TrueOfficeYou can't be timelier than this: today I last minute finished two mandatory corporate compliance training sessions that I had dreaded and postponed and moved back for weeks. One was about Corporate Security, the other on my understanding of the Business Code of Conduct. Thankfully, I don't have to go through another Sexual Harassment training (BTW: shouldn't it be called "Anti-Sexual Harassment training"?) anymore.

But here is the point: all these things are necessary and make sense, and my brain says: "Mario: it is important to know about this and comply." Right! But my gut says: "How boring! Isn't there anything more fun that I can do right now?"


A few days ago I discussed how users can be empowered to acquire the proper authorizations in a business application through gamification. Instead of an official submission process with a system administrator following a number of steps and finally granting (or not granting) authorizations, I explored a multitude of ideas, like having players gain experience in their daily use of  a business solution and leveling up after certain milestones reached in their achievements.  

This approach is fine for processes that are not regulated through a company-internal policy or through legal requirements that aim at risk mitigation. Policies might state that purchases above a certain amount require the approval of a manager, or business trips need to be approved by the board.


A rather boring and time consuming exercise in an enterprise is the administrators' tasks to assign authorizations to a system user. Regardless of the system, a new user gets assigned a profile with transactions that this user is allowed to access and use. You may for example create a new account and edit it, but not delete it. Or you may edit only your own records, but not the ones of co-workers, even if they are in the same team. Or you may not override certain limits in placing an order, but you would need the OK from your VP to do so. The same VP, who's actually never really working with the system and therefore is not familiar with it, which leads to the anachronistic situation that the system user may know the VP-user and password and logs in with this user's account by himself, just for practicability purposes.

Over time, of course, you need additional authorizations, as you become more familiar with the system and will more likely encounter on a regular base exceptions which require your supervisor's approval. That's when you submit a request for getting more authorizations assigned for your user. A system administrator, who - as is the case in a large corporation - may not even know you, has to decide, if your request should be granted. The decision is rarely based on whether you are actually qualified to use the transaction, but more if you are a VP or if the comment-field in your request contains a compelling case. And that case was written by you, and is not based on verifiable data.