Picture this: someone on your team has gone the “extra mile” only to have those solid efforts backfire so far and so hard that now not just your team will suffer, but your company may miss earnings goals and lose gains made in the marketplace for at least a year.[1]
[1] Our Minnesota neighbor Target is all too aware of the negative impact a single event can cause. Target’s Red Card security issue was announced January 2014. The stock price immediately fell and did not return to normal until December. What opportunity costs did it suffer during 2014? Chief competitor Amazon made short-term gains in its stock price during Target’s year of recovery.
Today we’re going to discuss the enormous impact of non-compliance and how better training, policies and procedures – utilizing instructional design – can help prevent non-compliance in the first place.
Instructional Design is a framework for creating instructional and training experiences that are more appealing, efficient and effective.
Such errors can cost millions of dollars in direct costs and incalculable other costs such as opportunity costs, tarnished personal and corporate reputation, and so on. Let’s call these direct and indirect costs Detritus, and the unproductive meetings, breakroom angst, and speculating by the company’s employees Churn.
Detritus: The direct and indirect business costs following an adverse event.
Churn: Unrecoverable time and energy expended by employees following an adverse event.
At first glance, the Waste seems grossly disproportionate to the triggering event. But dig in and you see that between the event—for example, an employee forgets her work papers on the subway[2]—and the Waste, is the organization’s negligence or gross negligence (or worse).
[2] The Massachusetts General Hospital settlement in April 2011 included a $1 million fine and 3 years under a monitoring program with the federal government for HIPAA violations. MGH’s employee brought paperwork home with her, and then forgot it on the subway the following morning. One can only imagine what a superstar she thought she was being the night before, bringing work home with her. The paperwork included information concerning 192 HIV patients.
Standards vary by state but the difference between negligence, gross negligence, and willful disregard (which in some states is the same thing as gross negligence) could be seen as the degree to which indifference is systemic to the organization.
There probably are situations where the organization behaved reasonably and the fines seem disproportionate, nonetheless. Even so, it is not logical to throw up one’s hands and say “I might as well do nothing because the government is going to get me one way or the other.” The difference in financial penalty between exercising a very basic level of effort to prevent and correct compliance incidents and doing nothing is substantial.
Bottom line, the employee’s act is just a symptom; the organization has the disease.
Fortunately, a vaccination against Waste is available. It is not 100% guaranteed, and it is not easy, but it is fair to innocent bystanders to inoculate everyone.
Vaccination requires deploying effective training.
Effective training requires effective plans of action, i.e., effective job aids and policies[3] upon which to train.
[3] In the compliance world, policies, procedures, job aids, and work instructions are not the same thing. However, they all have a primary purpose: communicating the business’s expectation of behavior to the employee. What this post says about “policies” is equally valid for “procedures,” “job aids,” “work instructions,” “SOPs,” and similar documents. I use “policies” to mean all such materials.
There is an entire field of knowledge around how to make training efficient, effective, and engaging. If you are fortunate enough to have a background in instructional design, the rest of this post is NOT for you. If you are even more fortunate and work at a place where it is your role to inspire others to do good work, but a course in instructional design isn’t in budget this year, read on.
Photo of a white antelope taken during a snow storm, January 2018. Actually, see here.
Policies in many service organizations are so stuffy, outdated, or generic that they are not useful. (Let’s call the style found in such policies Old School.) Old School policies may be in paper format or distributed via a web portal. Either way, they are also commonly difficult for employees with disabilities to consume.[4]
[4] If your audience includes people with, for example, color blindness or low vision, hearing loss, limited fine motor control, or cognitive impairments like distractibility or learning disabilities, your policies and training tools need to adapt. Fortunately, the changes will make your content clearer for everyone. See WebAIM for more info and guidelines to make your content perceivable, operable, understandable, and robust.
Ah, but you say ‘our lawyer wrote our Old School policies X years ago at great expense. Don’t touch them!’ It is a strange business indeed where neither the operating environment nor the risk the policies were designed to mitigate has changed. Furthermore, if employees aren’t able to provide input on improving (i.e., revising) the policies, can the team really take the policies seriously?
