Careful which rules you bend in the new work-from-home world

Suddenly every office worker in the world is doing their job from a spare bedroom or kitchen counter. Universities are having to rework processes on the fly, and some venerable rules are falling away in order for critical business to continue. As your institution figures things out along with the rest of us, the urgency can lead to needed change – but be careful your pruning isn’t sending the wrong signal.

Early to go will be hand-signed approvals for everything from expense claims to purchase requisitions to gift agreements. Universities that have been slow to embrace digital and cloud solutions are having to accept scanned and emailed copies in place of originals. They’d be in a less risky place today had they accepted secure digital electronic signing earlier. Presumably universities will not revert to paper processes when this is over. Probably a good thing.

Pressure to streamline has its downsides, though.

Mass dislocation of workers means a lot of personal and sensitive data will end up stored on personal computers, laptops, and mobile devices. Consumer-grade personal devices have long been present in the business enterprise, leading to heightened risk of data breaches. The work-from-home tsunami has accelerated the risk, as hardware gaps are addressed with even more personal devices.

Now is the time to insist on adherence to policies for protecting personal and confidential information, not cut corners.

Everyone is trying to adapt and do their work. I get it. We moved a staff of 73 with little or no history of remote work (aside from fundraisers) into their homes over the course of three days. Logging into a VPN and a central file store can seem like a nuisance. So much easier to drop the file on the C: drive.

But the more data sitting outside your institution’s system of record – whether on people’s hard drives or as email attachments – the greater the chance that a lost device or a successful phish will lead to a data breach. Breaches can have negative consequences for alumni, supporters and others. They also damage the university’s reputation.

A few days ago there was a story in Slate headlined “America Is a Sham.” The subhead asserted, “Policy changes in reaction to the coronavirus reveal how absurd so many of our rules are to begin with.” The argument: the fact that the US Transportation Security Administration has waived the 3.4-ounce limit for liquids and gels for hand sanitizer only is proof that the rules are arbitrary, nothing but security theatre. (1)

True or not, I don’t know. Either way, you send a signal to users when you let things slide for the sake of convenience. Choose wisely.

Note

  1. “America Is a Sham,” Slate.com, 14 March 2020

Effective data governance requires a leadership mindset

The path to establishing effective institutional data governance might never be smooth, but some paths are smoother than others.

Success is more likely when people know their prime object is to advance the mission of the institution. Leaders recognize that data governance is the policy framework that establishes that key administrative data, regardless of where it is created or where it resides, is an asset of the institution, to be used to guide strategy and decision-making.

Success is less likely when people are primarily advocates for their area of custodianship or for a set of professional principles. Issues of confidentiality, security, data management, and protection of personal information are important, but do not define the core value proposition of data governance.

Advocates see policy through a lens that takes on the colour of their subject-matter expertise. Leaders appreciate the importance of these considerations, but strive to place those important pieces in proper relation to the value proposition.

The beauty is that advocacy vs. leadership isn’t about rank. You get to choose which role to play, and when. When you advise, you might do best to be an advocate. When you get to frame policy, you need to be a leader.

Data governance requires both mindsets, but ultimately leadership must prevail.

Collaboration rules

Operations groups like to make rules. It’s our superpower. I guess this comes from our awareness of how laws, regulations, and university policy apply to the business. We have to develop internal guidelines to clarify grey areas and ensure compliance, so rules are a tool we’re familiar with. And maybe we reach for that tool too often.

Rules are necessary to prevent serious risk: to the security of personal information, to institutional reputation, to charitable status. (Other useful “rules” are actually standards; think of counting guidelines, which don’t target behaviour but ensure consistency, transparency, and credibility for fundraising reporting.)

Rules are less useful when the risks are operational – those times when doing something out of the ordinary puts us at risk of being inefficient. This new thing creates manual work, or it means some data that could be useful to the business is not created or used, or it causes some disorder or uncertainty by straying outside of established process.

Efficiency is a worthwhile goal only when you’re doing the right things. If a new thing is the right thing to do, there should be allowance for short-term inefficiency and uncertainty. The size of the opportunity determines how much disruption is okay.

When an opportunity arises and a decision must be made, the best approach is to collaborate and consider the unique circumstances. (Barring legal, reputational or other serious risk.) Operations should advise on internal risk and be given due consideration. If there are short-term risks that don’t cancel out the benefits, and there’s a path to return to equilibrium, then it makes sense to mitigate the risk and press on.

This works when Operations is integrated with the front line, is fully aware of organizational goals, and is considered a credible partner. If Operations is just a back-office service desk disconnected from strategy, then you can create all the rules you like. Good luck with that.

To mess with a quote borrowed from Émile Durkheim: When there is a culture of collaboration, rules are unnecessary; when the culture is lacking, rules are unenforceable.