Do you need to develop policies and procedures for your company?
How do you know?
Is it because someone suggested you need them, and if so, is there a tangible reason they are needed in your company?
Don’t develop new policies and procedures unless they will specifically provide some benefit that you want to achieve. It’s better to spend your time and energy on doing something else that provides value than to develop a bunch of policies that are just there “for show”.
Provided below are excerpts from my book, Practical IT Policies & Procedures that will give you a quick guide in developing new policies.
Let’s get started. In my books, you will find that I don’t waste a lot of time. My belief is that if you can get your message across in 40 pages versus 240, then you should save the paper and the time required to read all the extra “stuff”.
Step 1 – List areas of risk
Take a shot at listing things that can cause your company risk. Here are just a few to get you thinking:
- Software license compliance
- Employee safety issues
- Data backup and recovery
- Illegal access to company systems
- Infringing on privacy
- State and federal regulatory issues
- Email spam
- System viruses
- Company confidential information
- Losing clients
- Systems downtime
- Inappropriate use of company assets (equipment, facilities, money, etc.)
One company may consider all of these issues worth the time to develop formal policies and procedures while a similar company of comparable size and in the same industry may consider just a few, or none, worthwhile for its company.
I will keep emphasizing that what’s important and useful for one company may be very different from another. That’s the “practical” application of reviewing your situation and deciding for yourself what’s important for your company.
Step 2 – List desired behavior or processes you want
List the processes you want and the behavior that’s important for a smooth running operation. Simply start listing things that are important in the operation of your company that you truly think make you more productive or better at what you do.
Here is a quick list of items to consider:
- Programming change requests
- Vacation and time off requests
- Purchase authority and approval
- Equipment change requests
- Travel expense management
- Employee performance planning and reviews
- New employee orientation and quick start guidelines
- IT escalation steps to resolve downtime issues
- Use of company cell phones
Step 3 – Assign a “relative importance factor”
This step is to assign a relative weight of importance to each risk issue or desired behavior issue you have identified so you can decide on whether you want to put in a formal policy and procedure to address the issue.
This step is somewhat subjective. Actually, it’s very subjective and reinforces what I have been saying. It’s “your” company and the determination of whether a risk issue or a behavior issue is important enough to cause you to decide to develop a formal policy and procedure is up to you.
It’s the same as buying life insurance. Some of us prefer to have a lot while others go with much less. Who is right or wrong? I’m not so sure there is one person more right than the other; everyone’s situation is different. Companies are all unique as well.
Once you identify the policies and procedures that are important enough to develop formal documentation for in your company, you can determine how to develop them.
Step 4 – Define the list of policies and procedures you need
Identify a specific policy and procedure that addresses the risk or behavior issues you have deemed to be of major importance in Step 3.
For example, if your company is having difficulty in managing travel expenses, you may decide to develop and implement a formal Travel Expense Guidelines policy.
Step 5 – Prioritize your list of policies and procedures
Spend time on your most important policies and procedures first. One way to determine importance is to develop an estimated dollar value for the risk exposure or estimate the value of improving productivity or reducing costs by implementing a policy to address a specific behavior issue you have identified to be important.
The point is that you want to focus your priorities on the issues that give you the best return on your investment of time as possible. Focus on things that provide you and your company value.
Step 6 – Determine how you will develop your policies and procedures
There are essentially three ways to approach this task:
- Write them yourself from scratch, , , i.e., a blank sheet of paper and pen.
- Obtain copies from a company in your industry to use as a starting point.
- Research sources for examples to provide a starting point. Plenty of examples you can purchase or even find on the Internet that will help you get off to a fast start.
It’s important to remember one of the comments made earlier. You must take full responsibility for the content of any policy or procedure you develop. It is simply not enough to take a policy from another source and use it “as is”.
Every company has unique situations and whenever you decide to develop a policy or procedure, you need to consider your unique issues. Only you and others in your company can take the responsibility for the policies and procedures you implement.
Step 7 – Develop and implement your policies and procedures
There are three important aspects from this point forward.
- Assign responsibility for writing each policy and procedure with deadlines, objectives, and important points that should be included.
- Define your review process: who, how, when, review criteria, etc.
- Define your implementation or “roll-out” process. This will probably be different for different policies and procedures.
Step 8 – Monitor and enforce your guidelines
It really doesn’t do a lot of good if you document what you want to happen but don’t enforce your new guidelines. In fact, it can do more harm than good if employees of the company perceive your company is not really serious. You want to be certain that if you decide to develop a formal policy guideline and introduce it to the company that your company is prepared to back up what it says by enforcing the policy.
This is a quick guideline that I’ve used in past management positions and can get you started. More is discussed in the book, Practical IT Policies and Procedures and it includes 23 sample policies you may use to develop many of your new policies quickly.