IG Policies: What is Good Content?
“Can anyone share their policy on…?”
Hang around the myARMA community long enough and you’ll see this question pop up time and time again. On …retention …data …privacy …security—you name it, and someone has put out feelers to find a policy to use as a template for their own.
We all know that even if there is no perfect IG policy, it can be very helpful to look at others’ documents as models for your own. Nevertheless, two points are worth noting.
First, policies are reflective of a corporate context. What you find in other organizations’ policies is at best a product of their circumstances and at worst a product of the circumstances of the office that they took the model from. Including all their statements in your own policy on the off-chance that you might need them one day is not an ideal approach—it creates lots of work and documentation but isn’t particularly efficient or practical.
Second, too many IG policies are bloated with statements that are not policy decisions at all. They include procedures, examples, instructional material, extracts from legislation, recommendations, best practices, and even notes-to-readers. That bloating is a vestige of the paper world and it’s time we moved past it.
The benefits of web-based technology
Typically, offices assemble all their rules in one place intended to help people do their jobs. For simplicity’s sake, let’s call that collection the “office manual.”
In the old days, “putting things in one place” meant “including them in the same document” or “storing them in the same binder.” So, we created lots of long documents and lots of binders.
Today, being “in one place” means being “accessible through a unified navigation menu.” That’s a whole different ballgame. Today, you can provide people with all kinds of rule-related information in one place by pulling links to disparate sources together on one screen.
Selecting Policy Content
The ability to control online reading through navigation pages brings new editorial freedom. You can now draft policies containing only bare bones, high-level statements that will be fleshed out through the incorporation of other, independent documents.
This technological advantage changes our strategic approach. We don’t need to start with the open-ended question What should I have in my IG policies? Instead, we can ask a more focused question: Which of our IG rules belongs in the policy itself?
Organizational structure plays a role
In a utopian world, an office manual alone would be sufficient documentation for everyone. It would set out all the rules and practices you want people to follow, along with explanations, examples, and suggestions. Consistent with that utopian world, everyone in the organization would happily comply.
In practice, that simple approach works only in very small offices, where the distinction between a policy and a manual is blurred: the person who drafts the manual is the same person who approves the policy. As an organization grows, it develops a need to separate the policy drafter from the decision-maker and the bigger it gets, the further apart those positions become. In these cases, it’s critical to make a distinction between true policy (rules approved by senior management) and general information (rules that come from elsewhere).
Workplace context plays a role
Overall, you might need lots of rules, but here’s a thought: not every rule has to be a policy statement. The only rules that need to be embedded in an official corporate policy are those that are
- not already backed by an existing authority, and
- unlikely to be followed in the absence of documented evidence of approval, given the corporate culture of the organization and people’s attitudes towards cooperation.
If the boss sends an e-mail throughout the office asking people to shut their computers at the end of each day and everyone cheerfully does that as a matter of course, then writing a policy on that rule needn’t be a priority. We need rules only when we are in a situation where we need to modify people’s behavior from an undesirable default to a more desirable choice.
Genuine policy decisions
Instead of writing a compendium of information on a specific topic and calling it your “policy”–which is all too common—you can achieve more success by limiting the official policy to genuine policy decisions, being those statements that actually require authoritative approval before they become true. Restricting your policies in that way does more than reduce your overall drafting and consultation time; it demonstrates respect for the decision-makers’ time by not asking them to approve statements that don’t need it.
Let’s look at some examples.
Your office manual explains that all your information assets are subject to the Freedom of Information Act. (FOI Act), and your authority is the FOI Act itself. In that situation, a policy statement such as “All corporate information assets are subject to the Freedom of Information Act” is pointless.
If that Act applies to your organization, the statement is true whether or not it appears in your policy. It doesn’t become truer by appearing in both the law and the policy. That statement doesn’t need consultation, it doesn’t need approval, in fact, it doesn’t need to go through any of the steps that a true policy decision needs to go through.
Examples of similar statements that don’t belong in IG policies are following:
Employees may copy documents so long as they don’t infringe copyright.
Employees must protect personal information from improper disclosure.
Employees must not keep any information or images prohibited by law on their computers.
Where laws exist containing the rules above, those statements in a policy document are completely redundant. Why waste precious time on them?
The same reasoning applies to any truth created by another authority—legislation, regulation, standards mandated by a professional oversight body, as well as statements that can already be found in policies written by other branches of the office, such as security or IT. If they are already approved, they don’t need to be approved again.
Some people justify repeating statements from legislation and other policies as a way to “remind” people of their importance. That’s a nice gesture but reminding people of things is not the role of policy. The role of policy is to record the official approval of management decisions. Reminding people of important facts is a job for the office manual.
Start by designing the office manual
This lean approach will allow you to focus your efforts on the practical gaps in your rule suite.
Your official policy might end up being only four statements long, containing the four statements in the office manual that require proper authority but don’t have it. Everything else can be put in other documents, which can then be assembled for the reader.
In all cases, the office manual is the right starting point. Design it to aggregate all your IG policies, standards, and procedures, and combine them with information drawn from legislation, existing facts, best practices, recommendations, and your advice. A good office manual is worth its weight in gold.
Of course, there’s no need to stop asking to see policies from other offices. They can be a great source of ideas and approaches, so long as we understand their limitations.
Join Lewis Eisen on Thursday, May 18th for a free (members only) webinar on IG policies!
How do I know what’s a policy and what’s a procedure? What’s the difference between a policy and a directive? Which definition should we include? Do we have to list everyone’s roles and responsibilities?
This session will answer questions that come up time and time again when drafting policy instruments so that you’re confident that you have the right content included.