5 Reasons why the Age of the Corporate Policy is coming to an end

In nearly every organisation I have encountered, the approach has been to open up a word processor, draft a policy, get sign-off and publish it somewhere as a PDF. I have never seen this being particularly effective, and here’s why.

1. Availability of policies

By publishing a policy, you want people to use your rules as a reference when deciding a course of action. Many policy solutions I have seen have had a significant flaw in not actually being readily available to aid people in their decision process. Oftentimes policies are only available on the intranet, while many people work offline or off premises. Finding an applicable passage or rule in all of the policies is often difficult or simply inconvenient.

2. Policy Context

Unless you are extremely structured in writing your policies, most organisations end up with prose-heavy documents with fairly inconsistent structure across the policy set. This makes it prohibitively difficult to maintain context between policies (e.g. a data privacy policy linking to the appropriate passages of the information security policy and vice versa), to link identified risks to a specific rule, or to understand how legal or regulatory requirements are implemented through the organisation’s rule set.

3. Granularity of rules

As a result of design-by-committee and extensive review processes, many initially simple rules end up being lengthy, all-encompassing prose passages. This makes it more difficult for people to get quick, clear guidance on their decision. It also makes it increasingly difficult to keep multiple language versions of the policy synchronised or the original policy up to date.

4. Level of Detail in Policy Documents

More mature organisations define different types of rule-setting documents (e.g. Principles, Policies, Standards, Procedures) to try and differentiate the appropriate level of detail in the appropriate document types. Most documents I have seen have still suffered from wildly varying depth - sweeping statements are made next to step-by-step guidance. Sign-off processes become painful, as subject matter experts are uncomfortable with approving sweeping statements, and executives are unsure about details they are confirming. Additionally, the resulting document ends up being ill-suited for raising awareness.

5. Control Effectiveness

Organisations should not realistically expect their employees to read and adhere to hundreds of pages of policy documents. It is just not a great way to get people’s attention and not a smart way of setting rules.

At Alyne, we believe that in order to effectively change people’s behaviour and help them make informed and aligned decisions, rules and guidelines need to be specific, meaningful, granular and most of all accessible. Watch this space to see how Alyne enables this.

Karl Viertel
