ARM 6 – Governance

The Anti-fragile Risk Management (ARM) Model has seven components; the sixth is Governance.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Governance may be thought of as the first step in a process.  However, for Risk Management, it has the least immediate impact.  Nevertheless, Governance is a bridge between Long Term ARM Components and the Enduring Components such as Purpose.

Anti-Fragile Risk Management

Governance: Strategic and leadership capacity to Change the Above?

Governance has a wee bit of the People component because it includes leadership capacity.  Leadership is typically thought of as the C-Suite, the board or some other clutch of silver-back leaders.  Certainly these organizational elements are part of this ARM component but personal leadership, group self-direction, and good command and control elements are just as important.

ARM’s Length Definition

Does the organization have Governance and Leadership Capacity so as to develop, implement, monitor and validate initiatives which are in support of the over-arching organizational objectives?

Why Does this Matter

ARM stands for ‘Anti-fragile Risk Management’.  Anti-fragile was coined by Nicholas Taleb and if you have read any of his books you know that he takes a dim view of things like governance or strategy (for more on this see my 2016 article, Anti-fragile Strategic Planning).

Notwithstanding Taleb’s distaste and bias against suits, MBAs and strategy – these are the reality of any organization and Governance and Strategy will influence organizational risk and its mitigation.

Not-for-profit and government organizations share this risk and likely more so.  History is replete with examples of unsavory characters getting themselves elected (or grabbing power) and causing havoc for an organization or country.  At the same time, a good board and a good government can greatly reduce risks and capitalize on opportunities.

Returning to Taleb for one last time, in his first book ‘Fooled by Randomness’ he discusses the role that chance (luck, probability) plays in our lives.  One of the reasons he has such a dim perspective of suits, MBAs, etc. is because it is easy to take credit for luck.  While this is true, his book also discusses the importance of ‘making your own luck’ (what I call Managed Serendipity) by establishing circumstances that are less prone to chance (the basic premise of Anti-fragile).  Having strong and capable leadership is one such element.

ISO 31000 Context

ISO 31000:2009 has a strategic focus and the importance of Governance is front and center throughout the standard.  The following are a few references:

  • ‘2.11 internal context’: internal environment in which the organization seeks to achieve its objectives.  NOTE Internal context can include:
    • governance, organizational structure, roles and accountabilities;
    • policies, objectives, and the strategies that are in place to achieve them.
  • ‘3 Principles’: a) Risk management creates and protects value.
    • Risk management contributes to the demonstrable achievement of … governance and reputation.
  • ‘4.3.1 Understanding of the organization and its context’: Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand … the organization:
    • governance, organizational structure, roles and accountabilities;
    • capabilities, understood in terms of resources and knowledge.

ISO 31000 Risk Assessment Technique

Measuring the leadership capabilities of your organization can be a delicate matter. What happens if the CEO is a SOB, the CFO a crook or the Deputy Minister a political hack?  Documenting such limitations would be a career-limiting move. Assessment techniques could include the following to provide some objective measurements:

  • Anonymous staff surveys.
  • 360 surveys of key leaders.
  • Decision cycle time.
  • Competency assessments for positions relative to the skills of the individuals in the role.

Examples of Risks

Risk Identification: The organization lacks the senior leadership capacity to operate and provide long-term direction for the organization.

Risk Identification: Turnover in the board has reduced capacity to establish organizational direction and planning.

ARM 5 – Planning

The Anti-fragile Risk Management (ARM) Model has seven components; the fifth is Planning.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Planning may be a bit misplaced in the following diagram.  Certainly operational planning has an immediate (short-term) impact on risk.  Tactical planning has a longer time horizon.  Irrespective, good planning takes time to ramp up and then implement the results.

Anti-Fragile Risk Management

Planning: Cliches, Babies and Bath Water

There are numerous maxims and clichés when it comes to planning:

  • Fail to plan, plan to fail.
  • An idea without a plan is a wish, a plan without execution is a good intention, a plan undebriefed is a future lesson to be re-learned.
  • Always plan ahead. It wasn’t raining when Noah built the ark.

Like any cliché, they all have an origin of truth behind them.  Planning is central to risk mitigation; after all someone has to implement changes to mitigate risks.

