Rules and procedures are often used to legitimize scapegoats

In Resilience Engineering there are broadly two views on human error. The first, the “old view”, which in my own personal experience is still the more prevalent one in many businesses, focuses on minimizing and punishing mistakes made by individuals.

In this context, rules and procedures provide excellent tools that can be used by people in power to blame individual practitioners when things go wrong.

“They acted in violation of the rules”, they will say, and wash their hands of the entire affair without taking responsibility for their role, and that of the rest of the organization, in enabling, condoning or possibly even subtly encouraging that rule-breaking in the first place.

One extremely obvious example of this happened in 2021, following the SolarWinds hack, when the CEO blamed an intern for leaking the password solarwinds123:

Confronted by Rep. Rashida Tlaib, former SolarWinds CEO Kevin Thompson said the password issue was “a mistake that an intern made.”

“They violated our password policies and they posted that password on an internal, on their own private GitHub account,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they took that down.”

The idea that one intern’s actions alone can explain a major security breach affecting the United States federal government and many Fortune 500 companies is beyond absurd, but it does show that people will readily point to policy violations to avoid taking personal responsibility.

In the case of SolarWinds there is far too much publicity for this defense to stand, but in many other situations the victims of this kind of scapegoating will have a much harder time defending themselves.