Sunday, October 30, 2011

Compliance Starts with Explaining Why

I’ve just finished reading a couple of books by Kevin Mitnick, the famous computer hacker and phone freak who, after serving some time in prison, eventually became a security consultant. In his books, Kevin not only describes how amazingly easy it was to dupe employees at various organizations to willingly grant him access to their systems, but he also provides many suggestions for corporate security policies and measures.

The one thing that becomes obvious from reading Mr. Mitnick’s books is that people will comply with policies much more willingly when those policies are explained. Why is this policy in place? Don’t just mandate a password-protected screen saver to increase your data security level. Explain to employees why they need it. People aren’t dumb. With a proper explanation, they will remember the rule and are more likely to comply.

Whenever I’m flying, I notice how the air travel experience is filled with seemingly contradictory rules and regulations that come with no explanation. For example, I have to take my laptop out of the bag for a security check while all my other electronics, including the iPad, can stay in the bag. Why? During take-off and landing, I have to turn off all electronic devices even though I can’t really turn off my digital watch nor can I turn off my iPod Nano. Again, there is no explanation provided and I see more and more people simply ignoring the rule altogether.
I can see very similar challenges with enterprise compliance. The HR department makes employees take mandatory training on business ethics, but rarely is there any explanation of why we are taking these courses. The reason is probably not that the HR department suspects us of taking bribes or contracting out work to our relatives. The reason is more likely that by making us take the training, the company reduces its own liability. That’s a good reason, and the employees should be told.

The same thing happens with adding metadata, classifying content, and completing compliance-related work steps. We create rules, but rarely do we take the time to explain why. What benefit will the organization gain?

The results are often disappointing: poor quality, lack of consistency, or simply a complete refusal. Such results become very costly for the organization and practically impossible to remedy after the fact. People don’t follow the rules because they were never really told why they should bother.

Yet the solution is often amazingly simple. Give your employees the rationale behind the rules and most of them will try to do the right thing. You may not get 100% compliance or perfect quality, but you are going to see measurable improvements.

Because good compliance starts with explaining why.
