Agency Risk
Reduced By Practices
- Contracts: Clearly defines roles, responsibilities, and expectations, reducing dependency issues.
- Estimating: Helps in planning and managing staff usage effectively.
- Monitoring: Monitoring the behaviour of agents, whether people or processes, helps identify when behaviour becomes counter-productive.
- Outsourcing: Accesses external resources and skills that may not be available internally.
- Review: Reviewing work or activity can ensure good behaviour.
- Security Testing: Make sure that agents don't exercise unwarranted control over resources.
- Stakeholder Management: Aligns the goals and expectations of various stakeholders, reducing conflicts.
Attendant To Practices
- Analysis: Creates dependencies on the availability and accuracy of information from stakeholders.
- Automation: Automated processes have their own agency and might not work as desired.
- Delegation: Can lead to a loss of control over task execution and quality.
- Estimating: Can put unnecessary pressure on staff to hit deadlines.
- Fundraising: Involves giving up a portion of ownership and control to investors.
- Outsourcing: Creates dependencies on third-party vendors and their reliability.
- Pair Programming: Staff might not like working in this arrangement.
- Pressure: Can negatively impact team morale and job satisfaction.
- Sales: Probably requires a dedicated sales team and resources.
- Security Testing: Likely requires security experts with specialist skills.
Coordinating a team is difficult enough when everyone on the team has a single Goal. But other people and organisations you might be involved with have their own goals too. Sometimes their goals harmlessly co-exist with yours, other times they don't. Even the software systems we employ can often have goals that run counter to our own.
In software development, we're not lending each other money, but we are being paid by the project sponsor, so they are assuming Agency Risk by employing us.
Agency Risk doesn't just apply to people: it can apply to running software or whole teams - anything which has agency over its actions.
"Agency is the capacity of an actor to act in a given environment... Agency may either be classified as unconscious, involuntary behaviour, or purposeful, goal directed activity (intentional action)." - Agency, Wikipedia
In this section, we are going to take a closer look at how Agency Risk arises. In particular, we will:
- apply the concept of Agency Risk in software development
- define a model for understanding Agency Risk
- look at some common issues in software development, and analyse how they have their roots in Agency Risk
- look at how Agency Risk applies not just to people, but to whole teams and software agents
- look at the various ways to mitigate Agency Risk, irrespective of what type of agent we are looking at. (We'll specifically consider software agents, humans and cells in the body.)
The Principal-Agent Dilemma
To introduce Agency Risk, let's first look at the Principal-Agent Dilemma. This term comes from finance and refers to the situation where you (the "principal") entrust your money to someone (the "agent") in order to invest it, but they don't necessarily have your best interests at heart. They may instead elect to invest the money in ways that help them, or outright steal it.
"This dilemma exists in circumstances where agents are motivated to act in their own best interests, which are contrary to those of their principals, and is an example of moral hazard." - Principal-Agent Problem, Wikipedia
The less visibility you have of the agent's activities, the bigger the risk. However, the whole point of giving the money to the agent was that you would have to spend less time and effort managing it, hence the dilemma.
Worked Example
At the core of the Principal-Agent Problem is the issue that we want our agents to do work for us so we don't have the responsibility of doing it ourselves. However, we pick up the second-order responsibility of managing the agents instead.
The example above highlights an automatic trading algorithm. There is significant risk that this one day might stop working or behave erratically - causing huge losses in the process. This risk can be reduced by Monitoring. However, monitoring takes time and adds complexity to an operation, and maybe even kicks the can down the road as you'll need to figure out whether the monitoring is being done properly!
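As an added illustration (not code from the original article), here is one way the principal can bound an automated trading agent: a gate that halts it on excessive loss or an erratic burst of orders, and that fails closed when the monitoring process itself stops checking in. The class name, thresholds and timeline are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AgentGuard:
    """Gate between an automated agent and the market (thresholds are assumed values)."""
    max_loss: float = 1000.0           # halt once cumulative loss exceeds this
    max_orders: int = 5                # halt on more than this many orders...
    window_s: float = 1.0              # ...inside this sliding window (seconds)
    heartbeat_timeout_s: float = 10.0  # monitor counts as dead after this long
    pnl: float = 0.0
    halted: Optional[str] = None       # halt reason; sticky until a human resets it
    last_heartbeat: Optional[float] = None
    _recent: deque = field(default_factory=deque)

    def heartbeat(self, now: float) -> None:
        """Called by the separate monitoring process after each completed check."""
        self.last_heartbeat = now

    def record_fill(self, pnl_delta: float) -> None:
        """Track realised profit and loss; trip the breaker on excessive loss."""
        self.pnl += pnl_delta
        if self.halted is None and self.pnl < -self.max_loss:
            self.halted = "loss limit exceeded"

    def allow_order(self, now: float) -> bool:
        """Return True if the agent may send an order at time `now` (seconds)."""
        if self.halted:
            return False
        # Fail closed: without recent proof the monitor is alive, stop trading.
        if self.last_heartbeat is None or now - self.last_heartbeat > self.heartbeat_timeout_s:
            self.halted = "monitor heartbeat stale"
            return False
        while self._recent and now - self._recent[0] > self.window_s:
            self._recent.popleft()
        if len(self._recent) >= self.max_orders:
            self.halted = "order rate exceeded"
            return False
        self._recent.append(now)
        return True


if __name__ == "__main__":
    guard = AgentGuard()               # constructed timeline: a burst of 7 orders
    guard.heartbeat(0.0)
    print([guard.allow_order(0.1 * i) for i in range(7)], guard.halted)
```

The heartbeat check addresses the "is the monitoring being done properly" question only in part: it proves the monitor is running, not that its checks are the right ones.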
Example Threats
Agency risk arises when there is a conflict of interest between agents (e.g., managers, representatives, or intermediaries) and principals (e.g., shareholders, clients, or owners). Agents may prioritise their own interests over the principals', leading to potential risks. Here are some examples of threats related to agency risk:
1. Goal Misalignment
Threat: A contractor's work is sub-par because they prioritise their firm's interests over the interests of their client.
Threat: A developer chooses a software dependency because they want exposure to it, rather than for its fit with the problem.
Threat: A project manager rushes software out with bugs in to hit a performance target, irrespective of the reputational damage that will ensue.
2. Misuse of Resources
Threat: Employees use company assets or time for personal projects.
3. Lack of Transparency
Threat: A software company withholds critical information about security vulnerabilities to avoid it damaging sales.
4. Moral Hazard
Threat: An executive approves a risky merger without adequate due diligence to boost their reputation or ego.
5. Conflicts of Interest
Threat: A staff member recommends a contracting firm because they'll receive some kind of benefit if it is used.
In 2014, Uber (the taxi service) were in the spotlight due to the God View Scandal. "God View" was a tool used to track customer movements in real-time and Uber had granted employees the power to use this tool without oversight. Inevitably, this was misused by employees to spy on ex-partners and celebrities: out of curiosity and for darker reasons.
This led to a PR crisis and a change in data privacy policies for Uber and highlighted the danger of employee access to sensitive data in general. Similar scandals occurred at Snapchat and with Apple Siri too.