“It is an equal failing to trust everybody, and to trust nobody.” ~ English Proverb
Type ‘trust’ into your search engine and you will be inundated with quotes from business leaders about the importance of trusting your people and being trusted by them. Trust is a firm favourite when it comes to company values, and it’s hard not to see it as a fundamentally ‘good thing’.
But what do we really mean by trust? Trusting someone is the willingness to expose yourself to potential harm because you believe that person has the good will and the competence not to let you down. We trust our bank to look after our money and we trust our kids not to go joyriding in the family car. But there is always a chance that we will get it wrong. So ultimately, trust is all about risk.
The Trust Paradox
As someone with insider risk in my job title, you might expect me to be wary about trusting people too much. Everyone knows that people’s relationships with their employer can go sour, and the best-intentioned employees can be pressurised by outsiders to do harm. So arguably, the more we trust, the more we are at risk. But the paradox about organisational trust is that it not only increases insider risk - it also reduces it! How can this be? It is because when you demonstrate to people that you trust them, they tend to internalise the idea of being trustworthy and they behave accordingly.
Take the example of key-cutting company Timpsons, which famously hires employees straight out of prison. The organisation has an enviable employee retention rate and very few cases of criminal recidivism. Its founder, James Timpson, vaunts the positive effects on employee behaviour of placing trust in people who have not been used to being trusted. As one Timpson employee eloquently put it, “Timpson’s done me a big favour. I’d never do anything to upset them”.
Finding the balance
There is no doubt that high trust organisations are generally nicer places to work. Companies that give their employees autonomy, look after their welfare and don’t search their bags at the end of the day are likely to see the benefits in terms of a loyal and well-motivated workforce. But it is not all roses. There is such a thing as too much trust. Unconditional trust can make your employees feel that you don’t really care how they behave, and that their transgressions will go unnoticed. Over time it can erode standards of behaviour, create a lack of accountability and allow conflicts to fester.
But most companies have some insider controls in place, even if these are just basic screening checks. So, the question is not whether to trust, but how much to trust. We have worked in organisations where the trust narrative was so strong that managers and HR were reluctant to address misconduct or security issues for fear of upsetting employees and damaging trust. The effect, of course, was to cause distress to those affected by the misconduct. Senior leaders in these organisations balked at even the most basic forms of insider risk controls, concerned how they would be interpreted by staff. When security breaches occurred – as they sometimes did – there were no controls in place to identify them promptly. A reluctance to hold people to account meant that post-incident investigations were slow and often inconclusive, with predictable effects on morale and the security culture of the organisation.
The Met: An example of distorted trust
The Metropolitan police are once more in the limelight, accused of having lost the trust of the public. One of the reasons we hear for police officers not reporting the misdemeanours of their colleagues is that officers need to ‘have each other’s back’. No-one, we are told, wants to go out on patrol with someone who betrayed a colleague by reporting them for racism or misogyny. Officers need to be able to ‘trust each other’. This distorted version of organisational trust drove the reluctance at all levels of the force, including the leadership, to take action against misconduct. By exalting the virtues of internal trust, the force succeeded in losing the trust of its female and BAME employees, and of the wider public.
Resolving the paradox
As insider risk experts, we don’t believe that ‘verify’ has to come at the expense of ‘trust’. We recommend that companies have an honest adult conversation with their employees about insider risk, setting out what it means for them as individuals, explaining why it needs to be managed, and outlining the sorts of measures that are in place to manage it. You may be surprised at how they react. We have found that most employees think it is pretty reasonable for their employer to be taking steps to protect itself and its staff. And by inviting them to take part in the insider risk conversation, companies can reinforce the very thing they are most concerned about losing – employee trust.
About the author
Dr Susanna Berry is the behavioural science lead for the insider risk consultancy in Blacksmiths Group. She previously spent a thirty year career in a range of foreign policy- and national security-related roles in UK government.