Late last year I was on a conference call, hashing out some ideas for sessions to hold at the Compliance Week 2011 conference. On the phone was Scott Giordano, general manager of the GRC software vendor Mitratech. I asked him what a good subject would be.

“Policy management!” he said. “Just look at those enhanced pat-downs at the airport and what a mess that is!”

Giordano had a point. The Transportation Security Administration had just rolled out its policy of enhanced pat-downs for anyone who declined to walk through a back-scatter portal (“peepshow machines,” my mother calls them), and indeed, the situation was a mess. Every airport seemed to interpret the TSA standard differently, leaving passengers fuming and all the more eager to abandon the pat-down plan entirely. Giordano said it was a great example of a centralized office crafting a universal policy, which the local business units then fail to enforce uniformly.

Policy management has been on my mind again because we've seen a titan of Corporate America slow-roasted over the flames of public scrutiny lately: Walmart.

Walmart appeared before the U.S. Supreme Court on March 29 to fight a potential class-action lawsuit alleging discrimination against female employees. The plaintiffs' argument was fairly straightforward: Yes, Walmart did have a policy of nondiscrimination for pay and promotion, but it left application and enforcement of that policy to local managers. That approach inherently encourages lax enforcement, the plaintiffs said, and created the inequitable situation for female employees that allegedly exists today.

I see the logic of that argument, and no doubt at least some female workers at Walmart have been low-balled on pay or promotions over the years because of their gender. Still, I struggle with this. We in the compliance community talk all the time about the benefits of “principles-based governance.” Well, that's what Walmart was encouraging. It gave local managers the broad policy mandate not to discriminate, and left them to use their best judgment on how to achieve that.

Critics might say such local discretion to interpret a policy allows abuse to creep into the system—but we raise those complaints only because discrimination is so offensive. Remember that in 2005, Walmart applied that same flexible policy approach to its response to Hurricane Katrina. It essentially told local managers to do what was necessary to help their local customers, and they did so with gusto. One manager had a bulldozer demolish a wall so she could distribute emergency supplies; another drove a forklift through a wall so he could fetch water for the local nursing home. 

My point here is that a flexible approach to policy management has benefits and flaws—and companies would do well to think hard before changing their approach to policy management simply because one particular flaw glares out at us. If you want to go down that road of strict policy enforcement across the whole enterprise, that's fine; but you lose flexibility at the local level. Or, as Justice Antonin Scalia phrased it while grilling the plaintiffs: “It's either individual supervisors who are left on their own, or there is a strong corporate culture that tells you what to do. If somebody tells you how to exercise discretion, you don't have discretion.”

A discretion-less environment is a dangerous thing; you lose the ability to make judgments, bad as well as good. And remember that at the end of all these theoretical debates about policy management are your employees—they are the ones whose decisions create the compliance at your company. Do you really want them thinking, “Management has a policy for everything, so I should just obey policy, do my job, collect my paycheck and go home”?