Privacy issues in the Canadian news, including breaches and commentary regarding emerging privacy and information security risks and trends affecting private and public sector organizations.

Does your organization have effective controls in place to ensure policies are organized and appropriately maintained? Internal and external drivers of change are constantly shaping organizational risks and requirements. With this rapid pace of change, the task of reviewing and updating policies is a daunting one. For many organizations the outcome is policies that are outdated and misaligned.

Policies establish the standard of care for an organization. Consequently, disorganized policies can create significant risk and liability for an organization. So how to begin tackling disorganized policies?

• Start by creating an inventory of your organization’s policies, if one does not already exist.
• Review the policy listing to determine if any policies are no longer relevant and can be decommissioned.
• Of the remaining policies, identify which represent the greatest current risk and prioritize those for review/updating. For example, policies that are not in compliance with current legislative/regulatory requirements, as well as policies that no longer reflect the actual and desired practices of employees.
• Group related policies for review to identify opportunities for consolidation and to ensure consistency across related policies.
• Assign a policy owner to be accountable for the policy review/revision, with input from other key stakeholders.
• Ensure the policy is written clearly, in concise, easy-to-understand language. A consistent policy template and format should be used to make it efficient for employees to find the information they need.
• Ensure policies are maintained in a centralized, organized location that is accessible to employees regardless of their location of work.

Policies are an important tool for managing organizational risk, compliance, and advancing organizational goals and objectives. However, in many organizations, policy development and maintenance is under-resourced – done off the side of leaders’ desks, if, and when, they can shift other priorities. All too often, the result is incomplete or outdated policies that, at best, fail to be useful in guiding organizational behavior, and at worst, increase liability for the organization.

In search of a solution, so many organizations turn to boilerplate policies obtained through the web, or generic downloads from organizations that are meant to ease the burden. But policies and procedures are not “plug and play”; what works for one organization and culture most often does not make sense in another.

Policies need to take into consideration, the type of organization, the products and services that organization provides, the strategic plan, the alignment of the vision, mission and values of the organization and its overall culture. Employees need to see themselves and the work they do within the policy. The policy needs to relevant and understood in order to assist with compliance.