Beyond Compliance Checkboxes - Part 2
In this episode of the InfoGov Hot Seat Podcast, Jim Merrifield and Kim Tran discuss the critical shift from mandate-driven compliance policies to a mindset-driven approach. They explore the challenges organizations face in implementing these changes, share real-life examples of successful policy rollouts, and provide actionable steps for organizations to foster a culture of compliance that resonates with employees. The conversation emphasizes the importance of communication, training, and engagement at all levels to ensure that compliance policies are not just theoretical but are embraced and lived by all employees.
Jim Merrifield (00:01.356)
Well, hello everyone and welcome back to the InfoGov Hot Seat Podcast. I'm your host Jim Merrifield and I couldn't be more excited to bring you part two of a special three part series with the incredible Kim Tran. Now last time we tackled the real compliance challenge discussing why organizational culture and people, not just policies and checklists, are the heart of compliance success. Now if you missed it, go back and download that episode. Check out part one after you finish this episode. It's, it's a must listen. I'll tell you now today's episode is titled moving from mandates to mindsets, getting IG policies to stick in reality versus theory. In this episode, we're going to dig into a common stumbling block organizations face when implementing information governance or IG policies. Too often the policies sound too perfect in theory. They fall apart in the real world. Why? Because shifting from mandate driven approach to a mindset driven approach is easier said than done. So with that, I'm glad to welcome back Kim Tran, an insightful leader in governance, risk, compliance, change management and everything else. Kim, welcome to the hot seat once again.
Kim Tran (01:22.478)
Thanks, Jim. Great to be back as always. Love being part of the series, both as a listener, but also now as a speaker and panelist. So thank you for that. And just getting the chance to chat with you and unpack these really important topics, because as AI and new emerging tools are coming up into the market, it's important to translate that into not just adoption, but sustainable transformation for organizations.
Jim Merrifield (01:52.342)
Yeah, we love having you here, Kim. Your insights really hit home for our audience. So let's jump right into our discussion. We mentioned the title of the episode. We'll talk about shifting from mandates to mindsets. So to kick things off, can you help us unpack what that actually means? Like, what's the difference between those two approaches in the context of IG policies?
Kim Tran (02:19.745)
Yeah, great question. So I studied psychology in undergrad, so I will always have a soft spot for human behavior and human mindset. And so when we talk about shifting from mandates to mindsets, this is basically what I am really passionate about, because a mandate-driven approach is usually about compliance through enforcement, right? Like I'm a parent and so I'm gonna use a parent analogy here, but telling your kids to do something or not to do something to various degrees of success and people actually listening to you. But really it's about creating rules, processes, policies, and oftentimes you're creating all of this to really tick off the regulatory boxes, right? Or like the auditors, or to meet specific, very defined objectives from legal or risk, which are all important, of course. But it's also really important that people are engaged and bought into these processes as employees. And that takes more than just a blank piece of paper or a policy book somewhere that they need to flip through or scroll through. And oftentimes, I think from a psychological perspective, people feel like compliance, generally speaking, is being imposed on them rather than something that they believe in or they're actively part of or even like second nature, right? Because a lot of compliance folks, we live and breathe compliance. We know the repercussions, but a lot of our stakeholders internally and externally are not compliance professionals. And so while they understand the risk, they may not be sharing the same risk levels as we are. And so shifting that approach to mindset driven perspective really fosters that shared understanding and the value of following these policies, but also this shared what I call shared risk as well. And making them understand that, you know, something that affects you as a compliance professional will also affect them
Kim Tran (04:36.789)
as a non-compliance professional is really, really key. So it's not just about making them understand what they do, but why they should be doing it and why they need to adopt and protect the organization. And for those who tuned into the first episode, we talked a lot about this where employees are not just going through the motions of following a policy, but really getting them to think about how the policy and their jobs will help protect the organization as a whole and uphold corporate trust, corporate reputation, rather than just their jobs or just their roles. And so that mindset driven approach really takes it a few steps higher and really making folks really buying into this idea of protecting the organization, protecting the enterprise and getting buy-in at all levels of the organization.
Jim Merrifield (05:35.586)
It makes perfect sense. I mean, so it's a shift from telling people what to do to helping them want to actually do it. And I love the analogy with since you have kids, you know, I remember with my parents, you know, you tell them, hey, don't do this, don't do that. And then what do they do? They do that. So what are the biggest challenges you see organizations face when trying to make this shift?
