Process 1: Determine Areas Requiring Policy

Published: April 25, 2008


Figure 3. Determine areas requiring policy

Activities: Determine Areas Requiring Policy

A key activity in Policy is the process of aligning the goals of the IT organization to those of the overall business, then using that information to decide which areas need to have policies created.  Organizational goals should be evaluated to determine possible risks. The impact of risks can be evaluated by considering what might happen if the expectations surrounding that risk are not made clear to everyone in the organization. If an identified risk and its impact stand in the way of achieving a goal, then it will likely need to be addressed by a policy. In this way, management establishes clear guidelines that help ensure desired performance, fitting checks and balances*, and appropriate workplace interactions.

The following table lists the activities involved in this process. These activities include:

  • Documenting goals.
  • Assessing current state.
  • Envisioning future state.
  • Performing gap analysis.

Table 4. Activities and Considerations for Determining Areas Requiring Policy



Document goals

Key questions:

  • What are the near-term (one year or less) goals of the business?
  • What are the longer-term (two years or more) goals of the business?
  • Are there contingency plans for the business?


  • CEO strategy
  • Operations strategy


  • IT and business goal statement(s)

Best practices:

  • Consider the impact of not having policy in place to address the identified risks and impacts to organizational goals. Legal advisors may provide input for considerations of having or not having policy covering a given area.
  • Out of the identified goals, select specific goals to support with policy that will either fit with the existing organizational culture or will transform the culture in a desired direction.  
  • Discuss your strategy and its implications with executives. Ensure that senior management provides a strong, clear sign-off that will communicate policy direction to the organization. This helps establish the “tone at the top.”

Assess current state

Key questions:

  • How effective are our current policies and procedures?
  • Are there any audit issues that reflect ineffective, inappropriate, or non-existent policies?
  • Does the current portfolio of applications and systems comply with the intent of our policies?


  • Risk analysis from all IT service lifecycle phases captured in the risk knowledge base
  • IT strategic goals statement
  • Current IT portfolio
  • Service reviews


  • Documented current state of policies  

Best practices:

  • Ensure that key users and stakeholders are personally interviewed—ask them what is working well, what needs improvement, and what future policies they would like to see.
  • To help both assess the current state and start planning for the future state, suggest that interviewees think at least two years out. If nothing changes in terms of policy, what problems do they foresee? The answers might reveal current inadequacies in policy. Then ask them how policy will need to change to take into account not just regulatory and technological changes, but the strategic direction of the organization as well as potential changes in their industry or market.

Envision future state

Key questions:

  • What are current best practices?
  • Where is the technology going?
  • What are the resource limitations on the business?


  • Analyst reports
  • Budgets
  • Best practice reports


  • Gap analysis between current state and envisioned future state
  • Metrics
  • Formal prioritization of future state

Best practices:

  • Consider whether the future state is financially worthwhile—whether it’s better to put resources toward filling gaps in policies, or to just leave the gaps. Make sure to get opinions from the legal department and upper management.
  • Keep a record of the decision-making process—leave an audit trail.

Perform gap analysis

Key questions:

  • What is the gap between our current state and our desired future state?
  • Is gap closure realistic?


  • Future state document
  • Budgets
  • Best practice reports


  • Gap report

Best practices:

  • Ensure that the gap analysis includes an evaluation of risk.
  • Do not make general policies overly restrictive or they will likely be ignored. Describe desired outcomes, not just prohibited activity.
  • Consider instituting role-based policies that can be “tuned” (made more or less restrictive) according to specific job functions.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.


Get the Microsoft Operations Framework 4.0

Solution Accelerators Notifications

Sign up to learn about updates and new releases


Send us your comments or suggestions