Policies and procedures
(and other governance documents)
by John Bandler
Organizations create policies, procedures, and other documents so executives, managers, and employees know what to do. The documents serve important business needs and are an essential part of good management, growth and health of the organization. Policies are also necessary to ensure compliance with legal and regulatory requirements. Cybercrime prevention, cybersecurity, and privacy benefit from good policies, procedures, and other governance documentation.
In another article, I discuss the bigger picture of organization management, and how documents fit in with that, and here the focus is the documents themselves.
The three platforms to connect
My Three Platforms to Connect concept guides how governance documents fit in with laws, regulations, and the practice of the organization. The three areas to consider are:
- Laws and regulations (external rules)
- Policies, procedures, and other internal rules
- Practice, action, what is actually done.
These three platforms should align, organizations should reduce and "watch the gap". Here, our focus is the middle platform and the written internal rules, such as policies and procedures.
Then I introduce my Fourth Platform, which is organization mission, see link below.
Finally, I recognize a fifth component of external guidance, and thus we have Five Components for Policy Work (link below).
Internal rules (policies, procedures, etc.)
Internal rules are created by the organization, executives, and managers to guide internal conduct, inform customers, clients, or donors, and to demonstrate their compliance with external rules.
Of course, some internal rules are verbal, cultural, or "tone". Culture and tone is important but verbal rules can only go so far. Certain rules need to be written and that is the focus of this article.
Internal rules should be put in writing based upon size and maturity of the organization, topic, and individualized need. Organizations need to find the right balance between not enough documentation (insufficient written guidance) and too much documentation (too much for employees to read, understand, and maintain). Find the sweet spot for document quantity, length, and detail.
Internal rules need to mean something. They should never be just for "show" or to blindly create documentation - that can do more harm than good. Having a document "on paper" for "show" for "compliance purposes" is not compliance, it is merely pretending to comply. Effective governance means aligning practice and the internal rules.
Subjects of internal rules
Subjects of internal rules include:
- Incident response
- Conflicts of interest
- Employee rights and responsibilities in the workplace
- Anything else you can think of.
Organizations usually decide to create a written internal rule because they see a need or they have to. Our focus is rules that affect information assets, cybersecurity, cybercrime prevention, and privacy. Laws, regulations, and contractual requirements often dictate that organizations create and maintain internal rules on these subjects.
Every organization needs a helpful, quality cybersecurity policy. This informs and guides conduct by individuals and the organization, protects the organization from cybercrime and helps with legal compliance. To fill this need, I created Bandler's Free Cybersecurity Policy, which you can access through this website.
Types of written internal rules
Types of internal rules include:
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Guidelines (guidance, but not a rule)
Rest assured, not everyone agrees on terminology, and different people use different words to describe various governance documents. Some information security people or software may describe a "security policy" as a discrete granular rule, and some organization "policies" seem (to me) more like a standard or procedure. Some organizations put out "Policy and procedure" documents that seem to combine elements of both.
Organizations are free to chart their own course, but the goal should be efficiency and clarity, and avoid confusion and wasted time trying to figure out what a document is, what it is supposed to do, and what it means. Every document must be readable and understandable for its intended audience. That audience might be the entire organization or employees from a certain department, and should always anticipate being read by critical audiences, to include regulators, plaintiffs, and at the compliance end of the road, a judge and jury.
Businesses starting out with their internal documentation or compliance can start with policies. These set the highest level of rules, and if growth and need develops, they can flesh out other documents that fall underneath the policies, adding detail where needed.
Companies that need to guide employees and new hires to accomplish tasks, and to institutionalize knowledge, can create procedures. The employee can be given a checklist they can follow to ensure nothing is overlooked (e.g., opening or closing the store, etc.).
First, consider the policy. A policy is a high level rule, approved by the highest levels of management. A policy is general (not detailed) and does not require frequent changes. Details are reserved for other internal rules (standards, procedures, or plans), or to the employee’s sound judgment. Other more detailed rules (discussed next) can be approved at lower levels, and must conform to policies.
