The Real Reason People Don't Follow The Rules

Jim Merrifield (00:06.734)
Well, hello everyone and welcome to the InfoGov Hot Seat Podcast. I'm your host, Jim Merrifield. And today we're wrapping up an incredible three-part series with our fantastic guest, Kim Tran. If you followed along with the series, you know that we've been tackling some of the most pressing challenges in governance and compliance. And wow, what a conversation it's been. We started with part one where Kim helped us understand why compliance is really about people.

and culture, not just policies and checklists. And then in part two, we explored how to move from mandates to mindsets and how to make IG policies stick by aligning them with real world behaviors. So now in this final installment, we're shining a spotlight on the real drivers behind governance challenges. And spoiler alert, it's not because organizations lack good policies. It all comes down to people and change management.

So that's right. Today's episode is all about governance isn't a policy problem. It's a people and change management disconnect. So Kim, welcome back to the hot seat.

Kim Tran (01:16.181)
Thank you, Jim. Well, I'm thrilled to be here again. I can't believe it's the third installment, three out of three. It's been such an engaging series. I'm super looking forward to closing this out, and especially because we've had some discussions in between the previous two sessions. So if you missed them, definitely go back and watch them or listen to them, whatever you prefer. And let's jump into it.

Jim Merrifield (01:42.156)
Yeah, absolutely. Your insights, Kim, have been incredible. I know this episode is going to be just as impactful. So let's do this. So all right, let's kick this off with a big idea that we've been centered on this in these episodes on governance isn't a policy issue. It's a people and change management issue. Can you break that down for us a little bit? What does it actually mean that?

It's a people and change management issue.

Kim Tran (02:13.227)
Yeah, so if you've listened to the first two episodes for those tuning in, I actually studied psychology in undergrad. And so I like to think about the human behaviors when it comes to translating policies, technology, processes into reality. And I think one of the biggest misconceptions is that it succeeds, policies succeed or fail on the strength of organizations

policies or you know playbooks or standards and procedures right as long as we have it in writing people will follow it and While having those in writing is obviously very important and critical Governance really breaks down because of the human element You know think about it as like laws right we have lawyers to interpret different laws different regulations

Do people follow the law? Not always. And so same thing with policies. I think people definitely hope for the best, right? But in reality is a lot of these frameworks are only as strong as the people implementing them, people following them. And the biggest gap is that if the employees who are meant to follow these policies don't understand them,

Then, you know, leadership, policy writers, whoever is enforcing these governance policies have really failed, right? And so the resistance, there's resistance or a lack of understanding because people are not, not because people don't want to follow the rules, but maybe they don't understand it. Maybe they're feeling scared or a little apprehensive about change.

or they may not even believe in the policy to begin with. and so, you know, having that investment or invested commitment upfront is so important because shared risk, shared trust, all of these concepts that we had talked about in the previous, episode about changing people's mindsets, right? All of this, is, is still really, really important, especially at this stage. Once you get into the actual change management of it.

Jim Merrifield (04:37.678)
Yeah, for sure. So I guess we might say that governance lives or dies by how it's adopted on the ground, not just what's outlined on paper. Is that true?

Kim Tran (04:49.259)
Yep, for sure. And I think, you know, that this is where change management comes in. And change, there's that, you know, there's that cliched expression, right? Change is the only thing consistent is change. And governance often requires changes in behavior processes and structure.

But change is hard, especially right now at a macro level with AI coming on, you know, and how do people react to that? How do people use it? How are people testing it and experimenting with it and implementing, right? And then the bigger picture of it is, OK, well, we're kind of past the testing stage now. How do we actually govern it? How do we scale it and how do we deploy it in a safe?

and most of all secure manner, right? Like we keep talking, data breaches have been just increasing at massive speeds, but now with AI that has exponentially compounded. And so when there's a lot of change, it's just human nature to resist that change. And some people are better at it. I think, you know, to toot our own horns, marketers have always been kind of at the forefront of change. We're constantly tinkering, experimenting.

But for folks who are more risk averse, who are in governance, who are lawyers, you know, that is your job. That is our job collectively. And I think having that resistance and understanding it so that you can overcome it together and actively engage folks on the front end is something that will just change the delivery of your outcomes or adoption or deployment processes. And not just from

a one and done result, really ongoing along with the policy changes and regulations that will come down inevitably.

Jim Merrifield (06:54.606)
Yeah, it makes so much sense. So, Kim, do you have an example, maybe perhaps from your own experience that highlights what happens when governance and change management aren't aligned?

Kim Tran (07:05.768)
Yeah, I think there's so many examples. I've worked through or in very many different industries now, most of them highly regulated and a lot of them in the public sector. But I think one example that really stands out is I was with a global organization. I may have mentioned it in earlier episodes, but we were rolling out a new data privacy framework. Again, we were

global, there are lot of different local laws, regional laws, country laws, the EU, for example. And so the privacy laws and policies were just, while very well researched, they were also complex and across languages, across different levels of understanding. Some people were more technical or more non-technical than others. And so there was that issue.