This ARM Component asks the question, is the organization any good at planning and is it getting better or worse?  The time horizon is purposely non-strategic meaning that the overall objectives or purpose of the organization are assumed to be relatively constant.  Wholesale baby and bath water planning is the next blog on Governance.

Planning to Define Planning Definitions

Sometimes people get in a bit of a muddle when it comes to terms like operations, tactical or strategic.  As a result I am using these definitions (adapted from ITIL) to define these terms (as well as providing a multi-colour visual aid!).

  • Task: takes less than a day or perhaps a few days to complete.
  • Operations: live, ongoing or extending into about a month’s time horizon.
  • Tactical: Medium term plans required to achieve specific objectives, typically over a period of weeks to months but generally a year or less.
  • Strategic: Strategic Activities include Objective setting and long-term Planning to achieve the overall Vision.  At least a year in length and longer.
  • Vision/Purpose: A description of what the Organisation intends to become in the future.

ITIL Based Planning Time Horizons

ARM’s Length Definition

After that little definition interlude – back to the main definition for this ARM component: What is the organization’s ability to identify, prioritize, initiate, monitor, close and learn from its planning activities through the operational and tactical time frames?

Why Does this Matter

The whole point of a risk management process is to ultimately mitigate risks to an organization.  Invariably the organization will need to make at least minor adjustments to its operations, implement new processes to sustain its products or react to an external event (e.g. change in legislation, market turmoil, social disorder, etc.).  The better, faster and more efficiently it can carry out these changes – and learn from its mistakes in the process – the sooner it can get back to normal (errr, assuming such a state exists).

ISO 31000 Context

ISO 31000:2009 Principles and Guidelines contains numerous references and entreaties to the organization not to separate the risk management and organizational planning functions.  The following is one example:

  • 3 Principles
    • b) Risk management is an integral part of all organizational processes.
      Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
    • c) Risk management is part of decision making.
      Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

ISO 31000 Risk Assessment Technique

Assessing an organization’s planning capacity is difficult but it can be measured indirectly.  Unfortunately the methods discussed in ISO 31010 Risk Assessment Techniques are of limited use (although they augment the analysis from the methods discussed below).  As a result, methods to measure planning capacity could include:

  • Budget cycle: how long does it take for the annual budget process, bonus points for continuous budgeting.
  • Capital planning cycle: ditto to budget.
  • New Market Uptake: how quickly has your organization been able to extend, re-position or create a whole new market for its products?
  • Response to the last emergency: how well did the organization respond to the last unplanned thing (outage, break in, flood, fire, hack, etc.)?  How much faster could the response have been?
  • Disaster Planning: ditto to the above but under a controlled scenario.
  • Initiative List: Does an organization know what is in the hopper for its operational and tactical activities, can it effectively prioritize them without forcing its people to engage in Guerrilla Management?
  • Approval Cycle Time: If the organization does have a list of initiatives, how long is the cycle time to approve the activities?

Examples of Risk Tests and Mitigation

Risk Identification: A request for a sudden and one time increase in a product to meet the unexpected demand of a customer.

  • Evaluation/Analysis: W.E. Coyote Corp has requested a large order of widgets to meet an unexpected demand.  Can ACME corporation ramp up production to meet this one-time need for widgets?
  • Stakeholders: ACME Corporation, W.E. Coyote, current customers, staff.
  • Measure: The ability to meet unexpected sales or alternatively lost sales due to lack of operational and planning capacity.

Risk Identification: A northern city in Widget-land is threatened by Wildfires.

  • Evaluation/Analysis: How quickly can the Government of Widget-land mount a response to a rapidly changing wildfire scenario (or other disaster) that threatens a large population?
  • Stakeholders: Government of Widget-land, affected residents, citizens.
  • Measure/Example: Time to respond, scope of the response, comparison of times and effort.

ARM 4 – Product

The Anti-fragile Risk Management (ARM) Model has seven components; the fourth is Product.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Bringing a product or service to market can take seconds (if you are Amazon.com) to decades (if you are a drug company).

Anti-Fragile Risk Management Component Product impacts risks/opportunity in a medium term time frame.

