People’s willingness to obey or disobey policy directives largely arises from their company culture. Business Technology’s resident U.S. blogger Keil Hubert shares a story about learning this lesson from a colonel’s peculiar cross-dressing advice.
I’ve spent a great deal of my professional life arguing with people about how best to craft effective policy – especially security policy. I’ve found that – for entirely predictable reasons – most company policies in the tech domain are utter crap. They’re often well-intentioned, and sometimes mandate prudent behaviour, but they’re almost always unenforceable because of limitations in corporate culture. Many policies are worse than useless (as in, actively detrimental) because their impotence exposes the company to more risk than it’d face if the company had no policy in force at all.
I believe that this is largely a matter of social psychology and the self-destructive ways that most people act when they’re part of a collective.  Soc-Psy, if you’ve forgotten your undergrad days, is the science of how people’s perceptions and actions are influenced by the implied presence of other people. In the workplace, this academic discipline plays a huge role in the way that we form our policy directives: how do we expect our employees to act in a given situation when they’re subject to the scrutiny of their peers and superiors? If a policy crafter guesses right about her people’s probable actions, then her calculated, targeted policy can be used to ‘nudge’ people away from doing risky or destructive things and towards safer behaviours. Guess wrong, and… well, odds are good that your gentle nudge will be perceived as an aggressive shove and will motivate the offended employees to (metaphorically) shove right back.
Effective policy writing requires an understanding of the social values and attitudes that permeate your company’s unspoken collective culture. Put another way, you really need to understand how your people actually perceive their world (and, thereby, understand their relationship with others in said world). If that sounds too academic, let me offer up an example that’s absolutely pants. 
I spent the first twelve years of my military career as a soldier in the U.S. Army. As you’d expect, the Army is a very regimented place (that’s there the word comes from, after all). There were rules about everything: how to make your bunk how to clean your rifle, how to fold your shirts… Rules for every possible activity. Every rule was codified in absolute terms in a formal rulebook. If you were feeling clever, you’d scrutinize the rulebooks and work out what you could and could not get away with while still operating strictly within the law. Yes, I got into quite a bit of trouble over the years operating entirely within the regulations in ways that were not anticipated by the authors of the rules. On the whole, though, I understood the operating culture: One Must Comply To The Letter, Amen.
When I transitioned to the U.S. Air Force in the summer of 1999, I found myself immersed in a culture so drastically different that it may as well have been designed by space aliens. At first, I thought I was simply having trouble translating service-specific language. I naïvely thought that we shared a common essential world-view. We did not. Not even vaguely.
Case in point: uniform wear. Even though the two services’ dress uniforms were nearly identical, the way that they were worn was infuriatingly different. The first time I ever donned my new blue polyester ensemble was to attend a technology conference. I assembled my uniform exactly the way the Air Force Instruction (the air service’s version of an Army Regulation) told me I should. When I showed up in the coffee line on the first morning of the conference, I was pulled aside and given a mild scolding from a bored senior fellow – both for having followed the written rulebook, and also for having failed to comply with the Air Force’s widely understood (but entirely unwritten) uniform wear rules.
The Army regulation told you exactly what your uniform consisted of (e.g. one polyester shirt of a specific shade of green, to be pressed in a certain pattern, with a plastic nametag placed just so on the right-breast pocket flap, and so on). The Air Force Instruction was just as specific. Both documents said that compliance with the written standard was mandatory. What wasn’t written was that the author of the Army document was dead-serious when he or she said that, while the author of the AFI was only pretending like he or she expected the reader to take the warning seriously.
One of the first ‘secrets’ that I learned during that admonishment was the upsoken Air Force tradition of wearing sock garters under one’s trousers. This practice was (I discovered later) a cheat that young officer candidates in the USAF had come up with in order to keep their dress uniform shirts tucked in while simultaneously keeping their socks pulled up. They’d get some lengths of elastic with clips on either end from a women’s lingerie store, and would use them to secure the tails of their shirt to the tops of their socks, underneath their trousers. Once they worked out the right tension, the act of standing and walking would keep everything pulled just so.
When I pointed out that women’s bloody lingerie was neither mentioned in the AFI nor expressly authorized for wear with the men’s uniform, the senior man gave me a withering scowl and dismissed me. At the time, I was flummoxed; one of the core principles of soldiering is that orders are explicit, comprehensive, and not open to interpretation. Whenever there’s a smidgen of doubt about whether a rulebook has adequately covered a subject, you’re expected to fall back on Army Rule 1: Anything not expressly permitted is forbidden by default. It didn’t matter if the writers of the uniform regulation had known about the sock garters trick or not; since they didn’t mention it in their list of acceptable components, it was therefore disallowed.
I was a bit miffed at having been dressed down (so to speak) by a senior officer, but that indignation didn’t last long. The social scientist in me got interested in this peculiar unauthorized uniform variation and what it meant for my new service’s larger operating culture. I started interviewing other Airmen about it. Why was this okay? Whose idea was it? Why was it tolerated? What happened to people who got caught doing it? I learned quickly that the answers were (respectively): because it made it easier to look sharp, no one knew who first came up with it, none of the senior officers seemed to care, and not a damned thing.
When I got back to base, I broadened my inquiries, and quickly discovered that ignoring the rules laid out in AFIs was not only common – it was, oftentimes, expected. Airmen tended to operate on the principle that obedience was something one did only when one absolutely had to (e.g., when an angry general was watching). Over the course of the next few months, I observed officers run around in public with no hat, sprint in from the car park to avoid saluting the flag at reveille, walking about with the fly of their trousers open, refuse to salute superior officers in public… pretty much whatever they thought they could get away with.
