Would You Like to Play a Game?
Most people enjoy playing games, and we don’t just play conventional classics like chess, scrabble, poker, and Monopoly – we love to apply game elements to (“gamify”) other areas of our lives. Whether you’re on a supermarket trip or exercising, adding points, completion rates, friendly competition, trophies, and achievements to the process enhances your overall engagement within those activities. Gamification enhances your interest in the overall outcome and success, even if it’s just a free cup of coffee from your significant other after you’ve returned home with better than a 96% grocery list completion rate in under 90 minutes.
For these same reasons, gamification can be leveraged within every business to energize the completion of tasks that may not be incredibly engaging or exciting on their own. Here’s a list of our favorite tasks to gamify and reward top performances:
1. Annual Compliance Training
With topics ranging from privacy to information security to customer identification procedures, annual compliance training does not generate a high level of page turning appeal across the organization. Since these training exercises already pose test questions to demonstrate understanding, there are many different ways to gamify training using that foundation:
Frame the exit test as a computer game, and answering questions incorrectly leads to a point deduction, penalty, or one game life.
Create a scoring rubric covering early and timely completion, along with bonus points for high passing scores on their first attempt and associate those points to both the individual and the department.
Create a Kahoot (or similar group trivia) game with relevant questions and have employees demonstrate their ongoing knowledge live for points and prizes.
Integrate the results into all-hands calls, and suddenly every employee or department will want to be on the top of that scoreboard (or at least, not at the bottom).
While gamification can create excitement, be careful to avoid rewarding cheating and shortcuts. Remember, the goal is to ensure each employee has a basic understanding of key compliance requirements throughout the business, not to see who can click the “next” button the fastest through the module or which department created an answer key for their employees. Find ways to reward understanding, knowledge application, and completing these requirements independently within the timeframe allowed.
2. E-mail and Google Folder Cleanup
Employees keep a huge volume of emails and files in shared folders, and there usually isn’t a high level of urgency in discarding information no longer needed (or simply duplicitous). With the advances in cloud storage and computing, companies don’t feel much pressure from costs and infrastructure constraints to maintain these areas. However, some providers are considering scaling back email box limits, and Yahoo recently reduced their maximum (without add-ons) from 1TB to 20GB[1].
Regardless of the operational cost to store this information, these legacy files represent significant legal, compliance, and operational risk. It’s not advisable to have the same document saved in 17 different locations (or worse, 14 slightly different versions), and there may be policies, procedures, process flows and best practices in a shared folder of which only a few employees know the file path to access.
Importantly, data and information is discoverable by legal subpoena or other requests for information until it is erased or destroyed, even if your retention policy indicates that material should have been destroyed years earlier (don’t try to erase the data AFTER you receive said subpoena). Gamifying your business’s electronic spring cleaning can streamline operations, identify redundancies, save money and resources, and reduce legal exposure to 10-year old files.
Yahoo recently gamified email deletion for personal accounts to accelerate their data initiative and showed users nuanced differences between archiving (which still counts against your maximum capacity), trashing (which counts until your trash is permanently deleted), and permanent deletion. Each deletion rewarded you with points, pushed the monthly target meter forward, and ultimately culminated in a free spooky animated surprise after 100 deletions.
For your email deletion game, points could be awarded for making significant reductions in the employee’s storage utilization. Documents already stored in a shared file shouldn’t also take up space in email, and achievements or prizes could be awarded to employees on the basis of:
Limiting document retention through email (i.e., sharing Google Drive document links instead of a version of the actual document).
Average email received date (meaning older, legacy emails are being deleted)
Earliest oldest email received date
Volume of deleted email to email sent and received (last 30 days, last 90 days, etc.)
Most improvement on a percentage basis of email utilization
For shared drives such as Google folders, provide each department with the business’s retention policy and an excel document used to log potential files for deletion. Employees should use the log to identify whether a document is slated for deletion based on duplication, prior draft, or because it is obsolete and no longer requires retention, and have a second party confirm those observations (and delete the files in question). Departments could receive points, awards, and recognition for:
Identifying new classes of items that should be addressed in the retention policy
Correctly noting items that should be destroyed
Using enterprise-wide folders, such as for policies, procedures, testing, and all-hands presentations (and not saving their own copy of such materials).
3. Business Continuity Exercises
Well-designed business continuity exercises already feel a bit like a Dungeons & Dragons campaign; it’s easy to overlay your scenario with experience points, hit points, camaraderie and competition.
While your business might yawn at the thought of running through another linear scenario based on interest rate volatility, ransomware attacks, or supply chain breaks, it might pique your staff’s interest if your business kingdom is under imminent threat from competition and externalities that seek to wreak havoc and erase your business from existence – and that their actions may be the only difference between the institution’s triumph or untimely demise.
4. Basic Information Security Testing
While most institutions maintain robust information security and privacy systems, employees can unintentionally undermine the strength of those controls on a daily basis. Employees plug in found USB drives (which contain viruses), into their computers to find their owner, they bypass authentication measures for angry or elderly customers, and they react to or click on spoof emails, all of which can render an institution’s security controls meaningless.
It’s challenging to correct this behavior because each of these events exploits the employee’s trust, mindfulness, and desire to help someone as much as they can. It’s also difficult since most of these internal events don’t result in material costs to the employee or the business overall (other than initiating the employee’s remediation training).
Competition through gamification can provide the impetus to be mindful of our actions. No one wants to be the weakest link in the organization, and regular reviews of these areas will create awareness throughout the year. Consider creating an Information Security Olympics covering and scoring several key events for individuals and departments:
The Clean and Locked Desk => is all sensitive information locked away when the employee is away from their desk?
The Protected Desktop => is the computer locked when the employee is away; is the password written somewhere near the computer (under the keyboard, in the unlocked file drawer, or behind the monitor)?
The Foreign Object => if a random USB drive or memory card is found, is it reported to the IT team?
Spoof Email Detection and Reporting => if a spoof attempt is detected, is it reported as such to the IT team?
Authentication under Duress => do employees stick to authentication processes when the person cannot be authenticated (or when a third person is clearly heard in the background)?
5. Policy, Procedure, and Process Flow Development
While policies, procedures, and process flows are vital for organizational understanding and continuity, their creation and development are not often prioritized by businesses or their employees. Creating and updating procedures is often placed on a backlog until they become the subject of a significant issue or incident, which can expose companies to compliance, reputational, and operational risk.
Gamification can help break this huge enterprise-wise task down to individual owners, create some friendly completion, and provide mechanisms for employees and departments to be recognized for pushing these documents forward to completion.
Summary
Gamification gives organizations another option to reprioritize and refocus beyond “get this done or else” when vital business tasks are not top-of-mind or conflict with other obligations. Gamification increases engagement in these areas, especially when these tasks are otherwise not able to capture our full attention. It also provides a signal that the organization is invested in both the task and its outcome (and to prioritize accordingly). Points, achievements, trophies, and recognition have a way of making it worthwhile to participate and engage in a task when we are otherwise not fulfilled by the timely completion of those requirements.
Instead of being frustrated by low participation in compliance training, lagging issue resolution, or a lack of key procedural documents, think about ways to gamify the objective and outcome, engendering the attention those items deserve.
Follow NAQF and Geoff Kreller on LinkedIn for additional insights. For more information on how NAQF can help your organization with annual training requirements and certification, contact us at contact@naqf.org.
Article References
[1] https://thedroidguy.com/yahoo-mails-surprise-storage-slash-why-your-deleted-emails-arent-freeing-up-space-1268908