Product: A product or service that the market/society wants?

On the one hand it may seem that this component is covered in prior ARM considerations such as Purpose, People or Process & Plant.  However, despite a good organization vision, fantastic staff and excellent processes – an organization’s product may still not sell.

The profit motive focuses the mind on which widget to sell or whether or not to exit a dying industry in a timely manner (with notable exceptions such as Kodak).  Unfortunately for the volunteer and government sectors such signals may be less clear and as a result a decision to abandon a service, program or cause may be more difficult to make with vocal consumers of the service demanding its continuation at any price.  Governments in particular are at risk and may trudge on providing services rather than upset a small but vocal minority.

ARM’s Length Definition

The ARM definition is simple to state but may be extremely complex and fickle to measure or plan for (ask your nearest Marketing professional how well they sleep the night before their next product launch): Does the organization have a product or service that the market/society wants and is this product the best way for the organization to use its resources to achieve its objectives?

Why Does this Matter

In a word, ‘cash-flow’.  Okay that is two words but it still is the biggest risk criteria.  If no one is buying your products – that risk trumps all.  If taxpayers are revolting because they do not see the value in the services being provided – that risk could be a change of government.  If donors have left in droves because you no longer speak to their social conscience – you got a big problem.

ISO 31000 Context

ISO 31000:2009 Principles and Guidelines references an organization’s products or services as part of its overall risk management consideration.  In section ‘3 Principles’, the principle that risk management exists to create and protect value is highlighted including contributing to organizational performance and product quality.  Section ‘2.10, external context’ alludes to but does not overtly discuss the role of having viable products and services.

ISO 31000 Risk Assessment Technique

The methods discussed in ISO 31010 Risk Assessment Techniques can be used indirectly to estimate the viability of a product or service.  For the for-profit sector a good cost accounting system and an understanding of organizational brand or inter-relationship of one’s products in the market place is important.  For the volunteer or government sectors, detailed statistical analysis may give the reality or at least the illusion of evidence based decision making.  Ultimately, the final decision to provide, rescind or change a product is often political or socially driven – and thus the profound risk to these organizations.

Examples of Risk Tests and Mitigation

Risk Identification: The market for and profitability of widgets, ACME Corp’s primary product, is shrinking over the next five years.

  • Evaluation/Analysis: Relative unit profitability for each widget is declining and will continue to do so with foreign competitors entering the market and the ability to download widgets for free.
  • Stakeholders: Shareholders, ACME Corporation, current customers.
  • Measure: Direct and indirect unit cost as compared to price of the widgets, recent and anticipated sales volumes.
  • Example: A Delphi review was done in which future demand for widgets was estimated by leading industry experts.  This survey estimated a 50% decline in widget consumption over the next 5 years.

Risk Identification: The Widget subsidy program is now consuming 25% of all government revenues and is expected to climb to 300% in ten years.

  • Evaluation/Analysis: Due to an aging widget consuming population and generous allowance to purchase widgets, the Widget Subsidy Program is consuming an inordinate amount of current government revenues.  As the population ages, this proportion is expected to double each year over the next ten years.  Riots have already occurred in some cities of Widget-land in response to rumors of a reduction in Widget subsidies.
  • Stakeholders: Government of Widget-land, taxpayers, widget consuming seniors.
  • Measure/Example: Number of widgets consumed per capita, the widget subsidy as a proportion of all tax revenue.

ARM 3 – Process and Plant

The Anti-fragile Risk Management (ARM) Model has seven components; the third is Process & Plant.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Changing process, buying machinery, installing software – these all take time which is why the ARM Component Process & Plant has a medium term impact.  While your staff may be constantly on the lookout for risk/opportunity it takes longer to give them systems, procedures or policies when things change.  This is demonstrated in the following diagram.

Changes to Process & Plant take a little longer to take effect and support Anti-Fragile Risk Management.

Process: Knowledge to operate the systems?

The story so far is that an organization has discovered its Purpose, hired the right People and now needs to know what the heck these people are doing and are they doing it right!  The following are all examples of organizational plant and equipment. Each one requires knowledge of how to operate it through procedures, policy and of course organizational adeptness:

  • Machinery, buildings and land.
  • Computers, firewalls, networks.
  • Patents, rights, licenses and royalty agreements.

