Performance Measurement Musings

I keep returning to the COBIT 5 culture, ethics and behaviours enabler as it is so hard and where many companies fail.  Let’s focus on performance measurement this time.  You have most likely heard the expression “you get the behaviour you reward.”  Most people look at this as the basis for their reward systems.  And generally it works out well.  At first blush it seems right but what happens when you tweak it a little?  What about: “You get the behavior you reward not the behavior you want.”  Eli Goldratt, the man behind the Theory of Constraints, once said “Tell me how you measure me, and I will tell you how I will behave.”  Two sides of the same coin.

I cannot tell you how many conferences and training seminars—out of my control—have not started on time.  ISACA chapters are notorious for this.  The Chapter President always says to me: “Let’s give them another couple of minutes before we start.”  They always say something like the traffic is bad today.  (It’s bad every day and for you statisticians out there it regresses to the mean.)  If you never start your session on time, then why would I show up on time?  It sends the message that you don’t really start on time.  Worse, it makes the people who arrive before the appointed hour think that you don’t value their time as much as that of those who arrive late.  You are indirectly rewarding the people who show up late and punishing those who show up on time or early.  Behavior reinforced is behavior repeated.

It’s not just not-for-profit volunteers who exhibit this behaviour.  I cannot tell you how many organizations I have been in where meetings don’t start on time.  I did a short contract for a financial institution where nobody showed up on time for a meeting.  You never knew how late to be as it seemed random.  It was as if they wanted to be fashionably late and make an appearance and tell us how busy they are.  I honestly thought they waited in the hall watching others arrive before making their grand entrance with a flourish.  My rant may seem trivial but it is an example of what the criminologists call the broken windows theory.  Small things lead to big things.  I can tell you that the financial institution had serious organizational behaviour problems beyond people being late to meetings, but it was a symptom of a general malaise.  You get what you reward not what you want.

The ramifications of Eli’s quote are interesting as well.  I did some work for a healthcare organization and noticed some dysfunctional metrics.  One metric struck me as extremely dysfunctional.  The service desk, which they incorrectly called the help desk, had a metric that measured how fast they passed on an incident.  They were not rewarded for helping the customer or user nor punished when the incidents were passed to the wrong group or person.  Nobody measured how many times the incident was passed back and forth between the help desk and first line support, which anecdotally they told me was often.  The help desk became the best incident pushers in the history of mankind to the detriment of the organization.   But when you tell me how you will measure me, I will tell you how I will behave.  Of course, a reasonable person would push incidents any which way to maximize their performance based on that metric.

Organizations reward behaviour they don’t want in thousands of ways and feign surprise when they get more of the behaviour they don’t want.  What behaviours in your organization do you reward that you need to change?  You need to look long and hard at the bad behaviour in your organization and determine whether it is self-inflicted because you rewarded the behaviour.  If you don't like the behaviour you see, you need to change the reward system and the way you measure things.

By Peter T. Davis

Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 28000 FC, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC, is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 FC/LI/LA, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.


Goldratt, Eliyahu M. 1984. The Goal.  North River Press: Great Barrington, MA.


