While many businesses and IT enterprises these days are placing increased emphasis on policies and procedures, few are looking at why their policies and procedures are so routinely bypassed.
Certainly, perceptions of practitioners play a large role, but so too does the tone from the top and pressures placed on the organization. If groups fail to understand the pressures that cause people to bypass the rules, then no amount of policies and procedures will make any difference.
Carefully planned and implemented policies and procedures, along with the right people in the right positions, create a control framework that enables an IT organization to meet objectives while managing risks. The goal of the control framework and IT in general must be to assist the organization by adding value, not simply creating policies and procedures.
The All-too-Often Reality
Unfortunately, the intentional bypassing of policies and procedures too often is reinforced from the top. In other words, senior management creates an environment which rewards the violation of controls: “Just get it done.” Those four words can do more damage to a control framework than an explosion.
As Dietrich Dorner points out in his excellent book, The Logic of Failure, the bypassing of standard protocols rarely results in an explosion, and bypassing them often has a positive outcome. In other words, it is very easy to skip or change the steps in a process to yield a result that is faster and/or cheaper.
This creates fertile ground for the mindset that it is acceptable to cut corners, especially when management lauds the results. Regardless of the perceived benefit, the margin of safety was reduced by the action.
Applying this to IT, how often are policies and procedures bypassed to gain an advantage? For example, how often are changes introduced into production by well-meaning people? Odds are that many of those changes go into production just fine. There likely also are many cases, both known and unknown, where changes brought the same systems down or had negative consequences.
In bypassing change management, the seemingly positive incentive is faster deployment to production. The negative is that there are always risks associated with changing the state of anything and sooner or later an applied change will create an undesirable result.
Critical Success Factors
Controls have very real benefits for an organization by improving security, availability and integrity while managing costs. Getting to the point where a sustained positive control environment exists takes very real effort. For controls to be implemented successfully in an organization, there are some essential elements that must be factored in:
- Tone at the Top — First and foremost, the upper levels of the organization must support the control environment and not ask or imply that the practitioners bypass them. A carefully constructed set of controls can be irreparably damaged by the actions of senior management.
- Understandable — The control environment and associated policies and procedures must be clear. They must be both applicable and legible to the parties reading them.
- Add Value — As important as tone at the top, the practitioners must see the value of the controls. The controls must not be arcane and bureaucratic. They must be seen as adding value both to the organization and to the individuals.
- Proactively Communicate — Simply writing policies and procedures is not sufficient. They must be communicated to the organization — not just IT, but to all relevant stakeholders of each policy or procedure. Furthermore, the communication must move from simple awareness to true understanding.
- Training — In situations where communication isn’t enough, training is a must. Sometimes the training involves how to actually implement the new policy or procedure. Other times, training may be needed to ensure the recipient(s) comprehend the new policies and procedures.
- Regular Review — Policies and procedures must be regularly reviewed to ensure that they continue to reflect reality.
- Audit — There must be routine audits to ensure that what is documented is being followed. Variances could mean that training is needed or that the process needs to be revised.
A Balance
None of this is meant to suggest that controls are more important than adding value. The fact is that IT and management must balance controls so important risks are managed appropriately. A control framework should not impede business, but support it.
At the same time, everyone must understand why the controls are necessary and what the function of each control is. “Just do it” doesn’t do much to further understanding. All it does is create another perceived layer of bureaucracy. Take the time, provide the rationale and drive home as many direct benefits to the stakeholders as possible — not just in IT, but outside of IT as well.
Summary
Policies and procedures alone do not create a control environment. Management cannot simply buy a set of policies and procedures and expect IT to follow them. There is far more to the creation of a positive control environment than that. This article listed a number of critical success factors to consider, but the fact is that each organization is unique and needs to understand what is required to create and sustain a control environment. The effort is significant and the journey begins with the tone at the top.