There are LOTS of books on not only risk relative to process but also on how to manage process.  Certainly one of the grand-daddies is the now classic ‘Balanced Scorecard’ by Kaplan and Nolan.  It introduces the concept of segregating (and measuring through key metrics) the business into four areas: finance, internal business, learning & growth and the customer.

No matter how you slice and dice your processes, this deductive process is the core of traditional risk management.  For Risk X, what process Y or asset Z is going to protect or mitigate the risk?

This ARM is Brought To You by Organizational Biology

Process & plant are all things you can drop on your foot or print off and drop on your foot.  Collectively all this foot dropping is called ‘Mass’ which brings us to our sponsor… ‘Organizational Biology‘ which describes how organizations work.  In a nutshell, organizations are composed of two parts, Mass and Adeptness:

Mass are the physical elements of an organization such as machinery, land, as well as intangibles such as patents and policies and procedures.  Adeptness is an ephemeral quality by which humans apply mass toward an organizational objective. For example, it can be the culture or gestalt that makes an organization attractive (or not) to work for and be associated with.

ARM’s Length Definition and Why Does this Matter?

The ARM definition for Process-Plant Component is: does the organization have the tools to complete its objectives and do the people know how to properly use the tools?

This component strives to understand ‘How and What‘ processes an organization is engaged in and ‘Where‘ are the integration points between these processes.  A good first start is a listing of business functions that support an organization’s products and services (more on this in the next blog).  Quality processes will further define and articulate the business processes down to the point in which your staff are heartily sick and tired of being ISO-9001-compliant.

In other words, by spending time and effort on this ARM component, process and plant, the organization can better understand how its people are achieving the organizational purpose to deliver products and services.

ISO 31000 Context and Its Risk Assessment Techniques

ISO 31000:2009 Principles and Guidelines is full of managing process and plant including the following:

  • Section ‘2.11, internal context‘:
    • Policies, objectives, and the strategies that are in place to achieve them;
    • Information systems, information flows and decision-making processes (both formal and informal);
    • Standards, guidelines and models adopted by the organization; and
    • Form and extent of contractual relationships.
  • Section ‘3 Principles‘:
    • b) Risk management is an integral part of all organizational processes.
    • Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization.
    • Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
  • Section ‘4 Framework – 4.3.4 Integration into organizational processes’:
    • Risk management should be embedded in all the organization’s practices and processes in a way that it is relevant, effective and efficient.
    • The risk management process should become part of, and not separate from, those organizational processes.

Most of the ISO 31010 Risk Assessment Techniques can be used to estimate the impact of process and plant on risk.

Examples of Risk Tests and Mitigation

Risk Identification: Does the organization understand its internal business processes?

  • Evaluation/Analysis: It is not clear what functions staff are doing and how they contribute to the final product.  Staff claim to be very busy but the exact work tasks, the relative importance to organization objectives and authorization to complete them is unclear.
  • Stakeholders: Staff, contractors, management, the board.
  • Measure: Identify high level business functions, staff time reporting, production cycle time.
  • Example: Within the Ministry of Widgets, there is a constant request for more staff and contractors.  However the Deputy Minister is not quite sure what all his staff ‘do’.  Key services are identified and business functions are mapped to these services to determine which activities are of highest priority and which can be stopped, scaled back, outsourced or deferred.

Guns, Telephone Books and Risk?

At work I have been given the task of implementing a risk management strategy for an IT department.  The problem is that I am not convinced that Risk Management adds much value to organizations.  To be clear, I am all for pondering and evaluating risks when making decisions.  After all, if you are currently an adult, you are likely an expert on Risk Management having survived your childhood or possibly that first year of college (just saying).

Gun Shy of Risk Management

My point is that I am not a huge fan of the Risk Management process.  I have worked for a few organizations in which Risk Management became a bit of a fad and organizational resources were poured into a very comprehensive list of risks.  The list was a fascinating read and many could have been the basis for either a cheap thriller or space-cowboy science fiction book.  Generally though, these lists were a compendium of obvious things covered by a few good operational plans or a comprehensive list of things that in all likelihood would never come to pass.

