Policies, Procedures, and Governance of an Organization
by John Bandler
Organizations should be managed effectively and efficiently, and to do so they need to be aware of legal requirements, and create internal rules that align. These internal rules could include policies and procedures, and could extend to many areas including management of information assets, cybersecurity, and privacy. This short article focuses on information management, but these sound principles extend beyond information governance to all areas of organization management.
Governance is the process of how organizations manage themselves. No two organizations are the same, with variations in mission, size, decision making and implementation, history, people, culture, and more. Needless to say, there is wide variety in how organizations document their rules, and in how they follow them. Every organization can improve, and good policies and procedures are helpful to guide organization and individual conduct.
The three platforms to connect
My Three Platforms to Connect concept guides how governance documents fit in with laws, regulations, and the practice of the organization. The three areas to consider are:
- Laws and regulations (external rules)
- Policies, procedures, and other internal rules
- Practice, action, what is actually done.
These three platforms should align; organizations should reduce the gaps between them and "watch the gap". Here, our focus is the middle platform and the written internal rules, such as policies and procedures.
(Then I introduce my Fourth Platform, which is organization mission).
Internal rules: What they are and document types
Consider what an internal rule might be. It could be a verbal rule or other type of informal requirement, including organizational cultural norms. Often, rules should be in writing, and we will focus on written rules, especially three main governance document types.
First, consider the policy. A policy is a high level rule, approved by the highest levels of management. A policy is general (not detailed) and does not require frequent change. Details are reserved for other internal rules, or to the employee’s sound judgment.
Next might be a standard. It has more detail than a policy, might be approved at a lower level, and require more frequent updates.
Now comes the procedure, at the other end of the spectrum from the policy. A procedure provides detailed instructions (like a checklist) on how to perform a task. Because it has so much detail it may require more frequent updates as circumstances and tools change, and approval would be at a lower level than a policy.
Guidelines are documents that are not technically rules, but offer guidance for employees who can then use their discretion. There are many other types of governance documents, including articles of incorporation, partnership agreements, bylaws, charters, plans, handbooks, manuals, and more.
Organizations need to find the right balance with their documents. They need the right number of discrete documents, each of the proper length, to maximize efficiency. Too few or too short, and employees don't know what to do. Too many or too long, and employees can't find them or read them, and the organization wastes time maintaining them, or fails to maintain them.
Why most organizations need written internal rules
Good management principles often suggest that organizations need written governance documents. These written rules also play an important role in managing legal, regulatory, and cybersecurity risks. Sometimes laws or regulations (“external rules”) may require that they exist.
Sometimes informal, verbal, and unwritten rules work just fine. In very small organizations, owners, managers, and employees can agree on what needs to be done and how, and any mistakes or issues can be identified and corrected informally.
At times, these so-called “unwritten policies” can be problematic. In some cases, such rules are not worth the paper they are [not] written on. Verbal rules can be subject to misunderstanding, differing recollections, and confusion. These issues are exacerbated if circumstances put an organization’s internal rules into the spotlight, such as if there is a lawsuit or government inspection or investigation.
A cost-benefit analysis always needs to be performed to decide how to invest resources for the creation and maintenance of internal rules. Very small organizations and start-ups would argue that they do not need extensive documentation. Certainly, as organizations get larger and otherwise mature, the need for documentation increases. And all organizations should review applicable legal requirements, threats, and existing rules.
External rules, requirements, and resulting legal risks
Organizations should evaluate all applicable legal requirements, what I call “external rules”. External rules come from laws, regulations, contracts, principles of negligence, and more. External rules impose consequences if the organization does not comply, and that requires evaluating legal risks and how to manage them.
Legal risks from external rules extend to information governance, including cybersecurity and privacy. Managing these risks may start with the creation of written, internal rules. Further, these written rules are an essential governance step towards protecting the organization.
Protecting the organization's systems and data is the primary goal, and that aligns with the purpose of cybersecurity related laws and regulations. Thus, protection comes first, and a secondary goal is demonstrating legal compliance.
External rules can be sufficiently complicated that employees cannot hope to master and apply them to their daily conduct. Thus, organizations need to create helpful internal rules which align to these external rules, and help employees accomplish their mission.
Here are a few examples of external rules that relate to the management of information assets:
- Traditional legal requirements such as negligence and contract
- Data breach reporting laws and regulations
- Reasonable cybersecurity laws and regulations
- Privacy laws and regulations
Some examples of these include:
- New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), GBL 899-aa and GBL 899-bb, imposing cybersecurity and data breach notification requirements on most organizations
- Federal Trade Commission (FTC) enforcement of unfair or deceptive trade practices, which extends to privacy and cybersecurity
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Financial sector rules, including New York’s Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (“Rule 500”) and federal regulations as outlined through the Federal Financial Institutions Examination Council (FFIEC)
- Health (medical) sector rules, including the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH).
