Humans want principles, society demands rules and businesses want to manage risk, can we reconcile the differences?

The linkage between principles and rules is not clear because we have created so many words and variances in language that there is significant confusion. We are often confused about what we mean, as we are very inconsistent in how we apply words and language, often to benefit ourselves or justify our beliefs. To unpack the relationships we need to look at definitions, but we have to accept that even definitions are inconsistent. Our confirmation bias is going to fight us, as we want to believe what we already know rather than expand our thinking.

Are we imagining principles or values?  

It is worth noting that our principles are defined by our values. This is much like ethics (group beliefs) and morals (personal beliefs): in a complex adaptive system my morals affect the group’s ethics and a group’s ethics change my morals. Situational awareness and experience play a significant part in what you believe right now, and in what the group or society believes.

Values can be adaptable by context, whereas principles are fixed for a period, withstanding the test of time. Setting our principles within a framework implies that we don’t want them to change every day, week, month or year; they are good and stable for a generation, but we can adapt, revise or adjust principles based on learning. Fundamentally, principles are based on values, which do change, so there are ebbs and flows of conflict between them. This means we frame principles and often refuse to see that they are not future-proof forever. Indeed, the further a principle is away from the time it was created, the less it will have in common with values.

Are we confusing principles and rules?  

Considering characteristics, conceptually principles are abstract and universal whereas a rule is specific and particular. Principles cope with exceptions; rules need another rule. Principles provide the power of thought and decision making; rules prevent thought and discretion. Principles need knowledge and experience to deliver outcomes; rules don’t. Principles cope with risk, conflict and abstraction; conflict is not possible for a rule: it is this rule, or a rule is needed.

The word “rule” needs some more unpacking as it can take on many meanings. The history and origin of the word “Rule” is here. The choice of the word rule is designed to be ambiguous, allowing the reader to apply their own context, thereby creating more relevance to their own circumstances.

For me, you or someone:

  • Rules are written or unwritten or both

  • Rules are mine, created by me that you need to follow. They are yours, crafted by you that you need me to obey. They are shared and we believe that they create a better society

  • Rules can be the law, just a guide, the standard you need to meet or the rituals that create success. But which law: the one we should not break or the one where we follow the spirit? As a guide, to guide me from here to where? As a standard, is that absolute or is a range good enough? My rituals: did I learn them, did you teach me or somehow are they just there?

  • Rules equally give you more freedom (safety, less murder) and remove your freedom (choice). Rules give me more agency and at the same time remove it.

  • Rules define my boundaries, but are they the ones I have created for myself and continually refined as I learn, or are my rules ones that come from history, because we have always done it this way?

  • Rules: are they creating my view on values, or are the rules I have someone else’s values?

  • Rules are only there to be broken

  • Rules allow me to create something as I have done something, have experience and have learnt. Rules allow me to repeat and not make the same mistake or improve and adapt.  Rules save me time and energy - I love my heuristics

  • Rules allow me to manage, prevent and control risk

But whose rules are they?

Back to the relationship between rules and principles. In companies and for a social policy we set rules and principles into matrices as below, asking: is it better to break rules or comply, and is it better to uphold principles or challenge them? This helps us to define where social norms stop and laws are needed.

A review round the four quadrants highlights that there is no favourable sector and indeed, as a society that wants to improve, we continually travel through all of them. Companies and executives often feel that upholding principles and obeying rules (top right) creates the best culture, but also ask the organisation to be adaptive, agile and innovative.

Given that principles are based on values, the leadership team will be instrumental in how well the principles are upheld. Whereas the company’s level of documentation for processes, procedures and rules will define what is to be obeyed, the culture of the top team will determine if they are to be obeyed or not.

The matrix below thinks about the combinations of values and principles, where values are either mine as an individual or ours as a collective society.

The fundamental issue with the two representations (rules or values and principles) is that they cannot highlight the dynamic nature of the relationship between them. For example, our collective values help normalise an individual’s bias, and collective values inform and refine principles. Indeed, as principles become extreme and too restrictive, say as our collective values become too godly, our collective values opt to no longer uphold them. When our individualism leads to the falling apart of society we raise the bar to create better virtues, as it makes us more content, loved and at peace.

