Before there was Equifax there was British Petroleum. Before British Petroleum there was Enron.
All three were responsible for disasters. And all three are evidence of something every leader needs to embrace:
It’s always the culture.
Sure, skills and experience, tools and technologies, and processes and procedures matter too. For example: Just as you thought it couldn’t be any worse comes the revelation that in Equifax Argentina, an internal system that provided access to customer records had a backdoor, where both login ID and password were “admin.”
Proper security policies and procedures would have prevented this.
Just kidding.
For all I know Equifax Argentina’s security policies and procedures are just fine and dandy. If they’re out of step with the corporate culture they wouldn’t have made any difference. Culture wins every time.
Call it Lewis’s Law of Unnatural Disasters: When something goes terribly wrong you can bet there’s something about the organization’s culture that makes terribly wrong inevitable.
But in engineering your organization’s culture … and yes, culture is something to engineer … you need to consider your chosen solution’s ripple effects for the culture to be a positive force.
Let’s hypothesize that Equifax Argentina does have security P&Ps that specify what constitutes a suitably secure password — that the fault was a culture that resulted in nobody giving a damn. What cultural trait should its leadership be encouraging to prevent a recurrence?
The obvious one is a culture shaped so the employee handbook is law and everyone obeys it. That should do the trick.
It would. It would also create a culture where jailhouse lawyers are on a constant quest for loopholes that can only be closed by increasing the length of the P&Ps. Eventually, all your employees would need a year of study just to learn what’s in the handbook.
Beyond that, it would lead to a culture where checking off the boxes is what matters, not accomplishing the desired outcomes.
Worst of all it would result in a culture that combines blind obedience with a complete absence of risk-taking and initiative.
Compare that to a culture that focuses more on outcomes than obedience. Culture is loosely defined as “how we do things around here.” The cultural trait “We don’t put people at risk” wouldn’t just eliminate the admin/admin login/password combo; whoever put it in place would suffer a fate worse than being fired.
They’d be shunned.
But there’s a complication in all of this that isn’t easily addressed.
Enron’s CEO and board chair, Jeffrey Skilling and Kenneth Lay, pleaded the ignorance defense — yes, Enron the corporation was doing awful things, but they didn’t know about them. After Deepwater Horizon exploded, BP’s CEO Tony Hayward expressed a similar level of know-nothing-ism.
Equifax’s executives haven’t yet pleaded ignorance, but it’s only a matter of time.
Which gets to the complication: They probably were ignorant, and in some important respects they should have been.
The best leaders don’t find ways to succeed. They build organizations that find ways to succeed. They can’t do this without delegating. They can’t do this unless the people they delegate to delegate.
In great organizations, employees at all levels have authority and take responsibility, to degrees that are surprising to those managers who consider any decision not made by themselves or someone higher up the chain of command to be an unacceptable risk.
Or as D. Michael Abrashoff, former Captain of the Benfold and author of “It’s Your Ship” put it, “I chose my line in the sand. Whenever the consequences of a decision had the potential to kill or injure someone, waste tax-payers’ money, or damage the ship, I had to be consulted. Sailors and more junior officers were encouraged to make decisions and take action so long as they stayed on the right side of that line.”
Sounds great. It is great. Only if someone on board the Benfold had done something reckless with Deepwater-Horizon-scale consequences, Captain Abrashoff very likely would have been ignorant, because that’s the whole point: The people in charge not making themselves decision bottlenecks.
Culture is certainly the first line of defense. But those pesky human beings being what they are, it isn’t a perfect, airtight solution.
Leaders also need metrics, controls, and governance mechanisms, to provide the guardrails that backstop culture’s lane markers.
But even with these, culture comes first because with the wrong culture, employees will find ways to jigger the metrics, fake out the controls, and game the governance.
What they won’t do without a culture that encourages it is take the risk of telling you something that should be happening isn’t, or that something that shouldn’t be happening is.
It’s always the culture.
It’s just like family. I had such great respect for my father that I would not do anything that would risk his censure or cause his embarrassment. If our corporations could only instill that level of respect, perhaps that is the culture that you seek. Government, on the other hand…
If the culture of BP was one of strict adherence to unreasonable deadlines, that can lead to a lot of skipped procedures. But if the company needs to meet a debt payment, that’s a high priority for the C-level. The highest priority. Period.
Or if management keeps saying do more with less, or just keep doing the same with fewer people, such as in say, the U.S. Navy, then people start having more accidents and organizational performance decreases.
I worked for a regional fast food chain back in the day.
The owner was a fanatic about the source of revenue. Everybody was expected to know how the revenue was generated and respect those who generated the revenue.
So everybody in the company who was not in Operations worked one week a year in a restaurant.
And the highest position someone could be hired into Operations was Assistant Manager. And the minimum time in-rank was six months.
So if someone was hired to be an Area Executive, they would hire in as Assistant Manager (at a much higher pay rate), at six months get their store, in six months move up to Regional, then in another six months take their role of Area Executive.
Hourly employees and store managers were superstars in that company.
Very much akin to the old Disney model, where everyone started in a fur suit in one of the theme parks.
I love this approach. Thanks for taking the time to describe it.