During the last few weeks and months, as the Olympics faded from view, the story of Lance Armstrong has distracted us from the political and economic headlines. For many of us, whether as fans of cycling or as those affected by cancer (as victims, survivors, friends or family), Armstrong’s story has been more than a distraction; it has been a frequent companion at the dinner table, in the living room, and in our daily engagements with our circles of friends and family.
For myself, the Armstrong story has been perhaps even more provocative. First—a blogger’s disclaimer: as someone who loves cycling and found inspiration in Armstrong’s earliest successes over a decade ago, I own and still display above my desk, amidst other cycling posters and photographs, an autographed jersey, signed by Armstrong, from the 2001 Tour de France. But that souvenir does not blind me to the complexity of the story; indeed, it remains a source of inspiration against the challenges that life presents. In fact, the jersey only makes the entire situation more provocative—am I a fool for continuing to display an artifact of someone who cheated to win?
But the history of events and competing testimonies has never contradicted one important feature of the story: during the times Armstrong competed, the rules of the sport disqualified athletes on one basis, and only one basis: the return of a positive test result produced by qualified technical laboratories indicating the presence of quantities of substances in an athlete that exceeded specified levels. Those results could only be obtained from samples provided by the athlete under specified conditions, collected by qualified technicians trained to control the collection event.
The report published on October 10, 2012 by the United States Anti-Doping Agency, available here, documents substantial activity involving performance-enhancing drugs, conspiracies, a “Code of Silence”, and many other activities that many consider offensive. But not once, across more than 1,000 pages of evidence and testimony, did USADA conclusively demonstrate that Armstrong violated the rules of the sport that were in effect and got away with it. Not once.
Many have observed that, with subsequent advances in technology, detection, and monitoring of the athletes, the conduct attributed to Armstrong (and acknowledged by others) would not go undetected. Our tests are better; our equipment is more sensitive; our understanding of how doping and chemicals can enhance performance is more comprehensive; and our understanding of the potential roles trainers, doctors, and clinicians can play in manipulating blood values is more complete.
But, during the times Armstrong raced, those advances did not exist. Within the then-current technologies and rules, not once did USADA provide evidence that Armstrong violated the rules of the sport that were in effect and got away with it. Not once. Admittedly, the full report documents many “near misses”, including a back-dated doctor’s prescription, the smuggling of saline water into Armstrong while technicians waited outside the door to collect a sample, and the admissions of team members that they used doping techniques. But USADA never provided evidence of adverse test results that violated the rules.
So, for several weeks, following the conclusion of the Olympics, while the drumbeats by USADA became louder and the results of their report inevitable, I held off writing this post. The entire history places under scrutiny much more than one athlete, one team, or one sport. Instead, the story provoked for me different questions, for which I needed to think through my answers:
· What role do rules play in enabling sports (and commerce) to be played with enthusiasm?
· How do rules engage and inspire each of us to be cheering fans, taking sides, but ultimately enjoying the game itself?
· When conduct is not prohibited by the rules, are there any ethical limits to constrain the participants in sport (and in commerce) from engaging in that conduct if it yields competitive advantage?
· Under the United States Constitution, ex post facto laws are expressly prohibited. One cannot be prosecuted or convicted for conduct that was not illegal at the time the conduct occurs. In sport, should we prosecute and discipline participants on a different basis, allowing investigations and sanctions for conduct, however offensive, that did not result in a violation of the rules in effect at the time the conduct occurred?
· When are there enough rules? In any sport, the will to win will always inspire athletes, coaches, doctors, and sponsors to seek out and use any competitive advantage they can obtain. What limits, if any, should exist on how the balances between regulation and competition are to be struck?
· Should not innovation be encouraged if the innovation contributes to winning? When do innovations become unfair, and the target for regulation? When should we celebrate the success that innovation delivers? When should the innovation be protected against duplication, adaptation, and use by others who are trying to catch up?
Answering these questions serves another purpose, of course. As we look at the digital world that is shaping itself around us—becoming the global infrastructure through which human communication, knowledge, commerce, wealth creation and crime will be conducted far beyond my lifetime—how will we write the rules?
All of the preceding questions apply equally to how we construct our governance of the Net and the digital assets that fuel our existence. All of the preceding questions—and the answers that emerge—may provoke us to think differently about how we proceed to write the rules for the Net, and how we enable and govern competition on a global basis amidst unprecedented innovation and opportunities to achieve commercial conquests.
Obviously, instead of answering these questions in a single post, I think several will be required over the coming days. I welcome your interest, and encourage your comments. Now, instead of surfing any further, perhaps it’s time to go and get some exercise. Maybe even ride a bike! After all, as Albert Einstein said on the theory of relativity, “I thought of that while riding my bicycle.”
On Saturday, my son-in-law described his passion and interest in the neurosciences of fear. As a black belt martial artist, he is skilled in knowing how to defend and, when necessary, attack. But he explained that there is a real difference between the emotions of worry and fear. The skilled martial artist knows how to avoid fear, in part because they control the way they react to risk—what might be truly fearsome to most of us is, to the trained fighter, merely a worry. Action is required to avoid injury, but the action is not fear-based. There are certainly times when we need to react because we truly fear some outcome—but often the reaction can be ill-considered and, sadly, ineffective at deterring what has made us afraid. How does one evaluate the situation at a particular instance in time and control the fear? This question is his focus—absolutely fascinating.
