Some organizations claim to hold "respect for others" as a core value, but when you look at their documents the story is different. Whether they call them "policies," "terms and conditions," or simply "guidelines," most of these rules sound like they were written by angry parents talking to naughty children.
Changing the way organizations think about governance – changing the culture of governance – is a true OxyMoron mission. That’s what Lewis Eisen is all about. He is a well-known writer and speaker on governance policies and the author of How to Write Rules that Others Want to Follow: A guide to drafting respectful policies and directives. Get his book. Now.
Here’s my curated summary of my OxyMorons conversation with Lewis. Any errors in transcription or curation are mine.
What’s the most surprising thing on your Spotify/Pandora playlist?
I'm not on Spotify or Pandora. I go through YouTube. I'm a Pentatonix fan and a big fan of acapella music. [Note: You can find a Pentatonix playlist HERE.]
How about your guilty pleasure TV binge?
During COVID, especially in the winter, you spend more time inside and we’ve been watching Downton Abbey. I didn't see it originally and we are binging on it now. [Note: Although it’s nine years old and the language is a little rough, “Downton Diddy” still makes me laugh. Google it.]
What's the biggest mistake that organizations typically make when they set up governance policies?
I’m basically a “reformed lawyer.” [Note: Perfect for an OxyMorons show!] I practiced law for a while and then went into IT consulting for 20 years. I worked for 17 years with the government, most of that in information management and with a focus on policy writing.
What I ended up realizing was that we write legislation in a far different way than we write policy. If you look at the way legislation is written, most laws don’t sound half as vicious as most of the governance policies that we send to our employees. People are worried that if their governance policies don't sound strict and stern, then no one will follow the rules. But think about the way criminal laws are worded. They're very straightforward. 80% of the penal codes in the 50 US states say things like, “Setting fire to houses is arson. Arson is a crime. The penalty for doing it is two years in jail.” The laws don’t adopt a paternalistic tone about how arson is bad, and forbidden, and “you must not do that,” and so on. The laws assume that those considering arson will weigh the benefits and the costs and make a calculation and a choice.
What kinds of unintentional and counterproductive negative messages do we send in our governance policies?
We frequently talk about control, doing bad things, and punishment, as opposed to helping employees do their job. In these two examples, the policies on the left are all about dictating behavior, while the ones on the right are all about offering to help. The ones on the left are the very typical old style policy, which is, “Here's our command, and here's the punishment.” In other words, you better not break this policy, because you don't want us to have to think of how we're going to punish you. That's what our policies often sound like. They certainly do not move the agenda of collaboration forward. The ones on the right just describe the way we handle things. Our job in governance is to help employees better understand how to do their job and the right thing at the same time.
What is the different between corporate values and strategies?
Organizations frequently misunderstand values and strategies. “Compliance” is not a corporate value. Compliance is a strategy. For it to work, there must be a clear corporate value behind it, and that value is integrity, corporate integrity. Transparency is another example. My colleague at the Royal Canadian Mounted Police originally tried to push the concept of transparency, encouraging people to release policies and information publicly. Everybody said, “What a great idea,” and then never did anything. The problem is that “transparency” is not the value, it is a strategy to achieve the real value -- earning the trust of the public. When he moved the discussion to the right value, he started getting better results from his colleagues.
What is the difference between policies and standards and procedures?
A procedure has a beginning and an end and steps in order, and you do it and then it's done.
A standard is a set of technical specs. And when I say technical, I don’t necessarily mean “technological,” I mean measurable specifications. People will tell me that they have a standard to “keep their drives clean,” and then also tell me that “nobody’s doing it.” My question is usually, “What's the standard for a clean drive?” As subject matter experts, I think we need to help define some of these targets and set out standards that describe specifically where we want to be.
A policy is a statement that it connects how you as an organization, carry out your strategy and how you make decisions. That's what a policy is. Using a privacy example, let’s say our corporate value is that we want the public to trust us. So we're going to have a strategy that says we need to take extra care of private information. Based on that strategy of taking care of private information, we might have a policy to “proactively do inspections on apps before we release them.”
How can organizations make their policies “stick” without being overbearing to people?
The first thing organizations should do is check their corporate values. Start at the top and look at the mandate for good governance and how (if!) this mandate connects with corporate values. Corporate values are not things like compliance and standardization; those are really just strategies. Values are things for which people will join your organization – or leave it. Values are things like being a trustworthy organization, an organization that can be trusted by employees, partners, and customers. Nobody leaves an organization because you failed to standardize a particular process. But they will leave if you're not living up to the values you claim to espouse.
The job of an IG professional is to help create the technical specifications that allow an organization to achieve its governance mandates and live out its values. Our objective should be to specifically answer these kinds of questions: What is a good governance? What is a safe system? What is a good image? What does good life cycle information management look like? Let's describe it. Let's paint the picture and create technical descriptions that define this picture.
What are you going to talk about at the MER Conference?
I’ll be conducting an Information Governance Policy Drafting and Wording Workshop at MER. I’m hoping to give attendees of the workshop three key takeaways:
Techniques for wording mandatory statements.
A list of words that trigger people's defenses and prompt resistance.
Visual aids to help you explain your approach to other policy writers in your organization.
The MER Conference is great. When I was a lawyer, what I learned was that policies were just extensions of contracts, and so we treated them as such. When I got into the business world, I realized that policies are not really extensions of contracts; they should not be adversarial documents. Policies are supposed to be collaborative. Records people and lawyers need to learn to work better together. The MER Conference is a forum where we're all in the same room and we can have that discussion of how we should work together.
(MER Registration information and the Conference agenda are HERE.)
What do you what do you know now that you wish you knew then?
When I was 25, I knew everything. Now, many years later, I realize that nobody knows everything. I wish I had been more open to realizing that my view of the world was narrow.
——-
These posts might also be of interest…