The Tough Stuff: Creating a Policy on Policies

One of the most frequent questions I’m asked is, “While Compliance owns compliance-related policies, I’m being asked to manage all of the policies in the company. This seems ridiculous. Who the heck should own all the policies? HR? Compliance? Operations?”

To no one’s surprise, the answer is, it depends. Upon what does it depend? The company’s structure, size, function makeup, and of course, the availability of time, technology, and human resources to manage policy architecture.

While there isn’t any one answer about who should own the policies or the policy architecture, there are best practices for managing this beast. The best way to start is with a “Policy on Policies” that governs the policy architecture. A Policy on Policies should always include:

The Outline of a Singular Structure

Nothing is worse than disparate policies from different departments with no commonality of structure, branding, or style. People like to see consistency in the structure of policies so they know where to find the information they need. A Policy on Policies should lay out the structure required for all policies. Better yet, it should contain an appendix that vividly displays each piece of the standard policy, along with the font, style, and branding required. This will help ensure that all policies are consistent.

The Requirement of a Policy Owner

Each policy needs an owner. This can be harder than it sounds. The truth is, for many policies, there are several stakeholders. For instance, in responding to a data breach, Information Technology, Information Security, Legal, Compliance, Privacy, and Human Resources will all likely be involved. Which of them should own the Data Breach Response policy? Which function owns it matters far less than the fact that exactly one of them does.

The Requirement to Note the Policy Approver

Just as policies need to have an owner, they also need to have an approver. The approver can be recorded either as a named person (e.g., Raymond Cerano) or as a role (e.g., Vice President, Human Resources); either way, the approval must resolve to an individual who is responsible for the content of the policy. Make sure it is clear who has approved the policy so the approver can be identified and asked questions if the policy language is ambiguous.

A Process for Approval…