Alyned Thinking

Why new thinking is needed and how we are putting our expertise to work.

5 Reasons why the Age of the Corporate Policy is coming to an end

Is the sun setting on Corporate Policies?

Every growing organisation will reach a certain point in time where someone in a leadership position wants to set a certain behaviour for the organisation and gathering everyone around the water cooler to tell them becomes impractical, too non-committal or plain illegal. In nearly every organisation I have encountered, the approach has been to open up a word processor, draft a policy, get sign-off and publish it somewhere as a PDF. I have never seen this being particularly effective, and here’s why.

1. Availability of policies

By publishing a policy, you want people to use your rules as a reference when deciding a course of action. Many policy solutions I have seen have had a significant flaw in not actually being readily available to aid people in their decision process. Oftentimes policies are only available on the intranet, while many people work offline or off-premises. Finding an applicable passage or rule in all of the policies is often difficult or simply inconvenient.

2. Policy Context

Unless you are extremely structured in writing your policies, most organisations end up with prose-heavy documents with fairly inconsistent structure across the policy set. This makes maintaining context between policies (e.g. a data privacy policy linking to the appropriate passages of the information security policy and vice versa), linking identified risks to a specific rule or understanding how legal or regulatory requirements are implemented through the organisation’s rule set prohibitively difficult.

3. Granularity of rules

As a result of design-by-committee and extensive review processes, many initially simple rules end up being lengthy, all-encompassing prose passages. This makes it more difficult for people to get quick, clear guidance on their decision. It also makes it increasingly difficult to keep multiple language versions of the policy synchronised or the original policy up to date.

4. Level of Detail in Policy Documents

More mature organisations define different types of rule-setting documents (e.g. Principles, Policies, Standards, Procedures) to try to differentiate the appropriate level of detail in the appropriate document types. Most documents I have seen have still suffered from wildly varying depth: sweeping statements are made next to step-by-step guidance. Sign-off processes become painful, as subject matter experts are uncomfortable with approving sweeping statements, and executives are unsure about details they are confirming. Additionally, the resulting document ends up being ill-suited for raising awareness.

5. Control Effectiveness

Organisations should not realistically expect their employees to read and adhere to hundreds of pages of policy documents. It is just not a great way to get people’s attention and not a smart way of setting rules.

At Alyne, we believe that in order to effectively change people’s behaviour and help them make informed and aligned decisions, rules and guidelines need to be specific, meaningful, granular and most of all accessible. Watch this space to see how Alyne enables this.

Author: Karl Viertel
About the author
Founder & CEO of Alyne, IT security professional, gadget enthusiast.