The Second Rule of Human Risk is…

This blog continues my series on the Five Rules of Human Risk:

Rule 2: Compliance is an outcome, not a process

First a few words of explanation. Given I’ve previously expressed extreme dislike of the term “Compliance”, regular readers might be surprised to see the rule contains the ‘C-word’.

Don’t worry, my objection to the word still exists when it is used to describe a function within an organisation.

That’s not the sense in which it is being used here. The capitalization of “compliance” in the Rule is because the word comes at the start, not because it refers to the function!

In this context, compliance is meant in the true sense of the word; an outcome whereby people within an organisation are, and therefore the organisation as a whole is, compliant. That might be with a set of rules or regulations. Or it could be with a particular desired social, moral or strategic outcome. Similar to the way in which the medical profession uses the term “adherence” to describe when the patient correctly follows the personalised course of action prescribed to them by their doctor.

Look where you want to go

To achieve a desired behavioural outcome, we need to focus on the outcome rather than on the processes and controls we will use to achieve it.

Fellow motorcyclists will be familiar with the simple rule of “look where you want to go” when riding a bike. Not doing so risks crashing into the very thing that you’re fixating on avoiding. It’s counter-intuitive but also life-savingly effective.

Beatings will continue until morale improves

We have a natural tendency to do precisely the opposite. In a fast-moving world, it is tempting to jump into “solution mode” and open our standard toolkit of interventions to influence human behaviour. Particularly in crisis situations or where there is a requirement to fix things quickly.

To illustrate this point, consider an order ascribed to William Bligh, Captain of the Bounty; the ship made famous by a 1789 mutiny. He apparently ordered that:

“Beatings will continue until morale improves”.

Bligh probably didn’t issue that order. But that needn’t stop us from laughing at the ridiculousness of it, knowing that the desired outcome (improved morale) is directly undermined by the process being used to deliver it (beatings). We also know that even if there were signs that morale had improved as a result of the beatings, it would be a faked rather than actual improvement. If the Blighs of this world had really wanted to improve morale, then they would have needed to adopt entirely different methods; possibly ones that were beyond their contemplation.

In the end, “Bligh’s” methods didn’t just fail to improve morale, they led to mutiny. Breaking the second rule of Human Risk comes with consequences!

Compliance (or non-compliance) is a function of human behaviour; organisations cannot be compliant of their own accord, it is the people within them that determine that status. Compliance is achieved if all of the individuals within an organisation do what is required of them.

The existence of the human component requires careful consideration. As we saw with Rule 1, all too often compliance programmes are designed for the way we would like people to take decisions, rather than the way they actually do. People are not robots and if we want them to behave in a certain way, then we need to work with, rather than against, the grain of human thinking.

To illustrate the importance of this, I’m going to briefly explore two (of many) common fallacies behind process-, rather than outcome-driven compliance approaches:

“If we tell them, they will do it”

It is often tempting for organisations to rely solely on the fact that employment contracts give them the right to tell their employees what to do; an “if we tell them they will do it” approach. In some circumstances, this can be highly effective. No-one in a nuclear power plant is going to object to having specific instructions about what they need to do. We don’t want people maintaining planes to suddenly develop a sense of creativity when doing so. But simply issuing orders and expecting people to comply with them because they have to, won’t always work.

If, for example, there is a qualitative element to compliance or, if there is no way of monitoring it, then relying on that dynamic can be a high-risk strategy. Instead, we need to think about things from the perspective of the target audience. This not only requires an understanding of how the target audience perceives the specific requirement but also their perception of the authority seeking to impose it.

An employer that requires its employees to be in the office at a certain time will find it has broad acceptance of its authority to impose that requirement. But, to take a silly example to make a point, that same employer telling employees what music to listen to on the way into work is likely to find there is very little acceptance of its authority in that regard. In part because employees know that it will be impossible for their employer to monitor compliance, but also because they (quite rightly) will question the authority that allows the imposition of a requirement like that. This isn’t about whether an employer can legally do something. Rather it is about ensuring engagement. We’ve all seen comedy scenes set in offices where the boss ends up screaming “I am your boss” in order to get their way. Using those tactics might deliver compliance on the surface, but it breeds resentment beneath it.