Kim Tran (05:48.429)
You
Kim Tran (05:53.57)
Yep.
Kim Tran (06:03.861)
Yeah, so there are a lot of challenges, but I think two main ones that I'll highlight here is one, I think there is a disconnect and we've seen a lot of research come out, especially with AI, between the people who are drafting the policies and then the people who are expected to follow them, both from a leadership but also a technical user or implementation perspective. And what I like to remind people is that just because you have information does not automatically translate into implementation. And so when you're creating these policies on paper, it might look perfect, you know, on a Word doc or Google doc or whatever you're using to capture and document this. In reality, it gets messy. People may or may not be using it correctly the way you want them to use it. A lot of challenges around, you know, people get entrenched in their own behaviors, right? And so that's really translating, that's the challenge, translating compliance policies into real life application. And then secondly, I think the biggest challenge as well is that organizations spend so much time perfecting these policies and not enough time actually rolling it out, and they underestimate the role of communications and training. A lot of times I've worked both for myself as an individual, as a leader, but also just across the enterprise is that people spend so much time getting consensus on finalizing the policies that they don't spend enough time really consistently training folks, consistently socializing the policies with various departments, various employees. And people need to understand that the context, like why does the policy exist? Why does it protect them? Or how does it protect the organization? So that people can really adopt these by second nature when they go into their daily lives. And it's not just a one and done
Kim Tran (08:20.872)
announcing the policy at an all hands or something, but really consistently, you know, following up whether it's a bi weekly, all hands or even a weekly one on one to check in. So I like to compare it to, you know, working out, right? Like it's not a one and done when you're trying to get into a brand new lifestyle. You can't just work out, you know, once a quarter.
You kind of have to break down those habits and hold yourself accountable on a regular, consistent basis, whatever that regular and consistent means to you personally and also within your organization.
Jim Merrifield (09:02.23)
Yeah, that makes a lot of sense. So do you have any examples? I know maybe from your own experience of how these challenges played out in real life. I know you must have some stories.
Kim Tran (09:14.144)
Yeah, I have a lot of stories and I think lessons learned, it's very easy to assume that people know what you are trying to get them to do. And so I think one story and lesson learned again and again is give people the benefit of the doubt and assume positive intent. People want to follow the policy, people want to learn about the policy, and more importantly, they want to adhere to them. And I think one lesson for me is when I was in financial services, highly regulated industry, public company, we had a lot of regulatory rules and policies that sometimes a lot of teams, especially the non-technical teams just weren't aware of. And so whenever we would roll out a new compliance policy, we got kind of the, the, both the leadership on board, also boots on the ground, people who knew their departments best. And we almost did like an internal road show. And this is kind of an internal speaking tour and we didn't go off and create our own calendar of meetings, we actually met with the heads of each department of each team of each function and we had an internal speaker who went around to each hub to talk to each audience. And so whether the customer representative team already had their established communication cadence or their weekly meetings, we came to them and worked with them to communicate the policy changes rather than expect them to come to ours, for example. And that created trust, but it also created a very collaborative dynamic right off the bat. And people took that as, hey, they really want to work with us. And it wasn't just imposed on them as we were talking about. And then contrasting that with another organization that I worked with,
Kim Tran (11:32.364)
This was the Discovery Channel early on in my career. And I was going through a new, we were migrating legal invoices, paper legal invoices, to a digital invoicing management system. And as you can imagine, I think lawyers just love paper to various degrees. And how we approach that wasn't top down. My manager at the time, amazing leader. He actually went around to boots on the ground folks first to see where we were struggling and what the challenges were. And he actually encouraged us to map out those pain points, talk to each other and then become the hub of how to change the policies, how to start the transformation journey from paper to digital. And so I know that a lot of folks listening may or may not be on the same journey as well. And so I want to maybe just feature that story because a lot of times we think that something will stick because a leader told us to top down. But a lot of times a lot of the people who will engage with the policy and make sure that it translates into real life are the boots on the ground folks, are the people who day to day live and breathe, you know, how these policies will look like off paper and off records. So I really encourage folks to engage and think through a holistic rollout and think through who are your team leaders who can be champions. And then also who are your leaders who can then enforce it and collaborate with your team leaders to make sure that people aren't just following the mandates, but really bought in living and breathing, making it second nature to them.