Once these telephone book’esque lists of risks were compiled, they were dumped on some poor unsuspecting line manager.  Called the risk owner, this poor sod now had to develop a treatise on how he or she would react to a cornucopia of risks.   The smart manager would generally set the telephone-book of risks to one side and get on with their day job… hoping the Risk Management fad had passed before they were asked for their response.

Audit Fodder

Of course auditors love risk management.  If auditors can’t find something juicy in the operations of an organization they know they can always get an observation or recommendation from criticizing the risk management process.  This is because no list of risks is ever complete; there can always be one more entry added.  The auditor can also examine the events affecting an organization over the past year.  In all likelihood an untoward event that occurred was not precisely described in the telephone book.  At this point the auditor shouts with glee: ‘AH-HA, your risk management process is flawed, pour more resources into it so I can make more observations next year! BRUHAHAH.. Cough, sputter…’

Why is Risk Management so Hard?

Okay, I am being a bit harsh on auditors (some of my best friends are recovering auditors). So why is risk management so hard and why does it add so little value?  I have a few thoughts on why Risk Lists are an enumeration of things that will never occur:

  • Identification is Mitigation:
    • Simply identifying a risk can help to mitigate the risk.
    • In economics this is known as the efficient information model meaning the organization has internalized and corrected for the risk – good Risk Management in action!
    • Example: cash controls are deemed a risk and internal controls are beefed up such that theft or fraud are no longer likely risks.
  • Easter Egg Effect
    • This effect states that if you tell a person that there are ‘X’ number of things, they will stop looking once they find that number.
    • In the same way, an organization may look at an ever growing list of risks and at some point say ‘that is good enough’.
    • As a result, an organization may have a beefy telephone book of lists which have low likelihood of occurrence or are of poor predictive power.
  • Post-Diction Focus:
    • Nicholas Taleb [see further reading section below] introduced the concept of ‘post-diction’ which is a play on the concept of prediction.
    • The ability to predict the occurrence of a past event improves after the event has occurred.  Post-diction is the certainty an individual or organization did in fact PREDICT something in retrospect.
    • This gives the organization an impression that it has better predictive powers than it really does have.
  • The Past as a Guide to the Future:
    • While one does not want to be doomed to repeat past mistakes by not reading history, the reality is that the past has only limited predictive power.
    • Certainly there are themes from the past that are enduring and can be used in the future.
    • Examples:
      • Given opportunity, even the most honest person may be tempted to steal if they believe the chances of being caught are nominal.
      • Eventually your organization will be hacked, cyber-ransomed or be a victim of a denial of service act if you have an online presence.
  • Social Blindness:
    • Risk identification can be politically or socially driven/influenced.
    • Thus a risk may be ignored because of organizational desire to align with social norms.
    • In early September 2001, an organization renting real estate in the New York Trade Center would be disinclined to consider listing a catastrophic attack by Islamic extremists as a potential risk so as to not be accused of being Islamophobes.
  • Black Swan Events
    • Returning to Taleb, the risks that will have the greatest impact on your organization are by definition unpredictable.
    • Called Black Swans, they are a positive or negative significant event that creates enormous upheaval in an eco-system.  Think of a comet striking the earth or the 2008 financial meltdown.
      • “Events that are extreme, unknown and very improbable (according to our current knowledge)”; adapted from p.xxvii, The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb, 2007.

Can Risk Management Be Value Added?

In general, can Risk Management add value?  Absolutely, evaluating risk is an inherent human trait; we are constantly calculating and estimating risk to our advantage. The fact that we are here shows its evolutionary success.

However, for organizations, I am proposing a strategy called ‘Anti-Fragile Risk Management‘ or ARM.  This concept builds on the ideas in my 2016 article, Anti-fragile Strategic Planning and builds on ISO 31000 – Risk Management.

Further Reading:

  1. Anti-fragile Strategic Planning, FMI Journal January 2016; Frank Potter.
  2. Managing Risks: A New Framework, HBR June 2012; Robert S. Kaplan, Anette Mikes.