While we had the data privacy framework and the plan in place, there was no preemptive engagement or communication plan to really proactively get employees bought in or even addressing their concerns and questions. And so when the rollout happened, it was just very kind of direct.

in a way, the rollout happened. know, employees across departments were just overwhelmed. They were told to just, hey, read these new data privacy policies and frameworks and rules for our teams and company. And they felt like the new frameworks just added more complexity to their work.

and most of all, they just didn't see any clear benefit or even explanation as to why this impacted them or why they had to, you know, follow it or worse, what would happen if they didn't follow it. And so I think, you know, this happens a lot, with shadow IT, for example, but instead of adopting the policies, we started to see that people were kind of doing their own thing.

Kim Tran (09:27.05)
I'm kind of skirting around, know, finding work grounds and things like that. And so that's just like one example of a global organization that we worked at.

Jim Merrifield (09:41.016)
Yeah, you mentioned Shadow IT. I think now we have Shadow AI. I know we were talking about that earlier.

Kim Tran (09:47.082)
shadow AI, shadow data, shadow IT, all of the things.

Jim Merrifield (09:52.536)
Yeah, so it definitely shows that having a powerful alignment is really the best way to get employees engaged and to adopt policies, right? So they're not rigid rules. So all right, so what actionable advice, Kim, do you have? Would you give organizations looking to bridge the gap between governance and change management?

Kim Tran (10:19.646)
Yeah, think before I get into the actionable advice, I think just sharing a quick example of what did work and then why did it work and go from there. But I worked for another global ed tech company and maybe we're in ed tech and so educating people were kind of embedded in the DNA.

What worked at this organization was when we were piloting a brand new governance framework and policy across new teams and departments, we had just acquired a new arm and division and we came together, we were kind of a three person pilot team. we, from the start, we knew this would be a change initiative, both internally and externally. So we held

you know, little folks, groups with internal team members. We wanted to get inputs. What worked for you? What didn't work for you? What are you challenged by? What do you really hate about, you know, what, what do you want to see being improved or changed? And then after that, we also went externally to then get stakeholders and our partners, external partners bought in and to get their concerns and challenges addressed. And so from a psychological standpoint,

This made people feel like they were invested, they were committed, and they were also valued for their inputs. And we aligned on what does success even look like? What does success mean? And so celebrating those wins, either big or small, was really important because it built momentum. It built efficiencies from the start. And overall and over time,

we then started to reduce risk and all of that perfect storm together and change management, people started to get really excited about this new governance policy. They were less afraid of following a rule or a mandate and really they were just excited to protect the organization and to do it together. And so to bring it all back down to

Kim Tran (12:37.757)
what are three actionable things and why did this case study work? One, we engage folks early and not just early, but often. And so as I shared, we engage folks internally first, we sought out their inputs. We really made them feel like they were active participants. They were heard. And we really shared our commitment and shared.

of course, also risk, right? That's also a psychological piece of it. So everybody wanted to succeed. And the other piece too is training early adopters and change agents. I mentioned that marketers are often at the forefront of testing things out or testing out new tactics or upholding data privacy laws because we're marketing to folks, right? And so

Governance in a way in parallel needs training as well and needs these change catalysts or change agents that will really be passionate about enforcing governance, right? Or showing people or training others on how to follow the policy and making sure they understand the policy. And I think lastly, people have short-term memory. You know, I think the...

the new kind of sound bite out there is that we all have about nine second attention spans now, the equivalent of a goldfish. so communicating the why, not just when, like frequently, why, why are we doing this? What will happen if we don't do this? Not just like a one and done type of frequency, but again, very often, very frequent and in channels that.

Jim Merrifield (14:13.39)
Thanks.

Kim Tran (14:32.243)
people actually pay attention to. One example, in my current organization, everybody conducts everything via Slack. But I know prior to my current company, we were Microsoft shopped. And so, you know, people were in teams all the time, people were chatting, people did read their emails, but unless it was, you know, pertaining to them specifically or had a deadline, they'll...

they would skim it and then forget it. And so just remembering that people are far more likely to adopt something and remember it if they actually understand it, but if they actually pay attention. so framing that not just from a why perspective, but where and when is also super important to change management as well. So anyway.

Wanted to walk through that. was a lot, but the great thing about recording is that you can always go back and listen.

Jim Merrifield (15:31.104)
Yeah, for sure. I love it. That was such a valuable information and really impressive with that. I'm glad that you brought up that example as well. This whole discussion has been so awesome. I love how you've redefined governance as a people first challenge, not just a policy challenge. And the examples again and advice has been spot on. For our listeners, I hope this conversation inspires you to look at governance in a whole new light.

Remember, it's all about alignment, trust, and engaging your people every step of the way, right? Engagement is key. Kim, thanks so much for being part of this series. It's been a pleasure having you on the InfoGov hot seat.

Kim Tran (16:14.579)
Jim, thank you so much as always.

Jim Merrifield (16:17.614)
Yeah, this has been great. To our listeners, thank you for joining us on this special three-part series. If you'd enjoyed it, please leave a review, share it with your colleagues, subscribe to more episodes as well. You can re-watch the last two episodes as well. And until next time, thanks so much and enjoy the rest of your day.