Adaptation in order to survive in the corporate world is nothing new. The risks associated with making a new decision depend on how that decision will impact the other people, processes or systems in the enterprise. As a simple example, adapting a process for entering orders from the field sales force could have a dramatic effect on productivity and at the same time subject an enterprise to newfound risks. How would your risk profile change if the following scenario took place at your business?
Sales reps are entering orders in the field via a web application that is protected by a user name and password. There is no VPN or encrypted connection. The application doesn't use SSL. The information on new customers includes name, address, phone number, credit card number, expiration date and the three- or four-digit security code. As the reps are entering their orders, the paper-based sales forms are being put into a folder to be sent by FedEx to the home office. Each rep makes a copy for their files, to make sure that they have the right commission check at the end of the month. The VP of sales finds out that many of the orders are lacking the security code or that the consumer is giving them the wrong numbers. He asks for a change in the sales order process with the CFO in order to streamline the flow of orders and diminish the backlog. The CFO instructs the CIO to have her department change the business rules in the order entry system to eliminate the need for the security code in processing orders. Also, the lag time for the company hard copy to reach the accounting department is a problem and he asks for this step to be eliminated. Everything is completed and now the sales reps no longer require this piece of information to process an online sales order. Productivity increases and the backlog is eliminated.
What potential operational risks exist today with this particular business process?
1. The privacy of the customers' personal identity and credit card information may be at risk if the sales rep is not securing the hard copies of the sales orders at their business office or home office.
2. The lack of the credit card security code could increase the number of fraudulent orders, given the high rate of identity theft involving stolen credit card numbers with expiration dates.
3. The personally identifiable information being entered on each new customer could be compromised due to the lack of controls on the network connection.
The new age of unreason is certainly upon us because simple changes like this are taking place by the dozens, hundreds or thousands every day in the largest enterprises. Making changes is also about learning what those changes will mean to everything that interfaces with that change. It means that testing must take place in a lab or compartmentalized area of the business to ensure that the change doesn't impact the core operations. It means observing performance and measuring the results to determine if the change is worth the new risks that the organization is about to encounter.
In the words of Charles Handy:
"Learning is not finding out what other people already know, but is solving our own problems for our own purposes, by questioning, thinking and testing until the solution is a new part of our lives."
"If changing is, as I have argued, only another word for learning, then the theories of learning will also be theories of changing. Those who are always learning are those who can ride the waves of change and who see a changing world as full of opportunities rather than damages. They are the ones most likely to be the survivors in a time of discontinuity."