Information Assurance and Protection

Cyber, Data and Information Protection

As recent attacks by both would-be hero-geeks and nation states have shown, there is no shortage of actors willing to exploit weaknesses in the information technology and systems that businesses of all sizes use as a matter of daily routine.

Are you confident that your business is secure and safe from potential attack? If you are not certain, this brief commentary summarises the risks, consequences and potential solutions that exist.

If you are still unsure of your next steps, AMDS Consultants Ltd will conduct a two-hour consultation workshop on your behalf to help you build prevention into your operations.

Cyber Security. The primary risk to a business is the comprehensive loss of all operations dependent on information technology and systems. The threat is aggravated by a lack of awareness of cyber security within a business and the failure to ensure all IT is current, protected and monitored. The consequences can be severe ranging from simple financial loss through reputational damage to business collapse and prosecution. Key solutions include hardening of systems, a security culture driven from the top, along with constant monitoring and regular auditing.

Data Protection. In the modern world where data is not held on copperplate ledgers, but on computers or a server farm, either locally or over a distributed network, data loss through accident or intent is a major risk to business operations. Should a business lose its data not only will it have catastrophic financial and operational impacts it also has the potential to put a company and its owners in breach of the GDPR (General Data Protection Regulations replacing the Data Protection Act in April 2018). Prevention of loss should be a business imperative. Data protection techniques include: regular encrypted backups to secure storage, strict control of access to and utilisation of data, organisational awareness of the importance of data and the consequences of a loss as well as physical and digital security.

Information Assurance. Failure to meet the principles of the ISO standard for Information Security Management Systems (ISO27001), even if a business does not feel that it needs to be accredited, presents a major risk to continuity, resilience and growth. Assuring customers that their data, personal information and their business systems are safe is increasingly important. Failures in assurance will impact sales, profitability and retention. Further, gaining a reputation for poor information security will significantly damage business reputations. The requirements of ISO27001 are well documented and readily accessible. Managing a business in accord with the standard will mitigate the information assurance risk at a reasonable cost.

The Worst-Case Scenario. The consequences of a cyber-attack or data loss through a lack of information assurance within a business can go well beyond the consequences highlighted. Should a business be found to be at fault for a breach of the GDPR, or fail to meet the standards of credit and debit card transaction protection, the penalties are draconian. Penalties for a breach of the GDPR can rise to a maximum of €20 million or 4% of global annual turnover whichever is the larger sum. A failure to protect a credit or debit card transaction will lead to fines of £100/transaction for every transaction undertaken during the month when the fraud occurred.

Insurance Options. Insurance is your “reserve parachute”; you really do not want to have to use it!

There are two types of supplier: large well-known companies such as Hiscox, AIG, AXA and Chubb, which are quickly being supplemented by a significant number of small, usually web-based, niche providers. In many respects the cyber, data and information insurance market is following a similar growth pattern to pet insurance, where uncertainties in risk lead to high premiums. That said, as I hope we have shown, businesses of all sizes need to make intelligent choices to address this developing threat.

The AMDS Consultants Offer. The way we approach things is not to recommend a particular software solution, suite of protection or data storage provider. Rather we look at the issues from the organisation’s point of view helping them put in place processes, systems and structures that reduce their information assurance risks as well as helping business understand the threats and consequences.

We will travel to your business’ location and discuss your issues and potential options using a workshop format. Any session will be two hours long and will start with an overview briefing before working on solutions with the local team.

Subsequently we can support your acquisition of the right solutions for your identified needs as well as conduct an information security audit of the business against key standards such as ISO27001, PCI DSS (credit and debit cards) and GDPR (General Data Protection Regulations).

© Dr Alan Morpeth July 2017.

What do people want from their leaders and managers?

In my experience, there are four things that people in the workplace – including myself – want from their leaders and managers. Inspiring leaders and good managers all have these four qualities and market-leading organisations actively seek them when recruiting or promoting.

