Corporate policy and Reg 2.0

The real boon in coming across Nick Grossman’s blog is discovering all the work he’s done around “Regulation 2.0”, which he recently summarized in a whitepaper:

Regulation, The Internet Way

Nick’s main thesis is that large-scale internet platforms (eBay, Airbnb, Uber, etc.) regulate user behavior on their platforms using a different paradigm from the one used by “traditional” governing institutions, and that it is now time for the traditional governing institutions to start adopting the new paradigm as well.

Under the old paradigm, trust, safety and security risks are managed using a permission-based model: who can act, and how, is defined in detail and up front; permission to operate needs to be granted explicitly, typically using a certification/licensing scheme. But once permission is granted, accountability/compliance is only weakly enforced, typically using periodic inspections.

Under the new paradigm, trust, safety and security risks are managed using an accountability-based model: accountability/compliance is strictly and continuously enforced using data on the player’s behavior. Open access is the norm, and no explicit permission to operate is required, as long as the data needed to monitor behavior is provided. Essentially, a higher up-front risk is accepted, as long as the cumulative risk exposure can be reduced through data-driven learning.

Nick points out that some of the regulatory friction around permission-to-operate that these internet platforms encountered in recent years (Uber, Airbnb) is an outcome of this paradigm clash.

A similar push towards open-access, data-driven regulation is brewing in slightly less sexy domains of the regulatory space, such as Energy Efficiency. In recent months, several thought leaders in the space (1, 2, 3, 4) have advocated for a move away from traditional “deemed savings” approaches, based primarily on statistical sampling, to more progressive M&V approaches based on real-time data coming from Smart Meters. Similar to the web platforms, it’s the technological innovation, Smart Meters in this case, that unlocks the ability to switch to the new paradigm.

Personally, however, I am much more interested in considering the applicability of this new paradigm in shaping internal policy inside corporations. You can think of internal policy as an effort to regulate employee behavior and promote the same trust, safety and security objectives. The upside is that the change management effort required to drive this paradigm shift inside a company is orders of magnitude easier, compared to changing policy at the city, state or federal level. The downside is that the amount of available data may not reach the critical mass necessary to enable the new paradigm. But I agree with Nick that this is not a good enough reason to simply default to the old one.

Encouraging evidence already exists. Consider Facebook’s Release Management policy. It’s a pretty good example of a data-driven, open-access/high-accountability policy. The release engineering team (aka “the governing institution”) structured a system in which the responsibility for shepherding code changes out to the world remains on the shoulders of the software engineer who introduced the change. Data on each engineer’s past performance (some variation of mean-time-between-failures and mean-time-to-restore-service) is collected and factored into a “push karma” score. Only if the score drops below a certain threshold does the release management team intervene and put constraints on the developer’s ability to push code. The concept of “targeted transparency” applies as well: developers are aware of their “push karma” score and can take action to improve it. Is it a perfect policy? Probably not. But it’s sure a big step in the right direction.

The next frontier, in my mind, is more broadly applicable corporate policies. Consider a company’s expense policy, for example, where transactions are rather frequent and data is abundant. It seems like a prime candidate for a policy redesign under the new paradigm. Other corporate policies, like the ones meant to prevent sexual harassment and discrimination or the ones meant to drive effective hiring/firing, seem like tougher nuts to crack, since data is scarce and the stakes around each transaction are much higher. Yet this shouldn’t discourage us from continuously pushing the envelope in that direction until we find solutions that work.



