The Roman philosopher Seneca is famous for the dictum, “Laws do not persuade, just because they threaten.” Today, consultants express it differently as, “Culture eats strategy for breakfast.” Most companies start defining a risk-avoidance strategy by drawing up a rulebook of some sort: a compliance manual, an HR handbook, or an IT security policy guide.
By setting out these rules in black and white, along with the penalties for breaking them, there is an assumption that the avoid strategy has been successfully implemented. But there is a big difference between the rulebook and what people actually do all day—the working culture.
Consider a big fish tank with an amoeba floating around in it. This single-cell creature needs heat, food, and light.
Now, let’s imagine the heat comes from the top left, he light from the bottom