A good example of a grey area is dress codes. In some situations (say airlines or the military), it is standard practice for staff to be required to wear a uniform and for their appearance to be subject to detailed prescription. However, in others, dress codes are far more contentious and employee compliance is dependent on acceptance. Here’s an example where the employer “over-reached” somewhat and the code had to be withdrawn.

If we’re trying to influence human decision-making, then we need to have an understanding of how the individuals we are trying to influence are likely to react. Advertisers don’t launch ad campaigns without testing whether they are effective and likely to produce the desired outcome. Movie studios do trial screenings of movies to gauge audience enjoyment of their movies and, if necessary, edit before the final version is released. Yet all too often no such thought is given to compliance activities. Even though they are also attempting to influence behaviour.

“Zero tolerance”

One of the most common refrains when it comes to compliance topics is for management to adopt a “broken windows policing” approach and have “zero tolerance” or “no appetite for” transgressions.

In some cases this is entirely understandable; fraud or racism are highly undesirable outcomes. But all too often, these statements are made for areas where such an outcome is unrealistic. Remember Rule 1: Human Risk cannot be eliminated.

Having a realistic understanding of how feasible 100% compliance is on a particular topic is critical. Setting unrealistic targets risks “management by delusion”, a loss of respect on the part of the target audience or, if the stakes are high enough, faked compliance. People are going to make mistakes; what is important is to understand where mistakes can be risk accepted and where they cannot. In some cases attempting to achieve 100% compliance may be counter-productive.

Many organisations obsess about employee surveys, aiming to get as close to 100% completion rates as possible. In effect making it a de facto unspoken compliance requirement. Yet coercing people into filling in surveys might well be counter-productive. If people don’t want to fill in a survey then forcing them to do so, risks getting responses that are worthless, thus undermining the purpose of the exercise.

Accepting less than 100% compliance, shouldn’t be confused with what is communicated to the target audience. Revealing that a certain level of non-compliance is acceptable, runs the risk of encouraging that outcome. But, through the clever deployment of BeSci and an understanding of how the target audience is likely to react, we can seek to achieve desired outcomes.

In the UK, the official speed limit on motorways is 70, yet everyone knows that the police generally only pull people over if they exceed 80. As a result, the de facto speed limit is 80. On the face of it, this is a bad outcome as most people drive over 70. In all likelihood, however, it is achieving precisely the desired outcome which is to get people to drive below 80. The police can enforce at 70 if they see a need to do so and anyone driving between 70 and 80 will be mindful of the fact that they’re technically breaking the law.

A prime example of where focussing first on the outcome and then working out what process will achieve it, bearing in mind the target audience, can be highly effective.

Primacy of auditability

A common reason for adopting a process-driven compliance approach is what I refer to as “the primacy of auditability”. In other words, designing something to ensure it is easily auditable, rather than most effective. Selecting “logical” processes often creates solutions that are theoretically perfect, but practically flawed.

A “logical” approach to a new regulation would be to write an all-encompassing 500-page policy covering that regulation and require employees to read it. It’s a highly auditable approach. Yet it is unlikely to result in employees reading it, let alone understanding or remembering it. The box is ticked, compliance is theoretically assured, but the risk the rules are there to mitigate remains on the table.

I recognise that in some industries, particularly those where there is a level of distrust between regulator and regulatee (step forward financial services), the logical solution to demonstrating compliance is to ensure it is easily auditable. But I’d argue that by doing behavioural analysis on the approaches we adopt, we can see which ones are likely to fail and which are more likely to succeed. That is a stronger argument than the fact something looks good on paper. Plus, if theoretical approaches worked in practice, then the distrust that drives the primacy of auditability wouldn’t exist in the first place!

Which brings me back to my dislike of the word “Compliance” to describe a function. Seeing Compliance as a process rather than an outcome makes it easier to delegate responsibility for it to the function that bears its name. That’s extremely dangerous in a world where compliance, like risk management, is the responsibility of everyone.

Finally, a word of thanks to the following authors whose works I highly recommend to explore more of the detail of this topic:

The Law of Good People by Prof Yuval Feldman

Conduct Risk Management by Dr Roger Miles

Ethical Business Practice & Regulation by Prof Christopher Hodges & Ruth Steinholtz