Movement within the “stable compromise” domain has been explored many times, but the Tytler cycle of history expands on it very well.


In summary, a rules-based approach prescribes or describes in detail a set of rules and how to behave based on known and agreed principles. A principle-based approach, by contrast, develops principles that set the limits; the controls, measures and procedures for achieving the outcome are left for each organisation to determine.

Risk frameworks help us to connect principles and rules

We have explored that a rules-based approach prescribes in detail the rules, methods, procedures, processes and tasks on how to behave and act, whereas a principle-based approach to creating outcomes crafts principles that frame boundaries, leaving the individual or organisation to determine its own interpretation.

  • In a linear system, we would agree on principles which would bound the rules.  

  • In a non-linear system, we would agree on the principles, which would bound the rules and as we learn from the rules we would refine the principles.  

  • In a complex adaptive system, we are changing principles, as our values change because of the rules, which are continually being modified to cope with the response to the rules.

This post is titled “In a digital age, how can we reconnect values, principles and rules?” and the obvious reason is that rules change values, which change principles, which means our rules need to be updated. However, this process of learning and adoption depends on understanding the connection which offers closed-loop feedback. An effective connection is our risk frameworks.

The diagram below places rules and principles at two extremes. As already explored, we move from principles to rules but rarely go back to rethink our principles, principally because of the time. Rules should refine and improve in real time; principles are generational. However, to create and refine rules we use and apply a risk framework. The risk framework identifies risk and, to help us manage it, we create rules that are capable of ensuring we get the right data and information to determine if we have control over risk. As humans, we are not experts in always forecasting the unimagined, so when we implement rules things break, and clever minds think how to bend, break or avoid them. To that end we create more rules to manage exceptions. However, occasionally we need to check that our rules are aligned to our principles, and indeed go back and check and refine our principles.

Starting from “Principles” these are anchored in ideas such as Human Dignity, Subsidiarity, Solidarity, Covenantal, Sustainability, The common good, Stewardship, Equality.  

Once we decide that one or more of these should anchor our principles, they form a north star, a direction to travel in and towards. The reason to agree on the principle(s) is that collectively we agree on a commitment to get to a better place. We state our principles as an ambition, goal or target, which allows us to understand, manage and control uncertainty using a risk framework. The risk framework frames or bounds the risk we are prepared to take. The risk framework enables us to define rules that get to our known outcomes. We implement the rules to create controls using regulation, code and standards. Our risk frameworks use tools to identify, measure, manage, monitor and report on the risk, the delta in risk and compliance with the rules. Whilst all is good we use the risk framework to create more rules and better framing and boundaries, creating better outcomes. However, when the desired outcomes are not being created we revert to the principles, check our north star and take our new knowledge to refine or redefine the risk we are prepared to take.

Data introduces new Principle problems! 

Having established this framework, the idea is to apply this to data.  We have an abundance of rules and regulations and as many opinions on what we are trying to achieve with data.  However, we don’t appear to have an agreed risk framework for data at any level, individual, company, society, national or global.  This is not a bill of rights, this is “what do we think is the north star for data and on what principle should data be?”  How do these principles help us agree on risks, and will our existing rules help or hinder us?

The question is how our principles change when the underlying fabric of what is possible changes. The world we designed for was physical; it is now digital-first. Now we are becoming aware that the fabric has changed, where next? For example, Lexis is the legal system and database. With a case in mind, you use this tool to uncover previous judgments and specific cases to determine and inform your thinking. However, this database is built on humans and physical first. Any digital judgements in this database are still predicated on the old frameworks. What is its value when the very fabric of all those judgements changes? Do we use it to slow us down and prevent adoption? Time to unpack this.

Physical-world first (framed as AD 00 to 2010)

Classic thinking (western capital civilisation philosophy) defined values and principles which have created policy, norms and rules. Today’s policy is governed by people and processes. We have history to provide visibility over time and can call on millennia of thought, thinking and wisdom. Depending on what is trending or leading as a philosophy, we create norms. In a physical and human first world, we have multiple starting positions. We can start with a market, followed by norms, followed by doctrine/architecture - creating law and regulations, OR we can start with norms, followed by doctrine/architecture, followed by market - creating law.

