The Need for Sanctions

Author: Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, DevOps FC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005 Lead Risk Manager, ISO 27032 Lead Cybersecurity Manager, ISO 28000 FC, ISO 31000 Lead Risk Manager, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, RESILIA FC, SFC, SSGB
Date Published: 24 February 2016

In many organizations, applying the COBIT 5 Culture, Ethics and Behavior enabler is hard. Many believe that all you need to do is write a policy, tell people about it and watch them change. However, it does not work that way in the real world. People do not always embrace change and new policy. They like their routines and often need to understand the “what is in it for me” (WIIFM) benefit before they will change. Sometimes, people need a little nudge. That is where the COBIT good practice of sanctions comes into play.

When I use the word sanction, people generally think of negative sanctions: a penalty for noncompliance with a policy or standard. But the word comes from sanctio, which means “act of decreeing or ordaining.”1 Synonyms for sanction include accredit, authorize, confirm, formalize and approve. So, there are positive sanctions as well. Think of a sanction as a way to encourage good behavior and to discourage bad behavior. There is no question that there is a direct link between individual behavior and the sanctions or reward systems your organization puts in place.

With some animals, reward systems are easy. Tell your dog to sit, and you give him a bone.2 It is not always so easy with humans, though. However, the idea is the same, as you are trying to mediate the effects of reinforcement. A reward or positive sanction does reinforce behavior. Often all someone needs is an “Attaboy!” or “Attagirl!” Given at the right time, positive acknowledgement is a very powerful motivator and increases the likelihood that the behavior will be repeated. Your reward system must show all employees the value that your organization places on that behavior. From a negative perspective, you might have to ask, “Is that a fireable offense?” From a positive perspective, you might have to ask, “Is that above and beyond the call of duty?”

Sanctions are a delicate matter. As the Inuit3 say, “By gifts one makes slaves and by whips one makes dogs.” By going too far in either direction, you create problems. You cannot make the reward seem gratuitous, but on the other hand, you cannot punish people unfairly. At one time, failures of systems were placed squarely on the users of the system. When something went wrong, we looked for a scapegoat, knee-capped that person, and then felt that everything had been dealt with accordingly. Now, we generally understand that we need to continually look for problems in our processes and fix them. Yes, there may be psychopaths and sociopaths in your organization, but generally, a person does not exhibit the correct behavior for one of the following reasons:

  • Missing—The individual is missing the information. That is, nobody ever told them the expected behavior.
  • Incomplete—The individual has incomplete information and will, therefore, exhibit the wrong behavior.
  • Not followed—The individual has the complete information but is not following it for some reason. There are myriad reasons why. One reason is that the information is nonsensical. Another is that the person cannot physically carry out the task. Many more possible reasons may exist.

Your reward systems should deal easily with the first 2. Addressing the third is the challenge.

Many people and organizations believe money is a good reward, and it is, up to a point. In the book 1501 Ways to Reward Employees,4 the author points out that this is not always the case. I have actually seen people take home less money after a raise. Darn tax brackets! When thinking of rewards, ensure that the reward is timely and specific. If you catch me doing something right, tell me then; do not wait until my performance evaluation 6 months later. And if you really want to reward someone, publicly recognize them for good performance.

One thing that most of us have learned is that rewards for good behavior are more effective than punishment when it comes to changing behaviors. Whether you use the carrot or the stick5 is your choice. One will help you. Choose wisely.

Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 28000 FC, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC, is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 Foundation/Lead Implementer/Lead Auditor, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.

Endnotes

1 Dictionary.com, “sanction”
2 Obviously, this is simplistic. My old Australian Shepherd would take the bone and do what he wanted. But that was my problem, not his, as I did not make him properly understand the rules of the game. Some managers have this same dilemma.
3 The Inuit are an Aboriginal people, the majority of whom inhabit the northern regions of Canada. Historica Canada
4 Nelson, B.; 1501 Ways to Reward Employees, Workman Publishing Company, USA, 2012
5 Originally, this expression referred to a donkey-cart driver. The driver offered a combination of rewards (the carrot in front of the donkey) and punishment (the whip to the donkey’s posterior) to induce behavior. The donkey would walk toward the carrot while walking away from the stick.