Organizing to Reduce the Vulnerabilities of Complexity
This paper by Charles Perrow explores organisational design, interactive complexity and tight coupling.
There is too much to cover in one post, so the paragraphs below will seem disjointed; I skipped a lot.
Perrow draws on his previous work by arguing that “some systems are sufficiently complex to allow the unexpected interactions of failures in such a way that safety systems are defeated and sufficiently tightly coupled to allow a cascade of increasingly serious failures, sufficient to bring the whole system down”.
Nobody purposely sets out to bring down the system, but such a system “has an inherent vulnerability because nothing is perfect, and rarely, but occasionally, no matter how hard one may try, the unanticipated interaction of errors will defeat the safety systems”.
Further, if the system has catastrophic potential, then “one should either reduce the amount of hazardous materials, or re-design the system to be less complex and tightly coupled”. Taking either option will probably reduce the efficiency of the system.
Intensified processes deliver “laudable goals” such as higher speed, volume, efficiency and the ability to operate in hostile environments. But they also bring higher interactive complexity and tighter coupling, which reduce both operational reliability and the ability to withstand deliberate attacks.
Systems that grow large via accretion and acquisition are said to have “unplanned characteristics that one may be unaware of and that allow for the unexpected interactions of failures, failures that will inevitably show up”.
He refers to a study that found chemical plants with high complexity and tight coupling had more large accidents, “apparently heightened as the result of incremental growth through add-ons and technological patches to older systems”.
He refers to the US Black Hawk friendly-fire shoot-down, as analysed by Scott Snook, and relates it to “the difficulty of `cobbling together' the quite diverse army, air force and UN diplomatic corps systems”.
He suggests one solution could be to put limits on the size of the parts of systems that could be stand-alone parts, or to link them via buses in the electrical sense, which are designed to buffer disturbances in each. If the systems must be connected, then means to monitor the interactivity are warranted.
He gives the “seamless interactions” of telecommunications systems, and of the monitoring and control systems in nuclear plants, as an example of something that “is efficient but vulnerable to a failure in either one”. Multi-divisional firms are said to have trouble buffering their divisions from each other because of “coupling that is too tight”, or because they impose similar structures, accounting or personnel systems across divisions.
The successful multi-divisional firms are said to be those that are loosely linked stand-alone systems, allowing different technologies and different organisational structures.
He further argues that the “design of systems should be inelegant and robust, rather than elegant and sensitive” (emphasis added).
Perrow suggests that a robust design is one that “starts with the premise of fallibility on all parts, especially the designer”.
An inelegant design will minimise dual-purpose components, reducing common-mode failures; it will use off-the-shelf components and give operators well-tested, low-maintenance parts, in configurations that “may well be cluttered or space wasting in order to allow easy maintenance and replacement; will have signals for component failures rather than just the larger sub-system failures; and will allow bypassing and reverse flows in emergencies as much as possible”.
Hence, Perrow suggests that we shouldn’t always seek the simplest, easiest or most efficient designs.
Next he discusses the problems of add-on safety. He suggests that designers often start with the assumption that the system design and its parts are largely “infallible”, so that they can maximise speed or output. They then add redundancies “just in case things and people are not infallible”. He says that these redundancies “constitute cheap fixes to elegant designs”.
The sources of failure in complex, tightly coupled systems are “quite diverse”, and in the author’s estimation, “redundancies and safety systems are the biggest single source of catastrophic failure in complex, tightly coupled systems”.
Further, robust inelegant design “require[s] an inelegant command and control system; that is the organizational structure should not be lean, centralized and the positions in it too specialized”. A drawback of decentralised systems is that they are slower to respond to widespread, multiple failures because “the units cannot be instantly and unquestioningly controlled from the top”.
Despite this, decentralised units are better able to handle the “continual stream of small failures, forestalling the widespread, multiple failures”. They are also said to learn more quickly and develop multiple skills. He argues that “Decentralized structures with sub-group autonomy are inelegant”, yet many modern information processing and communication systems are designed to foster centralised control.
He next argues that his preference is for open communication channels to “let the nagging worry through”. But how? He says that whistleblowers and people warning of danger are always found after the fact, “just as failures are always being predicted that never materialize, because there is no penalty for false predictions of failure”.
Systems that truly solicit scepticism are harder to find, but some successful approaches come from devil’s advocates, red teams and more. [*** Probably we’d also talk more about psychological safety and upwards voice now.]
Next he talks about the challenges organisations have in constructing timely, accurate and relevant perceptions of danger. He says “Organizations make up their history as they go along, dropping those events that do not make the present state appear to be an achieved goal and magnifying those events that do”.
Said differently, organisations “run backwards”. Part of these risk blindness processes “block, or at least intimidate, as in the Challenger launch decision, the communication channels that might provide disconfirming data”.
Referring to Challenger and Vaughan’s work, he says that having criticality thresholds which forbid launching “is not enough if they are routinely violated”. He ponders whether these processes of intimidation affected engineer decisions for launch.
Perrow talks about symbolic planning and fantasy planning, such as the extraordinary and unrealistic assumptions made in the oil spill contingency plan prior to the Exxon Valdez tanker spill. He says “Contingency plans are the nocturnal emissions of organizations, worse than unrealistic predictions of sales”.
He suggests some ways to counter these flaws. One is a broader network of interested parties involved in oversight: industry groups, regulators, shareholders and more; e.g. “the more organizations and groups with defined interests and involved in protection, the more realistic the emergency planning and the less likely the cover-up”.
He further states that “A rich organizational environment, even though partly adversarial, allows inputs that reduce the self-indulgent fiction of unrealistic `emergency plans' and meaningless drills”.
It is “these stand-alone organizations that do not have inputs from other stakeholders” and, without these inputs, “`fantasy documents' prevail”.
The decentralisation of large organisations shouldn’t be via a tightly coupled, mechanical grid, but rather a web where “the redundancy is fortuitous and substitutions inventive”. Nevertheless, he recognises that this isn’t always possible, or desirable, and that centralisation has its purposes.
He provides other suggestions on how to navigate the interactive complexity and tight coupling, which I’ve skipped.
Link in comments.
Author: Perrow, C. (1999). Organizing to reduce the vulnerabilities of complexity. Journal of Contingencies and Crisis Management, 7(3), 150-155.
Fits the forming/storming/norming concepts: that human (people) systems happen through common coping, rather than seeing the elegantly obvious and walking on by. (See blitz mentality, and all those other blanket bombing effectivenesses.)
Specialist, Human Factors and Organizational Safety at Equinor
4 months: Is NAT still considered a valid model? Hopkins made some compelling points here. https://www.sciencedirect.com/science/article/abs/pii/S0925753513000210
O&G Asset management | Operational Readiness | HSE management | Job Demands Resources | HOP practitioner
4 months: Thanks for sharing Ben Hutchinson
HSE Leader / PhD Candidate
4 months: Study link: https://doi.org/10.1111/1468-5973.00108 My site with more reviews: https://safety177496371.wordpress.com