In “Mischief of Many Sorts” I offered the view that rules are all very well but they follow the dictum of necessary but not sufficient. I concluded that piece on the issue of ethics and asked the question: “How should directors prepare for the sins they know will be committed?” Sound, strongly held ethics are the best defense, and if we could only be sure that they will always be in operation this page would be unnecessary - but it is.
A dilemma for directors is the fact that ethical behaviour is not simple. Not only does one have to know the right thing to do, one must also have the intestinal fortitude to do it. Ethical people believe in honouring their word, respecting the law, acting honestly, respecting other people’s property, displaying loyalty and working hard - but even these virtues are not sufficient unto themselves for there is always the question of circumstance. Companies write policy manuals to describe expected behaviour, and directors take comfort from those pages. Some manuals, such as the one for public companies called Internal Financial Control and Reporting, are largely prescribed and one assumes that the board spent a lot of time approving them. To the extent that such rules and regulations are complete, clear and understood they are a comfort and a bulwark, but treating them as a panacea could be perilous.
If humans knew and heeded all the rules no one would jaywalk, or throw litter, or act rudely - but they commit all those petty acts and more. The problem for a director is what to do about the absolute certainty that somebody at some time is going to act badly, the event will be connected to the company and it will be costly. This is a small attempt at helping to prepare for that eventuality.
The diagram on the following page can be treated as a thought experiment or perhaps a rough form of early warning radar. It could be either. It assumes that it matters not whether the “sin” is perpetrated during working hours or on company premises or neither. Once the gaffe has been enacted it will be attributed, and the time and place will matter less than what was done. The more colourful incidents are prized as such. Media attention will always find a drunken CEO more newsworthy than the same person working with a charity, just as the CEO will attract a lot more attention than the janitor. To start, think about when and where employee (or director!) activities might occur: “Inside Normal” is within normal working hours and on company premises, and “Outside Normal” is off premises and/or outside of nine to five. Then, consider the “rules” that should apply, that is, the contents of the company policy manual, the code of conduct, the company mission or a statement of principles or values. For the sake of this discussion assume that the employee in question knows these well, so the degree to which the situation is covered is also known and understood, or at least it is to the extent anticipated by the manual writer. This allows us to construct a diagram that maps the possibilities (and, yes, it is overly simplistic).
It identifies the likely degree of influence of policies and rules when they are applied to behaviour in all the situations that might occur. These behaviours are either Inside Normal or not, and they are seen either as closely related to the company and its world, or they seem unrelated. We can expect the typical employee to behave accordingly, plus or minus variables such as mood and stimulants.

This simple construct recognizes that the influence of company policies is likely to diminish when the employee is off-site. Similarly, a policy is more likely to be ignored if the employee judges the issue it addresses to be unrelated to the company and its business, even when on company premises. In other words, corporate policy is less likely to influence the behaviour of an individual if he or she is not “at work”, e.g. if they are engaged in sports or in volunteer work. In this way corporate policy is rather like parents attempting to influence a child’s behaviour when the youngster is out of sight and beyond the range of their voice.
The model divides behaviours into four groups, and the colours are suggestive. We expect an employee at work to pay attention to company policies that are specific to their job, i.e. they have a strong influence. Green cell behaviours are unlikely to attract risk.
Behaviours that might occur in the yellow cells need some cautionary attention while those in the red cell are likely to be problematic. For example, an employee at a trade show is operating in the bottom-left cell, but is less likely to cause a problem than that same employee later the same day, now relaxing in a bar - after crossing to the right into the Red Zone.
Companies and their boards cannot address all possible issues, no matter what they might wish, but emulating an ostrich is unwise so setting priorities is in order. The grid can be used like early warning radar, highlighting problematic situations, when they will arise, and what level of risk they are likely to incur. Many Red Zone risks are reputational, and recovery is difficult, so prevention or avoidance is better than cleaning up afterwards. The “legitimacy matrix” provides a stress test for any given policy, because using it as a framework for thinking will “paint” a blip of risk while it is still at a distance and evasive action can succeed. The directors of small companies might consider setting aside all those issues likely to be “in the clear” (meaning they are in the green cell and should not be a concern), ration their time on the amber zones and spend their precious time and effort on the Red Zone.
They should expect that most of the Red Zone risks will originate either with some form of conflict of interest or the wonderful way that humans have of behaving like humans. Obstreperous and thorny by nature, these issues thrive in the less-defined and thus risky climate of the Red Zone. They can come into play at any time, usually without warning and often from an unexpected quarter. Worse, entirely new and parallel Red Zones materialize where none existed when the stakeholders change and new values and opinions redefine the boundaries. For example, many small companies start life as family concerns or they may be owned by two or three good friends. Their culture is relaxed and informal. There are no rules about entertaining customers, or using the corporate golf membership for family and friends, or granting favourable payment terms to a supplier who just happens to have gone to high school with the owner. Laissez-faire is an attractive style and may even be a “best practice” in some circumstances. Then the boundaries change and Red Zone issues materialise as a small company travels the path from private to public, or from family-owned and -operated to professional management.
Instead of opting for ostrich behaviour it is infinitely better to consider the whole set of possible conflicts in a proactive way and provide clear guidelines for one and all. You cannot cover every eventuality, but you can be specific on the majors and set a framework to judge the minors. Be proactive - it takes time and effort but much less than removing the persistent stain of a major attack on your company’s reputation.