Jim Merrifield (13:28.076)
Yeah, I think you're exactly right. I mean, when people are part of the process, it changes everything. They feel like they're part of the project, if you will. I mean, we're seeing that with organizations that are deploying AI when everybody's involved, not just from the top, but also people that are in the middle or even at the lower level, basically all levels that makes a successful deployment, whether it's AI, a policy or whatever.
Kim Tran (13:34.986)
Mm-hmm.
Jim Merrifield (13:57.858)
And that's how you kind of create those internal advocates, right? So that's great. So okay, Kim, it's time to give our listeners some actionable takeaways. So if they want to take the shift from mandates to mindsets, where should they start?
Kim Tran (14:04.491)
Yeah.
Kim Tran (14:17.995)
Yeah, so I think as compliance folks, we tend to be very detailed. We love our 50 page playbooks and guide policy documents, all of that. But the people who are adhering and implementing this may or may not actually digest them. So simplifying our policies, whether it's AI, whether it's risk, whether it's a new auditing regulation, it's important to think more of like a PR or marketing person where you want to take out the most important takeaways and simplify and summarize what is the most important so that you can create maybe a one pager or an FAQ. And this is my diversity and inclusion lens a little bit, but we have a lot of folks across the journey with a lot of different levels of understanding of compliance. So making sure that you make the language accessible, but also how are people consuming this, whether it's a Word doc, whether it's a recording that they can watch, you know, async or offline. And so thinking through all of this and maybe, you know, sometimes you don't have to guess, just ask. Who is the most important person who needs to adhere to this policy, and ask them, what is your preference in terms of getting this policy or digesting this policy? And so I know that in grade school, we had the KISS acronym, right? Keep it simple. And the other word, you can replace that.
Jim Merrifield (16:05.398)
That's too funny. Now listen, Kim, here as always your insights are spot-on. I love how practical and actionable this advice is. It makes the shift from mandates to mindsets feel possible for any organization. So thank you so much for that. For our listeners, I hope, to you, I hope you're as inspired as I am after this conversation, but remember, making IG policies stick is more about, is more than theory. It's about getting people to believe in the value of what you're doing. So next time Kim will be back for the final part of our series where we'll talk about why governance isn't a policy problem. It's a people and change management disconnect. And trust me, you don't want to miss this episode. So once again, Kim, thanks for being here. How can our listeners get in touch with you if they want to continue the conversation?
Kim Tran (17:02.485)
Thank you, Jim. This has been such a topic that's near and dear to my heart. And I talk about it a lot actually on LinkedIn. So folks can connect with me on LinkedIn at Kim Tran. And yeah, I think that's the best way. I am always looking forward to connecting and I will also be at various industry events. And so that's the first step there is to stay connected with me on LinkedIn.
Jim Merrifield (17:32.702)
Awesome. Well, thanks again, Kim, and thank you to all of our listeners. Don't forget to subscribe and leave a review. It helps others discover the podcast. And until next time, I'm your host Jim Merrifield on the Information Governance Hot Seat Podcast. Thanks so much.
Kim Tran (17:49.963)
Thank you, Jim. Bye, everyone.
Jim Merrifield (17:53.858)
Thank

Kim Tran
Tech/SaaS Marketing Leader
A former aspiring lawyer-turned-tech marketer, Kim brings more than 10 years of corporate brand strategy and growth marketing experience across Fortune 500 companies and organizations of all sizes, from start-ups to scale-ups.
Most recently, Kim was Head of Marketing & Business Development at Gimmal, leading the company's brand and marketing transformation from a legacy eDiscovery & records management vendor all the way through to its successful acquisition by a global legal tech consulting firm.
Prior to Gimmal, Kim specialized in highly-regulated industries and public entities handling vast amounts of sensitive data, including legal, financial services/digital banking, edtech, and Internet infrastructure/DNS security. She has spent most of her career building and leading high-performing, cross-functional teams from business analysts to brand strategists focused on expanding into new markets, launching new products, and fostering customer-centric campaigns and perspectives in the age of AI and automation. Outside of work, Kim is a wannabe yogi, personal finance enthusiast, and reluctant runner.