While hanging around the water cooler the other day, I took an informal survey of a few colleagues. “How many of you are finding the task of addressing private information in compliance with increasingly complex laws, regulations, and corporate mandates to be hugely fun?” Unsurprisingly, the feedback was unanimous; everyone was loving it. They couldn’t get enough. They clamored for greater records management responsibilities and litigation response obligations. They also mentioned that there is no better end to a long workday than an involved information-security training, provided that their lunchtime could be interrupted for dental work with no anesthesia.
As it turns out, employees in the real world don’t really like doing anything beyond their real jobs, and certainly don’t want to have anything to do with the perceived tedium of classifying their files according to a growing set of company rules. For the vast majority of people, information management is about as fun as a root canal. And yet, effectively managing information has always been essential and is more and more a differentiator for organizations. This capability impacts a company’s reputation, risk profile, and innovation initiatives.
What can companies do? They can’t outsource their obligations—even if a third party is brought in to do some of the legwork, ultimately the obligation to comply lies with the company. Nor can they ignore the issue, because more and more laws prescribe how companies and their employees must manage information from its creation to its proper destruction. Similarly, there are far more consequences for failing to get it right. It’s an unenviable position for companies; they need their employees protecting the company’s information assets, but most employees are uninterested at best, viewing themselves as full up with “real” work that trumps a concerted focus on these efforts.
Generally, there are two kinds of employees: the ones who are motivated by carrots, and the ones who must be inspired by sticks. There are some employees who will follow rules because they are told to and because being proactive is good for the company. However, if there is no compelling reason for employees to do something, they often fall into the latter category of needing a consequence, a penalty, or a loss of some benefit or privilege before they will dream of doing a task at work outside of their perceived job scope.
That brings us to a confluence of realities: more downside, more attacks on the IT systems, more laws dictating what is required and penalizing companies when they fail to comply, and more employees behaving badly, uninspired to lift a finger to help your company better manage information.
Here are seven keys to fix such a problem.
1. Set the Tone at the Top. The CEO in some respects is the soul of the company in that he or she sets the big-picture objectives for the organization. This is commonly communicated through a mission statement, vision, and code of ethics. These concepts and values are then seen as calls to action by others in the organization and rapidly become operationalized. When the CEO or other executives message the importance of a company initiative or action, the employees (everyone below them) are more likely to listen and follow their lead. For example, if the CEO decides that being a “greener” company is important, then initiatives that advance that idea will get more attention and funding. Employees will more likely do what it takes to make the company greener. Thus, one thing that will be essential to making information activities come to life in the company is for the executive team and others in management to support the information project or program and message its importance to all employees. Another way they can show support is by funding such activities and publicly recognizing successful efforts.
2. Make It Part of the Job. One of the best ways to get folks to take on protecting private information is to make it a part of their job responsibilities. For many businesses, at most they develop policy and expect that employees will read, understand, and follow the directives. That is usually the last time the policy is addressed until something bad happens. Then everyone wants to know what went wrong. What commonly goes wrong is that employees have a black and white view of their roles and responsibilities. They disregard policies as irrelevant to their jobs if adequate context isn’t provided.
The company can “legitimize” the activity by making it a part of the employees’ job responsibilities in writing and by making it clear that failure to do as required will, for example, impact performance incentives. When compliance with a policy is tied to compensation, it tends to get employees engaged. That would be more of the stick approach.
In terms of the carrot, why not have high-potential employees nominated by senior leadership to serve as information stewards? Formalize the role, make it a coveted position, and recognize and reward them for participating. You will find that you have inspired these employees to be your eyes and ears in the business. This causes a chain reaction whereby those around them start caring more as well.
Providing a written policy or other directive tells employees what is expected; training them on it helps ensure they understand what they must do in greater specificity. In other words, policy is not enough. Training and perhaps even testing on the mastery of the training is far more effective.
Remember, however, that employees can’t take in endless training sessions on one topic after another. Be mindful to not put too much in front of them at once and spread it out to maximize the training’s effectiveness. In other words, limit how much training employees receive, given the law of diminishing returns.
Training should be an important tool in your arsenal when it comes to ensuring that employees are able to digest and apply vital policy concepts. It is a stepping-stone to behavioral change. One point of consideration is to consolidate trainings where possible. Companies often have a “code of ethics” or “code of conduct” that provides high-level principles regarding the company’s position on such matters as privacy requirements, books and records management, cyber-security fundamentals, and beyond. Publishing such a code for public/external consumption bolsters a company’s reputation for being trustworthy and of sound integrity. Is it possible to consolidate your trainings on various governance topics into one large “code of ethics” training that can be taken in modular format? This then strengthens and unifies the company’s position on various interdependent information-management directives while streamlining the training experience for employees.
4. Gamify. In the last few years, gamification of training has helped create better-trained employees and kept employees engaged with longer-term retention of the topic. Gamification is a process that makes the training like a game so that an employee is engaged at a deeper level. This means launching awareness campaigns that involve features like points, levels, and awards. The goals of gamification are to create a sense of intrinsic motivation, achievement, and mastery. The more employees interact with the training material or policy in a game context, the more likely they are to understand the material and be able to act upon it. The bottom line is that it works.
5. Auditing/Monitoring. The only real way to know whether employees are doing what is required of them is by looking. In the workplace, that is typically done by watching their actions in real time (monitoring) or looking at what they have done after the fact (auditing). Auditing and monitoring programs help ensure that employees are getting it right. These programs also allow the company to help employees better perform tasks and fix training or implementation issues across the company as they become known.
In highly regulated industries, auditing and monitoring are part of the normal course of business. In fact, internal audit and quality assurance teams can be excellent partners in building an audit readiness program and in conducting the audits themselves.
6. Whack with Love or Not, but Be Consistent. When employees get something wrong, there may be a need to reprimand them. Thus, when policies provide that noncompliance may result in disciplinary action, the company must follow through. Failure to discipline may result in claims that such policy or disciplinary action is applied in a discriminatory fashion. Remind and follow up with employees to ensure they are getting it right, and when they don’t, act swiftly, fairly, and consistently to address the failure. Remember, word travels fast, and others will take note, which tends to change behavior in a positive way.
7. Repeat. Training, behavioral change, and the business transformation that follows are not one-time projects or instantaneous outcomes. Begin the process of training on key topics from the very beginning of an employee’s tenure at your company during orientation. For topics that are essential for employees to master, such as information security, training should be routinized and part of an established schedule. Not only that, policy principles and core concepts should be patiently and persistently reiterated via meetings with communities of practice, company newsletters, annual refresher trainings, and embedded within spotlights on governance initiatives when there has been a “big win.” Making employees care about managing information well means making these conversations part of your company’s culture.
Information has become the lifeblood of organizations. Oftentimes, it’s pumping life without rhyme, reason, control, or direction, and that has to change. Unless leadership institutionalizes the management of information, the employees will likely do as little as possible or nothing at all. With value, volume, growth in legal requirements, and consequences all intensifying around information management, however, companies must have their work forces engaged. The seven keys may not build love, but they will build a reasonable, repeatable, and defensible process “hook” for litigators to hang their hats on when failure occurs, and it always does.