The Need for Sanctions

In many organizations, the COBIT 5 culture, ethics and behaviour enabler is hard to put into practice.  Many believe that all you need to do is write a policy, tell people about it and watch them change.  However, it does not work that way in the real world.  People don't always embrace change and new policy.  They like their routine and often need to understand the WIIFM (what's in it for me) before they'll change.  Sometimes they need a little nudge.  That is where the COBIT good practice of sanctions comes into play.

When I use the word sanction, people generally think of negative sanctions: a penalty for non-compliance with a policy or standard.  But the word comes from the Latin sanctio, which means the act of decreeing or ordaining.  Synonyms for sanction include accredit, authorize, confirm, formalize and approve.  So there are positive sanctions as well.  Think of a sanction as a way to encourage good behaviour and to discourage bad behaviour.  There is no question that there is a direct linkage between individual behaviour and the sanction or reward systems your organization puts in place.

With some animals reward systems are easy.  Tell your dog "sit" and I will give you a bone.[1]  Not so easy with humans though.  The idea is the same, however: you are trying to harness the effects of reinforcement.  A reward or positive sanction does reinforce behaviour.  Often all someone needs is an "attaboy" or "attagirl".  Given at the right time, it is a very powerful motivator and increases the likelihood that the behaviour is repeated.  Your reward system must show all employees the value that your organization places on that behaviour.  From a negative perspective, you might have to ask: Is that a fireable offense?  From a positive perspective, you might have to ask: Is that above and beyond the call of duty?

Sanctions are a delicate matter.  As the Inuit say: "by gifts one makes slaves and by whips one makes dogs."  By going too far in either direction, you create problems.  You cannot let the reward seem gratuitous, but on the other hand you cannot punish people unfairly.  At one time, failures of systems were placed squarely on the users of the system.  When something went wrong we looked for a scapegoat, knee-capped that person, and felt everything was dealt with.  Now we generally understand that we need to look continually for problems in our processes and fix them.  Yes, there are psychopaths and sociopaths in your organization, but generally a person does not exhibit the correct behaviour for one of the following reasons:

1. Missing: The individual is missing the information, that is, nobody ever told them what the expected behaviour was.

2. Incomplete: The individual has incomplete information and so exhibits the wrong behaviour.

3. Not followed: The individual has the complete information but is not following it for some reason.  There are myriad reasons why.  One reason is that the information is nonsensical.  Another is that the person cannot physically carry out the task.  And there are many more possible reasons.

Your reward systems should easily deal with one and two above.  Dealing with three is the challenge.

Many people and organizations believe money is a good reward, and it is, up to a point.  In the book 1501 Ways to Reward Employees,[2] the author points out that this is not always the case.  I have actually seen people take home less money after a raise.  Darn tax brackets!  When thinking of rewards, ensure the reward is timely and specific.  If you catch me doing something right, tell me then; don't wait until my performance evaluation six months later.  And if you really want to reward someone, publicly recognize them for good performance.

One thing that most of us have learnt is that rewarding good behaviour is more effective than punishment when it comes to changing behaviours.  Carrot or stick approach:[3] it is your choice.  One will help you; choose wisely.

By Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 28000 FC, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 FC/LI/LA, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.


[1] Obviously this is simplistic.  My old Australian Shepherd would take the bone and do what he wanted anyway.  But that was my problem, not his, as I didn't make him properly understand the rules of the game.  Some managers have this same dilemma.

[2] Nelson, Bob.  2012.  1501 Ways to Reward Employees.  New York, NY: Workman Publishing Company.

[3] Originally this expression was "carrot and stick" and referred to a donkey-cart driver.  The driver offered a combination of rewards (the carrot in front of the donkey) and punishment (the whip to the donkey's posterior) to induce behaviour.  The donkey would walk towards the carrot while walking away from the stick.

Category: COBIT
