Ordnung! How Rigid is your Approach to Governance?

Ordnung

In the research for my latest book (this new one is on leadership) I came across the German cultural philosophy of “Ordnung”. It appears to be a significant part of the German way of life. For the history buffs, it appears to originate with the German monk Martin Luther (not to be confused with Dr Martin Luther King Jr). So what is Ordnung? Ordnung translates into English as “order” and, as far as I can tell, it describes a set of unwritten rules that everyone knows and that must be followed, or society would collapse. Basically, “Ordnung” is sacred in Germany! People are brought up to believe deeply in the power of orderliness – “Ordnung muss sein” (There must be order). This is not just a saying; it’s a lived philosophy that starts in childhood and carries over into adult life. When asked if everything’s alright, a firm “Ja, alles in Ordnung!” (All is in order) isn’t just a statement of well-being; it’s a statement that embodies a very German mindset. Now I am inclined to think order is generally a good thing, but what happens when order becomes the be-all and end-all of a governance function? What happens when the InfoSec team is dogmatic in its enforcement of the rules? What happens when the DPO or the Head of Compliance responds with “the law says no”? How can Governance, Risk and Compliance (GRC) professionals avoid creating a them-and-us situation that is simply not good for the business? Let’s have a look…

Law and Order: Special Misdemeanours Unit

In addition to the philosophy of Ordnung, Germany also has a public body called the “Ordnungsamt”. It’s Germany’s Public Order Office. This current organisation must not be confused or conflated with the “Ordnungspolizei” or Order Police, who formed part of Nazi Germany between 1936 and 1945 – which may lead to raised eyebrows should a native English speaker jokingly use the term “Order Police” with a German colleague! The Ordnungsamt is responsible for policing misdemeanours. Think noisy neighbours, parking violations and even how long a dog is allowed to bark at night. If you flout the rules, you will get a ticket. Notwithstanding the official organisation’s role in maintaining order, all Germans are bought in. A German is more than comfortable telling a stranger that they are flouting the rules. Quite a contrast to the British mentality of quietly tutting from across the carriage of the quiet train as a fellow passenger has the loudest conversation with someone on the other end of their Bluetooth headset!

Now let’s overlay the above Public Order Office onto an organisational setting. I’m sure many of you may have come across an organisation where a team responsible for governance, risk or compliance operates as a caricature of the Ordnungsamt. They believe they are the enforcers, patrolling the open-plan office with an eagle eye for policy breaches, always on the lookout to correct or caution. But here’s the rub: while such professionals have the laudable goal of ensuring compliance, they are failing to harmonise with their sister departments, such as sales, fuelled by the dynamism of deal-making, or R&D, thriving on the edge of innovation. When a risk management function becomes too rigid, it creates friction with other departments. The marketing team, for instance, might feel stifled in their creative campaigns, or the IT department could be bogged down with security controls that impede agility. A risk management approach that’s too stringent turns collaboration into a minefield, where instead of fostering collective success, the organisation is left with an environment of caution, constraint and concealment. Operational departments simply stop telling the risk management function what they are doing, for fear they will be wrapped up in miles and miles of red tape – and that’s not good for anyone!

A better approach

So is there a better way? Well, yes. Below are some examples of things governance teams could do to adopt a more collaborative approach:

Foster Open Communication: Encourage regular dialogue between governance functions and other departments to understand mutual goals and challenges. As an example, hold quarterly meetings where the governance team presents recent changes in regulations and discusses with the operations team how to implement these changes without disrupting workflow.

Prioritise Flexibility: Develop policies that provide clear guidelines but allow for department-specific adjustments. For example, a security policy could set a company-wide baseline standard for data encryption but allow the R&D department to adopt more stringent protocols on top of that baseline because of its work with sensitive technology.

Risk-Taking as a Skill: Train staff in making calculated risks, understanding that a well-considered risk can lead to significant rewards. As an example, a marketing department could be trained to evaluate the risks and benefits of a controversial advertising campaign, weighing the potential for a big payoff in brand visibility against the risk of public backlash.

Incentivise Innovation: Create incentives for teams that successfully manage risks while driving innovation within their departments. An example could be offering a bonus or recognition program for the product team that designs new services with built-in privacy features that exceed industry standards, thus managing risk while being innovative.

Diversify Approaches: Recognise that different departments may require different risk management approaches and allow for tailored methods. For instance, the finance department might implement rigorous risk controls for investment decisions, while the human resources department adopts a more flexible risk approach in its recruitment strategies to attract a diverse range of candidates.

And last but not least…

Measure Impact: Develop metrics to measure the effectiveness of the approaches adopted to help other departments achieve company goals. For example, a company could track how effectively the risk management function has supported the sales department by correlating risk advisory activities with a decrease in contract disputes or an increase in completed deals.

Order is half of life…

Whilst enforcing order is certainly one approach to good governance, life is also messy. The Germans have another proverb which pretty much sums this up: “Ordnung ist das halbe Leben und Unordnung die andere Hälfte”, or in English: “Order is half of life… and disorder is the other half.” Having good processes and controls in place, with everyone bought in, is going to help an organisation mitigate its risks, but it won’t remove the messiness. Dogmatic approaches simply will not work when the situation in question is neither black nor white (which is most situations). Governance professionals must, therefore, be mindful of that messiness and be flexible and pragmatic when needed. So what do you think? Should the rules be rigidly followed, or is there room for freedom within boundaries? Let me know in the comments below what has worked for you.

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.