A playbook approach to policies surpasses an old school strategy in at least 5 ways.
# | GOAL | Old School Strategy | Playbook Strategy |
1 | Easy for users to access and understand. | The length and complexity of interwoven policies, whether on paper or poorly executed digital, make them hard to consume. | Digital distribution allows for chunking into shorter, consumable bits, hyperlinking, and flowing changes through all related materials, with accessibility features. [5] |
2 | Empower employees to make good decisions. | Policies are either too broad or too specific and do not deal well with variations or outlier events. | Use sample scenarios and explain the logic behind the desired decision. |
3 | Be ‘in sync’ with operations as the business and people change. | Policies lag real life operations. Policies in multiple locations means there is no single source of truth. | Digital content with appropriate permissions and approval gating means the business can iterate policies to address changing needs and distribute in near real time. |
4 | Users comply with the documented expectations. | Users responsible for executing the policies have little enthusiasm for or influence on the development and maturation of those policies, and thus, compliance with the policies may be lackluster. The organization doesn’t know if users comply until there is a large failure, or the organization monitors compliance with such general requirements that it can’t be sure users will know what to do in a true conflict. | Content is as engaging as it can be, using graphics, white space, and short, active direction when possible. Too few people make time to review policies to see if they are even being followed, before something goes wrong, or to determine if they are even relevant to the team anymore. |
5 | Sensitize employees to identify unusual patterns or variation, and then seek help | Use broad language lacking specifics such as “We comply with law.” Too grandiose to be meaningful. | Provides scenarios, or briefly explains why a step is required (or recommended), so the user can apply the same logic to events that don’t exactly fit the policy. |
[5] Melinda Sewell, Sr. Compliance Manager at vRad, discovered well organized, interlinked policies by an FDA-regulated business, Tidepool. See Tidepool Google Docs Sample
If these issues are endangering compliance at your organization, consider adopting a playbook content and distribution strategy.
A playbook focuses on practical guidelines that should be considered in given scenarios and why. It is presented in a manner that is easy for users to consume (white space around text, graphics, screen shots), and thus does not adhere to a strict format. A playbook may involve many people and many decision points. This is both a strength and a weakness.[6]
[6] There should be a good reason for using a paper manual. At vRad, users are advised to print a paper version of the business continuity plan and have it available off-site in the event of a “smoking hole” scenario. However, there are no other paper-based policies. If your organization “needs” paper policies, ask “why?” Keep asking why at least 5 times to get to the root of the issue.
The playbook approach can help achieve 3 metrics of an effective policy that other SOPs simply don’t accommodate: flexibility, clarity in meaning, and visual clarity.
Old school policies undermine flexibility because they:
In contrast, playbooks are ripe with flexible options because they:
Playbook thinking means including alternatives for users, such as:
[from a Crisis Communications Plan and Playbook]
Manage the situation with these goals in mind:
Old school policies are vague, with overarching purpose or scope statements that add little value. For example:
This procedure ensures SuperCo complies with all laws and regulations governing the confidentiality of employee data. It applies to all SuperCo employees worldwide who have access to confidential data.
A playbook explains the benefit or purpose at each step. The net result isn’t necessarily fewer words, but users know the “why” behind what they are doing.
For example:
Steps 1-4 prevent unauthorized access to employee data.
User should perform step 5 or a similar test to verify that steps 1-4 were performed.
Or:
(A) Export monthly log for prior calendar month. Review for anomalies and store at location xyz.
This log is an audit trail showing which users accessed which files and when. Our Compliance Plan and the OIG require proactive review of audit trails for compliance with HIPAA and SOX.
(B) Store the file on server abc using naming convention RecordAYearMoDate.
This server has limited permissions as required by our SOX policy, # 123.
Contact Helpdesk if you wish to store elsewhere.
