Friday, March 5, 2010

Governance Part 3: Policies

In Part 2, we discussed the Missions, Visions, and Charters, which define a task, lay out an overall strategy for accomplishing that task, and authorize someone to do it. Today, we’ll discuss how policies tell everyone to execute the charter to accomplish the mission that realizes the vision. (If I can make this into a spoof of The Court of King Caractacus, why not?).

Humor aside, a policy is a high level statement from senior management to the enterprise describing how it expects everyone to conduct business. Consider this example:
“We minimize risk of inefficiency and data theft by possessing only the data we need. Data owners keep records for as long as we need them for our business purposes or to satisfy regulatory requirements, then destroy them. Business Unit owners determine retention times for business purposes. The Compliance Officer determines which regulatory requirements are applicable. The Information Security Officer ensures data is destroyed in a timely fashion.” That is a policy. The elements of the policy are:

  1. Defines a specific strategy for doing something, in this case managing risk by not keeping data around once it’s not needed.
  2. Defines the roles required for carrying out the policy. Here, the roles are Data Owner, Business Owner, Compliance Officer, and Information Security Officer.
  3. Identifies the responsibilities of each role.

I’m sure you’ve seen very few policies worded that simply. Sometimes that’s because the policy is poorly crafted, but often it’s because management has, as part of its culture, specific ideas about what should be in a policy. There are perfectly valid reasons for this – when to have a policy is something specific to a culture. Consider the difference between the Air Force, where an officer who encounters a situation not currently covered by a policy is under standing orders to establish a policy, and the Navy, where anything not forbidden by policy is permitted. Who’s got the thicker policy manual? Whose officers spend more time reading policies and therefore less time doing other things? Note that I’m not criticizing either service’s approach – they fill different roles, so it makes sense that they’d do business differently. In the business world, consider one electronics manufacturer I know of that includes with each and every policy text describing an example of how the company lost a million dollars because the policy wasn’t there previously. That probably limits the amount of complaining about how big their policy manual is. On the other hand, a small start-up would be right out of business if the CEO spent even a tenth of their time writing policies.

Some policies contain specific enforcement clauses, words to the effect that if you don’t follow the policy you’ll get fired. Others simply point to an enforcement policy, so the threat only has to be made once. Either’s valid.

One benefit to having policies is that everyone understands the rules. There’s no saying, “I thought you wanted me to keep the data forever” at a company with the policy I describe above. “I thought that person over there was supposed to destroy the data” does not fly if you’ve been told that’s part of your job as Information Security Officer. Another is that when you start getting new data from a new business drive, no one has to waste time trying to decide what to do about data retention and destruction. All there is to do is identify the four role holders and make sure they know there’s data to handle. If your company already has a corporate compliance officer and an information security officer, then there are only two people to identify and two people to notify.

This works in our own lives as well. If we have defined the rules we live by, we don’t have to reinvent the wheel every time something new comes our way. I don’t have to stay up all night trying to decide if I’m willing to take a job for which I’d have to relocate to the middle of nowhere; I have a policy that I only want to live in places that meet certain qualifications. Of course, if someone offered me a million dollar salary, I’ll be putting on the coffee, because policies are not inflexible – one important policy is the exception policy, which defines how to go about deciding whether to make exceptions to all the other policies, and if so, how to do so while still meeting management’s expectations.

I hope this discussion of policy has been helpful, but it’s by no means complete. Next time, I’ll write about some of the common policy traps I’ve encountered, and how to avoid them. In the meantime, what sort of policy culture do you have where you work? Do you find it stifling, does it leave you with no meaningful guidance, or did they strike a good balance? What policies have you defined for your life? How do they help you achieve your mission and vision for yourself? I’d love to hear about it.