Risk and Performance Management

  • Are making progress towards our goals?
  • Do we need to make changes to our team?

Classifying security work for performance

Let’s discuss blue teams focused on avoiding large data breaches. This security work has the other end of all four of these classifications. It is infrequent, unexpected, indirect, and often unobservable.

  1. Articulate a problem
  2. Suggest a budget
  3. Propose a solution
  1. Write code to a specification.
  2. Follow a runbook for a procedure.
  3. Fulfill a delivery contract of goods from point a to point b.

Reasonably making progress with OKRs

The Objective and Key Result (OKR) plays well with the knowledge worker model. It allows the knowledge worker to define their key results, which may fluctuate depending on how they want to attack their objective. It also requires some form of testable measurement that lies within the overall effort to be successful. In addition to defining these OKRs, a knowledge worker should also behave like an expert.

  • An expert should not require substantial supervision in making their objectives.
  • An expert should not be constantly fluctuating Key Results with conveniently available pseudo-justifications they couldn’t foresee.
  • An expert should demonstrate that their knowledge is still developing from one performance cycle to the next.

Organizational Feedback

The need for peer review is elevated due to the friction involved with measuring a blue team’s performance. Blue team work being infrequent, unexpected, indirect, and unobservable means that the role of knowledge work is maximized. The Bay Area has some frameworks that focus on performance assessment of knowledge work.

When a measure becomes a target, it ceases to be a good measure.

Organizations already have a hard time deciding how to interpret the concept of measurement into overall performance… risk or not. As we discussed previously… the collection and dissemination of feedback through performance cycles is tough and expensive. The performance cycle at tech companies in the bay area is a famously overwhelming time sink for employees, and is a severe emotional drain. Managers desire objective measures of performance to save time and reduce debate.

  • Knowledge workers are paid to provide risk measurements.
  • Knowledge workers also measure the risks they mitigate.
  • Performance management can corrupt risk measurement.

Conclusions

  1. Risk based knowledge work resists simple performance measurement.
  2. Knowledge workers are trusted to measure and manage themselves.
  3. OKRs and peer reviews are crucial for evaluating a knowledge worker.
  4. Objective measurement is efficient, but risk is a subjective concern.
  5. Overly quantitative management becomes subjected to Goodhart’s Law.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ryan McGeehan

Ryan McGeehan

Writing about risk, security, and startups.