Where Policy Stops and Enforcement Begins

In the Dalai Lama’s Rules for Living, he famously included, “know the rules well so you can break them effectively.”  The consensus has always been that he was speaking of civil disobedience, of which he was a big fan, but I’ve seen this paraphrased and used in a business paradigm as well.  I’ve seen it said of entrepreneurs and others known for innovation in a positive way, and by bad actors in a more devious way.  In fact, a famous entrepreneur I had the chance to meet said, “Being creative in business requires you to know the rules and often break them - and the boundaries/limitations simultaneously! Watch the mavericks -- they see opportunities where others see limitations and failure.”

That struck me as odd on two counts – first, that he didn’t credit the Dalai Lama for the concept, and second that he applied the Dalai Lama’s words to business (something I am convinced the Dalai Lama really didn’t care much for or pontificate on often).  But it did give me pause to think.  The same logic, or maybe better said linkage, that ties policy to violating policy also ties policy to enforcement.  In the context of GRC, those ties are intrinsic, assumed, and yet all too often ignored.

What do I mean by that?  

Inconsistent enforcement of company policies happens when policy development exists separately from training

In business, policies sit at the intersection of laws and other regulatory issues and employee conduct.  Policies are necessary to offer a guiding light to employees who are typically unaware of the various laws and regulations that govern their company.  There’s a loop – from policies, to informing employees on policies, to enforcing them – and that is best served by a chain and not a disparate pile of links.  

Many companies do, in fact, address this as a set of disparate links. "Here" they have policies, some of which may be complex and comprehensive; "There" is where training and policy awareness take place. What is provided in training may not accurately and completely reflect the actual policy, but nonetheless allows the company to check the box that training on the subject or topic is available.  Then, in yet another disconnected area, there might exist a means to report a policy violation which might be based on an understanding based on the training or possibility of a reading of the policy. Hopefully the training content and the actual policy are closely enough aligned to give the employee at least some understanding of whether a policy was violated or not before reporting it.  That’s asking a lot for an employee to know their way around well enough to find the right door to knock on to read a policy, be trained on a policy, or to report a policy violation.  Whew!  I’m dizzy thinking about what these poor employees must go through!

How To Simplify and Enforce Policy Uniformly

Make no mistake, some of the disparate systems are expensive and extremely comprehensive, albeit disconnected.  Me, I’m a simple guy.  I want to read the policy and verify my understanding with a simple attestation and quiz to show that I understand my company’s policies.  That allows me to be a well-informed employee who will know when a policy is being violated rather than having to figure it out.  And guess what, I want to go back to the same place to raise my hand when I’ve been wronged or witness a wrong to another so that does not become a scavenger hunt.

When I do report, I want to know confidently that my company takes my report seriously and acts upon it – and that if I choose to remain anonymous, that my anonymity is maintained.  I want to know that my concern was treated the same way as anyone else’s and that no bias existed by varying the interview or questions asked.  I want to know the process was fair.  I want to know I was respected.  I want to know that ethics matter to my company.

The ETHIX360 blog brings you weekly updates on all things human resources and compliance.

MEET THE AUTHOR

J Rollins is the co-founder and CEO of ETHIX360. J is a well known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.

ABOUT ETHIX360

RELATED BLOGS