Gartner Blog Network

When Policy and Practice Diverge?

by Craig Roth  |  February 14, 2011  |  2 Comments

Does it matter if organizations have a policy about use of consumer technology at work?  When I talk to staff and mid-level IT employees (particularly those in the communication and collaboration departments) it’s clear that even if those policies exist they are often bunk. 

Our U.S. Symposium survey showed about three quarters of the 189 people that took the survey work in organizations that have a policy (90% of the time that policy is to disallow their use).  My question today, is what are the cultural impacts when there is an obvious disconnect between policy and practice in an organization?  There are many other impacts, such as opening up security holes and e-discovery vulnerability.  But I’ve seen a lot written on security and e-discovery risks of employees using consumer devices and websites for work.  I haven’t seen much on the cultural impacts:

  • It creates a new group of “haves” and “have nots”.  The “haves” are usually in two categories: techies and execs.  Techies possess the technical savvy to use devices or get to websites of their choice despite lack of assistance or blocks from IT.  Or sometimes they can declare them a “research” or a “pilot”.  Execs possess the authority to ignore the policy without fear of reprisal.
  • It creates a status marker.  By flashing around a forbidden iPad with full access to enterprise e-mail, the out-of-compliance employee is demonstrating that they are more technically savvy, have more authority (or immunity from rules), or are more fearless than the cowering masses around them.
  • It hampers the authority of other policies.  Other policies, from dress code to travel guidelines, may seem unrelated to use of iPhones or LinkedIn at work.  But open flaunting of technology use policies calls into question the need to comply with other policies as well.

My point is not that there should be iron-fisted enforcement.  First, I’m just thinking aloud about the cultural impact of consumer use policies and would like to know if others have observed the same.  If I’m right, then I’d argue organizations shouldn’t publish these policies if they don’t plan to enforce them because not having a policy may be less damaging than having one that is frequently and publicly flaunted.

Category: organization  social-software  

Craig Roth
Research VP, Tech and Service Providers
7 years at Gartner
28 years IT industry

Craig Roth is a Research Vice President focused on cloud office suites, collaboration tools, content management, and how they are being impacted by digital workplace and digital business trends...Read Full Bio

Thoughts on When Policy and Practice Diverge?

  1. Aaron says:

    A rule of thumb I try to follow: Do not write a policy that you cannot enforce. The understanding is that there are policies that a company must formulate, and behavior that must be followed. But it must be consistent, relevant, pertinent and enforceable. The policy must clearly state the intent, as well as the penalties for non-compliance.

  2. Craig Roth says:

    I agree Aaron. For those times where you know a policy can’t or won’t be enforced, maybe it’s better to reword them as “guidelines” or “tips”. You still get to point out correct behavior, but this was when you don’t enforce, it will not diminish the authority of future policies.

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.