Internal Rules 
by John Bandler
"Internal rules" means any rule an organization creates for itself and its employees.
Internal rules are an important part of organization management and governance (including for cybersecurity, privacy, and management of information assets).
Internal rules are one of my Five Components for Policy Work, and within my earlier platform concepts (three and four platforms).
Many may use the term "policies and procedures" but governance documents and management direction come in many shapes and names. "Internal rules" includes all those document types and also unwritten rules and culture.
I write this primarily in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more. But these concepts apply across all areas of organization management.
Internal rules within the Three Platforms concept
And I discuss these internal rules within the framework of my Three Platforms to Connect for compliance method which visualizes how legal requirements, internal policy, and organization practice should align.
The three areas to consider for compliance analysis are:
- External rules: Laws and regulations
- Internal rules: Policies, procedures, and more
- Practice: or action -- what is actually done.
Then I introduced the Fourth Platform of Business needs, which brings organization mission and business needs into our conceptual diagram. Mission can include doing good to help individuals and society, earning revenue and business, obtaining donations or grants, surviving, thriving, and growing.
Internal rules within the five components for policy work
When we added external guidance, we get the five components for policy work, and here they are viewed from the top.
Internal rules
Internal rules can include:
- Verbal directions, unwritten rules, and organization culture
- These are critical too!
- But we need to recognize their limits and the potential for differing perception and recollection
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Guidelines (guidance, but not a rule, but we may write them down)
- Other governance documents whatever their name, to include bylaws, articles of organization, charters, plans, handbooks, manuals, etc.
Topics for internal rules can include:
- Cybersecurity
- Incident response
- Privacy
- Conflicts of interest
- Employee rights and responsibilities in the workplace
- Anti-discrimination
- Documents on how to manufacture goods or provide services.
Written internal rules
Written internal rules include policies, procedures, and other governance documents.
Quality written internal rules have these attributes:
- Align and comply with applicable laws and regulations (external rules)
- Follow helpful best practices (external guidance)
- Direct proper action
- Clearly written and practical
- Well organized
- The right length and detail (not too long, not too short)
- Practical and capable of being followed
I discuss these documents in more detail in my article on policies and procedures.
Separately, it is the organization's responsibility to:
- Build good internal rules
- Follow them
- Review and update them periodically.
Planning to create or improve internal rules
This concept of Five Components for Policy work is helpful for organizations as they plan to create or update their internal rules.
In sum, we first examine external rules, business needs, external guidance, practice, and existing internal rules. We use all of that to create or improve our internal rules.
I discuss it more in this article on internal rules planning.
Building internal rules
I have reworked the traditional policy and procedure rules "pyramid" into the "internal rules platform".
I also offer a traditional building analogy which is helpful as we build our internal rules, considering verbal rules, general policies, and more detailed documents. I lay it out in this article in building internal rules.
This article seems kind of short
Internal rules are critical for mission, action, and compliance, so why is this article so short? Well, this article is a landing page for that concept, and provides a jump-off point for all of my other articles devoted to planning and building internal rules. You will see many other articles that delve into the details of policies, procedures, and more. I even built an entire online course on the topic.
Conclusion
Internal rules are a critical for every organization to fulfill their mission, comply with legal requirements, and secure themselves.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.
Additional reading
- Policies and Procedures Book
- Policies and Procedures Book Resources
- Five Components for Policy Work
- More articles on Internal Rules
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Rules
- Internal Rules Planning
- Internal Rules Building
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
- My online course on Policies and Procedures at Udemy
This article is hosted at https://johnbandler.com/internal-rules, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at https://johnbandler.medium.com/internal-rules-c2a225baaf1 (though not kept as up to date).
Originally posted 5/15/2022, updated 6/23/2024.