Tanner

The Value of Well-Documented Policies

Introduction to Policy

Business operations policy is essentially a formal communication method. It is specific to individual corporations and applies only to employees and partners of that firm. Policies communicate management’s expectations and method of governing to employees and partners. They establish clear guidelines for acceptable and unacceptable behavior and often explain how behavior will be monitored or evaluated. Finally, properly written and implemented policy establishes penalties for violating the established rules. Business policy does not replace governmental jurisdiction, but instead works in concert with the legal system. Policy may impose sanctions such as loss of privileges, compensation, or even employment, whereas it relies on national, state, and provincial governments to apply more serious penalties for illegal behavior, such as prosecution, civil penalties, or even jail sentences. Policy is frequently one of the first things new employees and partners are introduced to when entering or working with a company.

Policy is often divided into three categories:

  • Policy – Policy is usually higher-level or generally applicable, and addresses the question of “What should happen?”, or “What behavior is acceptable / unacceptable?”
  • Procedure – If Policy is general, Procedure is tactically oriented and is a direct extension of Policy. It answers the question of “How should things happen?” For example, if a policy states the organization must have information system backups, procedure may require backups to be kept in tape form, or perhaps in an off-site data repository.
  • Standard – Standard documents answer the question of “How much compliance with Policy and Procedure is enough compliance?” Standards are used when technical or complex issues are considered and provide guidance on judging the adequacy of a solution. One of the easiest examples to offer is computer encryption. Most policy and procedure dealing with information system protection will require “strong cryptography”. Since the technology world changes rapidly, a standard is kept that explains which types of cryptography are acceptable, and in which formats. Standards are normally used by employees specializing in the area the Standard addresses.

Reasons for Having Policy

Policy is established to encourage employees and partners to understand the desires of management and to contribute to organizational success in ways management will find productive. Below are just some of the reasons for having well-documented policies.

  • Establishing Responsibilities – One of the more important roles of written policies is to establish who is allowed to make decisions affecting the organization, and especially major decisions. This is often referred to as a responsibility matrix. A responsibility matrix identifies not only decision makers; in larger organizations it also identifies who is ultimately responsible for decisions being made by those lower in the management structure, and identifies people who may be affected by decisions and who may therefore need a voice in decision making. The fact that one individual or committee is assigned accountability over an identified business scope makes it possible for business decisions to be made quickly, and speeds business adaptation to changing conditions.
  • Defining Successful Cooperation – One might say: “If you never ask for what you want, you’ll never receive it.” Along these same lines, policy is a business organization’s way of establishing clear guidelines for basic employee and partner behavior. Not all the answers to business problems are found in policy (such as strategy and product details), but policy establishes the framework for normal business operations (employee relations, procurement practices, information security requirements, etc.).
  • Protecting Resources – Policy normally identifies which resources the organization values and how employees and partners are expected to safeguard those resources. This includes organizational assets such as computers, but also extends to protecting human resources through rules such as non-harassment and anti-discrimination rules. Data protection is one of the more important topics typically addressed. Whether the business wants to protect trade secrets, or simply ensure the privacy of the people whose information it holds, data protection can be an important part of protecting your business interests.
  • Emergency Response – Not only does policy define “normal” business operations, but it is also an important communication venue for organizing responses to non-normal business operations. Establishing expectations and an avenue for continuing to support business objectives in emergencies can be an important part of business planning. For example, online services may suffer significant financial damage if the service is not available for extended periods of time.
  • Legal Protection – Businesses finding themselves in regulated industries already know that they need clearly documented policy to pass audits. However, even companies in “regular” business environments benefit greatly from having clear policy and consistently following that policy. In many employment disputes or civil court cases, a company may benefit from showing that it has and follows relevant organizational policy.

How to Develop Good Policy

Policy is most effective when it is kept current and available to be reviewed when needed. Several important aspects of policy include the following:

  • Clear and Concise – Policy should be written clearly and understandably for all users. It is best written in outline form with outline numbering so specific requirements can be easily referenced.
  • Consistent Format – All policy should have a similar format to make it easy to read and find requirements. Scope and applicability should outline who the policy applies to. Policy owners should be identified so questions may be easily and quickly resolved.
  • Central Location – All policy should be available in a central location and should be available to all employees.
  • Revisioning – Policy must have revisioning and applicability dates. Announcements should be made when new versions are released to ensure all employees are familiar with the current policy.

Information Security Policy

Policy protecting information resources is becoming a requirement for almost every business in today’s marketplace. For most, information systems use has long since transitioned from a luxury to a necessity for successful business operations. Businesses connected to the Internet must recognize they have moved away from a world they mainly control into a world where many world players can and often do have an impact on the ability to conduct business. Information system use and protection policies based on recognized industry frameworks and best-practice standards help you to remain in control of your business and avoid unwelcome surprises.

Summary

All businesses, and especially those with over 30 employees, should consider the value that well-considered policy will bring. If you’re new to the policy world, consider starting with free online examples, or better yet an expert who can save you months of effort with framework-compliant policy templates customized to your individual needs.