I once worked somewhere requiring a receipt for every expense over a dollar. One dollar. You'd submit a reimbursement claim for a two-dollar pen and the finance team would chase you if the receipt wasn't stapled to the form in the correct orientation.
Nobody there had committed expense fraud. Nobody ever had, as far as anyone knew. But someone, somewhere, had written the policy for an imagined worst-case employee who would steal two dollars from the company given the slightest opportunity.
This is the trap most organizations fall into without realizing it. They write policies not for the people they've hired, but for the people they're afraid they might hire. And the people they've hired? They notice.
The 5% Problem
Every organization has them. The handful of people who will abuse any system you give them. Take unlimited vacation and disappear for six weeks. Expense personal dinners. Clock out early and mark it as a full day.
These people exist. I'm not denying it.
But here's what most policy writers never stop to ask: what percentage of your workforce does this represent?
In my experience across multiple organizations, it's tiny. Five percent. Possibly less. And yet, in most companies, one hundred percent of employees operate under policies designed for the five percent.
The other ninety-five percent aren't inconvenienced. They get the message, loud and clear: "We don't trust you."
What Your Policies Are Saying Out Loud
Think about what low-trust policies cost you. Not only in administrative overhead... though the overhead is real. But in what they signal to the people doing the work.
When you require three manager approvals to order office supplies, you're not protecting the company from theft. You're telling your staff they're not trusted with a ten-dollar decision. When you track bathroom breaks, you're not optimizing productivity. You're destroying it, along with any goodwill your team had left.
Patty McCord, the person who built Netflix's famously trust-first culture, watched companies layer policy on top of policy... each one written in response to one bad actor. The cumulative effect was a workforce with no reason to think for itself. Why would they? The policy told them what to do.
Netflix tried something different. They replaced most of their policies with judgment. No set vacation days. No travel approval forms for small expenses. A 2023 study found employees with unlimited vacation policies were 43% more likely to feel a strong sense of belonging at work. The sky does not fall when you treat people as adults.
I've Been on the Receiving End
Early in my career I worked for a company requiring every external email to be approved by a senior manager before it went out. The stated reason: someone, years prior, had sent a problematic message to a client.
One person. One email. And so for years afterward, a department of forty people spent a combined... I'd estimate two hundred hours per year seeking approvals for routine correspondence. The original cost of the bad email? Whatever the damage was at the time. The ongoing cost of the policy response? Incalculable, and growing every year.
The original problem employee had long since left.
Policies Outlive the People Who Inspired Them
This is one of the strangest things about organizational policy. It accumulates.
Someone does something wrong in 2015. Someone writes a policy. The person leaves in 2016. The policy stays forever.
I've reviewed policy documents at companies where half the rules on the books existed because of situations no longer applicable, from people no longer employed there, in a business context completely changed from the original. The rulebook was a museum of past mistakes.
Meanwhile, the current workforce... high performers you've worked hard to recruit and retain... live by rules designed for people who have already been fired or left in disgust.
Every policy review I've participated in surfaces at least one rule existing because of "the Brian situation" or "what happened with Melissa back in 2019." Brian and Melissa are gone. The policy protecting against them is still there, annoying everyone who showed up since.
Return to Office: A Case Study in Worst-Case Thinking
You want a vivid modern example? Look at the return-to-office wave.
When remote work revealed some employees weren't delivering, leadership at dozens of major companies arrived at the same conclusion: bring everyone back. Not the slackers specifically. Everyone.
The people who thrived at home, delivered strong results, kept their commitments and stayed connected? They came back in too. Because of the people who did not deliver.
This is worst-case policy design in its purest form. A small number of employees used flexibility badly, so companies removed it from the employees who used it well. The message the high performers received was unambiguous: we don't trust you either. Many of them responded by finding employers who did.
The Test Worth Running
Audit your policies with one simple question: "Who is this for?"
If the answer is "the one person who abused the system four years ago," delete it. Deal with bad actors directly when they appear, not preemptively at the expense of everyone else.
Here's a test I use. Picture reading every policy in your employee handbook out loud to a strong performer you're trying to recruit away from a competitor. Watch their face. The policies making a sharp candidate look skeptical? Those are the ones built for your worst employees.
Some rules exist for good reasons: compliance, safety, legal protection. Those stay. Everything else deserves scrutiny.
Trust Is Harder Than Policy
The shift from defensive policy-writing to trust-first management isn't soft. It's harder, not easier.
It means addressing bad behavior directly rather than hiding behind rules. It means having a difficult conversation with the person abusing the system, instead of writing a policy punishing the entire team for one person's choices.
Policy-writing feels like doing something. It produces a document you point to later. It distributes the punishment across a whole workforce without requiring anyone to confront the real problem. This is not management. It's avoidance wearing a suit.
Your best people see through it immediately. They're calculating whether this is an organization respecting them as adults. The policy handbook is one of the loudest signals you give them. If it signals "we expect the worst from you," don't be surprised when they go find an employer who expects better.
A Different Starting Point
Most policy documentation starts with: "What do we need to prevent?"
Try starting with: "Who are we writing this for?"
If you're writing for the ninety-five percent of your team who show up, do good work, and handle their responsibilities without being managed every hour of the day... write accordingly. Give them freedom. Trust their judgment. Deal with the five percent as individuals when the situation arises, not as a statistical ghost haunting everyone else's daily experience.
The people worth keeping already treat the company's resources with care. The ones who won't... a policy won't stop them anyway. It'll only insult the others.
Write your rules for the people you want to keep. Then have the courage to deal with the rest directly.