Internal rules must align with external rules
Internal rules need to align to external rules, and actual practice needs to align with both. Thus, there are three important areas for organizations to consider:
- External rules and requirements based upon applicable laws and regulations, contracts, and other legal requirements
- Internal rules created by the organization and put into writing, such as policies, standards, and procedures, and
- Practice: What the organization and their employees do.
Imagine three platforms, and think of the need to reduce — and watch — the gaps between them. The first platform is external rules, essentially built by the government. The other platforms need to be built by the organization, by creating a set of internal rules and ensuring the organization follows them.
Ideally, these three platforms interconnect seamlessly. In practice, organizations need to “mind the gap” in two critical places:
- If internal rules do not comply with (or conflict with) external rules
- If organization practice does not comply with written internal rules.
The diagram illustrates these three platforms and the gaps between them.
Creating internal rules that comply with external legal requirements can be difficult, especially where laws and regulations overlap or are confusing. The focus should remain on compliance with both the spirit and letter of the external rules. Knowingly ignoring or violating external laws or regulations puts the entire organization at risk. These internal rules need to be drafted for their audiences, and organization practice should align with these internal rules.
The need for cybersecurity and privacy documents
- Cybercrime is a serious threat to every organization and its customers, clients, and employees. Protecting against cybercrime requires good cybersecurity, and good cybersecurity often starts with having good information security governance documentation.
- Cybersecurity is an area of increasing legal requirements.
- Incident response planning and data breach notification rules indicate that documentation needs to be in place prior to an incident.
- A proper process of developing and creating these policy documents helps organizations grow, become more efficient, and protect themselves and their customers.
Organizations especially need cybersecurity and privacy documents if they are:
- Regulated (financial, health, etc.)
- Located within New York State, or another state with “reasonable cybersecurity” requirements (or doing business with customers in those states)
- Collecting information about customers, clients, patients, donors, or employees
- Making any claim about their level of cybersecurity
- Considering applying for cyber insurance
- Desiring to protect themselves from cyberthreats.
Information governance is but one important area for organizations to consider. Needs for policy documents will extend beyond this, and important areas may include:
- Anti-fraud and anti-money laundering practices (in certain sectors)
- Human resource issues including hiring, firing, workplace conduct, anti-discrimination, and more
- For-profit organizations often need a host of documentation for many compliance, investment, and reporting reasons
- Non-profit organizations have reporting requirements as well, including in their annual filings with the IRS and state government. Many probably should have policies on whistleblowers, document retention, conflicts of interest, and more. It is good governance, and allows their annual filings to contain a truthful “yes” in response to the question about whether these policies exist.
Introducing the handy ENTER acronym
Organizations should do these things, using the helpful and memorable ENTER acronym:
Evaluate:
- external rules and how they apply to the organization
- how to best comply with external rules
- how to protect the organization from legal risks and cybercrime threats
- how to prioritize compliance requirements
- the priority for the creation and maintenance of governance documents
- business needs
- external guidance
Newly create or update governance documents that:
- comply with external rules
- are clear, consistent, understandable, and helpful
Train all members of the organization (from the newest hire to the CEO) on the governance documents.
Ensure practice follows policy (compliance with internal rules)
Review and update policies and practices periodically, and evaluate the need for new policies.
Finally, organizations should banish these thoughts or statements:
- “Maybe we can consciously ignore this external rule, because we might not get caught, and even if we do get caught, the penalties might be mild.”
- “We need to get a policy in place quickly so we have it and can show [insert name]. But we don’t really need to follow it.”
- "We have good policies on paper, but we don't really follow them."
Good management of an organization requires appropriate documentation that aligns external rules with organization practice and promotes efficiency and compliance.
This short article is for your information and learning, and of course is not tailored to your circumstances, nor is it legal or consulting advice. It also contains my opinion and perspective.
If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me.
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Privacy, You, Your Organization, and the New NIST Privacy Framework
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Cybersecurity Laws and Regulations Part 2 (listing and brief summary of some laws and regulations)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
- Bandler's Three Platforms to Connect
- Policies and procedures
- The Three Priority Cybercrime Threats
- Cybercrime Frauds Involving Email and Funds Transfers (Email based funds transfer frauds, like business email compromise (BEC) and CEO fraud)
- Data Breaches
This article is hosted at https://johnbandler.com/policies-procedures-and-governance-of-an-organization, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at https://johnbandler.medium.com/policies-procedures-and-governance-of-an-organization-96ce8728a580 (though not kept as up to date).
Originally posted 3/17/2020, updated 6/28/2022.