
Despite the great enthusiasm around Enterprise 2.0, there are naturally also risks involved when an organization sets out to transform its information and work environment. Some of these risks are Enterprise 2.0 specific; some apply to all change programs in general. Transformation schemes always come 'equipped' with possible pitfalls that may jeopardize the success of the program. It is notably easier to prevent these problems in advance through careful planning and management than to cope with the challenges only after the "shit already hit the fan". Thus, this section aims to give an inclusive portrayal of the potential difficulties - to draw a detailed map of the landscape, with its slopes and slides - to help managers clarify just what they are dealing with here.

The CIO Magazine article "ABC: An Introduction to Enterprise 2.0 - risks" has gathered the main risks and fears related to implementing E 2.0:

There are security questions: This is probably the biggest outstanding issue with Enterprise 2.0 technology. How do you open up your enterprise to share information without exposing your infrastructure to rogues, misfits and malcontents? If you allow people to upload files to your system, how will you prevent malicious files from entering your network? While sharing content is a laudable idea, you still have to protect your company in the process; an open system such as this makes it a challenge to maintain security.

Vendors are beginning to develop enterprise-level delivery platforms, and security issues should abate. This happened with instant messaging when it moved from individuals (often teenagers) to the enterprise. (Just recently, for instance, Google acquired Postini, an enterprise-class e-mail security firm that could help provide enterprise security for Gmail and other Google Web applications.)

Not everyone is an expert: Some argue that expertise matters, and that not all content or opinions are created equal. While there are benefits related to opening up the conversation, not everyone actually knows what they are talking about, even if they pretend they do. Community policing does not always provide the necessary checks and balances to eliminate noise.

Losing control of content: One might argue that sharing content is, by definition, giving control of it to others. But lots of companies spend good money trying to create a message and to build a brand. Every word on the company website and in collateral publications is vetted and edited to maintain a consistent message. When you open up the conversation, for better or worse you lose control of that message, at least in ways you have previously defined it.

Losing IT control: Much of this technology happens outside the enterprise. It may be difficult for IT pros to give up control over the IT systems they depend on. Enterprise 2.0 is decentralized and ad hoc; it puts more control in the hands of the user and less in the IT department. It could be difficult for many to accept this cultural shift without some assurance that critical business systems will keep operating.



As said, security issues in Enterprise 2.0 have to be addressed with great caution, as always. However, there are already instruments available for handling these possible threats. Furthermore, development in the field is moving fast, as bigger and bigger players, like IBM and Microsoft, enter the game. I won't dive deeper into the technological background of the subject, but rather concentrate on the people aspect of the problem. Will the new open and emergent structure create new opportunities for the "wrong people" (including competitors and dishonest employees willing to sell secrets if they had access to them) to gain access to, and more importantly exploit, sensitive content? Harvard professor Andrew McAfee, at least, doesn't seem all that concerned, stating in his blog:

"At the risk of underplaying real security concerns, I want to make a case for a laid-back / laissez faire approach to security and Enterprise 2.0. The main reason this approach will work is a simple one: people already know how to behave appropriately, and they're not going to be driven suddenly wild by the appearance of the new platforms.

They've had access to phones, faxes, copiers, USB drives, email, and IM for a while now, and so have had plenty of opportunity to wreak havoc with security. Despite the existence of these tools, most companies haven't seen all their secrets made public or been sued out of existence. Shouldn't this tell us something about the extent to which people can be trusted to use communication tools appropriately?

Granted, Enterprise 2.0 platforms bring some new challenges. Foremost among them is probably the fact that contributions to these platforms are intended to be persistent over time and visible to all members. This implies that training and explicit policies about appropriate and inappropriate contributions might be useful. But I don't think it implies that Enterprise 2.0 represents a security risk so large that it should be shunned, or approached only with great caution.

I find it telling that the new communication and collaboration platforms have taken off most quickly in high tech industries despite the huge premium tech companies place on secrecy and protection of intellectual property. This is partly due to the fact that these companies are full of techies, but it's also because these firms operate in incredibly dynamic environments and so have particularly acute information sharing needs. It makes sense, then, that they'd be the first to adopt new tools that let people keep up to date with the latest developments, and with each other.

