A key activity in Policy is aligning the goals of the IT organization with those of the overall business, then using that alignment to decide which areas need policies. Organizational goals should be evaluated to determine possible risks. The impact of a risk can be evaluated by considering what might happen if the expectations surrounding that risk are not made clear to everyone in the organization. If an identified risk and its impact stand in the way of achieving a goal, it will likely need to be addressed by a policy. In this way, management establishes clear guidelines that help ensure desired performance, fitting checks and balances, and appropriate workplace interactions.
The following table lists the activities involved in this process. These activities include:
Assessing current state.
Envisioning future state.
Performing gap analysis.
Table 4. Activities and Considerations for Determining Areas Requiring Policy

Key questions:
  - What are the near-term (one year or less) goals of the business?
  - What are the longer-term (two years or more) goals of the business?
  - Are there contingency plans for the business?
Inputs and outputs:
  - IT and business goal statement(s)
Best practices:
  - Consider the impact of not having policy in place to address the identified risks and impacts to organizational goals. Legal advisors may provide input on the considerations of having or not having policy covering a given area.
  - Out of the identified goals, select specific goals to support with policy that will either fit with the existing organizational culture or will transform the culture in a desired direction.
  - Discuss your strategy and its implications with executives. Ensure that senior management provides a strong, clear sign-off that will communicate policy direction to the organization. This helps establish the “tone at the top.”

Activity: Assess current state
Key questions:
  - How effective are our current policies and procedures?
  - Are there any audit issues that reflect ineffective, inappropriate, or non-existent policies?
  - Does the current portfolio of applications and systems comply with the intent of our policies?
Inputs and outputs:
  - Risk analysis from all IT service lifecycle phases captured in the risk knowledge base
  - IT strategic goals statement
  - Current IT portfolio
  - Documented current state of policies
Best practices:
  - Ensure that key users and stakeholders are personally interviewed—ask them what is working well, what needs improvement, and what future policies they would like to see.
  - To help both assess the current state and start planning for the future state, suggest that interviewees think at least two years out. If nothing changes in terms of policy, what problems do they foresee? The answers might reveal current inadequacies in policy. Then ask them how policy will need to change to take into account not just regulatory and technological changes, but the strategic direction of the organization as well as potential changes in their industry or market.

Activity: Envision future state
Key questions:
  - What are current best practices?
  - Where is the technology going?
  - What are the resource limitations on the business?
Inputs and outputs:
  - Best practice reports
  - Gap analysis between current state and envisioned future state
  - Formal prioritization of future state
Best practices:
  - Consider whether the future state is financially worthwhile—whether it’s better to put resources toward filling gaps in policies, or to just leave the gaps. Make sure to get opinions from the legal department and upper management.
  - Keep a record of the decision-making process—leave an audit trail.

Activity: Perform gap analysis
Key questions:
  - What is the gap between our current state and our desired future state?
  - Is gap closure realistic?
Inputs and outputs:
  - Future state document
  - Best practice reports
Best practices:
  - Ensure that the gap analysis includes an evaluation of risk.
  - Do not make general policies overly restrictive, or they will likely be ignored. Describe desired outcomes, not just prohibited activity.
  - Consider instituting role-based policies that can be “tuned” (made more or less restrictive) according to specific job functions.