Setting Up and Enforcing

Orgnanizational Policies
A TenStep White Paper

Contact us at info@tenstep.com
TenStep, Inc.
2363 St. Davids Square
Kennesaw, GA. 30152
877.536.8434
770.795.9097
 Setting Up and Enforcing Organizational
Policies
Why does your IT organization
need formal policies?
When companies are small, they rarely
have many (if any) formal policies in
place. However, as they get bigger
they always start to codify many of the
important aspects of the culture into
formal policies. Your IT organization
may have started the same way. When
there were only a handful of people
performing your IT function, there
may have been no formal policies.
Now look around. How many policies
do you see? If you’re like most
organizations, you probably have
policies for:
• Application Development
• Security
• Production turnover to support
• Asset management
• Teleworking
• Finance
• Procurement
• Dozens or hundred of others
How did it come to this – an
organization guided by policies?
Policies reflect an organizations logical
progression from working in an ad-hoc
manner to one where people are
following common and consistent
processes. A policy reflects your
organization’s desire for everyone to
perform a specific function in a specific
way. Policies help everyone
understand how to do things, and they
help managers understand the
framework in which they can manage.
Policies are developed and are they
are important for two main reasons.
• Working more effectively under
company best practices. One
thing you will observe about
policies is that they are created
Copyright© 2007 TenStep, Inc. All Rights Reserved
877.536.8434 / 770.795.9097
and approved by the people or
group that owns the process.
Because of this, you hope that the
policy reflects the best practices of
the group that is most experienced
in the area and most impacted by
the outcome. The policy then aligns
everyone else under these best
practices. For example, look at
your company Expense Reporting
Policy. This policy is going to be
established by the Finance group.
That should make sense. Even if
your team had the time to create
the policy yourself, you don’t have
the expertise to know the best way
to handle expenses. You are IT
people – not accountants. So,
following the established process
gives you the sense that you are
working on a firm foundation. Let
the Finance Department establish
the finance policies. Let the
Database Group establish the
database policies. Let your
management team establish the
management policies. These
groups are then accountable for
the policies and you know where to
go if you need an exception or if
you would like to change the
policy.
• Working more efficiently
through process reuse. Most of
us recognize the value of reuse. It
makes more sense to reuse things
that are already developed instead
of having to re-invent everything
we do from scratch. This is true
with work processes and policies as
well. For instance, you could
certainly come up with a
framework for handling IT security
on your project. But why would
you need to if your organization
has already developed and
approved a Security Policy. You
could also come up with a
workstation replacement policy
 Setting Up and Enforcing Organizational
Policies
that makes sense for your
department. But why should you if
your IT Department already has an
established and approved
Workstation Upgrade Policy.
Having common policies saves you
the time to having to invent and
gain approval on these for each
individual project or group. It also
saves time for new people in the
company as they learn how things
work in your world.
One short definition of culture is that it
is “how things are done around here”.
Written policies become part of your
culture since they reflect how things
are done in your organization. As
companies get bigger, they need to
establish policies so that people have
guidance on how to do things. Since
policies are established and approved
by the subject-matter experts, you
also should feel good that everyone is
doing things in ways that protect the
company and make sense.
You might complain about policies, but
don’t complain about policies in
general. If you do not agree with some
specific policy try to change it with
your better idea. However, all
organizations need policies. Your
organization would quickly get out of
control and be much worse off without
them.
Win support for your new policy
Have you ever had to create an IT
policy to formalize the way that some
process is executed or the way people
perform certain functions? If you have
you know that it may or may not be
easy. Actually effort required to
implement IT policies can vary
dramatically in different organizations
depending on your governance culture.
(Governance refers to your ability to
enforce organization priorities through
the management hierarchy.)
Copyright© 2007 TenStep, Inc. All Rights Reserved
877.536.8434 / 770.795.9097
If you are in an organization with
strong governance you can get a
policy adhered to strictly through the
governance process. You create the
policy, get it approved through the
appropriate channels, and then issue it
for everyone to follow. In this case the
concept of winning support for the
policy applies to the approval process.
Once the policy is approved, the
management structure enforces it.
This way of winning support is perhaps
applicable in the military and other
organizations with a strong
governance culture.
However, let’s say that you work in an
organization where it is not quite so
easy. You have to work a little more to
gain acceptance of your policy. If this
applies to you, the following steps will
help win support for your policy.
