by John Bandler
We all have different perspectives on rules, and here I break down my thoughts and put them in the context of self, family, groups, government, and law. My perspective comes from experience as a lawyer, in law enforcement, plus life experience.
Some of us may be more rule-abiding, wishing others would behave similarly. Some of us may chafe at various rules, and be more rebellious or dismissive of requirements we are subject to. And there are a few who may want rules to apply to others but not themselves. Whatever our viewpoint, we can all agree that some rules (and adherence to them) are required for society, organizations, and families.
The entire field of law is about rules: rules of how people should conduct themselves, and rules about how to resolve a dispute about whether someone has violated a legal code of conduct, whether criminal or civil. I have written about laws, regulations, policies, and procedures; this article puts concepts about rules into a foundational framework.
Rules come from many places, including:
- Parents and family
- Society (including religion)
- Organizations we work for
Our first rules as individuals
We first experienced rules as children from our parents. Perhaps the first rules we remember are about not eating dessert until we are done with our main meal, and about bedtime. Hundreds of parental rules and teachings become part of our personal rules. And as we age we become subject to more rules from different places, including from schools and government and society.
Our personal rules
Based on our upbringing and experiences, we develop personal rules that guide our conduct. Sometimes this is known as one's conscience, ethics, integrity, moral compass, values, or personal honor. Consider the "Golden Rule" to do unto others only as you would wish done to you. Our personal rules are heavily influenced by external forces and are not fixed in stone.
Early societal rules
Ever since humans began living together in communities, their groups imposed rules. These rules were helpful to obtain food to eat, shelter, and protection. There might need to be a division of labor regarding who might hunt, gather, farm, cook, build, clean, or fight. Individuals needed to conform to certain rules for the greater good. Religion has played important roles in societal rules to influence behavior and establish codes of conduct.
Whatever the rules and wherever they come from, people have been breaking rules since the beginning, so societies have always needed mechanisms to deter and punish such violations. It is worth a reminder that no society is perfect and not every rule is a good rule, but here we focus on the general principles and the need for good rules.
Government rules ("external rules")
In my work as a lawyer with organizations and their cybersecurity, privacy, compliance, policies and procedures, I find it helpful to think of external rules. An external rule is imposed upon a person or organization from outside, such as from the government. Obvious examples of such external rules are laws and regulations. Criminal laws are important external rules we should comply with. Then there are myriad civil laws, including specific statutes and general legal principles for areas such as negligence and contract.
As organizations think about what their internal rules are (or should be) they must consider all applicable external rules.
Ethical, criminal, and civil rules in context
I like a good Venn diagram which demonstrates how concepts overlap and differ. Putting these rules in context, I think of criminal laws as prohibiting the most extreme types of bad conduct, civil law may prohibit many actions already disallowed by criminal law plus more, and then ethics is an even higher standard of conduct encompassing all of the above plus more.
There are a number of grey areas on how these overlap or differ but we can save that for another time. For example some acts might violate criminal law but not civil law, and one could argue some acts could be ethical even if they violate a law.
Internal rules of an organization
Internal rules are those that individuals, families, or organizations create.
In families, parents create rules about when children can have dessert, bedtime, curfew, and so on. Some parenting styles discuss these rules and the reasons for them with the child, and there may even be child involvement in the rule making process. Sometimes (rarely?) these rules are put in writing.
Organizations create internal rules to govern the organization and tell employees what they can and cannot do. These rules might be informal and cultural, provided directly and verbally, or in written form of policies, procedures, and other documentation.
Growing legal requirements (external rules such as laws and regulations) surrounding cybersecurity and privacy require a degree of written internal rules. Government sometimes takes the position that "unwritten rules" are often not worth the paper they are not printed on. Government often suggests that an early and important step towards compliance is creation and then enforcement of good internal written documentation.
Good management practices also suggest that quality written internal rules are necessary. Some areas are too complex to rely on unwritten understandings, and employees need proper guidance. The right degree of documentation helps the organization and individuals know what to do.
Policies and procedures are the common terms for such internal documentation, but a full list can include:
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Guidelines (guidance, but not a rule)
- Employee agreements (codes of conduct, NDAs, confidentiality, etc.)
Well, guidance is not a rule, it is just a guide that we can follow, adapt to our needs, or disregard. But as organizations create internal rules, they might seek external guidance to develop those rules, and they might provide their employees with guidance (suggestions but not rules).
If we find ourselves debating whether something is a "rule" or a "guide", we should consider that rules generally allow a degree of thought and decision. Rules rarely specify the exact action to be done in response to exact circumstances. Thus I believe a document can be a "rule" while also providing guidance and allowing discretion on how to follow that rule.
Fairness of the rule and fairness of enforcement
Rules can be fair, unfair, or somewhere in between, and there will usually be room for reasonable people to debate that.
The next issue is enforcement of rules, and whether that is fair or not. Rules can be interpreted and enforced fairly, with consequences tailored to the infraction and person. Or they can be enforced unfairly, arbitrarily, or capriciously. Again, reasonable people will debate this as well.
Separating the two issues of:
- What is the rule (or what should it be), and
- How should the rule be enforced and punished,
can sometimes lead to a more productive debate, whether we are discussing a company's cybersecurity policy or the criminal justice system in general.
Action (what we do)
Let's not forget an important third aspect. Government creates and enforces rules for its inhabitants, and organizations create rules for their employees. The third aspect is what people actually do -- their action or practice. Those acts might be in compliance with rules or not, and sometimes it is hard to say either way and is fodder for reasonable debate. The general goal is to get people to behave in accordance with external and internal rules.
Again, we are discussing general principles and most rules allow for a reasonable interpretation and enforcement.
Bandler's Three Platforms to Connect
My Three Platforms to Connect conceptually aligns three important areas. First are the external rules imposed on us by society and government. Then organizations create internal rules (which should align with those external rules). Finally, action (what is actually done) should be in compliance with both.
Building internal rules
Creating and updating internal organizational rules is an important task and it should be done well.
I have read many terrible internal rules throughout the years, with writing that is difficult to read and understand, and subject to debate about what it means. This means that even management is confused about what it means, and lower-level employees are even more confused.
Good internal rules are clear and readable. They align with external rules without incorporating or creating indecipherable legalese. They clearly communicate what is expected. They are the right length and level of detail.
Good internal rules also evaluate whether there is helpful external guidance. External guidance is a guide, not a rule that must be followed.
This quick discussion on rules helps put some more complex topics (laws, regulations, policies and procedures, government and society) within a common framework we are all familiar with.
This short article is not tailored to your circumstances and (of course) is not legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with laws and regulations, including regarding cybersecurity and protecting from cybercrime, let me know.
This article is hosted at https://johnbandler.com/rules, copyright John Bandler, all rights reserved.
Originally posted 4/1/2022, updated 9/28/2022.