FAQ for the book and course: Policies and Procedures for Your Organization
By John Bandler
This page provides FAQ and responses regarding my book and online course on policies and procedures.
Frequently asked questions (FAQ)
This FAQ is in two parts: (1) about my resources for policy work, and (2) about doing the policy work itself.
1. FAQ about the book, course, resources
These questions focus on my resources about policy work.
The book can be purchased on Amazon.
You can buy it in either paperback, hardcover, or ebook format.
1.2 Do you have an online course at Udemy to parallel the book?
Yes I do!
See my main Udemy page on this website, check for coupon codes there and elsewhere, and look for the best deal before you buy.
1.3 Do you have a policies book resources page?
Yes I do!
It has a lot of helpful, free resources, whether you have the book or online course or not, and parallels the book and online course.
See my policies book resources page.
1.4 My policy work has nothing to do with cybersecurity. Is this book right for me?
Yes, absolutely. Most of this book is about general policy work principles, which are applicable for any topic area of policy work, and for any type of organization. It is a philosophy and methodology to help you create or improve your governance documents of any type.
There are some sections and chapters that are specific to cybersecurity, and they are clearly marked so you can pass them by.
1.5 My policy work is only about cybersecurity. Is this book right for me?
Yes, absolutely. You will read about general policy work principles (which apply to all topic areas, including cybersecurity), and then there are sections and chapters that are specific to cybersecurity.
1.6 Can you tell me why this book is about both general policy work principles and cybersecurity policy work?
Cybersecurity policy work is extremely challenging because it is a complicated subject matter and deals with technology, law, compliance, governance, organization mission, and communication. It is unique in some ways, but we still apply the same basic policy work principles to it.
Every organization, no matter their size or sector, needs to think about cybersecurity, so that is one topic area that unites us all.
Some people will obtain the book because it is about cybersecurity, others because they have a different type of policy issue for now, but eventually we all need to work on our cybersecurity management.
2. FAQ on policy work details
These are questions about doing policy work.
2.1 Policy/procedure creation priority
- What policies/procedures do I need for my organization?
- Is there a list of suggested policies (or highest priority policies) a typical company/organization should have? (e.g. not specific to an industry)
- I have a new organization, what policies/procedures do I need?
The initial (lawyerly) answer is: "It depends". This means I would need to know more about your situation to give good advice.
Practically speaking, the way to address this is to create a list of potential documents, then prioritize that list, thinking about your organization's mission and legal requirements (two of the Five Components for Policy Work).
Here are more details...
We don't want to say that every organization should spend the time and resources to create the same suite of policies and procedures. Every organization is different, with different challenges and priorities. Some organizations do reasonably well for a long time without any governance documentation at all (not saying I recommend this). Then come circumstances that require the creation of their first main governance document.
Remember that every document created needs to be created thoughtfully, and then needs to be read, followed, and maintained with annual review. So don't create them just to create them.
Think of the Five Components for Policy Work, especially Mission and External Rules, to figure out what documents you might need. To better accomplish your mission, what policies or procedures might help? Make a list. To meet legal requirements (compliance), what policies or procedures might help or be mandated? Add those to your list. Then prioritize that list and see where to start.
- Do employees make the same mistake repeatedly, in a way that interferes with accomplishing the Mission effectively? Writing down what they are supposed to do in a procedure might help them get it right.
- With my focus on cybersecurity, I think almost every organization needs a cybersecurity policy to protect itself, its clients, and its customers, and to comply with applicable rules. In some sectors it might be mandated. Privacy policies/notices might be mandated.
- Nonprofits in the U.S. that file full 990s are asked important questions by the IRS, including whether certain policies are in place. It is better to be able to answer that with a "yes".
- These are just examples, so you need to consider your mission, your legal requirements, and your day-to-day operations.
Recap: Create a list of potential documents based on mission and legal requirements, then prioritize the list based on effort required to create the document and benefits obtained for mission and compliance. Then start with what is at the top of your prioritized list.
2.2 When do I retire a policy/procedure?
Put differently: When do we get rid of a policy, procedure, or other governance document?
Answering this requires us to assess three related questions:
- Is the current policy/procedure outdated, obsolete, inaccurate?
- Do we need a policy/procedure on this subject?
- Should we update the current document or retire it?
The best long-term plan is to create only the governance documents that you need, and then keep them updated regularly. If you have a governance document that you need but that has become outdated, the solution is to update it. Gradual updates over time keep documents current and avoid the confusion that can occur if too much is changed at once.
When a governance document is updated, the update replaces the old version. So technically you have "retired" that old version, but this question focuses on when it is time to retire the governance document itself (and not simply update it).
On occasion, circumstances change, lines of business change, technology changes, and the need for certain governance documents might dissipate. Or, organizations realize they created a monster of too many different governance documents, and they need to reduce the document count and consolidate some, or retire some. Gradual updates and consolidation should be considered to help maintain continuity and reduce confusion about what is in place.
If you decide that a document should be retired (and not updated), you want to be clear about what you are retiring and when that became effective. If you track the revisions within the document (which I recommend), you can create a new version and clearly indicate the deactivation/retirement of that document within it. This can also be documented via email or memo or as appropriate according to organization practices. And remember to maintain copies in archive for compliance purposes.
Your question?
If you have a question, let me know.
Links
- Purchase the book
- Purchase the online course
- Resources on this website on policies and procedures:
  - See my resources page
This page is hosted at https://johnbandler.com/policiesbook-faq, copyright John Bandler, all rights reserved.
Originally posted 7/26/2024. Updated 8/30/2024.