IT Policy
Create policies for the risks that matter most to our organization
“Policies, procedures, standards – they each have their specific purposes and functions within the context of corporate governance.
Unfortunately, policies and procedures are easily confused with each other, and this can lead to the perception (and often, the reality) that an organization has become too strict or rigid to perform efficiently.
Policies are a communication tool; they help our organization spread the message of what needs to be done and how it should be done.”
Choose the tool that fits, then make sure we know how to use it.
- Policies lag behind changing business and technology demands and compliance requirements.
- Employees complain that policies restrict them from doing their job.
Find the right balance between policy and process - understand our risk landscape to identify key policy areas. In areas where policy is not necessary, establish SOPs, best practices, and guidelines to prescribe behavior.
- Policy work can be extremely tedious - start by aligning our policies with our greatest risks.
- It's a misconception that our most severe risks each need a specific policy - write SOPs, standards and guidelines to fit under our policy umbrella. Revise our policies regularly so we know they still enable our critical procedures.
- Write our policies on the right level - policies need to be understandable to the parts of the organization they affect.
Develop an avenue for policy communication and make our policies available for reference in one place at any time. Listen to the feedback we get from our employees and talk it out. The best way to get buy-in is to make our employees part of the policy process, using their feedback and analysis to revise our policies.
Policies aren't just our rules - they communicate how we do business.
Policies are our friend - Use them to start a discussion with employees on how we do what we do.
More isn't always better - in fact, it can be worse.
We don't need a policy for every risk - just the ones that matter most to our organization.
- CIOs and Heads of IT
- IT Risk and Compliance Officers
- Identify the set of IT policies our organization needs
- Identify and assess IT's greatest risks
- Write effective policies
- Communicate policy initiatives
- Reassess the effectiveness of our IT policies
- Ensure IT policies are aligned with organizational policies
- Identify and assess IT's risk
- Govern IT risks
- Gain insight into the effectiveness of IT policies