In this chapter
This chapter brings together the outcomes of the individual chapters of the book within a broad chronological sequence that considers the past, the current state of affairs and the future impact of workarounds and shadow IT. Potential areas for further research are suggested and recommendations made for the actions that organisations should take to keep the benefits and risks of workarounds and shadow IT in balance.
The past – how we got to where we are today
The starting point is the establishment of the due process of law in 1368, which for the first time set out that a process had a number of defined steps which had to be worked through sequentially to the conclusion of the court case. Since that time, lawyers have spent a considerable amount of time working out how to use the process of law to best prosecute or defend their client.
Exactly how and when the term ‘workaround’ was first used is lost in time but certainly it was in common usage in the US aerospace industry in the early 1960s, reaching a pinnacle of public awareness in the way in which NASA managed to bring the damaged Apollo 13 spacecraft safely back to Earth.
The adoption of the concept from an academic research perspective dates back to 1984 and the work of Les Gasser on how the need to ‘work around’ (interestingly he did not use ‘workaround’ in his paper) the challenges of complex enterprise IT applications needed to be recognised and managed. The fact that there are currently over 750 citations to Gasser’s work is a testament to his appreciation of problems that users of enterprise IT applications would be faced with and the scale of subsequent research.
At around the same time the way in which office work would be changed by the advent of IT (notably personal computers at that time) was being considered, and concerns raised about the potential gaps between fitness to specification and fitness to purpose.
Little research was carried out into enterprise application implementation and use in the period between 1984 and around 2012. By then it was becoming painfully obvious that implementing enterprise-wide applications (notably for enterprise resource planning purposes) was a far from straightforward task. One summary of the situation referred to ‘clumsy implementations’ (Newall 2007) and that is a fair description.
These were also the early days of Enterprise Health Record (EHR) applications, initially mainly in the USA as a result of US Government support. Implementation issues were made more challenging as the change was effectively from paper to digital.
By this time there was an awareness that IT applications could be designed to meet a functional specification but meeting non-functional requirements (primarily related to adequate usability) was a much greater challenge. The gap between functional and non-functional was being met by workarounds and shadow IT. Workarounds were being developed by individual employees to enable them to achieve acceptable levels of productivity without the stress of working with an application which was difficult to use. The concept of shadow IT emerged in 2012 as the use of IT applications which had not been authorised by corporate IT. Arguably shadow IT is a workaround but a workaround might not involve shadow IT.
Two important pieces of research were being undertaken in the early 2010s by Van der Sharft-Bartis (2013) and Alter (2014). Alter was focusing on a definition for workarounds and whether the definitions could result in a classification of types of workaround that would enable IT managers to manage them. Sharft was also exploring approaches to the definition of workarounds but of perhaps greater importance was her analysis of the ways in which workarounds could be discovered, given that employees who had developed workarounds had incentives not to disclose them outside of a small group of colleagues. Among the discovery techniques was that of ethnography, which used carefully designed interviews with users to explore the extent and use of workarounds.
At the same time EHR applications were starting to be quite widely adopted in the USA and a substantial amount of research started to emerge about the use of these applications and the incidence of workarounds as users struggled with what, to them (and to hospital IT teams), were very novel IT systems.
In many respects EIS and EHR applications gave rise to similar problems but some important differences were starting to emerge. Among these were the much wider integration of text (in the form of notes on treatments and outcomes) and the role of nurses in particular as a source of innovation in not only driving application development but being aware of the implications for treatment outcomes. This contrasts with the situation in enterprise applications where there is little involvement in employee-supported development of systems and a sense that workarounds should not be tolerated. The enterprise focus is on conformance to corporate policies and especially on improving productivity.
A common thread through both is a concern about data privacy. This is of course a major concern in the clinical sector but is also an issue in the enterprise sector around the identification of specific employees being tracked through data logging. This is not so much a GDPR issue as about the level of proof that a data logging application can give about the activities of an individual employee and how this information might be used in assessing the performance and career development of the employee.
Interestingly the two communities seem to have no opportunity to learn from each other apart from the academic research literature which senior IT managers in enterprises are unlikely to have access to or an incentive to read.
It is in the nature of both workarounds and shadow IT that the incidence in the organisation will be unknown, though this is probably less of an issue in clinical applications because of a focus on supporting innovation. Any survey of a company is unlikely to arrive at even an approximate level of adoption. However, in the many case studies that have been undertaken, the choice of the employees to interview would have been made by the company as being representative of core business processes. It could be argued that this is close to a random sample and that if the interview programme reveals a substantial incidence of workarounds from a small group of employees then workarounds are likely to be endemic in the organisation.
