WPYO? The question Risk & Compliance Officers should ask their business

Reader warning: this post contains a word that Ofcom, the UK media regulator, classifies as “medium” in terms of potentially giving offence. They don’t regulate blogs and I use it for a very specific reason, but given this is work-related, it’s only fair to warn you.

Ask the audience

If you work in Risk or Compliance, then you’re in the business of influencing human decision-making, whether you know it or not. That’s because organisations cannot be compliant or manage risk of their own accord. It’s the people within the organisation that determine whether those things happen. Or don’t.

Yet all too often, we ignore the perspective of the people we’re trying to influence. The logic seemingly being that because we employ them, we can simply tell them what to do.

In some situations, this can make sense. We don’t want people maintaining nuclear power plants to make innovative decisions about what to put into the reactor and we want people working in the food industry to follow strict guidelines when it comes to washing their hands, rather than undertaking self-assessment to determine levels of cleanliness.  

But there are many other aspects of Risk & Compliance frameworks, particularly in the Knowledge Economy, where we need the cooperation of the target audience. Either because there is a qualitative element to what we need them to do, or because we can’t put in place pre-emptive controls to prevent undesirable outcomes. You can require people to be ethical, but you’ll generally only know if they haven’t some time afterwards, when it’s too late.

We will get better outcomes from a Risk and Compliance perspective if our target audience is “on board” with what we’re trying to get them to do. I’m not suggesting we allow them to write or police the rules themselves. But what we can do is try to see things from their perspective. People are sentient beings whose propensity to do something they’ve been told to is not driven purely by logic; rather it is driven by their perception of factors such as the likelihood of getting caught, the legitimacy of the authority issuing the instruction and the risk the requirement is seeking to mitigate.

Whether we want to admit it or not, every single one of us has broken rules and laws we think are pointless or ill-conceived. We really shouldn’t be surprised when our target audience doesn’t always follow requirements that they see as onerous, difficult to understand or painful; or if they question the authority of the organisation in that particular field. Workplace dress codes come to mind.

So how do we find out what the target audience thinks? Here’s a radical idea: ask them! The question I think we need to ask is:

“What pisses you off?” (WPYO)

The very fact it’s not a question you’d ever expect to hear from Risk or Compliance is part of what makes it so powerful.  Though of course, I’ve neutralised your response to it somewhat, by warning you it was coming at the top of the article.  

My rationale for asking the question in that tone is that perception is an emotional, rather than logical process. To really find the things that most bother people, we need to tap into their emotive brains. If you’re politer than I am and can’t phrase it in quite that way, then find an alternative that works for you. Just make sure you ask it in a way that puts the person you’re asking at the heart of it. You want to understand how they feel, so avoid questions like “what could we do better?”.  When you get an answer (and I’m fairly certain you’ll get at least one!), find out why they feel that way.

Armed with that information, you can make a decision as to what to do about it. The answer isn’t nothing; asking for their opinion and ignoring it is arguably worse than not asking at all. There are two main options:

Your first potential response is obviously to change the thing they don’t like.  Perhaps they’ve identified a design flaw in the control framework; an unnecessary procedural step or something that is unclear.  Whisper it, but they might even have good ideas for how to improve things.  

The alternative option, where you really can’t or don’t want to change the thing they dislike, is to put your Behavioural Science (BeSci) hat on and change their perception of it. Think about it as an advertiser would; what techniques can I use, to make someone feel differently about something?  By changing their perception, we can change their behaviour.  

Perhaps their irritation is caused by the fact that they don’t understand the rationale for what they’re being asked to do or the way in which they’re being asked to do it. Or perhaps they’re unaware of the personal consequences for them of non-compliance. Note “personal consequences”; the impact on the organisation is less compelling an argument when it comes to persuading people to behave differently than the impact on them personally. Yet often we rely on the former, rather than seeking to exploit the latter.

Small things can make a huge difference; the language we use when talking about Risk or Compliance is often dull, uninspiring and antagonistic. Just changing that can change people’s perception of a requirement. Hence the somewhat provocative tone of the WPYO question. You don’t necessarily need to change the underlying process to make people look at it differently; though obviously it helps if you can.

Ask it of yourself!

I’m so convinced of the power of WPYO that I think it needs integrating into Risk and Compliance frameworks. Ask your target audience a form of the question regularly and you’ll get incredibly powerful feedback. Best case, you’re eliciting insights that will help you improve your control framework. Worst case, you’ve got a strong forward-looking indicator of where people might not do what you want them to.

Readers working in Risk and Compliance in larger organisations who like the idea, but feel they have no ability to influence the processes most likely to be complained about, should ask the question anyway. Then feed it back, constructively and politely, to Head Office. Even if you can’t influence change, you’ll have done your duty. 

Finally, this isn’t just something you should ask your target audience. Think about it from your own perspective; because the same rules apply to Risk and Compliance Officers. If something PYO then you’re not going to be as engaged in the process as you could and probably should be.  

I noted, at the start of this blog, that organisations aren’t compliant and don’t manage risk of their own accord; it’s the people within them that do that. If we want them to do that properly, then we need to do everything we can to avoid pissing them off. 

The author is the founder of Human Risk, a Behavioural Science Consulting and Training Firm specialising in the fields of Risk, Compliance, Conduct and Culture.