These observations made me realize that there was a fundamental cultural concept in play that was 180 degrees opposite of what I’d been brought up to believe in the Army. It wasn’t inherently ‘wrong’, necessarily; it was simply a different cultural imperative. The good Airman’s guide to life started and ended with Air Force Rule 1: Anything not expressly forbidden is permitted. That was followed closely by Air Force Rule 2: Anything considered forbidden is only really forbidden when someone chooses to enforce it.
Once I grasped the essential difference in attitudes between the two services, it removed a considerable amount of negative stress from my professional life. I changed my approach to my co-workers in blue, judging them not based on my own cultural expectations, but on theirs. The Airmen I served with were products of their formative environment, and didn’t understand why I (a transplant from the reviled ground-pounders) found some of their antics distasteful or downright disrespectful. Most zoomies really didn’t mean to offend. They simply acted according to their cultural conditioning, the same way that their peers did, in order to curry approval with and avoid censure from the crowd. That’s what people everywhere do.
I remembered the gap between those cultural imperatives when I started working in the business-consulting world. I made it a point to always try to evaluate the company culture whenever I arrived at a new client site. Using the simple green/blue  test, I’d try and figure out which way the locals thought their world worked. When I designed new technology or business process solutions for my clients, I took their worldview into account so that I wasn’t inadvertently trying to oppose their people’s conditioned expectations of normalcy.
From a policy crafter’s perspective, that little green/blue test is one of the most important factors to consider when trying to decide how to best influence employee behaviour. It matters very little what the company claims about their culture of compliance; what matters is how people really behave when the boss isn’t around to skew the results. If the employees are inclined to obey an edict even when no one is observing them, then you can get away with writing simple, declarative instructions (e.g. do this, don’t do that). If, on the other hand, the company’s employees are inclined to defy authority whenever they think that they can get away with it, then your policy writing exercise becomes much more difficult… you can make the same declarative statements, but you also have to build in explanations of what will happen if or when your declarations are disobeyed. That, in turn introduces a dangerous new complication regarding policy enforcement. 
In a largely ‘blue’ work culture – that is, one where people are predisposed to buck the rules for whatever reason – attaining employee buy-in and compliance requires a great deal more effort. You have to explain why a directive is being made, what the consequences are for disobedience, just how seriously you take the problem, and what management will be doing to compel compliance. It’s sort of the equivalent of a parent stomping his foot and emphasizing that he ‘really means it this time’.
Should all that extra work be necessary? It probably shouldn’t be in an ideal world – or in cultures like Germany, where social order is highly valued. In a cowboy culture like we have in the USA, however, it’s pretty darned important. We’re often inundated by what we consider ‘stupid’ rules, at home, in public, and at work. When an average person can’t see the value in a rule, they challenge it. They may complain about it at first. Eventually, someone will flat-out violate it to see what will happen. If they don’t get immediately smacked down, the public act of defiance will embolden others to start violating the stupid rule as well. The less that a rule is enforced, the more that’s it’s held in contempt even when it’s a bloody good idea to follow and it doesn’t cause anyone any harm.
That’s why I’m a huge advocate for companies writing as few rules as possible. I advise clients to define what’s critical to their business, and to craft simple, clear, unambiguous rules to protect those critical things. In all non-critical areas, apply a general behaviour standard that distils down to ‘don’t be a jerk to other people, and don’t get the company in trouble’. Whatever hard rules you have must be enforced every time, without fail. The first instance of selective enforcement (i.e. letting someone get away with violating a hard rule) will utterly undermine management’s credibility. Most companies only have a finite supply of willpower when it comes to chastising people; therefore, their precious reservoir of determination should be applied only where it’s absolutely necessary.
My approach frequently puts me at loggerheads with the ‘compliance’ crowd. These are people – usually lawyers – whose job is to protect the business from all possible theoretical future harm. They look at all of the potential ways that the business could get fined (by a government or regulating body) or sued (by an employee or customer) and try to craft administrative protective measures to mitigate every possible vulnerability. If a rule exists anywhere outside the company that could expose the company to risk, the compliance department will add a new rule to their exhaustive catalogue of Things Not Allowed. They’re often viewed (unfairly) as bitter, jealous misers who are bound and determined to erase every last scrap of joy and creativity from the enterprise.
I feel that’s largely an unfair characterization. I have met a few compliance people that were utterly insufferable.  Most of them, however, have been smart, empathetic people who were given an impossible job to do and tried their utmost to do right by in. The longer they served in a compliance role, the more they accepted as inevitable the compromise of writing rules that they didn’t really expect people to follow; if or when the company was sued or embarrassed, the blame could all be placed on the offender. They weren’t really trying to compel change; merely to pin responsibility. In essence, they’re placed into a role that demands a ‘green’ corporate culture even though their company is almost always a ‘blue’ culture. It’s immensely hard for them to succeed. For that, they have my empathy.
The most pragmatic approach to policy writing is to understand who your people are and how they think, and to then draft guidelines and directives that will resonate with your people as they really are. You don’t have to agree with your employees’ (or your clients’ employees) worldview; you only have to accept their culture it for what it is, and then deal with it on its own terms. Your overarching function as a policy architect is to influence people’s behaviour in order to mitigate a perceived risk. Therefore, it’s in your best interests to bone up on your social science principles. Invest the time to dispassionately evaluate your operating culture, and then change your approach to best align with the beliefs and values of your audience.
 I can rant on this subject for hours if you’re inclined to listen.
 Literally, pants. Or, rather, what’s under them.
 Or the ‘grunt/zoomie’ test, if you like. Except that sounds an awful lot like the Voight-Kampff replicant detection test from Bladerunner.
 We’ll cover that in a later column.
 Remind me later to share the story of why a rainy day is not a ‘corporate value.’
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.