
As a starting point, many IT organizations make the initial mistake of using
a shared drive or a traditional document management system
to store their policies and procedures.
On the surface the approach of simply documenting the operating policies and
procedures using a shared drive or a document management system may seem logical but,
in many cases, it's giving senior management a false sense of security.
That's because, in and of themselves, the policy and procedure documents are only
part of the associated effort, since they do very little to influence whether or not
employees actually adhere to them. In other words, these alternatives do not include
measurable accountability.
To complete the effort, management needs to include a strong focus on their people (not
just the documents). Their accountability to the defined policy and procedure
content and their accountability to comply are essential for both short- and long-term
success. Unfortunately, it's usually not until there is a crisis that management
realizes this.
When a poorly defined policy or procedure or an employee's failure to comply causes a
major problem such as network downtime, loss of data, or a breach of security, that's when
management realizes that simply managing the documents isn't
enough. Internal control and governance of an organization are only achieved when there is
measurable accountability of employees, something shared drives and document management
systems do not measure or track.
While the functionality found in a document management system is appropriate for managing
the policy and procedure documents, it is insufficient as it relates to the people-related
activities and their measurable accountability.
To successfully establish internal control, the required functionality needs to extend
beyond simply managing the policy and procedure documents to include a more holistic,
start-to-finish approach that measures and tracks the accountability of the people
responsible for defining the content as well as those responsible for executing it.
In other words, documenting the policies and procedures is one thing; actually putting them
into practice, holding people accountable for adhering to them, tracking continuous
process improvement efforts, and periodically auditing operations to assess compliance is another.
When using a shared drive or a document management system, employees may have
access to the policy and procedure documents but management does not have easy access to the
data and reports that relate specifically to the people and their measurable accountability.
And governing without being able to measure the accountability of employees is
similar to driving an expensive car without a good insurance policy. When an accident occurs,
you really wish you had it.