Organizations that were highly satisfied with their IT policies were 3.7 times more likely to be highly satisfied with IT when compared to those organizations that did not have high satisfaction with their IT policies.
Policies, procedures, standards - they each have their specific purposes and functions within the context of corporate governance.
Unfortunately, policies and procedures are easily confused with each other, and this can lead to the perception (and often, the reality) that an organization has become too strict or rigid to perform efficiently.
Policies are a communication tool; they help your organization spread the message of what needs to be done and how it should be done.
This Blueprint helps IT professionals:
- Identify the set of IT policies your organization needs.
- Identify and assess IT’s greatest risks.
- Write effective policies.
- Communicate policy initiatives.
- Reassess the effectiveness of your IT policies.
The need for a new policy is generally initiated in response to a new regulatory compliance standard or industry framework, or because of a mandate from the business that requires some degree of guidance over a new initiative.
Approaching policy creation in this reactive manner often results in an excessive number of documents that are narrow in scope and don’t address the underlying risk.
- Policies lag behind changing business and technology demands and compliance requirements.
- Employees complain that policies restrict them from doing their job.
- Find the right balance between policy and process - understand your risk landscape to identify key policy areas. In areas where policy is not necessary, establish SOPs, best practices, and guidelines to prescribe behavior.
- Policy work can be extremely tedious - start by aligning your policies with your greatest risks.
- It’s a misconception that your most severe risks each need a specific policy - write SOPs, standards, and guidelines to fit under your policy umbrella. Revise your policies regularly so you know they still enable your critical procedures.
- Write your policies at the right level - policies need to be understandable to the parts of the organization they affect.
- Develop an avenue for policy communication and make your policies available for reference in one place at any time.
- Listen to the feedback you get from your employees and talk it out. The best way to get buy-in is to make your employees part of the policy process - use their feedback and analysis to revise your policies.