In the case of both enterprise and clinical settings there is a strong commitment to reducing risks. In the enterprise these risks are related to conformance to internal standards and policies (such as ISO 27010 on information security) and to external audits for financial matters, as well as potentially an impact on corporate reputation. In a clinical situation patient wellbeing and positive treatment outcomes are monitored very carefully and reported to external agencies.
The problem for both environments is how the risks arising from invisible process workarounds and shadow IT can be quantified. This is especially the case with shadow IT which brings some substantial information security management implications – with workarounds this is less of a problem as the employee is using an approved application. It is important to realise that the risk from a workaround created by an employee may have a significant negative impact on a later stage of the process.
From an IT management perspective the implications for technical debt arising from workarounds have to be considered. Apparent issues with productivity or process integrity may catalyse development activity but if solutions have been developed as either workarounds or through the use of shadow IT then a change to the underlying application may not make any material difference and the opportunity to make such a change based on the experience of employees will be lost. Both will increase the technical debt of IT systems development.
A considerable amount of investment is now being made in Business Process Management (BPM) and Process Mining (PM) applications which track the course of processes in terms of chronology and keystrokes with the promise that the aggregated data will enable the enterprise to identify workarounds from differences in both.
There is a rule of thumb which suggests that 80% of the information in an organisation is unstructured text, video, social media, and images. The development of reports and other documents is far less about conformance to a process than accomplishing a task, working through a procedure or making a decision.
The present – where we are today
We are really no wiser than we were a decade ago! Although there has been a substantial research effort into identifying and categorising the reasons why employees adopt workarounds and/or shadow IT it remains very difficult to identify what the top-level issues are in an organisation that might catalyse workarounds and shadow IT. Data logging applications can provide evidence to indicate the likelihood of a workaround being used, but they do not generate a solution at either an employee, role or department level.
Of greater importance is a lack of awareness of the principles of effective information management. Even in organisations with a commitment to product and service quality there are rarely information management policies for information quality, nor an overall information management strategy. Information is supposed to flow around an organisation but invariably it does not and remains located in silos and team repositories.
There is a gradual understanding of the impact that psychological safety has in pushing employees to find ways of reducing the stress of their role and its requirements. It is an issue that has only comparatively recently been a research topic.
At the heart of the matter is the usability of complex enterprise applications. No matter how close to the functional specification an application is able to be developed, the processes themselves will also change with time, business objectives, and now the large-scale adoption of generative AI applications.
Much of the credit for improving the usability of web applications lies with Don Norman and Jakob Nielsen, both of whom started working on user experience topics, coming together in 1998 to establish the Nielsen Norman Group. Employees are now well aware of what good usability looks like and are inevitably critical of enterprise applications that they judge to have poor usability.
The issues around identification and resolution are very rarely discussed at IT industry conferences and at conferences for the EHR community. There is certainly a significant amount of evidence and analysis in the academic literature, but only the clinical sector will have ready access to this research and the skills to read between the lines, and certainly no capacity at the present moment to undertake in-depth research into the situation inside their own organisation.
The clinical sector is marginally better placed than industry and the public sector because the risks related to patient outcomes are a daily concern to everyone in a hospital. Moreover the emerging emphasis on bringing nurses into the discussions around process improvement is very much a step in the right direction.
Meanwhile IT managers have to continue to support rapidly changing business requirements and competitive threats through investment in new information systems. The benefits of these are invariably presented as complex schematic graphics which make no reference to the impact on employees.
It is now over 20 years since the core principles of a digital workplace were set out by Jeffery Bier and 40 years since researchers such as Suchman and Ellison raised the issues about how work would be undertaken in a digital environment. Now that the digital workplace market is dominated by Microsoft there is an assumption that all the requirements of a digital workplace are being met. There is evidence that this is not the case and that mobile devices and social media applications such as Facebook and LinkedIn are being used as workarounds to ineffective implementations of Office 365.
Workarounds as a source of innovation
A significant difference in the attitudes of enterprise and clinical management to workarounds is that in a clinical setting the importance of seeing workarounds as a source of system and process innovation is widely recognised even though there are some substantial cultural and management challenges in doing so. As an example, there are many research projects that show the benefits of nurses being involved in system design.
In the enterprise, process optimisation seems to be driven top-down by the quantitative outcomes of data logging. Workarounds represent bottom-up innovation that may be challenging for an IT team to accept after the time that has been taken in defining the processes and implementing the system. This argues for a much more agile development process and a much greater commitment to accessibility in its widest sense.
