Creating good policies and procedures is an art, but some core advice helps. Policies are the backbone of how a business tells its employees how to act and react, and they ensure consistency and productivity. A strong company culture, a consistent vision and values, and compliance with external regulation are all benefits of creating good policies and procedures. The best policies are:

  • Accessible and easy to find
  • Simple to read and understand – by the people who need to follow them
  • Valid, relevant, and match the business need
  • Regularly reviewed, and up to date

Each company will have its own policies to match its business needs, its environment and its employees. So there will be many instances where an employee has worked under a different policy at a previous workplace, causing confusion. For this reason, it is important to ensure that policies and procedures are easy to find and understand.

Accessible and easy to find

One of the most common issues I come across is that people say they did not follow a policy because they could not find it. We have moved beyond policies being filed on a shelf in ring binders, but people still have problems locating the policy. This also causes problems where departments and divisions decide to create their own policies, duplicating (and diverging from) existing ones.

Naming and categorisation / filing standards are the obvious starting point: policies and procedures should have names that describe what they are, and there should be a centralised location where all policies can be found. Further, it can be useful to follow SEO approaches so that documents can be found by Intranet search (remembering that Content Management Systems like SharePoint do not have search as powerful as Google).


Ensure that the purpose of the policy is explained on the first page, and include other terms that the person may be searching for. For example, an “acceptable use policy” should be explained with “this AUP states what you are allowed to use company computers and equipment for, the types of websites and activities that you should not engage in, and the rules for using your assigned business laptop and/or mobile phone handset”. This includes some of the terms that employees may be searching for, and increases the chances of users finding the policy they need.

Simple to read and understand

Another mistake people make is to be too official with their policy wording. You should consider the tone and wording of your policies so that they match the company values and vision. As with the point above about making a policy accessible and easy to find, if you use complex legalese, jargon or acronyms, people will not fully understand it.

The language should be simple, and aimed at the least informed people who will need to follow it. That means, if your business has cleaners and catering staff, a large proportion of new graduates, or an ageing workforce of craftspeople, your language and approach should match that audience. Not every consumer of a policy is a business-educated desk professional, so policies should not be written only for those with an MBA or law degree.

I find it helpful to also put in a paragraph or section on the “intent” of a policy. Policies tend to focus on “you should not do X”, but if this does not exactly match the scenario that confronts the user, they will look for a loophole. Consider wording such as: “you should not access pornographic websites, or resources that contain violence or hate speech, as these sites can also contain malware or be tracked for future dangerous activity against the company. Accessing these sites is likely to offend those around you, and may change your attitude and approach in ways that are not suitable for how you should act in the workplace.” A bit of text about the intent and motivations can go a long way to avoid misunderstanding, decrease opportunities for finding loopholes, and increase adoption.


Valid and relevant for the business

The simple reason that we don’t all use exactly the same policies in every company is that they all need to be customised to meet the needs of the business. There is no benefit in a discrete “equipment disposal policy” if the company leases all equipment and disposals are done by the external lease provider. Similarly, there should be policies that reflect any regulatory or legal obligations the company must follow. For example, if the company needs to retain all documents for 7 years and some documents for longer, then this should be stated in a company policy and not depend upon staff investigating the regulations, laws, and compliance requirements to work it out themselves.

Similarly, only create policies that are actually needed. Review with managers and department heads to find out what their concerns and needs are, review past incidents (or near misses), and review the company risk register and its mission, vision, objectives and values. Don’t waste weeks creating a policy for an edge case that happened once in 5 years and had little impact.

Regularly reviewed and updated

Policies need to state their creation date, their version, and when they are due to be reviewed. If a policy is replaced, the old version needs to be removed and made unavailable, so that nobody keeps following superseded rules.