Let me end this post by suggesting a thought experiment. Imagine two competitors, one of which has the guiding principle "keep security risks and discoverability to a minimum," the other of which is guided by the rule "make it as easy as possible for people to collaborate and access each others' expertise." Both put in technology infrastructures appropriate for their guiding principles. Take all IT, legal, and leak-related costs into account. Which of these two comes out ahead over time? I know which one I'm betting on."



McAfee himself thought for a long time that Human Resources managers especially would be the ones most concerned about the risks of inappropriate behavior and exposure of sensitive content. However, he has noticed that this assumption might not be all that valid after all. For example, his blog post of December 2007 notes the following:

I asked the group (of senior human resources managers from very large organizations) to talk about the risks associated with E2.0, and they quickly brought up the concern of sensitive information jumping over the firewall. Then they stopped, and waited politely for me to move on to the next topic. Instead, I pressed them to think harder, and to imagine employees in their companies using the new platforms to harass coworkers, post hate speech or porn, rant about their bosses, etc. And the response I heard back was essentially "We suppose those things could happen, and to some extent they probably will, but we're not that concerned about them." This group of HR executives, in other words, seemed very comfortable trusting their companies' employees to do the right thing with E2.0 tools.




Granted, too, not everyone is an expert or a dependable source of reliable information. However, isn't it true that all information should always be viewed critically, no matter whose signature is at the bottom of the page? The social aspect of all information in Enterprise 2.0 creates novel possibilities for assessing the quality of statements by providing an easy channel to assess the expertise behind them. Colleagues can also comment on others' opinions and edit or remove false information. A truly functioning emergent structure should make sure that mainly reliable information surfaces from the depths of the organization. Of course this might not always "provide the necessary checks and balances to eliminate noise", but it is a risk that has to be dealt with individually in each organization.

Losing control of content might indeed seem like a significant threat. Vigilant "gardening" and "weeding" of inappropriate content is therefore essential to keep the content on track. Managers would no longer have the power to impose a structure serving their own ambitions and goals, but would rather have to open up their organizations to more transparency. The two biggest requests of most managers, when it comes to E2.0, are Governance and Security. This is not just about "control issues"; there are also sound business reasons why some controls should be in place. However, initiatives to dismantle all major information structures might face strong headwinds simply because people are afraid of losing power, or fear that opening up poses a threat to their position and rank in the organization. McAfee describes the matter in his blog as follows:

Enterprise 2.0 tools have no inherent respect for organizational boundaries, hierarchies, or job titles. They facilitate self-organization and emergent rather than imposed structure. They require line managers, compliance officers, and other stewards to trust that users will not deliberately or inadvertently use them inappropriately. They require these stewards to become comfortable with collaboration environments that "practice the philosophy of making it easy to correct mistakes, rather than making it difficult to make them" as Jimmy Wales has said. They require, in short, the re-examination and often the reversal of many longstanding assumptions and practices. It is not in the least disrespectful or contemptuous of today's managers to say that it will take them some time to get used to this.



This has to be taken into careful consideration in the planning stage, as it is absolutely necessary to win the approval of the management for the implementation of E 2.0 to be successful. Managers are just another category of users that need to migrate over to new ways of working, but they are also responsible for distributing the culture and ways of working to other employees, and thus play a key role in the process.

AIIM research, "Enterprise 2.0 - Agile, Emergent & Integrated" (available at AIIM.org), a study of 441 end users, also lists various reasons why Enterprise 2.0 hasn't yet spread more widely across all industries, and why companies still view the concept with caution and doubt:

As reinforced by respondents' opinions concerning impediments to Enterprise 2.0, "Lack of Understanding/ Appreciation" was the top response at 59%, followed closely by "Corporate Culture" and "Lack of a Business Case (ROI)". Given the nascence of Enterprise 2.0 as a concept, and the adoption curves seen earlier, this should be no surprise.
It is interesting to note that two of the more frequently ballyhooed sticking points with Enterprise 2.0 (particularly with blogs and wikis), "Potential Security Violations (Leaking)" and "Lack of Control (Loss of Control by IT and Management)" ranked 5th and 8th and both at less than a 50% response rate. Cost, technical complexity, security, and lack of control, typical stumbling points with new "enterprise software", do not seem to be the prime culprits in the lack of adoption of Enterprise 2.0. Again, this speaks to the low barriers and perhaps the low risk associated with experimentation and adoption of Enterprise 2.0.

