Chapter 2: Policies and Procedures

Policies, Procedures, Standards, and Politics

Modern organizations have developed into a complex waltz of human resources, data, equipment, facilities, processes, policies, and procedures. For most of us, our daily activities are not scripted and rely on policies and procedures to create an efficient and productive environment. Developing and implementing fixed policies often seems like a futile exercise, yet unless there is a formal architecture, employees end up spinning their wheels.

In the same sense that countries require laws governing the conduct of their citizens, organizations require policies to govern the conduct of their critical assets. Policy development and enforcement is neither an academic drill nor an exercise just to placate auditors. It is an essential component of sound business operations. If appropriate conduct were decided on a voluntary basis, it would be observed about as often as those who make a complete stop at stop signs without a police officer present. True, it does happen, but not often.

Policies are the methods by which business processes are documented and disseminated. Not all policies are going to apply to all business units. Consequently, policies may have general coverage areas, or coverage that is directed to specific business units and even specific functions. They provide employees with limits, alternatives, and governance. Formal policies allow senior managers to conduct their business without constant intervention, enabling employees to work within defined frameworks. They reduce the range of individual decisions and encourage managers to deal with items that are only outside that framework.

Policies assure equitable access to secure resources for authorized users. They make certain that safe, consistent, correct procedures are being employed to conduct the organization's work. Many policies are not optional; rather, they are mandated by legal and regulatory requirements while others are based on fear, uncertainty, and doubt (FUD).

Ask any system administrator how many times he or she has repeated the company's policy mandating that employees not open e-mail attachments. Before long, the system administrator has to deal with an employee who has done exactly the opposite.

There is another purpose for developing written policies and procedures to help guide the practice and performance of professionals who are faced with a combination of mundane tasks and crisis-related activities requiring an immediate decision. Professionals such as lawyers, accountants, auditors, scientists, physicians, and others are dependent on policies to assure their efforts are directed toward specific accepted practices. The logic behind policies for professionals assures that the work is done the same way, regardless of who is doing it, as the accepted manner of completing the task is consistent from professional to professional.

Under most circumstances, senior employees are expected to be promoted, leaving vacancies behind them. The generally accepted idea is that the employee accepting the position will be able to "hit the ground, running," because there will be written policies and procedures left by the employee vacating the position. Written policies and procedures refined by the incumbent ensure that the employee filling this position will be able to work effectively and efficiently at this job with a minimum of delay. These policies bridge the gap between two employees doing the same job at different times, locations, or even business divisions.

When followed, these policies guarantee the consistency of the work performed previously or in different locations. They form a core of institutional communication between the experienced, knowledgeable person who developed or enhanced the work plan, and the new person assuming the position. Policies address ways to handle routine situations, and can form a directory of operating procedures to be used in unique circumstances. As a learning tool, policy documents form a basis for describing new procedures or explaining the application of special circumstances to others.

Written policies and procedures form essential components of the organization's management system because they detail management instructions that are often the result of high-level discussions or legislated requirements. Statements of policy, especially as they relate to critical incident management, are the manifestation of executive direction in the organization's environment. As practical instruments of managers, written procedures bind the organization's philosophy to the actual work-related task.