Policies, Procedures, and Governance of an Organization
By John Bandler
This short article introduces good governance principles for organizations with a focus on internal rules and documentation. These principles apply across all areas of an organization, but especially to information governance (how organizations manage information assets) and the important areas of cybersecurity and privacy.
Governance is the process of how organizations manage themselves. No two organizations are the same, with variations in mission, size, decision making and implementation, history, people, "culture", and more. Needless to say, there is wide variety in how organizations document their rules, and how they follow them.
Internal rules: What they are and document types
Consider what an internal rule might be. It could be a verbal rule or other type of informal requirement, including organizational cultural norms. Often, rules should be in writing, and we will focus on written rules, especially three main governance document types.
First, consider the policy. A policy is a high-level rule, approved by the highest levels of management. A policy is general (not detailed) and does not require frequent change. Details are reserved for other internal rules, or for the employee's sound judgment.
Next might be a standard. It has more detail than a policy, might be approved at a lower level, and may require more frequent updates.
Now comes the procedure, at the other end of the spectrum from the policy. A procedure provides detailed instructions (like a checklist) on how to perform a task. Because it has so much detail it may require more frequent updates as circumstances and tools change, and approval would be at a lower level than a policy.
Guidelines are documents that are not technically rules, but offer guidance for employees who can then use their discretion. There are many other types of governance documents, including articles of incorporation, partnership agreements, bylaws, charters, plans, handbooks, manuals, and more.
Why most organizations need written internal rules
Good management principles often suggest that organizations need written governance documents. These written rules also play an important role in managing legal, regulatory, and cybersecurity risks. Sometimes laws or regulations ("external rules") may require that they exist.
Sometimes informal, verbal, and unwritten rules work just fine. In very small organizations, owners, managers, and employees can agree on what needs to be done and how, and any mistakes or issues can be identified and corrected informally.
At times, these so-called “unwritten policies” can be problematic. In some cases, such rules are not worth the paper they are [not] written on. Verbal rules can be subject to misunderstanding, differing recollections, and confusion. These issues are exacerbated if circumstances put an organization’s internal rules into the spotlight, such as if there is a lawsuit or government inspection or investigation.
A cost-benefit analysis always needs to be performed to decide how to invest resources for the creation and maintenance of internal rules. Very small organizations and start-ups would argue that they do not need extensive documentation. Certainly, as organizations get larger and otherwise mature, the need for documentation increases. And all organizations should review applicable legal requirements, threats, and existing rules.
External rules, requirements, and resulting legal risks
Organizations should evaluate all applicable legal requirements, what I call “external rules”. External rules come from laws, regulations, contracts, principles of negligence, and more. External rules impose consequences if the organization does not comply, and that requires evaluating legal risks and how to manage them.
Legal risks from external rules extend to information governance, including cybersecurity and privacy. Managing these risks may start with the creation of written, internal rules. Further, these written rules are an essential governance step towards protecting the organization.
Protecting the organization's systems and data is the primary goal, and that aligns with the purpose of cybersecurity-related laws and regulations. Thus, protection comes first, and a secondary goal is demonstrating legal compliance.
External rules can be sufficiently complicated that employees cannot hope to master and apply them to their daily conduct. Thus, organizations need to create helpful internal rules which align to these external rules, and help employees accomplish their mission.
Here are a few examples of external rules that relate to cybersecurity, information security, and privacy:
- New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
- Growing privacy laws and regulations including the Federal Trade Commission (FTC) rules and the California Consumer Privacy Act (CCPA)
- Cybersecurity regulations for the financial and medical sectors, including New York’s Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (“Rule 500”) and federal regulations as outlined through the Federal Financial Institutions Examination Council (FFIEC) and HIPAA and HITECH.
Internal rules must align with external rules
Internal rules need to align to external rules, and actual practice needs to align with both. Thus, there are three important areas for organizations to consider:
- External rules and requirements based upon applicable laws and regulations, contracts, and other legal requirements
- Internal rules created by the organization and put into writing, such as policies, standards, and procedures, and
- Practice: What the organization and their employees do.
Imagine three platforms, and think of the need to reduce — and watch — the gaps between them. The first platform is external rules, essentially built by the government. The other platforms need to be built by the organization, by creating a set of internal rules and ensuring the organization follows them.
Ideally, these three platforms interconnect seamlessly. In practice, organizations need to “mind the gap” in two critical places:
- If internal rules do not comply with (or conflict with) external rules
- If organization practice does not comply with written internal rules.
The diagram illustrates these three platforms and the gaps between them.
Drafting internal rules that comply with external legal requirements can be difficult where laws and regulations overlap or are confusing. The focus should remain on compliance with both the spirit and letter of the external rules. Knowingly ignoring or violating external laws or regulations puts the entire organization at risk. These internal rules need to be drafted for their audiences, and organization practice should align with these internal rules.
The need for cybersecurity and privacy documents
- Cybercrime is a serious threat to every organization and its customers, clients, and employees. Protecting against cybercrime requires good cybersecurity, and good cybersecurity often starts with having good information security governance documentation.
- Cybersecurity is an area of increasing legal requirements.
- Incident response planning and data breach notification rules indicate that documentation needs to be in place prior to an incident.
- A proper process of developing and creating these policy documents helps organizations grow, become more efficient, and protect themselves and their customers.
These documents are especially needed by organizations that are:
- Regulated (financial, health, etc.)
- Within New York State, or another state with "reasonable cybersecurity" requirements (or doing business with customers in those states)
- Collecting information about customers, clients, patients, donors, or employees
- Making any claim about their level of cybersecurity
- Considering applying for cyber insurance
- Desiring to protect themselves from cyberthreats.
Information governance is but one important area for organizations to consider. The need for policy documents extends beyond this, and other important areas may include:
- Anti-fraud and anti-money laundering practices (in certain sectors)
- Human resource issues including hiring, firing, workplace conduct, anti-discrimination, and more
- For-profit organizations often need a host of documentation for many compliance, investment, and reporting reasons
- Non-profit organizations have reporting requirements as well, including in their annual filings with the IRS and state government. Many probably should have policies on whistleblowers, document retention, conflicts of interest, and more. It is good governance, and allows their annual filings to contain a truthful “yes” in response to the question about whether these policies exist.
Introducing the handy ENTER acronym
Organizations should do these things, using the helpful and memorable ENTER acronym:
Evaluate:
- external rules and how they apply to the organization
- how to best comply with external rules
- how to protect the organization from legal risks and cybercrime threats
- how to prioritize compliance requirements
- the priority for the creation and maintenance of governance documents
Newly create or update governance documents that:
- comply with external rules
- are clear, consistent, understandable, and helpful
Train all members of the organization (from the newest hire to the CEO) on the governance documents.
Ensure practice follows policy (compliance with internal rules).
Review and update policies and practices periodically, and evaluate the need for new policies.
Finally, organizations should banish these thoughts or statements:
- “Maybe we can consciously ignore this external rule, because we might not get caught, and even if we do get caught, the penalties might be mild.”
- “We need to get a policy in place quickly so we have it and can show [insert name]. But we don’t really need to follow it.”
This short article is for your information and learning, and of course is not tailored to your circumstances, nor is it legal or consulting advice. It also contains my opinion and perspective.
Here are other articles that are helpful:
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Privacy, You, Your Organization, and the New NIST Privacy Framework
The top three priority cybersecurity threats you should think about are:
Originally posted 3/17/2020, updated 6/13/2021.
Also posted to Medium at https://johnbandler.medium.com/policies-procedures-and-governance-of-an-organization-96ce8728a580 (though not kept as up to date).