over a few months before the IRB decided to re-evaluate all projects including ours and told us to change twenty-seven things, including re-litigating the pen vs. pencil issue (they also told us that our project was unusually good; most got >27 demands). Our team of four doctors considered the hundreds of hours it would take to document compliance and agreed to give up. As far as I know that hospital is still using the same bipolar questionnaire. They still don’t know if it works.

Source: Book Review: From Oversight To Overkill

What I see here applies to IT departments in bluechip Fortune 250s as well, and it makes working within them glacial. A half dozen different departments have to weigh in on every single project, no matter how large or small, and give their blessing on each aspect of the infrastructure. Every one of them has the institutional power to say, “Stop. We need to add X, Y, and Z to your project for ‘safety,’” and no one can say, “No, this is an acceptable risk for the data involved, the architecture of the solution, and the benefit we can get from implementing it.”

I’ve watched this CYA-above-all-else attitude grow in society over the course of my career. All the way back in the early 90s, even before Outlook, Microsoft implemented workflows in their email client. Someone at my company set up an automation to get capex proposals approved. There was a long-standing paper process that determined “how high” up the “food chain” a request had to go based on the value of the proposal. With the new system, you would write an email, select your department, give it the value of the proposal, and this automation would route it through the right chain of people for you. You could just sit back and wait for the green light to write the purchase order. Great, right?

Wrong.

Nothing moved through the system. Turns out, managers wouldn’t read the email. Clicking that approve button meant a hard-and-fast commitment to put their name on something, and they all needed at least to have a conversation they could later say they misunderstood or were lied to about, so the email would just sit. You’d have to go hunt them down, have that conversation, and then they’d hit the “approve” button in the email, and it would move to the next person in the chain. And then you’d have to go hunt that person down, and repeat the process.

I asked a wise friend why this didn’t work as planned, and he pointed out that it took getting through a dozen people who could say “no,” when none of them could say “yes” and just be done with it. It was a light-bulb moment that has stuck with me ever since. It was the first time I saw an information system not merely support but actually codify risk aversion in a company, and it surely wasn’t the last. Now the process of identifying risk and implementing a bunch of needless overhead to avoid it has become institutionalized, especially in IT.

Entire departments are separated by job function in a useless nod to the idea of “separation of duties,” which external consultants tell upper management is required in IT departments. The problem is that none of these departments ever has enough operating knowledge about the work they’re doing on behalf of other people, so they just do what’s been requested. There’s no actual responsibility behind that separation of duties; no understanding of what’s being asked in context. So no malfeasance would be prevented by it, making the whole thing a dog-and-pony show and a waste of time that slows down every single project in the company. No matter how small or focused a project might be, everyone in the organization has to get involved as if any problem or weakness in the effort would literally destroy the company. The bottom line is that the process offers no improvement in delivered projects, but it makes them take at least an order of magnitude longer than they need to.