 

Beyond the Big Honkin’ Binder

Have you ever had the unenviable task of creating a procedure for something?  Maybe a high level set of policies or a hands on ‘How-To’ guide.  Great – now picture the end result in your mind.  Got it pictured?  Okay, where is it now?

Documentation is a Waste of Time

I am willing to bet your picture is of dozens or hundreds of hours work which ended up in  a dusty binder.  The binder was already obsolete when produced, dangerously wrong in a few places and generally ignored.

There are a number of reasons for documentation to be a waste of time (see below for a blog which discusses this).  One of the reasons can be the medium; how information is used, stored and communicated to the end user.  Wood fiber (aka paper) and binders have certain merits and wikis have others.

Read on for the Non-Big Honkin’ Binder Solution

Wikis are a social media or collaboration tool and Microsoft SharePoint comes equipped out of the box with Wikis.  How to use this feature is the subject of the January 2017 Financial Management Institute article: “Big Honkin’ Binder”.

Why SharePoint?  Because most organizations already have it installed and with a little bit of patience and effort you can make it do some cool things. The following links systematically walk an organization through creating a Wiki based procedure guide.  As a bonus, there are two side bars on minimalism and questions to ask before creating procedures.

Table of Contents and Links to Article’s Director’s Cut

A Ruling on 80, 90 and 99

Heuristics or rules of thumb are of great benefit in formulating approximations and quick decisions.  They can just as easily lead one astray through over simplification.  In thinking about heuristics as they apply to organizations, I have been pondering three: the 80/20 Rule, the 90 Rule, and the 99 Rule.

The 80/20 Rule or Pareto Principle

The Pareto Principle is a heuristic that estimates cause and effect, it is defined as:

Also known as the 80/20 rule, the law of the vital few, or the principle of factor sparsity; states that, for many events, roughly 80% of the effects come from 20% of the causes.  Named after Italian economist Vilfredo Pareto (adapted from wikipedia).

While the Pareto Principle has reasonably good statistical evidence of its validity in estimating cause and effect, it does not do so well in predicting effort.  In other words, 20% of your future actions will yield 80% of the future value.  Which of the four out of five things will you do that will have no or limited impact on the 80%?

The 90 Rule

This rule is based on the observation of contributions to social media sites.

In Internet culture, the 1% rule is a rule of thumb pertaining to participation in an internet community, stating that only 1% of the users of a website actively create new content, while the other 99% of the participants only lurk (adapted from Wikipedia). 

It may seem strange to invoke an internet rule but compare this to an organizational structure. What is the relative proportion of shop floor workers to middle to senior managers?  Typically there is about a 1:10 ratio of doers versus managers.

Consider an organization of 1,000 people; a reasonable sized government ministry or medium-sized enterprise.  Within such an organization, there would be about 10 senior leaders (Assistant/Deputy Ministers, CEOs, Vice Presidents), 90 middle level managers (Directors, Managers, Assistant Managers) and 900 shop floor staff and immediate supervisors (clerks, sales people, workers, supervisors, etc.).

In other words the 90 rule is a reasonable heuristic to predict the allocation of resources and effort.  1% of the allocated resources will have a disproportionate effect on the next 9% which in turn controls or influences the final 90% of an organization.

The 99/0.9/0.1 Rule

A more lean view of the 90 rule is the 99 rule.  The 90 rule is accurate in the allocation of operational resources but I believe underestimates the effect of more strategic or exceptional events.  The CEO’s decision to close an unprofitable factory is not made by 10 people in the above fictional organization, but instead by 1 person.  Certainly the other 9 people support and (hopefully) validate the decision but the impact is then disproportionate to the remaining 990 individuals in an organization.

The 99 rule is a better tool to estimate strategic decisions within an organization.

Recap of the Rules

  • Pareto: 20% of an organization’s actions account for 80% of its results.
  • 90 Rule: 1% of the operational decisions are enacted by 9% of the organization affecting the remaining 90%.
  • 99 Rule: 0.1% of the strategic decisions are enacted by 0.9% of the organization which impacts the remaining 99%.

What are your thoughts?  Are the above heuristics reasonable and valuable tools when allocating organizational resources?  Is there too much variability and the rules are a meaningless average?  Do you have any anecdotal experience with any of the above rules in either their cause or effect?