Trustworthiness

You cannot be a good leader or manager if you cannot win the trust of your people and sustain it over time. Trust binds commitment and promotes action. Without it, you cannot win. From the employee’s point of view, if they cannot see signs of your competence then you are not going to gain their confidence. Openness is another aspect of trust and good leaders and managers encourage openness and manage dissent. You will know when you have got it right when you do not have to reprimand staff who transgress; it will be enough that they know that you know.

Optimism

Oddly enough this is linked with trustworthiness. Working as a project and programme manager I have often been told that I am “positive” or “optimistic”. It is always good to hear because there is not a big market for negative and pessimistic project and programme managers; we need to be purveyors of hope. Optimism can be pervasive and powerful. However, it has to be built on trust and not on delusions; it cannot be an act. If you get hung up on your mistakes, problems, wrong turns or mishaps (we all make them) and do not treat them as opportunities to learn and change, do not become a leader or manager! Optimism stems from a clear vision of the future, a commitment to get there and determination to bring everyone on their team along for the ride.

Purpose, direction and meaning

Which brings me to determination. I cannot over-emphasise the significance of determination to achieve a goal, together with the conviction, passion and unique point of view that will establish the energy and direction of the leader and manager. If you are a leader then you are helping to define the purpose of the job. Without the sense of alignment behind the purpose there can be no direction. How do you know which way to face? It must also be a purpose that energizes and engages people, that has meaning and resonance. That is why it is easier to do for leading a project than for managing Business As Usual (BAU). However, it belongs to everyone in the organization. The leader and manager must communicate the purpose in such a way that ownership is created on every level of the operation.

Acts and gets results

Ultimately, of course, you are there to deliver results so you must have the capacity to convert purpose and vision into action. Having developed a great vision you have to use it to inspire people. It has to become “real” in some material way to produce results. Most leaders and managers are pragmatic dreamers and practical idealists, which is not an easy balance to maintain.

Can Managers be Leaders?

We are still meeting people who use the terms “management” and “leadership” as if they were synonymous because they cannot see the difference between the two or distinguish between the function of each type of role. Other people think that “leadership” exists among the people at the top of the organisational hierarchy. The layers below that in the organization are called “management” and then all the rest are the workers who produce goods and provide services.

There is also a misconception that “leaders” are born with a set of personality characteristics, including “charisma” and “vision.” By that definition, few people can provide leadership. Management, on the other hand, is a set of well-known processes. Planning, budgeting, recruitment, performance management, procurement and problem-solving, can all be learned. Management keeps the business running, delivering goods and services day after day, year after year. This can be an enormously difficult task, but you do not have to be a born manager. That division is so wrong in so many ways.

Back in the late eighties/early nineties, the call was to replace management with leadership. That is still common today and, then as now, it did not understand that both are needed because each serves different, but essential, functions. Let me explain with some examples.

When deciding what to do …

Leadership establishes direction by developing a vision of the future and devising strategies to produce the changes that will achieve that vision.

Management establishes the detailed work breakdown, milestones and timetable to achieve the required results then secures the budget and resources to make it happen.

When aligning people to results …

Leadership communicates the direction to everyone who may be involved, directly or peripherally, and influences the creation of teams and groups that understand and support the vision.

Management sets up the structure to achieve the outcomes of the plan, staffs the structure, delegates responsibility and authority to the staff with guidelines, policies and procedures, and defines performance standards.

When making it happen …

Leadership motivates and inspires, empowers people to overcome barriers (including political, bureaucratic and resource) focussing on the needs of the individual.

Management controls activities and solves problems, monitors results against the plan, corrects deviations and modifies the plan as necessary.

When looking at outcomes …

Leadership defines and redefines the outcomes, produces change and realigns the business to adapt to changing times.

Management produces consistency, reliability and order, key results that contribute to the desired outcomes.

Some of the best leaders I have met, and worked for, were ex-servicemen, some of them making a second career having retired from the forces. Generally, they were the best managers, too, because the armed forces long ago realised that leadership and management can both be learned and that they are not mutually exclusive. In my next couple of blogs, I am going to explore that theme.