You can tell you have an old school policy if it:
Playbooks embrace design fundamentals. Your policy is a playbook if it:
For example:
User A
User B
Some processes simply must be followed to the letter. Accounting transactions should be executed the same way every time, for the integrity of the financial records. Worker safety requires that heavy equipment be maintained and used according to certain parameters, all of the time. IT Security requires that all new laptops are set up and deployed a certain way, every time. Though there may not be a lot of choice allowed during certain processes, there are many choices one makes in how the material is presented that can affect whether or not the information will be put into practice. Basics applicable to any policy, job aid or other tool:
[6] Pros and cons of bullets could be a whole ‘nother blog post. Oh wait, there are already such posts. See: http://fi.deluxe.com/community-blog/financial-marketing-insights/bullet-points-some-pros-and-cons/ and http://websitecopywritingservices.com/blog/bullet-point-secrets/ and https://www.copyblogger.com/writing-bullet-points/
An electronic playbook is ideal because the user can search, click hyperlinks, and suggest annotations or updates that can be deployed with relative ease compared to paper manuals or overly-strict SOPs. Each playbook and site hosting several playbooks are best owned by the department or team responsible for executing on it.
Playbook sites are frequently colorful, engaging, and even a bit whimsical. Two examples of SharePoint playbook sites at vRad are shown below.
One vRad team puts a heavy dose of “play” in its playbook site.
The Office of General Counsel playbook site similarly makes good use of the flexibility afforded by Microsoft’s SharePoint platform.
At vRad, we are gradually using more playbook-style guides and wikis. Complex processes include narrative augmented by diagrams. Below is an example from a cyber-incident response playbook.
We break down department-oriented playbooks into buckets that can be visually appreciated or taken in all at once. For example: a privacy wiki is shown at left.
The content on a wiki page is similar to what one would find in a typical process, but provides a digest version for a quick reminder on how to do something.
Arming staff with easy-to-consume support documentation enables them to do their job quickly, confidently and correctly – whatever challenges arise.
And while we certainly can’t measure the number of non-compliance events a particular strategy will prevent, we can be certain that preventing even a single lapse in compliance – or simply reducing the severity of that lapse – will be worthwhile.
The delta between a fine for negligence and gross negligence is at least 2x, and the delta between negligence and fraud or willful disregard is easily 10x. It is 30x in the case of HIPAA violations. These figures may be a useful estimation of the difference in Detritus and Churn that accompanies each situation. The severity levels below indicate increasing indifference to the regulations and the steps necessary to ensure an entire organization is committed to “how we do things around here.”
Regulatory Issue | Severity 1 | Severity 2 | Severity 3 |
Customs violations, civil penalty; 19 USC sec. 1592 | negligence: lesser of (a) domestic value of the merchandise; (b) 2x the duties, taxes, and fees on that merchandise; or (c) 20% x the dutiable value of the merchandise. | gross negligence: lesser of (a) domestic value of the merchandise; (b) 4x the duties, taxes, and fees on that merchandise; or (c) 40% x the dutiable value of the merchandise. | Fraud: not to exceed domestic value of the merchandise |
Differential (Compared to Level 3) | 0.20 | 0.40 | 1.00 |
OSHA; 29 USC sec. 666 | serious violation: $12,675 per violation | serious + failure to abate: $12,675 per day beyond abatement date | willful or repeated: $126,749 per violation |
Differential (Compared to Level 1) | 1.00 | 2.00 | 10.00 |
HIPAA; 42 U.S. Code § 1320d–5 | negligence: $1,118-$55,910 per violation | willful neglect, but corrected within 30 days of either knowing, or by exercising reasonable diligence, would have known, that the violation occurred. $11,182-$55,910 | willful neglect and not corrected within 30 days…: $55,910-$1,677,299 |
Differential (Compared to Level 1) | 1.00 | 1.00 | 30.00 |
[7] As of January 13, 2017.
[8] Assuming 2 days.
I don’t know, but I have a good place we could look.
Karen Scott