Every Rule Creates a Shortcut: Why Workplace Friction Fuels Risk

This article explores how workplace friction leads employees to create risky shortcuts that bypass risk, and compliance controls. Learn why strict policies often fail in practice, how “work as imagined” differs from “work as done,” and what redesign tactics can reduce friction and strengthen security.

GRC CONCEPTS

Joshua Clarke

8/28/20252 min read

Every Rule Creates a Shortcut: How Friction Fuels Risk

Introduction

Every rule creates a shortcut. The harder the rule, the quicker people find another way.

Picture this: you are in a coffee shop, laptop open, latte cooling by your side. A colleague is waiting on a file, and the deadline is minutes away. You try to log in through the VPN, but it keeps disconnecting. The secure path is right there in front of you, but it is slow and broken.

So you take the faster way. You email it straight from your personal account. The deadline is met, your colleague is relieved, and life moves on. But in the process, a sensitive file has bypassed every security control your company worked so hard to put in place.

That is how friction breeds shortcuts. And every shortcut carries risk.

Common Friction Points

Most professionals have faced moments like this:

  • Password rules that are so strict and frequently changed that no one can remember them.

  • Approval workflows that grind projects to a halt when time is short.

  • Systems that lag or fail at the worst possible moment.

Individually, these may feel like small frustrations. Together, they create an environment where shortcuts seem not only tempting, but necessary. Once those shortcuts become normalized, reversing the behavior is extremely difficult.

Work as Imagined vs. Work as Done

Policies and procedures look clean on paper. That is work as imagined.

In reality, deadlines close in, systems break, and people are under constant pressure to deliver. That is work as done.

The gap between the imagined and the real is where shortcuts are born. When the demands of the workplace clash with rigid rules, people bend those rules to keep moving forward.

Redesign Tactics

The solution is not to punish shortcuts harder. The solution is to make the right path the easiest one.

  • Reduce unnecessary friction. If a password policy forces people to write credentials on sticky notes, the policy has failed.

  • Streamline approvals. Build workflows that enable speed while maintaining accountability.

  • Improve reliability. If the secure system crashes often, people will abandon it.

Security should not feel like an obstacle. It should feel like part of the natural flow of work. When rules are easier to follow, shortcuts lose their appeal.

Key Takeaway

Friction breeds shortcuts. The smoother the path, the less risk you carry.

Good GRC design is not just about writing rules. It is about designing systems and processes that work in the real world, not only on paper. The closer policies align with daily reality, the stronger and more resilient your security becomes.

Insights

Where governance, risk, and compliance meet human behavior.

Connect

JOIN TheGRCJOURNAL NEWSLETTER

grcjosh.sec@gmail.com

© 2025. All rights reserved.

Subscribe