Test your disaster plan

A couple of years ago a major business operating in the Midlands (no names!) engaged me to audit their disaster recovery plans and to run a live exercise to test their resilience. Their plan was professional and comprehensive. Not surprisingly because they had a first class systems team working on it. Their ICT department and datacentre were housed in their headquarters building and they backed up their data to a warm backup site. They even tested the time it took for the backup site to get online. Real textbook stuff. With one weak point.

The headquarters building was under the flight path of an international airport so the exercise involved an airliner crashing on, and obliterating, the headquarters building. How quickly could their operations get back on line?

On the morning of the test the dialogue with the IT manager (let’s call him “Gerry”) went like this:

ME: “At 0849 this morning an Airbus 320 impacted with this building completely destroying it and killing or incapacitating everyone inside. What is the next step?”
GERRY: “I phone the backup centre and authorise them to activate the suite.”
ME: “And how are you going to do that?”
GERRY: “By phone. I will use my mobile. I have them on speed dial.”
ME: “What time did you get to the office today?”
GERRY: “Eight-thirty.”
ME: “So what does that make you?”
GERRY: “Oh … dead!”

Only one error but it kippered the entire plan and it was discovered because they were thorough and professional and ran an exercise. Most organisations never test their plan …

Things get better

I was working in software development in the days when we still thought that Windows 2.01 was a big step forward. In those days developers spoke slightingly about “scope creep”, requirements changing and growing after they had been signed off. The favourite response to this was to “freeze the specification” i.e. no changes at all, “what you signed for is what we will deliver”. Given that there were likely to be changes in management, market forces, legislation, standards, technology, business direction and objectives for the system during the time it took to develop it this was an excellent way to ensure that the users did not get what they needed from the system.

Thank whichever god looks after hapless developers for coming up with Agile. I was working with agile (small “a”) back in 2000 in a project-based organization (construction company). Construction projects are intrinsically “waterfall” (you cannot iterate the requirements for an office block or shopping mall once you have started building it); however, most projects had an IT element and we also worked on the company’s own systems (including contractor management and on-line drawing sharing) so there we were able to work with the users and other stakeholders using what today we call “user stories” (“storyboards” back then). Implementing DSDM helped a lot and even though public sector and PFI projects had to be delivered using PRINCE2 we were able to blend PRINCE2:DSDM in a mix that satisfied the DfT, MoD, NHS and NAO.

In spite of some prominent hold-outs Agile is much easier to implement today, particularly under the Government Digital Agenda. What is less encouraging is the number of organisations that think that they are “agile”:

ME: “In what way are you ‘agile’”?

THEM: “We use SCRUM for software development”

ME: “How about agile succession planning”?

THEM: “Erm …”

I think it will be a few years yet before we have universal understanding (and acceptance) of the Agile Organisation but it is going in the right direction.

Cyber-insurance?

With a successful cyber-attack becoming ever more likely (firewalls bounce back thousands of attempts a day, even for a small company), cyber insurance may become a basic cost of doing business. Awareness is growing because some well-known companies have admitted that they have been attacked, although the great majority of victims do not report an attack because they want to avoid reputational damage and do not want to encourage further attacks. Even so only 20% are protected by cyber-insurance. This is going to change with industry pundits predicting that it will become a ‘must have’ for businesses.

Insurance is not a defence against cyber-attacks and there is a danger that it may encourage complacency; however, IT service companies and cloud providers are tipped to start providing cyber-insurance as a standard part of their offering. Even so reputational damage is a hard thing to quantify yet might have a far greater impact on an organization than any monetary loss. As it cannot be quantified it may not be covered in a policy.

A UK government survey in 2015 reported that attackers had breached 90% of large corporations and 74% of SMEs at an estimated cost of £1.5m-£3m for the larger targets and £75k to £300k for SMEs. To cope with the aftermath of these breaches a single policy cyber-insurance market now offers both first-party and third-party protection. The challenge to insurers is to come up with a policy that provides adequate cover at an affordable price, not easy when it is impossible to predict third-party consequential loss.