Then, today I spoke with Jeff Lowder, president of the Society for Information Risk Analysts (SIRA). SIRA exists to improve how we analyze risks to information. In our discussion, we began to explore what it means to manage risk—what is one managing? Where did the idea originate that business management embraces managing risk? Is one managing the objectives of the business, or trying to manage the likelihood of events interfering with those objectives? If we accept that one cannot manage what cannot be measured (the essence of Six Sigma and other enduring management models), what must be measured to gain control of risks, and the likelihood of bad things happening?
These are surprisingly difficult questions to answer. But I wonder if those managing information risk can learn something by working out in the gym with a martial artist. When done well, both benefit from slowing down the passage of time, learning how to assess all of the surrounding circumstances, process and evaluate all of the relevant indicators and evidence, and then make rational, informed decisions. Yet, so often those addressing risk management in business act more on fear than on the actual evidence around them. The professionals develop extensive controls—both offensive and defensive—for responding to risks, but do not really try to calculate the real probabilities and make the controls proportionate to the probabilities.
One dominant method of organizing risk analysis is to grade the risks based on color—red for extreme risk, yellow for moderate risk, green for low risk. But, in a world in which we can measure and automate assessment of so many variables, why are we still relying on a methodology that is not much better than trying to fight with your eyes covered by a blindfold, unable to sense and evaluate all of the variables?
On Friday of last week, my wife was routinely reviewing our bank statement online and saw 12 transactions in four states within the preceding 24 hours. Of course, I had not left our home except to get groceries. Dang it—my debit card had been compromised, something we had suffered through last year when my wife’s card was compromised while we were travelling in France. Twice in one year! We were able to immediately call our bank, report the transactions, cancel the card, and already the credits are being restored. On the one hand, the risks to us were properly managed—and our bank provided terrific support. But it left me wondering—if we have been compromised twice in one year, are the risks being properly managed? Is the fact banks have fraud reporting hotlines some indication that, in martial arts parlance, not enough training is occurring?
Over the next few months, I will be exploring the questions and the answers.
In watching the Summer Olympic Games, I realized that there are only a few sports that have rules in place for temporarily removing a player after committing a violation. Water polo allows the official to remove a player, creating a “man down” advantage for the opposing team. Lacrosse is similar. During winter, in ice hockey, if a skater commits certain types of fouls, the official sends them to the penalty box for a measured time period. The opposing team has a “power play” opportunity to score.
Of course, in nearly every sport, there are rules that award sanctions against a player that violates the rules. In soccer, a single “red card” penalty can result in permanent removal (without substitution); in basketball, five or six fouls (depending on the level of play) can result in being expelled from a game. But why do only a few games have the “penalty box” concept?
Clearly, a “man down” creates advantages for the opposing team; in theory, the risk of these advantages being realized is intended to discourage the conduct.
Sometimes the threat of sanction is not enough; the player must be sat down for the officials to make their point that the rules will be enforced, and sanctions will be imposed. Those sanctions can be outcome determinative, such as additional goals being scored that change the final score.
But these “man down” and “penalty box” rules are fascinating. The rules allow the game to continue, with both teams still going for the win. Though sanctioned, the offending player has a chance to return to the game and re-engage in the competition. There is a synergy and inter-dependence of the game itself, and all of the participants, that is allowed to be sustained.
When drafting agreements, companies rarely consider introducing “penalty box” provisions for how to deal with violations of the rules. The contracts become playbooks for enabling the lawyers to have really big disputes after the relationship has been terminated. Rarely are the contracts authored to enable the game to go on, empowering everyone to continue to work toward the reason they are playing together in the first place.
But, in cloud services today, the game has changed. There are qualities of synergy, interdependence, and mutually shared objectives that transform how companies work with one another. Often, the dependence is so strong that it is difficult for the parties to just walk away, and leave the mess to the lawyers.
The next time you draft a contract for cloud services, consider using a “penalty box” concept. When someone does not follow the rules, sanctions may be appropriate, but they should be explicit, swift, certain, and allow everyone to get back to the game—working together to achieve new profits. Just like in water polo, lacrosse, or ice hockey, you need to trust that the continuation of the game is why everyone began doing business in the first place.
Beginning March 29, 2012, I will be joining 1SecureAudit in a new four-part briefing series designed for in-house counsel on automating the management of legal risk. This series focuses on four risk areas where technology and best practices in managing risk can be innovatively applied to reduce the likelihood of adverse events. The remaining briefings are scheduled once per month during the next quarter. Together, these briefings will introduce a model for building a legal risk management program that works in the 21st century.
The first briefing is Managing the Legal Risks of Outside Counsel. Many corporate lawyers presume that their law firms know how to manage and protect digital information, including the sensitive records that may serve as evidence in lawsuits and government investigations. But do law firms really do the right thing? How can corporations better address the legal and business risks that exist when outside counsel is entrusted with valuable corporate records?
Those attending this webinar will walk away with a detailed RitterMap™ that presents a structure for conducting a dialogue with outside law firms on how the firms implement modern information security management practices, as well as a detailed checklist of issues to be addressed in the engagement letters under which a law firm is employed. Attendees will also receive a discount coupon for a future 1SecureAudit eDiscovery Survival Executive Briefing and Workshop.
Registration for each webinar and access to further information about the series can be done here.