• Make sure you own the business or
IT process. You can’t create
policies in areas that you don’t
own. This means that you can
create a database policy if you are
the database group. You can create
a telecommunication policy if you
are in the telecommunications
group. However, you can’t create
the new helpdesk policy if you are
in the IT development area. Of
course, the policy may be issued
by another senior manager. The
CIO may issue a policy on cell
phone usage. However, the CIO
certainly did not create the policy.
The telecommunications people
did.
• Communicate the purpose of the
standard policy. People must
understand why you are creating
the policy. There has to be a clear
purpose. Not everything needs a
common policy. For instance,
having a policy that results in email
getting scanned for viruses and
spam is important. Determining
 Setting Up and Enforcing Organizational
Policies
how often a manager must talk to
each staff member probably cannot
be dictated in a policy.
• Make sure the policy drives
business value. Policies provide
guidance on how things should be
done, so they save the time and
effort that would be required if
everyone had to figure it out on
their own. You need to make sure
your organization derives overall
value from your policy. A policy
that results in more effort and cost
without corresponding business
value doesn’t make sense. You
might as well leave people on their
own if that drive more
organizational value.
• Get input from affected groups. It’s
a good idea to gather input from
the people that the policy will
impact. This helps make sure that
the policy is workable and also
helps solicit their buy-in for when
the policy is issued.
• Validate the policy make sense.
This sounds obvious, but
sometimes misguided policies are
written that never have a chance
to be adopted or supported
because they don’t make sense.
People will generally be more apt
to follow a policy that seems to
make sense, even if they don’t
agree with it entirely. One way to
ensure the policy makes sense is to
circulate it to a broader group of
people outside your functional
area.
• Make sure the policy is clear. You
don’t want to issue a policy and
have people say they do not
understand it. In fact, it would be
good if your organization has a
common format for describing your
policies. The policy must be very
clear on when it is applicable, who
Copyright© 2007 TenStep, Inc. All Rights Reserved
877.536.8434 / 770.795.9097
it applies to, how you work under
the policy, etc. You may need to
provide some examples. If there
are general exceptions, make sure
you state what those are. Just as
with the point above, you probably
want to circulate the policy to
others outside your functional area
to make sure it is understandable.
• Try to have an enforcement
mechanism. You can issue a policy
that is perfectly clear and that has
everyone’s buy-in. However, you
will be much more successful if you
have an enforcement capability.
For example, you may be able to
enforce a policy on scanning for
email viruses since you probably
own the email servers. However, if
you issue a policy on email
etiquette, you will probably be less
successful because you don’t have
the enforcement capability.
Those are some of the basics.
Depending how political your policy is,
you may have a multifaceted
campaign to communicate the policy
and gain the support of the effected
staff. However, for most policies, you
just need the basics – be the owner,
have a purpose, drive business value,
have a reasonable policy, be clear,
gather initial feedback and have an
enforcement mechanism if possible. If
you will follow th4se simple, but
critical steps, you will have a much
better chance of building support for
your policy with the people that are
affected.
Use a policy audit to ensure your
policies are followed
Many IT organizations are good at
establishing policies but have an
uneven ability to get their staff to
follow them. It is important that an
organization be able to enforce
policies. If the policies are important
 Setting Up and Enforcing Organizational
Policies
enough to create and approve, they
are important enough to enforce. In
fact, if the organization is not prepared
to enforce a policy, there is really no
reason to create it to begin with.
The best way to make sure your
organization follows your defined
policies is to initiate a policy audit. On
the surface, a policy audit might seem
daunting. However, it is not so hard.
Follow this simple process to execute
an audit to ensure your IT policies are
being followed.
1. Inventory your policies. You
can’t do a policy audit if you are
not sure what your policies are.
The first thing to do is to inventory
all of the policies in the IT
5. Manually audit the remainder
organization.
2. Pick the policies that are most
important - and then a few
more. You could audit every policy
in your inventory but you don’t
need to. You should pick out the
policies that are important to you;
such are your email policies, your
Internet usage policy, and your
hardware procurement policy. Then
pick out a couple more policies
more or less at random. The
reason for picking both is that you
want to ensure that your most
important policies are being
followed, plus you want to check
some others to make sure that
your organization seems to be
following all policies – not just the
important one.
3. Talk to the business owners of
each policy. Start by identifying
the business owner of each policy
6. Prepare general conclusions.
and have a discussion with them
about each policy.