If you have home insurance but leave your front door open when you go out for the night your insurer is likely to decline to pay out on the policy when you are burgled. Similarly, insurers expect businesses to take adequate measures to protect themselves against cyber-crime (making all staff cyber-aware, alerting them to scams, implementing basic security practices, providing adequate firewalls, warnings on using public WiFi and so on). Increasingly businesses will need cyber-insurance to reassure their customers and it may become a requirement of doing business with public bodies.

There is scope here for consultants to go into businesses and audit their cyber-awareness and the adequacy of their protection with the incentive of lower rates if audited satisfactorily. Insurers and their brokers may offer this service themselves to get the right cover for their clients at the best price.

Business resilience projects have taken on a new dimension.

The Weakest Link

Talking to a cybercrime specialist from Barclays yesterday I learned that 72% of their business customers had reported receiving bogus invoices by email. No surprise there; many businesses I have spoken to have received them and there were two in my own inbox when I got in to the office today. What did surprise me was the number of businesses (most were SMEs, but not all were) that actually paid these invoices!

I am using this to underline the lesson that the weakest part of any system, and the part targeted by cyber-criminals in 90% of attacks, is a human operator. Which goes to show why human interaction with technology needs to be made failsafe and why cybercrime is becoming less a technical issue and largely a human problem.

It seemed incredible that someone would pay an invoice without checking that it was owed until I remembered a scam that happened in New York a few years ago. A likely lad put an ad in the New York Times. It read: “This is the last day to send in your $10. Box xxxxxxx”. Just that. He had pocketed $30,000 before the NYPD caught up with him.

There is an increasing need for education at all levels to help businesses to protect themselves particularly from social engineering attacks (bogus invoices, fake legal fees), staff negligence (password taped to laptop screen, failure to follow secure procedures) or malicious insider attacks. A major element of advice in our resilience and assurance projects is to “educate your staff”.

Value for money

Another ice-breaker I sometimes use works like this …

I put a picture of Apollo 11 on the screen and say: “When NASA set up the Apollo programme they realised that normal ballpoint pens do not work upside down or in zero gravity. So they set up a project to develop a ‘space pen’. And they came up with this …” [produce official NASA space pen] “… which, adjusted to today’s values, cost $1.5bn to perfect. The Soviets used … a pencil” [produce pencil] “My question to you is: is this system to be a space pen or a pencil?” Invariably someone will say: “can we have the space pen for the cost of the pencil?” and you are off on your discussion of a key factor for every project – value for money.

Discover your client’s main project drivers

When giving a project presentation to a prospective client I sometimes start with an ice-breaker. One favourite method is to put an old joke on the screen:

GOOD!

FAST!

CHEAP!

– choose two …

… which usually gets a chuckle, even if only out of politeness.

Of course you are going to deliver on all three. However, there are two serious purposes behind this joke:

  1. It initiates discussion to discover the client’s main drivers for the project;
  2. It is an indication of where you are likely to have to deploy most of your skill during the project. Think about it this way:
  • If the client wants the project delivered quickly and cheaply then you are likely to spend a lot of effort on resolving quality issues.
  • If they want a high quality project delivered quickly then financial control is going to be particularly important.
  • If they want a quality project without spending a lot of money then you are going to have to be prepared to use some inventive shortcuts.

Potential Developments in European Test and Evaluation

Potential Developments in European Test and Evaluation – International Consolidation versus National Protection

For many years the ivory towers of the European defence sector have been consolidation and collaboration. The European Defence Agency (EDA) considers these twin peaks one of, if not their only, “raison d’être”. Further, in the NATO alliance much weight is given to commonality and interoperability. Such a position has clear operational and financial benefits but in some quarters it has been suggested instead that it is closer to a cornerstone of the success of the USA’s political, defence, industrial complex. Such assertions are hardly surprising given the size of the American defence budget, the size of their contribution to the alliance, the close relationship of Federal and State Government with “local” defence contractors and the investment in R&D by US original equipment manufacturers. All of which have contributed to the preponderance of American weapons, systems and platforms among the Armed Forces of Europe.

