I’ve written quite a few posts on ethics over the past few months. The question I got earlier this month however really threw me for a loop. I hadn’t thought about it, so I thought about it, talked with people I respect and gathered some thoughts and ideas.
The question is as follows: ”What is in the end the difference between doing the right thing and the right thing to do?” It is a decision that architects often have to make. One that takes consideration and sometimes more time than you get to make the decision.
It isn’t in the end a subtle difference. It is more of a brick and a bat kind of difference. The right thing to do in the end is something that transcends what you are doing now and encompasses a larger bigger picture view of what could happen. Determining the right thing to do is often about looking ahead to what will happen based on all the possible scenarios.
My favorite example is deploying a patch you know will blue screen 1/100 PC’s (a constant blue screen loop). The right thing to do would appear to be not deploy the patch. But if you leave the security vulnerability the patch fixes around you will cost the company a lot more than 100 helpdesk calls. The right to do is deploy the patch.
Reality is that many people choose to do the right thing and avoid the issue of a 1/100 blue screens by not deploying the patch. The difference in the end between the two ultimately the impact of the decision.
Accounting for vulnerability in making decisions is important. Considering the impact of vulnerabilities is critical. In my email exchange with the person that asked the question above I gave them the example above. She came back and asked me what if the number was 1/1000 or 1/10,000 PC’s would be forced into a constant blue screen loop. Would that change the answer? Which in the end was a great to ask is this a black and white issue or are there shades of gray.
Accounting for impact is also critical in making decisions. So as the question goes what is the threshold of failure the organization is willing to accept in doing the right thing? Are there shades of gray? Certainly given that we are discussing a system failure based on a vulnerability effectively we have to make sure that the system blue-screening isn’t mission critical. Taking down the accounting system servers with this patch the day before first quarter results are due would be catastrophic and would push us towards saying don’t deploy the patch.
But we won’t know if the patch takes out the servers the accounting system is on. We won’t even know that the patch causes blue screens. It becomes in the end an ethical decision. One that has to be both made and owned. If you choose the right path you deserve any credit due. If you choose the wrong path then it is the ethical architect that stands up and says in the end it was my decision.
I guess to finish out the original question the gray area is the architect making the decision not in the end the decision to be made.
An interesting question.
You’re examples seem to assume a perfect, or at least good, knowledge of the consequences. It is known that 10% PCs will suffer a blue screen. What if it is potentially 10 – 90%?
Often as architects we have to deal with situations where we knowledge is poor and the risk of unintended consequences is high. How do we deal with these circumstances?
I think Result Chains are a useful tool for this. There’s a good guide to their use in conservation here: http://www.ecologyandsociety.org/vol18/iss3/art22/
“We describe results chains, an important tool for helping teams clearly specify their theory of change behind the actions they are implementing. Results chains help teams make their assumptions behind an action explicit and positions the team to develop relevant objectives and indicators to monitor and evaluate whether their actions are having the intended impact”
I think this helps us to see the difference between “Doing the right thing” and “achieving the right thing, in the end.”
We have direct control over our actions. We can decide to do X, Y or Z. It is a clear choice that we can make.
We do not have direct control over the final outcome, the consequence of our action. How confident can we be that X will achieve A? Perhaps we do not know for certain because of a lack of knowledge or skill. Perhaps we are only one actor, and the outcome is dependent on the actions of others.
Another useful tool is the Cynefin framework: http://en.wikipedia.org/wiki/Cynefin
This framework places our context into one of 5 domains based on the relationship between cause and effect: obvious, complicated, complex, chaotic and disorder.
In the obvious domain we can be confident on action X achieving outcome A. In the complicated domain things are less clear, but with investigation we can find out. In the Chaotic domain randomness rules, but we can depend at least upon the rules of probability. The Complex domain often involves other agents who may seek to deceive us or game the system, so caution is required. The final domain, disorder, is not knowing which of the domains you are in.
The idea of “doing the right thing” is a strategy that belongs in the Complex domain.
In the Obvious domain we know that doing the right thing will get the intended consequence. In the complicated thing the right thing to do is to take the time to work out the best way to achieve our goal. In the chaotic domain we should manage our risks using methods such as insurance so that the right thing is achieved in aggregate.
In the complex domain no amount of research will give us the optimal solution. Efforts to manage risk are likely to be gamed. Here the decision is not simply cause and effect but other concepts such as trust and honor begin to play a part.
Consider, for example, a company that is threatened with legal action if they do not pay a patent license. Do you pay the license even if you believe that the patent claim is false and detrimental to the industry?
Is the right thing to perform a cost-benefit analysis and pay the license if it is cheaper than the cost of a legal defense? Could this lead to the industry being flooded with other spurious patents from those looking to make a quick profit?
Or is the right thing to stand up and defend yourself, in court if necessary, even if it brings the risk of an expensive failure?