Skip to content
All posts

Enforcing Policy Compliance

Congratulations -- as a manager you've embraced your responsibility to require that people follow certain rules in their work -- you have to "enforce compliance with a policy" -- and now you get to wrestle with how exactly to enforce this. 

You've learned by now that decreeing something, doesn't make it so. You need to take positive actions of your own, in order to get others to take their actions. 

Be careful. This could put you on the path to toxic leadership -- or it could put you in the Hall of Fame as "Best Boss I Ever Had."

I advise my clients to focus on these things:

  • Build and maintain a strong trusting relationship with each person whom you manage. (This makes them want to comply when you require things of them.)
  • Only set the policies you truly need to set. 
  • When you do need to set a policy, do it clearly. (See related article.)
  • Treat new policies as naive first drafts that need to be adjusted to fit reality.
  • Encourage creativity in finding ways (process steps) to comply with policies.
  • Prove you're serious by checking on compliance.
  • Treat non-compliance as a puzzle to solve, not an offense to prosecute (at first).

The Danger of Not Inspecting

If you set a policy but never check on whether it's true, you undermine your people's confidence and trust in you. You're seen as behaving erratically -- because you've contradicted yourself. Your words and actions don't match. You come across as lacking integrity.

Here's why weak enforcement lands like low integrity. First you say it's important -- because you exercised your positional power to set a policy, a rule. Second you behave that it's not important -- because you can't be bothered to admire the work they put into complying with your rule.

So, if you're not prepared to inspect (or assign inspection and then pay attention to the report), it may be wiser not to set that rule in the first place. 

Indeed, the first step in creating a climate where fraud flourishes is to set policies but not enforce them.

Compliance Checking Approaches

OK, now you're at the point where you've found at least one rule that's important enough to insist on -- so you set the policy -- and that you're willing to put out the effort of enforcing -- so you're ready to check up on compliance. 

Suppose you need your people to follow a file-naming convention at your law firm. What are your options for checking compliance?

  • Periodic random sampling of recent files to check compliance - either by you or by someone you assign. (A common pattern in the US Army is for a captain to assign a task to Lieutenant A, and then assign the inspection of that task to Lieutenant B, and to include reporting as part of each assignment.)

  • Asking colleagues who value compliance to help with spot checks

  • Announcing periodic checks and making a show of inspecting files (not punitively)

  • Asking lawyers to inspect files jointly w/ their paralegals and provide you with screenshots

  • Tracking compliance rates and increasing the frequency of checking for poor compliers

  • Emphasizing continuous improvement of training and systems over blaming individuals

  • Discovering root causes of high vs low compliance and make compliance easier (i.e. create a batch uploader that renames files automatically)

Make Compliance Easy - Automation Opportunities

If compliance is effortful, it'll be less likely. Look for opportunities to automate portions of the compliance task.

If 50% of incorrectly named files are images that arrive in batches of several dozen at a time, you may find workers resist renaming them due to tedium or time constraints. Or they may make errors because of the sheer volume of repetitive work. Consider investing in a batch program that accepts a few keywords as input, then applies the renaming rule AND uploads the renamed files all at once. This would increase compliance while saving time.

Adjust Compliance Scope

The first version of a rule or policy is always "naive" -- you don't yet know what exceptions you should make. Therefore, soon after rolling out the policy, look with sensitivity at where your good workers are more vs less compliant. 

Be willing to question whether compliance actually matters in every case. With the file renaming, perhaps the standard isn't actually useful for certain file types like images and emails, which also happen to arrive in bulk. 

If you do make exceptions, make the exceptions official -- neglecting enforcement via "nod and wink" or tacit understanding is actually corrosive to good order. It can easily send the message that none of the rules are "real" or that rules are actually arbitrary and whimsical. Bosses often tend not to mind this, not realizing that about ⅓ of your directs will find this emotionally distressing, and a majority will find it offensive. (It sends a "rules are for thee and not for me" message and implies that the boss will happily get people in trouble based on whim or private personal preference -- and undermines the sense of integrity that forms the foundation of legitimate authority.)

Beyond Inspection - Punishments and Rewards

It's been said that all of parenting comes down to threats and bribes. Some say management is similar. I disagree.

(Not about parenting -- that part tracks. But management and leadership are NOT parenting.)

If you reward people for compliance, you send two bad messages -- one to your people, and one to yourself and your theory of organization. 

  1. By rewarding good compliance you send the message that compliance is "good" or "nice" and people should "make an effort" to comply. That's not how compliance works. If you've set up a rule, then that rule is not optional. Employees follow the rule because that's how we do things here. If something is optional and nice, it's not a rule -- it's a suggestion. Things I incentivize with rewards are things that are in some sense "above and beyond" -- they are not compliance, by definition. I would incentivize people for trying new things, or for staying late or otherwise exceeding the boundaries. Those are cases where I want them to know I see the extra effort and I appreciate it.  
  2. If compliance is effortful, you're probably doing compliance wrong. People shouldn't have to try all that hard, so rewards are a mental misdirection. Make your systems so easy that doing it right is actually easier than doing it wrong. 

You do have to punish non-compliance. But only after you've used curiosity and creativity to understand the root cause of the non-compliance, and you've engineered the system to make compliance easier, or at least very easy, and after you've explained the importance of the rule and you've trained people. Once that's done, you actually have a duty to incrementally sanction people for not following rules that are (A) easy to follow, (B) important and seen as important, and (C) that they have been trained on and have demonstrated they can follow. 

Some Caveats

This article is for people getting started on more formal policy setting -- because you're new to management, or you business has grown to the point where you need more formalization of mutual expectations. 

This article does not begin to touch the depths of detail needed in certain highly regulated industries. If you work in financial services, healthcare, pharmaceuticals, utilities, food or beverage manufacturing, aviation, defense, aerospace, etc. -- you must embrace a high level of formality and seriousness towards policy setting and enforcement. 

See Also: Establishing Policies: Create Accountability with the PRoPeLS Pattern.