By contrast, the major nations of Europe have continued to separately develop weapons and systems (METEOR and STORMSHADOW two honourable exceptions) despite the total value of the top 5 national defence budgets in Europe equating to approximately one-third of US investment in defence. Where collaborations do occur on major platform programmes such as: Eurofighter Typhoon, Panavia Tornado, CNGF and A400M, national interests and cultural differences lead to significant delays in realising the desired military capabilities. Consequently, how likely are recent bi-lateral agreements such as the Anglo-French defence and security accord or the Franco-German memorandum on defence test and evaluation to succeed and will they lead to a new era of collaboration and consolidation?

Collaboration in Defence Test and Evaluation in Europe has several precedents including:

  • Anglo-French agreement on hydrodynamic testing
  • NAMFI the established NATO Missile Firing Installation in Crete
  • Joint Test and Evaluation Plan for Meteor
  • The Anglo-French accord on missile design, development and manufacture

Yet there remain many advanced capabilities within Europe that are: under-utilised, searching for third-party income and competing with each other on National and International programmes. What drives this choice and what could be a realistic alternative?

A major contributory factor to the future of both collaboration and consolidation within Europe is the national desire to maintain a Defence and Technology Industrial Base. Investing in national programmes is seen as critical to both maintaining an expertise base and realising defence exports, both of these contribute to growth in GDP. A second and equally important factor is the potential impact on local employment of out-sourcing defence capabilities such as test and evaluation where thousands of staff are employed in both the Public and Private Sectors. The final and potentially dominant factor is the proverbial “line in the sand”; every nation has its own list of defence capabilities that must remain in country, which might include:

  • Special Forces
  • Electronic Warfare
  • Nuclear capabilities where established
  • Munitions manufacturing capability
  • C4ISTAR

Against this background those seeking collaboration and consolidation may find their options limited to technologies that do not necessarily provide a battle winning capability. If we acknowledge that every nation in Europe with a defence budget will strive to maintain the level of indigenous capability implied by the list above how can the European nations create a more realistic and better utilised defence test and evaluation base and what would be the benefits?

To consider the question posed above we need to look at the basic dynamics between the European inventory of modern weapons and the availability of expertise, facilities and capabilities to test, evaluate and train in war-like scenarios with them. Across Europe there are perhaps a dozen nations that possess the expertise, infrastructure and test and evaluation ranges capable of exercising modern weapons and smart munitions to their fullest extent whilst there are 30 or more nations who already have or are planning to acquire such military capability. Among the dozen there are some unique capabilities but also a significant number of duplicate facilities. By using, in a more intelligent way, the extensive set of European test and evaluation facilities across national boundaries our defence sector could: increase utilisation, reduce national costs and increase collaboration through familiarity breeding trust and confidence. Consequently Europe creates headroom to compete more effectively with the USA in markets both within Europe and across the world. The challenge is how!

Collaboration and consolidation in Europe does not start with a blank page as I hope I have shown by the observations made above. What we can do however is change the nature of the discussion by moving on from capturing every nations’ facilities to expressing what Europe alone and through NATO needs by way of a Defence Test and Evaluation Base for the future; this could be based on the recently published NATO 2020 recommendations. A start has been made on this by the EDA but unfortunately the starting point was not what Europe needs but how Europe will cut costs by forcing collaboration and consolidation. I would therefore like to suggest an alternative approach to stimulate this essential development.