The future – a watchlist for potential research and management action
As I write this chapter in April 2023 the last few months have seen some dramatic developments in the availability of generative AI applications, such as ChatGPT. OpenAI has been in the vanguard of these developments and Microsoft (which has a substantial investment in OpenAI) is rapidly adopting the OpenAI technology in applications such as Copilot. The speed of availability is a complete contrast to the somewhat glacial approach to product development from Microsoft over the last four decades.
From a workarounds perspective, applications such as OpenAI ChatGPT and Microsoft Copilot have massive implications. If the promise is to enhance productivity then employee job security has to be under threat. It is unclear how employees are going to be trained in the effective use of what are now generically referred to as generative AI applications given that these applications have the potential to be implemented very widely across an organisation.
Nowhere will training be more important than in information management. This training will need to be placed in the context of information governance so that employees have a benchmark for the way that they can make use of generative applications and how this use should be identified in a document. The challenge here is that issues around information quality are not owned by a senior manager who can lead initiatives in assessing the potential benefits of generative applications. This is not a role for IT as to a significant extent employees will almost certainly be using applications which are not under the management of the organisation. ChatGPT and similar applications are in effect shadow IT and it is likely that younger employees will have a greater awareness of the potential of these applications through their widespread use of social media than senior managers using established applications and procedures.
The opportunities for research
In the course of searching through the research literature in writing this book a number of areas emerged where little, if any, research has been carried out.
Potential areas for research would include:
- Making comparisons between the way in which workarounds are identified and managed in enterprise and clinical organisations.
- Considering the potential impact of psychological stress on the propensity for employees to adopt workarounds.
- Understanding how employees with neurodiverse conditions adopt workarounds.
- Undertaking case studies that focus on the background and experience of employees who are using workarounds and shadow IT.
- Assessing the value of data logging applications in identifying procedural workarounds where there are few data points for the way in which the content item progresses through the procedure.
- How best to integrate quantitative and qualitative discovery outcomes to arrive at an estimation of the scale and depth of workaround adoption.
- Understanding if EHR managers have the incentives and time to monitor the outcomes of academic research.
Recommendations for organisations
The management of workarounds and shadow IT is rarely discussed in industry conferences and in the computer press despite the likely scale of use in organisations of all sizes and in all sectors. This applies to both enterprise and clinical practice. However, based on my experience in enterprise IT over several decades I would like to suggest some actions that organisations should consider taking.
- Recognise the value of combining top-down business process management routines with bottom-up process innovation from workarounds and shadow IT.
- Establish channels of communication through which employees and managers at all levels in the organisation can exchange views on the ways in which the need for workarounds and the adoption of shadow IT applications have emerged and track the way in which the benefits and risks can be assessed and managed.
- Create an environment that supports and rewards innovation in process design, implementation and adoption.
- Introduce usability assessments of existing and pending enterprise applications.
- Agree a corporate information management strategy, with a senior manager (ideally reporting to the Board) tasked with ensuring that the strategy is implemented.
- Assess the potential risks of workarounds and shadow IT on customer-facing processes and on processes that are subject to external audits.
- Consider how to quantify risk and technical debt arising from workarounds and shadow IT within the risk management protocols of the organisation and its risk appetite.
An innovative starting point to assess the prevalence, nature and management of workarounds is a book from The Art of Service, an Australian publisher of a wide range of self-assessment books. The Workarounds edition (Blokdyke 2021) runs to over 1200 questions that map against a seven-point framework of Recognise, Define, Measure, Analyze, Improve, Control and Sustain.
The bottom line
When I started work on this book I had little idea about the scale of adoption of workarounds and shadow IT nor about the significant amount of research that has been conducted on these topics. It has been a fascinating journey into areas that are rarely discussed at either IT industry events or events for EHR managers.
It is important to note that the outcomes of this research may well be largely invisible to enterprise IT managers who usually have limited access to this research (most of which is behind a subscription paywall) and equally limited time to consider the research in detail and take advantage of the outcomes in their organisation. This may be less of a problem in the clinical sector where the managers of EHR applications will be familiar with research.
The timing of the publication of this book could be fortuitous, in that during the course of writing it the role of AI in the work environment has been changed dramatically by the launch of generative AI applications such as ChatGPT. It is too early (perhaps by several years!) to assess whether these applications will increase or decrease the adoption of workarounds and shadow IT.
The only certainty is that unless organisations start to pay attention to understanding the extent to which employees have had to adopt unofficial ways to achieve their objectives they will have no baseline to know in which direction, and why, the usage has changed.