4. Validate automated
enforcement. Ask the policy
owner whether there are any
enforcement mechanisms that
Copyright© 2007 TenStep, Inc. All Rights Reserved
877.536.8434 / 770.795.9097
ensure that the policy is followed.
For instance, you may have a
policy for virus scanning of all
inbound emails. When you talk to
the email group, you may discover
that this policy can be enforced
systematically since this group
owns the email servers and they
can ensure that all incoming emails
are scanned. If a group can enforce
a policy systematically, they need
to prove that the policy is being
enforced in all instances. If they
can, you are fine for that policy. If
they cannot validate that the policy
is being enforced in all instances,
then document this policy as one
that needs further scrutiny.
of the policies. Most policies
cannot be enforced systematically.
Work with the policy owner to
determine the best way to validate
that the policy is being followed.
Depending on the policy, this could
take many forms. For instance:
• You cold look at the paperwork
for 25 turnover instances to
validate your production
turnover policy.
• Your teleworking policy may
require that you identify 5
teleworkers and interview them
and their managers.
• You could analyze a cross-
section of 20 workstations from
around the company to
determine whether your
workstation policies are being
followed.
After you have completed all of the
individual audits, you can make
some overall conclusions. For
instance, if the results of the
individual policy audits are all
generally favorable (perhaps not
 Setting Up and Enforcing Organizational
Policies
prefect, but generally favorable)
then the CIO should feel confident
that policies are generally being
followed. If the results of most of
the specific audits were
unfavorable, then the CIO should
have reason for concern that
policies in general are not being
followed. There will be some
follow-up necessary to determine
why the policies are not being
followed, and then an action plan
will need to be put into place to
turn ensure your organization does
follow defined policies.
You don’t have to audit every policy
and every instance to make an overall
conclusion on whether your
organization is following your
documented policies. Based on the
results of this policy audit you can
determine if you are okay in how your
organization follows policies or
whether you have more work to do.
Setting up and enforcing
organizational policies does
not have to be a daunting
task.
We have done it before.
Contact us for more
information.
info@tenstep.com
877.536.8434 / 770.795.9097
About TenStep
TenStep, Inc. (www.TenStep.com) is
headquartered in Atlanta, Georgia
(USA), and specializes in developing,
consulting and training in business
methodologies. The company’s
Copyright© 2007 TenStep, Inc. All Rights Reserved
877.536.8434 / 770.795.9097
flagship product is the TenStep Project
Management Process®, which has
been licensed to thousands of
companies and individuals around the
world. In addition, TenStep has
training, consulting and business
methodology products covering Project
Management Offices, portfolio
management, software development
and application support.
The TenStep process is translated into
14 languages, allowing it to be utilized
by organizations in most parts of the
world.
TenStep meets the needs of local
businesses with a network of
offices in the USA and around the
world.
Our training classes include:
• Project Management (advanced
and basic)
• Preparing for the PMP Exam
• Earned Value Management
• Setting up and Running Project
Management Offices
• Setting up and Running Portfolios
• Gathering Business Requirements
• Many, many more
Our consulting services include:
• Project management deployment
and customization
• Project Quickstarts
• Setting up PMOs
• Project management coaching,
auditing documentation review
• Managing your projects
• Many more
About the Author:
 Setting Up and Enforcing Organizational
Policies
Tom Mochal, PMP is the president of
TenStep, Inc. (www.TenStep.com), a
methodology development, consulting
and training company. He is also the
head of The TenStep Group, a network
of TenStep offices supporting the
TenStep process in numerous
languages and countries around the
world.
Mochal is author of a book on
managing people called "Lessons in
People Management" and a companion
book on project management called
"Lesson in Project Management”.
Mochal also authored all of the
TenStep methodology products.
Mochal recently won the
Distinguished Contribution Award
from the Project Management Institute
for his work spreading knowledge of
project management around the world.
Mochal is a speaker, lecturer,
instructor and consultant to companies
and organizations around the world.
He is a member of the Atlanta,
Georgia (USA) chapter of the Project
Management Institute (PMI), the
American Management Association
(AMA), the American Society for the
Advancement of Project Management
(asapm®), and is a partner in The
Management Mentors, a group
dedicated to building knowledge in
project management, IT management
and leadership/personal development.
Contact us at info@tenstep.com
TenStep, Inc.
2363 St. Davids Square
Kennesaw, GA. 30152
877.536.8434
770.795.9097

Copyright© 2007 TenStep, Inc. All Rights Reserved

877.536.8434 / 770.795.9097