Step 1. Agree that this is a Europe-wide initiative through the EDA supported by NATO
Step 2. Acknowledge that every nation round the table has their own national capability requirements and agree them based on genuine need and investment not national “chutzpah”
Step 3. Identify and agree unique European test and evaluation capabilities – two examples from the air weapons domain are: the UK Hebrides, which is the only METEOR and AMRAAM war-shot capability in Europe, and FMV Vidsel in Sweden, the largest overland range in Europe by a factor of 10
Step 4. Identify and agree the pre-eminent national test and evaluation capabilities that support the future needs of the defence sector and request that they lead on the development of a road map for a particular expertise leading to the requisite consolidated Europe-wide capability
Step 5. Support the consolidation with the negotiation of the necessary defence accords to ensure access to the consolidated facilities and security of national data within the specialised Europe-wide capabilities created by implementing step 4
Step 6. Re-direct the funding from consolidated facilities into the R&D essential to a modern, competitive European-wide defence sector that can truly compete with the USA

©MORTAR and PESTLE: Blending the Perfect Opportunity Pursuit Strategy

It is a well-established truism, particularly in the Public Sector world of competitive tendering, that there are only two types of winner in any competition: the company or consortium that actually wins and the teams of bidders who withdraw before sacrificing too much profit! As companies look for higher win probabilities in the tenders they choose to pursue more and more emphasis is being placed on successfully identifying, assessing and planning the opportunities to invest time, money and energy in.

There are many different and well-used opportunity assessment tools and methodologies but nearly all require a thorough understanding of: your market position, the strength of the competition and the potential of alliances. A detailed example can be found at:

http://www.rti.org/pubs/mr-0003-0802-liao.pdf

The MORTAR and PESTLE approach looks to bring together many of the key aspects of these different methodologies into a simple and memorable form.

PESTLE is the most commonly used assessment framework that looks at the external environment influencing the opportunity. For those unfamiliar with the model PESTLE looks at the:

  • Political
  • Economic
  • Socio-cultural
  • Technological
  • Legal and
  • Environmental

factors at play in the chosen market that will have a direct bearing on the opportunity under assessment and the delivery environment should the competition be won. An excellent summary of PESTLE analysis is presented in Exploring Corporate Strategy 7th Edition pp 65-8 by Johnson, Scholes and Whittington published by Prentice Hall in 2006.

©MORTAR[1], for those with any of: a scientific training, a classical education or a penchant for making their own spice mixes, is the natural partner to PESTLE. In the context of competitive strategy MORTAR is all about the internal factors that can affect the practicality and value of pursuing a particular opportunity. The key questions within the framework are described below.

Market:

Assess the company’s position in the market where the opportunity lies, what is the company’s market share, strength, standing, and reputation?

What are the explicit and implicit customer needs and wants as expressed by the company’s business development discussions, the contract announcements and the actual tender documents?

Who are the competitors, what are their strengths, weaknesses and standing within the market, how does the customer view them?

Organisation:

How will the company approach delivery, does it have acceptable or value-adding methodologies that will stimulate customer support?

If the competition was won how would the product or service be achieved and what can be the growth pattern?

Can the company make money; is the competition worth winning from the perspective of top and bottom line profitability?

Where does the opportunity sit within the company strategy for products and markets (the Ansoff Matrix) or is it a must win contract to protect market position, company relationships or customer confidence?

Requirement:

What are the explicit and implicit requirements (as opposed to wants and needs) identified by the customer?

What are the required levels of delivery performance and quality standards?

Are there any explicit performance metrics that must be addressed?

Has the business development or tender clarification process exposed any hidden requirements that can give the company an edge?

Can the company offer any “Big Improvements For Free”, i.e., opportunities and approaches that can discriminate or differentiate the company’s offer from the competition?

Track record:

Can the company show successful previous delivery and, if so, will their customer recommend or endorse the company’s efforts?

What is the current level of delivery performance on contracts of a similar nature and are the measures sufficiently robust to provide one or more case studies?

Can the company demonstrate in the tender process methodologies, flowcharts and metrics that prove that the work can be done and delivered effectively with efficiency and value?

Alliances:

Is the chance of success greater if the company establishes an alliance, JV or SPV with a potential competitor or a player from an adjacent or similar market segment?

If the possibility of an alliance increases win probability is the company confident enough in its existing relationships or prepared to invest time and money in developing new relationships to create a profitable operational alliance?

Can the company broaden its coverage and increase its competitiveness by entering into an arrangement with one or more organisations and would the customer condone or resist such a move?

