This column is not about compliance, or at least not “Capital-C” compliance; it is about compliance generally, corner-cutting lawyers and inscrutable IT departments. It’s also about workplace rules and constraints, imposed in the belief that they’ll facilitate the attainment of generally agreed-upon good things, and why they often fall short. Under these circumstances, what options are left?
How many of you have labored over clear and comprehensive information governance requirements for your company, then learned (all too often during litigation discovery) that one executive maintains a removable hard drive of everything he’s ever laid hands on, “just in case I need it”? How about an employee termination on your desk for approval, where the manager did not provide required written warnings because, he claims, his relationship with the employee in question “just doesn’t work that way”? You look at the policies at issue, and to your eye, they’re clear, concise and easy to find, and all employees have confirmed that they read and understood them. What’s more, the employees who colored outside the lines are all respected, rational, solid performers. To paraphrase Seinfeld, what is wrong with these people?
Sadly, we attorneys are often also “these people.” At dinner recently with several lawyers, the conversation turned to the aggravations each experienced at the hands of their IT departments. One reported being periodically blocked from her Westlaw subscription, where unblocking took hours and required management approval. Many acknowledged deploying personal laptops, tablets or removable media to work around security barriers that, they claimed, added time they couldn’t afford to waste, or prevented otherwise appropriate conduct entirely. The variably sheepish consensus about the propriety of the workarounds boiled down to “I can be trusted to protect this data, preserve client confidences and provide effective and efficient service, and these policies keep me from doing that, so I’m fine.” My impression was that the realism of this viewpoint varied considerably from speaker to speaker.
We lawyers like to think we’re special, and that we’re uniquely qualified to color outside the lines because we’re uniquely capable of adhering to the spirit of a workplace rule even as we disregard the letter. Are we? Are our IT “improvisations” any less of a problem than the file clerk who’s printed every instructional email his manager sent him since 2002, and saved them chronologically in a three-ring binder as thick and heavy as a canned ham?
So often, we must work within a system of constraints and requirements we didn’t choose, even though we wholeheartedly identify with and support the goals of those systems. From the vantage point of the constrained, maybe the requirement doesn’t clearly support the goal, or strikes an unacceptable balance between efficacy, efficiency and safety.
What can we do to improve outcomes? I gleaned several clues from the aforementioned confessional dinner. Many stated that they only became aware of the IT restrictions by bumping into them while attempting to complete time-sensitive tasks. They sometimes didn’t see any nexus between the restrictions and their notions of “security.” They were not part of any pre-implementation discussions to assess the impact to their business processes. They received no training on ways to accomplish necessary functions within the changed systems.
This suggests several strategies if we’re imposing policy. First, get real buy-in and shared understanding of the underlying purpose for the proposed changes, before they’re implemented. If people are about to have a tougher time doing something, or be prevented from doing it, they’ll be better equipped to change their ways if they see their values represented. Wherever possible, clearly communicate what’s changing in sufficient time to solicit feedback about the business activities affected. Focus on the changes when they roll out; infuse the training with a healthy dose of “let’s remember why this matters,” tying back to that shared understanding previously attained. Within weeks, or maybe days, of implementing the change, ask directly for feedback from a representative sample of the people subject to the requirements, and clearly identify obstacles to compliance.
In time, you’ll see better outcomes from “these people.” With any luck, your nemeses in IT or elsewhere will model your approach.