Rethinking the Rules Pyramid
by John Bandler
Let's rethink the rules pyramid ("policy pyramid") to conceptualize the relationship between policies and procedures. The pyramid concept has some limitations and can be improved upon, so I propose another concept, the rules platform (a rectangular shape).
We will explore what the rules pyramid is, how it applies to policies, standards, and procedures, where it is helpful and where the analogy breaks down. Then we discuss my "platform" concept and how that is helpful for building a strong set of internal rules.
Organizations need to create internal rules to properly manage themselves. This ensures the organization can fulfill its missions, protect itself, comply with legal requirements, and secure long-term growth and success. This concept applies across all areas of organization management, though I write this mainly in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more.
As organizations build written internal rules, it helps to conceptualize what types of rules they should have, how the rules relate to each other, what they should have in them, and who approves them.
Types of rules in the rules pyramid
These are rules that are "internal" to the organization and can include:
- Verbal directions, unwritten rules, and organization culture (recognizing the limits here and potential for differing perceptions and understandings)
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Other documents whatever their name, such as charters, plans, handbooks, manuals, etc.
Topics for internal rules can include cybersecurity, incident response, privacy, and any other subject you can imagine.
The rules pyramid
The rules pyramid typically shows policies at the top of the pyramid, then standards, then procedures, like this.
This is helpful to conceptualize the relative hierarchy and relationship of various rules such as policies, standards, and procedures. Policies are general, written at a "high level", and approved at a high level. Standards have more detail, must comply with policies, and are approved at a lower level. Procedures have even more detail, must comply with standards and policies, and can be approved at an even lower level.
Of course, there are governance documents besides these three.
Guidelines are not rules, so I don't put them inside the rules pyramid, but as a cloud outside it to provide guidance.
Manuals could be a compilation of procedures (or other documents), so I depict them that way.
The problem with this pyramid
This diagram is helpful to show policies at the top of the hierarchy, and it evokes images of Egyptian pyramids and the strength of the pyramidal structure.
The main issue I have with this pyramid concept is that pyramids (and other structures) are built from the ground up. Each new stone laid rests upon the stones below it.
But when we build an organization's internal rules, including when we are starting from scratch, we create policies first. Then we build standards to comply with the policies, and then procedures. Or we build and modify in ways that would make a traditional pyramid collapse, or that would have to defy the laws of gravity.
The pyramid concept with policies on top only goes so far.
What if we flip policies and procedures within the pyramid?
I have seen this rules pyramid flipped sometimes too.
Here, procedures are on top, and policies on the bottom. This is conceptually helpful if we think about first building a foundation with policies, then building standards, and then procedures.
Again, this analogy only goes so far. The documents are built and modified in ways that would make an actual pyramid fall, and maturing organizations might not have a full suite of documents (e.g., they might have some policies and procedures, but no standards yet).
Maybe we don't need a pyramid?
The next question is whether a pyramid is even a helpful conceptual shape to discuss policies and procedures.
I don't think it is helpful.
The pyramid shape is great for many things including building with stone and piling rocks on top of each other. The Egyptians were right and time has proven it. Their constructions have lasted thousands of years.
But today we build with more materials, including steel. We can now build in a variety of shapes to suit our need. The pyramid shape is unnecessary.
(Side note: we don't need our buildings to last thousands of years anyway, and the same goes for our policies and procedures.)
The rectangle works great!
The rectangular shape works great, especially since I am already using the rectangular "platform" concept with my other concepts of organization governance, including the Three Platforms to Connect for compliance, the Fourth Platform to Connect, and the Five Components for Policy Work.
So let us convert the pyramid into a platform (and show you we don't need to "lose" any material as we shape-shift).
Each bottom corner of the base is a neat triangle that can be cut off and placed at the top.
Leaving us with a nice platform.
The internal rules platform
I like thinking of this as a platform for two main reasons.
- First, it fits with my "Three Platforms to Connect" concept.
- Second, it allows us to incorporate other helpful analogies for the building and improving of our internal rules as I cover here.
These concepts apply well to the full range of organizations, from small startups to well-established enterprises, everywhere in between, and in any sector.
This platform can be built by the organization to align with external rules, and to help ensure action aligns with both.
I talk about how to build these rules in the articles linked to below (I also built out an entire online course about it).
Geometry minutiae
Now let's spend a minute in the weeds of geometry because I took some liberties above with the shape names. Feel free to skip over this section.
There are clearly some limitations with the diagrams I can create and show, and we need to simplify concepts for discussion and display. My focus is discussing organizational governance, and using some shapes and analogies to make a point.
A geometry teacher would correct some of my terminology above relating to three and two dimensional shapes.
In geometry, a pyramid is a three-dimensional figure (polyhedron) with a flat polygonal base and triangular sides. The rules pyramid I depict is really a two-dimensional triangle, one face of the pyramid.
While I called my "platform" a rectangle, know that a rectangle is technically a two-dimensional shape. Of course, I add a third dimension with my rudimentary drawing skills. A three-dimensional rectangle is more properly called a cuboid, rectangular cuboid, or rectangular parallelepiped, among other names. (FYI, a "cube" is a cuboid with equal sides.)
Conclusion
Conceptualizing internal rules in a helpful way can help us to better build and improve them. The rules platform is a great start and fits in with the Five Components of Policy Work. If we build good policies and other rules, they help serve the mission, protect us, and help us comply with legal requirements.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, let me know.
Additional reading
- Policies and Procedures Book (My new book!)
- Five Components for Policy Work
- External Guidance
- External Rules
- Internal Rules
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Policies and Procedures (and other governance documents)
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Internal Rules Planning
- Internal Rules Building
- Policy and Procedure References (I have researched and built out many articles on the topic and they are all listed here)
- Rethinking the Rules Pyramid (this article)
- Mission and Business Needs
- Practice and Action
- Policy Project (planning and executing)
- My online course on security documents at Infosec Institute (coming soon). Link to my author page at Infosec.
This article is hosted at https://johnbandler.com/rethinking-the-rules-pyramid, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at NOT YET (though not kept as up to date).
Originally posted 5/28/2022, updated 5/30/2024.