Writing Policies Best Practices and Common Pitfalls in Policy Writing
Learning objective: By the end of this lesson, students will be able to discuss best practices for writing actionable policies aligned with organizational goals.
Best practices
Let’s discuss some best practices to elevate your policy writing game:
- Engage stakeholders: Policy writing shouldn’t happen in a vacuum. Engage key stakeholders - such as IT, HR, Legal, and affected business units - early and often in the process. Their insights can help ensure that the policy is comprehensive, practical, and aligned with organizational needs.
- Use templates: You shouldn’t start from scratch every time. Leverage policy templates as a starting point. Customize them to fit your organization’s specific context and requirements. This can save time and ensure consistency across policies.
- Be specific: Vague policies are open to interpretation and hard to enforce. Be as specific as possible in your rules and guidelines. For example, “Employees should use strong passwords” is not a good policy. Instead, say, “Passwords must be at least 12 characters long and include a mix of upper and lowercase letters, numbers, and symbols.”
- Provide examples: Examples can help clarify abstract concepts and make policies more relatable. For instance, when discussing acceptable use of company email, you might provide examples of inappropriate content such as explicit language or confidential business information.
- Use active voice: Write policies in active voice, which is more precise and direct than passive voice. For example, “Employees must report security incidents immediately” is better than “Security incidents should be reported immediately by employees.”
Common pitfalls to avoid
Now, let’s look at some pitfalls to steer clear of:
- Jargon and legalese: Policies laden with technical jargon and legal terminology can be confusing and off-putting. Strive for clear, plain language that all can understand.
- One-size-fits-all: Not all policies fit all situations. Consider the unique needs of different departments, roles, and locations, and tailor policies accordingly. For example, a blanket social media policy may not work for both your marketing and finance teams.
- Set-it-and-forget-it: Policies are not a one-and-done deal. They need to be regularly reviewed and updated to stay relevant. Avoid putting policies on a shelf and forgetting about them until something goes wrong.
- Lack of enforcement: A policy without enforcement is just words on paper. Ensure clear processes and accountability measures are in place to enforce policy compliance. This includes training employees, monitoring for violations, and consistently applying consequences.
- Overcomplication: Policies don’t need to cover every possible scenario or contingency. Aim for a balance between comprehensiveness and simplicity. Overly complex policies can be hard to understand and follow.
- Covering too many topics: Avoid cramming too many topics into one policy. Each policy should focus on a specific area or issue. For example, instead of combining an acceptable use policy with a data protection policy, create separate documents for each.
- Ignoring feedback: Don’t be afraid to seek input from employees and stakeholders after implementing a policy. Their insights can help identify areas for improvement and ensure that the policy is practical and effective.
Putting it into action
Let’s put these principles into practice with an example. Suppose you’re drafting an acceptable use policy for company-issued smartphones. Here’s how you might apply our best practices:
- Engage stakeholders: Work with IT to understand security needs, HR to align with employee policies, and a sample of end-users to ensure the policy is practical and understandable.
- Use templates: Start with a base acceptable use template, then customize it with your company’s specific apps, security protocols, and usage guidelines.
- Be specific: Instead of “Use work phones responsibly,” specify what responsible use means, such as “Company smartphones may not be used to access adult content or download unapproved apps.”
- Provide examples: Illustrate unacceptable use with examples like “Downloading games, sending chain emails, or using excessive data for personal streaming would violate this policy.”
- Use active voice: Write rules as direct instructions, such as “Employees must password-protect their company smartphones” rather than “Company smartphones should be password-protected.”
By following these practices and watching out for common missteps, you’ll be well on your way to crafting clear and effective policies tailored to your organization’s needs.
Effective policy writing is about balance and clarity: being comprehensive enough to cover key risks, yet focused enough to be understood and followed.
Be firm in your guidelines yet flexible enough to accommodate the realities of your organization. Most importantly, write in a way that is accessible and actionable for your audience.
Remember that policy writing is a skill that takes practice. Don’t be afraid to iterate, seek feedback, and learn from real-world examples. With time and experience, you’ll develop a knack for crafting policies that drive clarity, mitigate risk, and support your organization’s goals.
Go forth and write some stellar policies! The tech world needs more savvy policy crafters like you.