What’s the point of publishing rules if company leaders aren’t going to enforce those rules? What purpose do they serve in deterring unacceptable conduct? Should we simply do away with organisational policies entirely and just hope for the best?
How do you know which rules your organisation takes seriously and which ones they only give lip service to? This is important. Every organisation has policies, regulations, or mandated behaviours. Some of these are dictated by laws. Some by industry regulations or best-practices. Some are entirely home-grown. Most of those rules are written with good intent but are not consistently followed. This can be because the organisation’s leaders don’t believe in them, because they’ve become obsolete, because users aren’t aware of them, or because it’s too much of a hassle to enforce them. No matter the cause, the end result of ‘only-on-paper rules’ is a natural erosion in worker faith in all of the organisation’s rules … which leads, inevitably, to common flaunting of rules. Every observed instance of an ‘only-on-paper’ rule being violated without consequences reinforces the idea that company rules are strictly optional.
The antidote to this syndrome is direct confrontation and enforcement. When a leader sees a rule being broken, then call out the violation, correct everyone’s understanding of the associated rule, and act as required. In the military, we called this an ‘on-the-spot correction.’ It was the duty of every leader at every echelon to reinforce and clarify standards. This holds just as true inside a corporate culture. Business leaders don’t have to act like shouty angry drill sergeants. They do, however, have to enforce the standards that they’ve set. If they don’t, those standards collapse.
Again: every organisation has its rules. Every organisation also has people, and people are notorious for breaking rules. Deliberately, sometimes; accidentally other times. No matter what, organisational; rules are different from suggestions, aspirations, or cultural norms. Official rules carry weight: do (or don’t) do this; if you fail to comply, there will be consequences. That the entire point of publishing official doctrine. Warnings and training exist so that workers are forewarned about the behaviours that will get them reprimanded, demoted, or sacked, specifically because it’s natural and normal for people to break rules. Pre-empting the inevitable.
The headache for doctrine writers is that people are not (contrary to business school case studies) servile automatons. Real people are naturally inclined to push against constraints; to probe the limits of their ability to deviate from norms. This isn’t criminal; it’s how people learn where the so-called ‘red lines’ are in their culture and how close they can manoeuvre near (but not over!) those red lines before they put themselves in danger.
It’s strange, isn’t it, that our culture constantly tells young people to ‘push their boundaries’ and ‘transcend their limitations’ as a path to success then expects them to immediately become passive automatons the moment they reach the workplace.
As a deliberately ridiculous example: if a company states in policy its intent that every employee is required to wear a hat on Thursdays, then Hatless Bob should get a talking-to as soon as he arrives bareheaded on Thursday morning. Witnesses will then associate Bob’s deviation from standards with management’s immediate corrective action, and will learn from it. They’ll internalize the organisation’s expectations to avoid being like Bob. That’s the desired result of spot corrections.
The important part of this on-the-spot action is that Hatless Bob won’t be reprimanded or sacked on his first offence. Bob’s exploration of the boundaries of what’s allowed earns him remedial training. The only exception to this would be if the company’s Hats-on-Thursday was driven by inviable safety or legal concerns. For example, personal protective equipment in a hazardous location. Even then, the first offence is meant to be a teaching moment, not an execution.
In the abstract, I’m a firm believer that organisations should be very deliberate about the rules they publish. My motto as a policy writer is never publish a rule that you’re not committed to enforcing. Rules that exist only on paper are corrosive to an organisation’s security culture. The moment that people realize that official company policy is either routinely ignored or only enforced arbitrarily, their trust in (and respect for) the organisation and its leaders erodes. Organisations should create official rules only for those behaviours that are essential.
Again, though, rules that are enforced only in secret have no deterrent value. If Hatless Bob is seen being escorted to the street after multiple on-the-spot corrections and subsequent consequences, his termination reinforces the observers’ commitment to follow the policy (ridiculous as they might find it). If Hatless Bob goes cheerfully about his Mandatory Hat Thursday with no repercussions and then simply doesn’t return on Friday, it’s highly unlikely that anyone will make the connection between Bob’s behaviour and his removal. Unless, that is, management explains what happened and why. But that rarely ever happens.
People are going to screw around in the office. Don’t be so draconian that every conceivable act of stress relief becomes a career-ending mistake. Focus instead on the behaviours that actually matter (health, safety, harassment, etc.).
Why? In most of the places I’ve studied, it’s because of concerns over liability. Legal, personnel, HR, and/or upper management (depending on the organisation) expressed concerned that publicizing a wrongdoer’s wrongdoing might get them sued. Sure, they’d possibly persuade some other employee from making the same mistake, but at an unacceptably high cost. Imagine having to pay out £100,000 to Hatless Bob solely because Bob’s manager informed the rest of their department that Bob had been chastised for violating the Thursday Hat Policy. No department budget could sustain that. I understand their thinking … I just don’t agree with it.
I’ve seen this hyper-conservative approach to employee discipline backfire. An organisation’s version of Hatless Bob screws up and receives appropriate disciplinary action. Nothing is said outside of a sealed counselling session. Bob might or might reform. Meanwhile, right outside the conference room glass, Hatless Betty (Bob’s analogue from another department) obliviously strolls past and triggers an identical and easily preventable disciplinary action for the exact same offence. Bob’s reprimand carried no deterrent value, and might have even encouraged others to commit the same misconduct. Less than ideal.
I’ve discussed this with a bunch of managers, lawyers, and personnelists. No one has ever offered a workable solution to the deterrent-versus-privacy condundrum. Most of the people I’ve argued with agreed that leaders should be teaming up to prevent incidents of career-ending misconduct. Warning people away from non-malicious bad behaviour is good for the company: it reduces turnover, improves morale, and builds institutional trust. Even the most conservative of lawyers agreed that some sort of deterrent was preferable to multiple cases of the same ignorant offense.
That said, no one could suggest a practical way to balance the need for deterrence against the need to minimize liability. It seemed like an all-or-nothing deal; a few people suggested only ‘advertising’ example cases where there was no possible way that they could get sued for it. This being the U.S.A., there’s no such thing. In America, we let our elected representatives sue imaginary cows. Anyone can sue anyone else for anything.
The only fantasy that Americans love more than getting slim by consuming nothing but fast food and beer is the fantasy of getting filthy rich by ruining a rival’s life via the court system. We have issues.
So, what’s to be done? People are going to break rules just to see if they can. Leaders are compelled to take immediate corrective action. If they fail to, the organisation’s rules will lose their legitimacy. For those leaders who shy away from confrontation, rules become a hindrance rather than a help. Maybe the only practical solution for such entities is to replace all ‘rules’ with ‘suggestions’ … at least then there’s no risk of consequences when a worker elects to ignore them.
Or … hear me out, because this might be controversial … we could only publish those few rules the organisation is deadly serious about and then consistently and publicly enforce those rules so that every worker knows where they stand. Sure, some feelings might get hurt. Better that, I argue, than creating a corporate culture where the lax enforcement of the trivial rules inspires some malcontent to violate an existentially dangerous one.
Pop Culture Allusion: None this week
POC is Keil Hubert, email@example.com
Follow him on Twitter at @keilhubert.
Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant.
Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.