How will the business model improve and profitability increase by using an alliance strategy rather than a go-it-alone approach?

Relationships:

Does the company already have a relationship with the customer base and if so how good is that relationship?

Does the company have or can it establish contacts with all the appropriate levels within the customer’s organisation?

Can the company map the customers, stakeholders, buyers and gatekeepers i.e. just how much does the company understand the customer for the opportunity?

Does the company have sufficient insight into the customer’s wider community of advisors, influencers, political connections and community relations? Any or all of these will influence the outcome of the competition.

While the MORTAR and PESTLE may not provide the comprehensive coverage sought by some organisations, it does provide an accessible, memorable and readily used framework that should help businesses make the right choices when considering the pursuit of competitive tenders.

Happy Blending,  Alan Morpeth August 2015

[1] Based on an original idea by Alan Morpeth in Winter 2010

Manage people personally, not by policy

Over the past 15 years I have been engaged by a number of commercial organisations, local and central government and SMEs and a recurring theme that seems to run through every sector is the way some managers prefer not to face up to the tricky side of management: correcting the unacceptable behaviour of their staff. This has been compounded by the loss of the traditional functions of HR departments to automated workflow systems, providing a temptation to justify their existence by introducing nit-picking rules and policies. It is a seductive mixture but in the interest of maintaining staff morale in difficult times it would be well to resist that temptation. There are a number of ways in which individual infractions, which would be most effectively dealt with face-to-face by managers and supervisors, end up as one-size-fits-all policies that antagonise the best and are ignored by the rest. If organisations can rethink their morale-shattering policies and remove or alter those that are unnecessary or demoralizing, everyone will have a more productive time at work even if it is at the cost of managers having to manage.

Alan tells me that this is one of my “grumpy old man” blogs (thanks, Alan …) but if you have the stamina come along on the ride.

Websites. There are certain websites that no one should be visiting at work but once you block the porn-sites and the other obvious stuff, it is a difficult process deciding where to draw the line and many companies draw it arbitrarily in the wrong place. People should be able to kill time on the Internet during breaks. Does anybody object to them reading a book or newspaper? When companies unnecessarily restrict people’s Internet activity, it does more than demoralize those that cannot check Facebook; it can limit people’s ability to do their job. Many companies restrict Internet activity so severely that it makes it difficult for people to do on-line research. When I am bidding for a contract, for example, I might expect the client to check my Facebook profile to get a better feel for the kind of person I am. And some people need specialised access that is cut off by over-zealous Internet rule-makers. When my friend Jenny worked as the unit administrator of a sexually-transmitted diseases clinic in London she was banned from accessing, and came close to being disciplined for trying to access, websites containing reference material for her job because these sites “contained sexually-oriented material”. Really!? Reference works on STDs contain sexually-oriented material! Gosh … So public service can be as bad as, or even worse than, business.

Timekeeping. Generally you pay your employees for the work they do, not for the specific hours they sit at their desks (unless you are running Dombey & Sons). When companies penalise salaried employees for showing up five minutes late, even though they routinely stay late and work at home over the weekend, they send the message that policies take precedence over performance. If you cannot trust your staff to deliver then you should not be employing them; if you can trust them then why risk losing their “go-the-extra-mile” willingness by introducing nit-picking rules? Of course there are occasions when you might need employees to be in a certain place at a certain time: if you are running a shift system in a call centre, for example, or for an important meeting. But when companies are unnecessarily strict in requiring documentation for bereavement and medical leave, it leaves a sour taste in the mouths of employees who deserve better. After all, if you have employees who will fake a family death to miss a day’s work, what does that say about your company?

Email. Some companies are getting so restrictive with email use that employees must select from a list of pre-approved topics before the email software will allow them to send a message. Again, it is about trust. If you do not trust your people to use e-mail properly, why did you hire them in the first place? In trying to rein in the bad guys, you make everyone miserable every time they send an email. And guess what? The bad guys are the ones who will find ways to get around any system you put in place. There are legal banana skins to sending emails, particularly in a world where there are those who spend their time relentlessly tracking down every opportunity to be offended, so you do need safeguards, such as filters to trap unacceptable terms, but they should be unobtrusive and preferably invisible.