Examination of the impact of Enterprise 2.0 on specific business goals and objectives solidifies a further aspect of the impediments to adoption. "Increased collaboration within the organization" and "increased capture of corporate knowledge" are notoriously difficult areas to measure with "hard benefits." Not every aspect of technology adoption can or should necessarily be directly tied to a measurement system. An attempt to measure the benefits and cost or time reductions of Enterprise 2.0 should not be avoided, but if the organizational culture is solely focused on "hard dollar" calculations, Enterprise 2.0 may be a near impossible sell. Again, however, the low technical and financial barriers to Enterprise 2.0 may make it easier to operate experiments under the radar of traditional business justification exercises.



However, once a company has decided to take the leap and begin the implementation process, one of the greatest threats to Enterprise 2.0 might actually be the barriers to adoption of the new tools and culture. Enterprise 2.0 cannot work if the employees aren't using the tools and adopting the work habits. Learn more about these barriers in Enterprise 2.0 - Implementation, or for a specific guide to wiki adoption see Advice on Wiki Adoption.

To conclude, the risks related to Enterprise 2.0 include:

  • Security issues:
    • Does opening up information flows pose a threat?
    • Risk of people releasing information that is not supposed to be made public - either on purpose or by mistake
    • The public making offensive or awkward statements on company platforms
    • Viruses or other malware
    • Lack of control
    • Evaluation of the technologies and vendors still mostly in its initial steps
  • Not everyone really knows what they are talking about
    • Will peer evaluation, commenting and editing eliminate the "noise"?
  • Personal opinions related to opening up the organization and removing significant structures
    • Corporate culture


      Prof. McAfee has collected a list of Enterprise 2.0 risk FAQ in his blog:
      • What if employees use their internal blogs to post hate speech or pornography, or to harass a co-worker?
      • What if blogs are used to denigrate the company itself, air dirty laundry, or talk about how misguided its leadership and strategy are?
      • What if nasty arguments break out in a discussion forum and the whole thing descends into name-calling and flame wars?
      • Won't people be tempted to use forums to talk about current events, review movies, ask for advice about camcorder purchases, and have other non work-related conversations?
      • What if people waste time filling up their employee profile pages with pictures of their kittens and vacations?
      • Will people just use social networking software to plan happy hour, rather than to get work done?
      • Don't Enterprise 2.0 platforms just yield another source of discoverable content - material that must be turned over as part of a lawsuit or other legal action?
      • If the information on these platforms really is valuable, won't it be harvested by spies and sold to the highest bidder?
      • Won't hackers break in to our Enterprise 2.0 platforms and steal their content?
      • Don't these technologies make it easier to deliberately or inadvertently leak secrets to the outside world?
      • Don't they make it too easy for confidential information to leap over our internal Chinese Walls?
      • If we give up tight control over our Intranet's content, how can we possibly avoid running afoul of all potentially relevant regulations and laws around information sharing in all the places we do business?

      The list of concerns grows when an organization also considers extending Enterprise 2.0 tools and approaches to external groups like prospective customers, actual customers, suppliers, and other community members:

      • What if an unhappy customer uses our community site to air their grievances, and to talk loudly and often about our lousy products or Kafkaesque customer service? Or a supplier uses them to complain about how we never pay on time?
      • Are we responsible and liable if people give incorrect information or bad advice on question and answer forums we host on our Web site?
      • If we try to take advantage of lead-user innovation and ask people to submit their ideas to us, who owns the resulting intellectual property - do we have to share resulting revenues and/or profits with the submitter?

These are all important questions that need to be thought through when planning to implement Enterprise 2.0. They may seem like major problems at first, but some of the "WHAT IFs" can also be viewed as opportunities to improve and stand out from the crowd of competitors. For example, take the hypothetical case of customers complaining that a company's product doesn't work as it should. Complaints made on the company platform can be analyzed and answered with support that may also help other customers with similar problems. After all, how can a company fix flaws in its products if it's totally unaware of the problems? Or the case of employees whining about something publicly: well, don't you think that if your employees have a problem with your company, you are just looking for trouble? Rather hear about it and address their concerns ASAP.
It is also good to remember that not all customer, partner or employee feedback will necessarily be negative, but instead may even promote commitment of stakeholders and the public image of the company.