The policy is approved at a high level, such as a Board of Directors (or committee within it), or CEO, or other high level management. For them to approve it, they need to read it, and they should not be burdened nor dealing with unnecessary detail, nor frequent changes. Of course, their approval can also rely on advice of their subordinate managers, but the principle is to keep policies general, or at least not have details that will change frequently.
So a policy might describe general cybersecurity rules for the organization, including that:
- The organization will protect the confidentiality, integrity, and availability of all information assets.
Now that's really general, so a little more granularity will be needed, but the concept is that the policy avoids getting into too many details. At least not the type of details that will require frequent changes.
Next on the level of detail is a standard. It has more detail than a policy, might be approved at a lower level than the policy, and require more frequent updates. It falls underneath policies and must comply with them.
Not every organization needs standards documents. Again, the goal is efficiency and the right quantity and length of documentation to ensure peak efficiency.
While a policy might describe general cybersecurity guidance, the standard would have more granular details. The standard document is suited for its audience, but might be a painful read for non-specialists, such as the Board of Directors, CEO, or others not familiar with information technology or information security. The standard might use more technical language, and might describe specific security controls (safeguards) that must be implemented.
The standard needs to ensure it doesn't have too much detail, as excess detail should go into a procedure.
Now comes the procedure, with the most level of detail. A procedure provides detailed instructions (like a checklist) on how to perform a task. Because it has so much detail it may require more frequent updates as circumstances and tools change, and approval would be at a lower level than a standard or policy.
Procedures can be important so that employees know all tasks they need to accomplish, or all the steps within a particular task. This can help establish consistency and attention to detail across personnel. When the employee who knows and does the task is not available, or is sick, resigns, retires, or is terminated, the procedure allows another employee to perform the task.
Pilots follow many procedures and checklists because a missed item could result in disaster. Other procedures might tell the employee in information technology (IT) or information security (IS) the exact steps to log into an application, configure settings, or field a help desk inquiry. For the store employee closing up, it includes steps mundane and critical, such as ensuring the stoves are off, register is empty, alarm is set, door is locked, and to tug on the door to ensure before walking away.
Here I am thinking about an incident response plan, which represents the organization's preparation and planning for an incident, and tells the organization what to do if certain triggering events occur.
An incident response plan would be approved at a high level of management, would also include strategic and general requirements, and might refer to procedures.
Guidelines are documents that are not technically rules, but offer guidance for employees who can then use their discretion. This is in contrast with the prior documents which are "rules" to be followed -- not mere aspirational hopes.
Of course, people are not robots, every rule requires some discretion, and every organization and employee should exercise common sense, logic, reason, and good judgment. But the takeaway here is that a guideline is a guide, not a rule.
Other governance documents
There are many other types of governance documents, including articles of incorporation, partnership agreements, bylaws, charters, plans, handbooks, manuals, and more.
Some governance documents have great legal significance. Articles of incorporation are filed with the government, partnership agreements and joint ventures and more are contracts between individuals and entities. Bylaws might need to be filed with the government, and are the organization's top internal rule.
Charters might describe the powers of committees or sub units. Plans might describe what the organization does in certain circumstances (e.g., cybercrime incident response plans). Handbooks and manuals might be knowledgebase type guidelines to help employees do their jobs and transfer knowledge to new and future employees.
As the tool to accomplish the goals, documents can be named and shaped to suit the need, provided they align with external rules and are internally consistent.
Internal governance documents (policies, procedures, and more) are important mechanisms to help organizations properly manage a variety of areas. When created and maintained properly, they are a valuable tool for legal compliance, guide employee conduct, and ensure good management and efficiency.
This short article is for your information and learning, and of course is not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, let me know.
- Five Components for Policy Work
- Internal Rules
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all linked to in this article)
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
- Your company’s policies and the law, John Bandler (September 12, 2022), https://westfaironline.com/management/your-companys-policies-and-the-law/
This article is hosted at https://johnbandler.com/policies-and-procedures, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at NOT YET (though not kept as up to date).
This article carves out and expands upon this topic from my 2020 article: Policies, Procedures, and Governance of an Organization.
Originally posted 1/20/2022, updated 3/14/2023.