Without our common and accepted belief our physical world would not work. Law, money and rights are not real; they are command and control schema with shared beliefs. Our created norms are based on our experience with the belief. We cope by managing our appetite for risk.

Digital world first (framed as AD 2020 - AD MMMCCX)

People-in-companies rather than people-in-government form the new norms as companies have the capital to include how to avoid the rules and regulations.  The best companies are forming new rules to suit them. Companies have the users to mould the norms with the use of their data. Behaviour can be directed. Companies set their own rules.  Doctrine/architecture creates the market, forming norms, and the law protects those who control the market.  Policy can create rules but it has no idea how rules are implemented or governed as the companies make it complex and hide the data. There are few signs of visible “core” human values, indeed there are no shared and visible data principles.  We are heading to the unknown and unimagined.

The companies automate, the decisions become automated, the machine defines the rules and changes the risk model. We are heading to the unknown and unimagined as we have no data principles.

For example, our news and media have changed models. The editor crafted control to meet the demand of an audience who were willing to pay to have orchestrated content that they liked. As advertising became important, content mirrored advertising preferences, and editorial became the advertising and advertising the content. Digital created clicks that drove a new model: anything that drives clicks works. The fabric changed from physical to digital, and in doing so we lost the principles and rules of the physical-first world to a digital-first world that has not yet agreed on principles for data.

Data is data

This article, Data is Data, explores what data is and is my reference for defining data.

Imagine looking at this framework of “principles, rules and risk” within the industry and sectors seeking to re-define, re-imagine and create ways for people to manage the digital representations of themselves with dignity. How would, say, their data and privacy be presented?

With data (privacy, protection, use, collection) we have an abundance of rules and regulations and as many opinions on what we are trying to achieve. We appear to be missing an agreed risk framework for individuals, companies and societies (national & global).

The stated GDPR principles are set out in Article 5:

  • Lawfulness, fairness and transparency.

  • Purpose limitation.

  • Data minimisation.

  • Accuracy.

  • Storage limitation.

  • Integrity and confidentiality (security)

  • Accountability.

We know they are called “Principles” by the framing of the heading in Article 5; however, if we read them slowly, are these principles, values or rules? Consider whether these are boundaries, stewardship ideals or a bit of a mashup. For example, to get round “Purpose Limitation,” terms and conditions become as wide as possible so that any and all use is possible. Data minimisation is only possible if you know the data you want, which is rarely the case if you are a data platform. If a principle of The European Union is to ensure the free “movement / mobility” of people, goods, services and capital within the Union (the ‘four freedoms’), do data identity ideals and GDPR align?

Considering the issue of the “regulation of” Big Tech: in general, should they exist, as no one entity should have that much power and control over people’s data and ability to transact? The framings that accept them as acceptable won’t create rules that actually move towards the principle of ending the current hegemony, but rather just seek to regulate it as is. If we add in open APIs and the increasing level of data mobility, portability and sharing, whose “rules or principles” should be adopted?

How do your principles change when the underlying fabric of what is possible changes? The entire privacy framework, say in the US today, is based on early 1970s reports written in the United States to address concerns over mass state databases that were proposed in the mid-to-late 1960s and the growing data broker industry that was sending people catalogues out of the blue. It doesn’t take account of the world we live in now, where “everyone” has a little computer in their pocket. Alas, IMHO, GDPR is not a lot better than rules with no truly human-based core principles.


We appear to have outdated “principles” driving rules in a digital-first world. 

Our commercial world is now dominated by companies setting “their” norms without reference to any widely agreed-upon values. The downside of big tech gaining so much power that they are actually seen by people-in-government as “equivalent to nation-states” is telling. Right now we need historians, anthropologists, ontologists, psychologists, data scientists and regular everyday people who are the users to be able to close the loop between the rules we have, the risk frameworks we manage and the principles that we should be aiming for.

Take Away

  • How are we checking the rules we have are aligned to our principles?

  • How are we checking our principles?

  • Is our risk framework able to adapt to new principles and changes to rules?

  • How do we test that the rules that define and constrain can create better outcomes?