Et Tu, Policy

Policies constitute an established course of action directed toward accepted business goals and objectives. Procedures are methods by which policies performed. Standards are definitions of quality generally accepted by industry. An example of standards is the Institute of Electronic and Electrical Engineers standard 802.11. This is a measure for standard information technology telecommunications and information exchange between information networks.

Each procedure has an action, decision or repeated step. In other circumstances, the word procedure can also take a variety of usages such as, Standard Operating Procedure (SOP), Department Operating Procedure (DOP), or Quality Operating Procedure (QOS). Regardless of the terminology used, policies are written to carry out the details of the business process. In some business cultures, there may not be a significant distinction between policy and procedure. In other cultures, there may be a great difference between policy and procedures.

In times passed, there were many businesses that did not think they needed well-developed policies and procedures. However, in today's legislated world, there is hardly an organization that is not specifically addressed by laws and regulations. For example, in the area of healthcare, data collected must undergo a high level of access restriction because failure to do so could result in criminal or civil penalties. The content of privacy statutes, directed to healthcare providers, is detailed in very specific language.

Organizations must ensure that the content of policies and procedures does not violate rules, regulations, and laws under which they must operate, and good business sense. The rationale for establishing policies that are disseminated throughout an organization is twofold:

1. They establish clear and consistent processes. Organizations must show widespread uniformity in applying laws and regulations.

2. To allow employees, who are not legally minded, to have confidence that they are performing their duties in conformity with the law. For example, a township finance office has the responsibility of accounting for sales tax revenues collected from local businesses. Local ordinances require such taxes to be paid to the township government one quarter after collection. Recently, the township council decided they would offer certain qualifying business rebates on their collected sales taxes as an incentive to remain in the township, as there had been some difficult economic times. The township had a policy that described the process for creating, amending, and depreciating policies. Accordingly, the finance office drafted, vetted, and implemented a series of policy changes. Policy changes were proposed by the finance office and vetted through their legal counsel, the audit unit, and the township executive committee. After all parties approved the policies, they were adopted and installed. Corresponding changes in check processing software were made for tax rebate checks having two signatures: (1) the signature of one of the five township executives and (2) the signature of the comptroller. This policy observed changes made to the law and the internal controls of least privilege and separation of duties. Under the policy, no one person or office could authorize the release of revenue rebate checks.

There are many other reasons for documenting policies:

Performance standards. Written policies enable managers and their subordinates to define and understand their requirements, boundaries, and responsibilities. Policies create performance baselines to which subsequent changes can be referred, enabling orderly process changes to be made.

Performance metrics. Policies enable managers to determine whether a subordinate's action was simply poor judgment or an infringement of the rules. If specific rules did not exist, then employees could not be held accountable for their actions. Having a written baseline of performance expectations, those in authority can decide if disciplinary action or reward is warranted.

Management metrics. Policies provide substantial freedom to employees in the performance of their duties, allowing them to make decisions within previously defined boundaries. Well-defined policies allow employees to do their jobs without micro-managers meddling in their work. In this same vein, policies enable managers to manage by exception rather than by controlling every action and decision of their subordinates. Before an action begins, employees know the rules and are more likely to produce the right result the first time.

Quality models. The International Standards Organization developed a series of worldwide quality standards known as ISO 9000. This is a set of documents addressing quality systems applicable to most settings. They specify requirements and recommendations for the design and assessment of management systems, ensuring that goods and services reach specified requirements. ISO 9000 standards apply to most processes and require that policies and procedures are documented, understood, and executed.

The Capability Maturity Model® (CMM) process developed by the Scientific Engineering Institute located at the Carnegie Mellon University is a framework that describes key components of effective systems and software development. The CMM is very powerful as it provides the necessary detail to understand the requirements of each maturity level, allowing organizations to examine and compare their practices. In this fashion, gap analyses are completed and improvements are prioritized addressing specific needs. The CMM has five maturity levels, with each level requiring specific policies and procedures before advancing to the next level.

Both ISO 9000 and the CMM are important industry standards representing desirable and pursued quality standards. They are important to organizations in terms of process improvement, but they also are considered an excellent source for policy content.

Policies and Procedures

Policies, Procedures, Standards, and Politics
Modern organizations have developed into a complex waltz of human resources, data, equipment, facilities, processes, policies, and procedures. For most of us, our daily activities are not scripted and rely on policies and procedures to create an efficient and productive environment. Developing and implementing fixed policies often seems like a futile exercise, yet unless there is a formal architecture, employees end up spinning their wheels.

In the same sense that countries require laws governing the conduct of their citizens, organizations require policies to govern the conduct of their critical assets. Policy development and enforcement is neither an academic drill nor an exercise just to placate auditors. It is an essential component of sound business operations. If appropriate conduct were decided on a voluntary basis, it would be observed about as often as those who make a complete stop at stop signs without a police officer present. True, it does happen, but not often.

Policies are the methods by which business processes are documented and disseminated. Not all policies are going to apply to all business units. Consequently, policies may have general coverage areas, or coverage that is directed to specific business units and even specific functions. They provide employees with limits, alternatives, and governance. Formal policies allow senior managers to conduct their business without constant intervention, enabling employees to work within defined frameworks. They reduce the range of individual decisions and encourage managers to deal with items that are only outside that framework.

Policies assure equitable access to secure resources for authorized users. They make certain that safe, consistent, correct procedures are being employed to conduct the organization's work. Many policies are not optional; rather, they are mandated by legal and regulatory requirements while others are based on fear, uncertainty, and doubt (FUD).

Ask any system administrator how many times he or she has repeated the company's policy mandating that employees not open e-mail attachments. Before long, the system administrator has to deal with an employee who has done exactly the opposite.

There is another purpose for developing written policies and procedures to help guide the practice and performance of professionals who are faced with a combination of mundane tasks and crisis-related activities requiring an immediate decision. Professionals such as lawyers, accountants, auditors, scientists, physicians, and others are dependent on policies to assure their efforts are directed toward specific accepted practices. The logic behind policies for professionals assures that the work is done the same way, regardless of who is doing it, as the accepted manner of completing the task is consistent from professional to professional.

Under most circumstances, senior employees are expected to be promoted, leaving vacancies behind them. The generally accepted idea is that the employee accepting the position will be able to "hit the ground, running," because there will be written policies and procedures left by the employee vacating the position. Written policies and procedures refined by the incumbent ensure that the employee filling this position will be able to work effectively and efficiently at this job with a minimum of delay. These policies bridge the gap between two employees doing the same job at different times, locations, or even business divisions.

When followed, these policies guarantee the consistency of the work performed previously or in different locations. They form a core of institutional communication between the experienced, knowledgeable person who developed or enhanced the work plan, and the new person assuming the position. Policies address ways to handle routine situations, and can form a directory of operating procedures to be used in unique circumstances. As a learning tool, policy documents form a basis for describing new procedures or explaining the application of special circumstances to others.

Written policies and procedures form essential components of the organization's management system because they detail management instructions that are often the result of high-level discussions or legislated requirements. Statements of policy, especially as they relate to critical incident management, are the manifestation of executive direction in the organization's environment. As practical instruments of managers, written procedures bind the organization's philosophy to the actual work-related task.