‘Sometimes it is necessary to bend the rules a bit’
29 May 2017
A recent survey asked employees why they did not follow the rules and much of the response sounded a bit like a child answering their parent. They might have been bored or there were too many rules to deal with.
The rule breakers were called out for violating company policies. Other responses included:
- “Sharing of information that clients need to know but we may or may not have been given permission but is needed information for clients to have for testing success”
- “They are borderline infractions.”
- “Unhappy with job, company.”
- “Sometimes it is necessary to bend the rules a bit.”
- “So many policies I don’t know them until I break them.”
- “I’m bored and I want to get on the internet and play games.”
- “We cannot possibly know when a client is going to need certain information for testing success and often times it is spur of the moment so although the management team has not given permission, we have to make on the spot decisions with the hope we do not give too much information.”
Software Advice surveyed 110 employees across a variety of industries to better understand the (in many cases) daily violations of company policy they commit. One in five employees admitted to daily or weekly policy infractions. Of the top industries in the survey, employee compliance violations are most common in banking/finance and least common in manufacturing.
Daniel Harris, market research analyst for Software Advice, cited the following examples of rule breaking:
- Employees open phishing emails because they do not get the proper training on how to distinguish them from normal emails. Compliance management programs include LMS modules that can get employees up to speed on this point.
- Employees tend to store data where it is easiest to store data unless they get specific training or unless workflows are designed to ensure that they store data in the right places.
- Employees use company resources for personal use because they are bored.
- Phone dial-ins are easier than joining virtually in some instances. Telecom expense management policies are also arcane and complex to understand.
- People get sloppy with data.
- People do not like paying for copyrighted work if they can avoid it, as witnessed by the success of file-sharing, torrenting, streaming, key-gens etc.
- Again, people get sloppy, and network policies are tough for non-IT personnel to understand.
He said compliance processes, such as preventive action and accident reporting, can be tracked in a variety of tediously manual ways, particularly at smaller organisations. GRC platforms that offer workflow modules, templates and governance features can streamline such inefficient, paper-based processes.
“When we add in the 16% of the sample that have issues with the complexity of applicable regulations, we can see that overall, the diversity and complexity of compliance requirements creates the potential for violations for over half of our respondents,” Harris said.
Data privacy violations are also disturbingly high, he noted. “As we’ve seen in cases such as the Target hack, such violations can have devastating consequences. Risk-averse companies should explore software-guided training courses in these areas. Automated workflows can also help to streamline processes such as incident reporting, thereby increasing employee compliance.”
The proposed answer to the problem is compliance management software, which is said to reduce both conscious and unconscious violations via training modules, automated workflows and compliance surveys. Such software can also reduce the number of policies employees have to contend with by mapping emerging requirements to existing policies and aggregating similar policies. Policies can also be mapped to controls to give better visibility into how each policy is actually implemented.
“Compliance management software can reduce both conscious and unconscious violations via training modules, automated workflows and compliance surveys,” Harris said.