Rethinking the Rules Pyramid
by John Bandler
Let's rethink the rules pyramid to conceptualize the relationship between policies and procedures. The pyramid concept has some limitations and can be improved upon, so I propose another concept, the rules platform (a rectangular shape).
We will explore what the rules pyramid is, how it applies to policies, standards, and procedures, where it is helpful and where the analogy breaks down. Then we discuss my "platform" concept and how that is helpful for building a strong set of internal rules.
Organizations need to create internal rules to properly manage themselves. This ensures the organization can properly fulfil its missions, protect itself, comply with legal requirements, and ensure long-term growth and success. This concept applies across all areas of organization management, though I write this mainly in the context of information governance -- properly managing information assets such as computer devices, data, networks, and more.
As organizations build written internal rules, it helps to conceptualize what types of rules they should have, how the rules relate to each other, what they should have in them, and who approves them.
Types of rules in the rules pyramid
These are rules that are "internal" to the organization and can include:
- Verbal directions, unwritten rules, and organization culture (recognizing the limits here and potential for differing perceptions and understandings)
- Policies (general rules)
- Standards (more detailed rules)
- Procedures (highly detailed steps to accomplish a task)
- Other documents, whatever their name, such as charters, plans, handbooks, manuals, etc.
Topics for internal rules can include cybersecurity, incident response, privacy, and any other subject you can imagine.
The rules pyramid
The rules pyramid typically shows policies at the top of the pyramid, then standards, then procedures, like this.
This is helpful to conceptualize the relative hierarchy and relationship of various rules such as policies, standards, and procedures. Policies are general, written at a "high level", and approved at a high level. Then standards have more detail, must comply with policies, and are approved at a lower level. Then procedures have even more detail, must comply with standards and policies, and can be approved at an even lower level.
Of course, there are governance documents besides these three.
Guidelines are not rules, so I don't put them inside the rules pyramid, but as a cloud outside it to provide guidance.
Manuals could be a compilation of procedures (or other documents), so I depict them this way.
The problem with this pyramid
This diagram is helpful to show policies at the top of the hierarchy, and evokes images of Egyptian pyramids, and the strength of the pyramidal structure.
The main issue I have with this pyramid concept is that pyramids (and other structures) are built from the ground up. Each new stone laid rests upon the stones below it.
But when we build organization internal rules, including when we are starting from scratch, first we create policies. Then we build standards to comply with the policies, and then procedures. Or we build and modify in ways that would make a traditional pyramid collapse, or have to defy the laws of gravity.
The pyramid concept with policies on top only goes so far.
What if we flip policies and procedures within the pyramid?
I have seen this rules pyramid flipped sometimes too.
Here, procedures are on top, and policies on the bottom. This is conceptually helpful if we think about first building a foundation with policies, then building standards, and then procedures.
Still, this analogy only goes so far. The documents are built and modified in ways that would make an actual pyramid fall, and maturing organizations might not have a full suite of documents (e.g., they might have some policies and procedures, but no standards yet).
Maybe we don't need a pyramid?
The next question is whether a pyramid is even a helpful conceptual shape to discuss policies and procedures.
I don't think it is helpful.
The pyramid shape is great for many things including building with stone and piling rocks on top of each other. The Egyptians were right and time has proven it. Their constructions have lasted thousands of years.
But today we build with more materials, including steel. We can now build in a variety of shapes to suit our need. The pyramid shape is unnecessary.
(Side note: we don't need our buildings to last thousands of years anyway, and the same goes for our policies and procedures.)
The rectangle works great!
The rectangular shape works great, especially since I am already using the rectangular "platform" concept with my other concepts of organization governance, including the Three Platforms to Connect.
So let us convert the pyramid into a platform (and show you we don't need to "lose" any material as we shape-shift).
Each bottom base corner is a nice triangle which can be cut off and placed at the top.
That leaves us with a nice platform.
The internal rules platform
I like thinking of this as a platform for two main reasons.
- First, it fits with my "Three Platforms to Connect" concept.
- Second, it allows us to incorporate another helpful analogy for the building and improving of our internal rules.
These concepts apply well for the full range of organizations, from small startup to well-established enterprise and everywhere in between.
This platform can be built by the organization to align with external rules, and to help ensure action aligns with both.
I talk about how to build these rules in this article, and provide a helpful concept for that. (In fact, I'm building an entire online course about that.)
Now let's spend a minute in the weeds of geometry. Feel free to skip over this section.
There are clearly some limitations with the diagrams I can create and show, and we need to simplify concepts for discussion and display. My focus is discussing organizational governance, and using some shapes and analogies to make a point.
We are not in geometry class, but I took some liberties, which I now correct, relating to three- and two-dimensional shapes.
In geometry, a pyramid is a three-dimensional figure (polyhedron), with a flat polygonal base and triangular sides. The rules pyramid I depict is really a two-dimensional triangle, one face of the pyramid.
While I called my "platform" a rectangle, know that a rectangle is a two-dimensional shape. Of course, I add a third dimension with my rudimentary drawing skills. And a three-dimensional rectangle is really called a "cuboid" (also a rectangular cuboid or rectangular parallelepiped, among other names). A "cube" is a cuboid with equal sides.
Conceptualizing internal rules can help us to better build and improve them, and aid with their understanding by the intended audiences.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, let me know.
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed in this article)
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Policies and Procedures
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Internal Rules
- Cybersecurity, Privacy, You, and Your Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Cybersecurity review and improvement for your organization - a checklist
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Bandler's Free Starter Cybersecurity Policy
- Bandler's Four Pillars of Cybersecurity
This article is hosted at https://johnbandler.com/rethinking-the-rules-pyramid, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at NOT YET (though not kept as up to date).
Originally posted 5/28/2022, updated 6/19/2022.