I keep returning to the COBIT 5 Culture, Ethics and Behaviour enabler as it is so difficult to address and it is where many companies fail. Let us focus on performance measurement in this article. You have most likely heard the expression, “You get the behavior you reward.” Most people look at this as the basis for their reward systems. And, generally, it works out well. At first blush, it seems right, but what happens when you tweak it a little? What about, “You get the behavior you reward, not the behavior you want.” Eli Goldratt, the man behind the Theory of Constraints,1 once said, “Tell me how you measure me, and I will tell you how I will behave.” Two sides of the same coin.
I cannot tell you how many conferences and training seminars—out of my control—have not started on time. Conference organizers are notorious for this. The chapter president always says to me, “Let us give attendees another couple of minutes before we start.” Tardy attendees always say something such as, “The traffic is bad today.” (It is bad every day, and for you statisticians out there, it regresses to the mean.) If you never start your session on time, then why would I show up on time? It sends the message that you do not really start on time. Worse, it makes the people who arrive before the appointed hour think that you do not value their time as much as that of those who arrive late. You are indirectly rewarding the people who show up late and punishing those who show up on time or early. Behavior reinforced is behavior repeated.
It is not just not-for-profit volunteers who exhibit this behavior. I cannot tell you how many organizations I have been in where meetings do not start on time. I did a short contract for a financial institution where nobody showed up on time for a meeting. You never knew how late to be as it seemed random. It was as if they wanted to be fashionably late and make an appearance and tell us how busy they are. I honestly thought they waited in the hall watching others arrive before making their grand entrance with a flourish. My rant may seem trivial, but it is an example of what criminologists call the broken windows theory. Small things lead to big things. I can tell you that the financial institution had serious organizational behavior problems beyond people being late to meetings, but it was a symptom of a general malaise. You get what you reward, not what you want.
You get what you reward, not what you want.
The ramifications of Goldratt’s quote are interesting as well. I did some work for a health care organization and noticed some dysfunctional metrics. One metric struck me as extremely dysfunctional. The service desk, which they incorrectly called the help desk, had a metric that measured how fast they passed on an incident. They were not rewarded for helping the customer or user, nor reprimanded when the incidents were passed to the wrong group or person. Nobody measured how many times the incident was passed back and forth between the help desk and first-line support, which, anecdotally, they told me was often. The help desk became the best incident pushers in the history of mankind to the detriment of the organization. But when you tell me how you will measure me, I will tell you how I will behave. Of course, a reasonable person would push incidents any which way to maximize their performance based on that metric.
Organizations reward behavior they do not want in thousands of ways and feign surprise when they get more of the behavior they do not want. What behaviors in your organization do you reward that you need to change? You need to look long and hard at the bad behavior in your organization and determine whether it is self-inflicted because you rewarded the behavior. If you do not like the behavior you see, you need to change the reward system and the way you measure things.
Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 28000 FC, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC
Is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 FC/LI/LA, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.
1 Goldratt, Eliyahu M.; The Goal: A Process of Ongoing Improvement, North River Press, USA, 1984