Toilet breaks. I still find it difficult to believe that there are organisations that restrict their staff’s toilet breaks.  What is that all about? When you limit basic personal freedoms by counting their  trips to the toilet you can expect your staff to start counting their days at the company. If you are going to limit people’s trips to the toilet you might as well come out and tell them that you would prefer to employ robots that have no inconvenient bodily functions to cater for. The day you have to bring in a doctor’s note to prove that you warrant additional trips to the loo is the day you realise that you do not want to be here.

Airmiles. Do you do a lot of flying on business trips? Work travel is a major sacrifice of time, energy, and sanity, puts a strain on the person and a strain on the family. One little perk that travel-weary employees earn is their frequent flier mileage. So how about employers who do not let their staff keep their miles for personal use? It is greedy and small-minded (and often a visible sign of a business in financial tail-spin) and staff become more resentful with every flight. Taking employees’ miles sends the message that you do not appreciate their sacrifice and that you will hold on to every last penny at their expense. It says to creditors that it might be time to start calling in their loans.

Political Correctness. Political Correctness is a much disputed topic. Maintaining high standards for how people treat each other in a world that is full of hostility and prejudice is a good thing. As long as employers know where to draw the line. Going on a witch-hunt because someone says “Bless you” to another employee who sneezed (real example) creates an environment of paranoia and stifled self-expression, without improving how people treat each other and can even be counter-productive by building resentment against “favoured” groups.

Performance measures. Some organisations use statistical measures of performance. I read statistics at university and love the old “bell curves”. However, while some individual talents follow a natural bell-shaped curve, job performance does not. When you force employees to fit into a pre-determined ranking system, you do three things: 1) incorrectly evaluate people’s performance, 2) make everyone feel like a number, and 3) create insecurity and dissatisfaction when performing employees fear that they will be fired due to the forced system. Performance management should be a major part of the work of managers and supervisors, not a spreadsheet calculation.

Mobile phones. If I ban mobile phones in the office, no one will waste time texting and talking to family and friends, right? As the Duke of Wellington said: “if you believe that you will believe anything …” Organizations need to do the difficult work of hiring people who are trustworthy and who will not take advantage of things. They also need to train managers to deal effectively with employees who underperform or violate expectations (such as spending too much time on their phones). This is hard work, but what are you paying your managers for? The easy, knee-jerk alternative is to ban phones. It will stop people making or taking calls; it will also demoralize good employees who need to check their phones periodically for pressing family or health issues or at an appropriate break from work.

Personal possessions. Many organizations control what people can have at their desks. A life-size poster of a shirtless soccer star? OK, maybe that could be a problem. But some employers dictate how many photographs people can display, whether or not they can use a water bottle and how many items they are allowed to place on their desks. Sadly for them, people have personalities and are happiest and most productive when allowed to express their personality. I worked in technical support for a while and nothing was more frustrating than turning up to fix a problem with a PC and having to remove photographs of children, partners and cats, gonks, dried flowers, rubber elephants, birthday stars and a host of other detritus attached with large quantities of Blu-Tack. If we had banned these personal items we might have saved two or three minutes on each call. However, these were people, not androids, and the clues their personal items presented about the caller’s personality smoothed our way when dealing with people who just wanted to get on with their work but were being hindered by a blank screen.

Dress codes. Some organisations need dress codes.  They work well in private schools, armed forces and liveried organisations but they are unnecessary at most workplaces. Hire professionals and they will dress professionally. When someone crosses the line, their manager needs to have the skill to address the issue head-on. Otherwise, you are making everyone wish they worked somewhere else because management is too inept to handle touchy subjects effectively.

I think you see the thread running through this blog: choose good staff, trust your staff, deal with shortcomings and poor performance face-to-face and do not ask HR to fashion a rod to beat all the staff with because one or two have crossed the line.