Cognitive Load and Security Fatigue: Why Simplicity is a Risk Control

When security and compliance processes become too complex, people cut corners. This post explores how cognitive load and security fatigue undermine GRC controls, and how simpler steps, smarter defaults, and better guardrails can strengthen resilience.

CYBERSECURITY & PSYCHOLOGY

Joshua Clarke

8/21/2025, 2 min read

Designing Processes People Can Follow

  • A password policy that requires 14 characters, three symbols, a number, uppercase, lowercase, and a sacrifice to the IT gods.

  • A VPN login with four different codes and a phone confirmation.

  • A compliance workflow that feels like a scavenger hunt across three systems.

Sound familiar?

Most employees are not “failing” security. They are drowning in it. The problem is not always bad intent, but cognitive overload. When processes pile up and grow too complex, people cut corners. Not because they are careless, but because human limits eventually give way.

Human Limits

Think of the last time you were running late for a flight. You were juggling luggage, boarding passes, gate changes, and that half-finished email from work. In that moment, if someone handed you a five-step instruction manual for finding the security line, you would probably ignore it.

Security and compliance tasks often land in the same way. Employees may know the rules, but under pressure, they rely on shortcuts. Cognitive load is real: the more steps, the more fatigue, the higher the chance of failure.

Reducing Steps

Good GRC design means fewer clicks, fewer screens, fewer fields to fill. If a task can be completed in three steps, do not make it five.

Take phishing simulations, for example. Organizations sometimes design elaborate reporting tools, but the most effective setups give users a single button: Report Phish. Simpler pathways mean higher adoption.

Defaults and Guardrails

Humans are more predictable than we like to admit. Most people stick with defaults. That is why seatbelts that automatically lock save more lives than seatbelts that require a conscious click.

In security, the same principle applies. If encryption is the default, users do not have to remember to turn it on. If compliance tools block unsafe uploads, people do not have to decide what is safe under stress. Guardrails and defaults reduce the need for willpower.

Measuring Fatigue

Every extra policy, control, or login screen feels reasonable on its own. But stacked together, they create fatigue. And fatigue is invisible until it shows up as failure.

How do you measure it?

  • Track skipped steps or incomplete forms.

  • Ask employees where the process feels hardest.

  • Monitor for rising help desk tickets on the same issue.

These signals are not resistance. They are fatigue indicators. And they are just as important as audit findings.
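The three signals above can be turned into simple metrics. As an added example that is not part of the original post, the script below computes a per-step abandonment rate for a five-step compliance task and flags help desk categories whose ticket volume rose sharply week over week; the event and ticket data are constructed, and the step count and growth threshold are assumptions.

```python
"""Fatigue indicators from workflow events and help desk tickets (added example)."""
from collections import Counter, defaultdict

# Constructed workflow events: (user, highest_step_reached) for a task
# assumed to have 5 steps. A user whose last step is below 5 abandoned there.
WORKFLOW_EVENTS = [
    ("u1", 5), ("u2", 5), ("u3", 3), ("u4", 3), ("u5", 3),
    ("u6", 4), ("u7", 5), ("u8", 3), ("u9", 2), ("u10", 5),
]

# Constructed help desk tickets: (iso_week, issue_category).
TICKETS = [
    (33, "vpn-mfa"), (33, "vpn-mfa"), (33, "password-reset"),
    (34, "vpn-mfa"), (34, "vpn-mfa"), (34, "vpn-mfa"), (34, "vpn-mfa"),
    (34, "password-reset"),
]


def step_dropoff(events, total_steps):
    """Return {step: share of users who stopped at that step} (skipped-steps signal)."""
    last = {}
    for user, step in events:
        last[user] = max(last.get(user, 0), step)  # furthest point each user reached
    users = len(last)
    stopped = Counter(s for s in last.values() if s < total_steps)
    return {step: stopped.get(step, 0) / users for step in range(1, total_steps)}


def hardest_step(events, total_steps):
    """The step where most users give up: where the process 'feels hardest'."""
    rates = step_dropoff(events, total_steps)
    return max(rates, key=rates.get)


def rising_ticket_categories(tickets, min_growth=1.5):
    """Categories whose latest-week ticket count grew >= min_growth over the prior week."""
    by_cat = defaultdict(Counter)
    for week, cat in tickets:
        by_cat[cat][week] += 1
    weeks = sorted({w for w, _ in tickets})
    if len(weeks) < 2:
        return []  # need two weeks to talk about a trend
    prev, cur = weeks[-2], weeks[-1]
    rising = [cat for cat, counts in by_cat.items()
              if counts.get(prev, 0) and counts.get(cur, 0) / counts[prev] >= min_growth]
    return sorted(rising)


if __name__ == "__main__":
    print("hardest step:", hardest_step(WORKFLOW_EVENTS, 5))
    print("rising ticket categories:", rising_ticket_categories(TICKETS))
```

In the constructed data, step 3 is where 40% of users abandon the task and "vpn-mfa" tickets double from one week to the next; both are the fatigue indicators the post describes, surfaced as numbers rather than anecdotes.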

The Takeaway

Complexity is not strength. A system that looks strong on paper but collapses in practice is a governance weakness.

The lesson for GRC leaders is simple: design for the human brain, not just the compliance checklist. The best control is not the one with the most steps, but the one people can actually follow under pressure.