Situation

The need for a new policy is generally initiated in response to a new regulatory compliance standard or industry framework, or because of a mandate from the business that requires some degree of guidance over a new initiative.

Complication

Approaching policy creation in this reactive manner often results in an excessive number of documents that are narrow in scope and don't address the underlying risk.

• Policies lag behind changing business and technology demands and compliance requirements.
• Employees complain that policies restrict them from doing their job.

Resolution

Find the right balance between policy and process - understand our risk landscape to identify key policy areas. in areas where policy is not necessary, establish SOPs, best practices, and guidelines to prescribe behavior.

• Policy work can be extremely tedious - start y aligning our policies with our greatest risks.
• It's a misconception that our most severe risks each need a specific policy - write SOPs, standards and guidelines to fit under our policy umbrella. Revise our policies regularly so we know they still enable our critical procedures.
• Write our policies on the right level - policies need to be understandable to the parts of the organization they affect.

Develop an avenue for policy communication and make our policies available for reference in one place at any time. listen to the feedback we get from our employees and talk it out. The best way to get buy-in is to make our employees part of the policy process, using their feedback and analysis to revise our policies.

Joe's Insight

Policies aren't just our rules - they communicate how we do business.

Policies are our friend - Use them to start a discussion with employees on how we do what we do.

More isn't always better - in fact, it can be worse.

We don't need a policy for every risk - just the ones that matter most to our organization.

This research is designed for:

• CIOs and Heads of IT

This research will also assist:

• IT Risk and Compliance Officers

This research will help you:

• Identify the set of IT policies our organization needs
• Identify and assess IT's greatest risks
• Write effective policies
• Communicate policy initiatives
• Reassess the effectiveness of our IT policies

This research will help them:

• Ensure IT policies are aligned with organizational policies
• Identify and assess IT's risk
• Govern IT risks
• Gain insight into the effectiveness of IT policies