A policy, by general definition, refers to a course of action established to give guidelines toward sound business strategic plans and acceptable objectives. According to Ramey and Carl (1991), it represents a direct link between the vision and the daily activities of an organization. Policies are crucial because they point out the main activities and provide an overall plan to decision-makers on how to tackle issues facing an organization. They also offer limits and a wide range of alternatives that guide the process of decision-making. Policies are general in nature and are usually put in simple terms. They identify the rules of an organization, give reasons as to why the rules exist, when they apply, the people they cover, how they are enforced, and lastly, stipulate the consequences of not adhering to them (Ramey and Carl, 1991). However, policy should be differentiated from law, because law compels or prohibits behavior, but policy acts as a guideline towards attaining a desired goal.
Types of Policies
An organization can have many different types of policies, such as Information Security Policies, HR Policies, IT Policies, Finance Policies, Information Management Policies and many others (Smith, 2002).
Human Resource Policies
They refer to the official rules as well as guidelines that organizations follow, which direct the way they assess, hire, train or reward their employees. According to Green (1999), Human Resource Policies can go a long way toward eradicating misunderstandings between employers and employees that may arise due to infringement of certain rights or obligations. However, they have to be well organized and distributed in a form that can be easily understood. Ardella Ramey and Carl Sniffen (1991) state that, “Sound human resource policy is a necessity in the growth of any business or company”. An acknowledgment of this requirement may occur when managers in the organization realize that a lot of time is often wasted due to issues dealing with human resources. This time could be used in planning for the growth of the organization or even in production and marketing. An organization is always at a disadvantage if there is a lack of clearly written and standardized policies.
Small businesses have no choice but to execute and apply fair human resource policies in their running of daily operations. Businesses that go out of their way to institute sound and comprehensive HR management policies are better prepared for success in the end than the rest. However, HR management policies have to be consistent in nature; otherwise, the results would be disastrous. Workers will have low morale, minimum employee loyalty, and the company will be highly exposed to legal penalties.
Green (1999) stipulates that HR policies of a small organization should cover every aspect of human resources, including holidays, meal periods, employee classifications and many others. Koch and Rita (1996) also advance that formal human resource policies are advantageous in many ways as they contribute to the success of the organization. Notably, even the best policies will go to waste if managers in charge of the HR policies become reckless and incompetent in administering their duties.
However, organizations or small businesses that are consistent and intelligent in administering their HR policies will reap rewards in many areas, such as:
- Curbing litigation: Legal experts would agree that organizations could cut off legal threats from unsatisfied employees by enacting comprehensive personnel policies that are fair to all the parties involved.
- Communication with employees: A human resource policy manual that is well written can serve as an effective tool in circulating employer expectations concerning the performance and behavior of employees.
- Communication with managers and supervisors: Formal policies can aid managers when it comes to hiring, rewarding, or promoting those working in the organization.
- Time savings: HR management policies that are comprehensive in nature can save organizations huge amounts of time that can otherwise be spent on other activities, such as competitive analysis or development of new products.
Making Constant Changes to Existing HR Policies
According to Ulrich (1998), it is paramount that organizations constantly revise their established HR policies. This is because, as an organization or company grows, the environment it operates in changes. However, small businesses have to be cautious when they go about updating their HR policies. At times, even minor alterations to policy can end up in unplanned consequences. Ulrich (1998) also holds that small firms and organizations have to understand that any change in HR policy can have some impact on every individual in the organization. Any proposed change has to be cautiously examined and should involve consultations with trusted individuals within the organization. A change in policy should be circulated effectively and widely to each employee.
Information Security Policies
Many organizations possess a high-level information policy that stipulates how and what information can be handled within the organization. Long (2006) describes an information security policy as one that addresses issues such as integrity, disclosure, and availability concerns. Notably, many factors have to be considered before developing a security policy: for example, the type of audience, the maturity of the policy development process, and the size of the company or organization. If an organization plans to start developing an information security policy, it is advisable to use a phased approach, which starts with a basic policy framework, touching on the major policies required, before developing a large number of policies.
According to Long (2006), a security policy should:
- Protect information and members of the organization.
- Help reduce risk.
- Help follow up on compliance with rules and regulations.
- Set the rules for required behavior by administrator, management, and security officers within the organization.
- State and stipulate the repercussions of violating security.
- Authorize the security team to supervise, probe or investigate.
- State the organization’s stance on security matters.
Jarmon (2006) also adds that information security policies provide a framework that reduces or minimizes security risks and ensures that there is an effective response to security incidents. The policies also help the staff become a part of the security team and hence secure the organization’s information assets. Barman (2001) states that they also define the organization’s attitude towards information, thereby announcing that information is also property of the organization and, therefore, has to be protected from being accessed, modified or destroyed by outsiders.
Information security policies can serve as compliance tools, which show where the company stands when it comes to best practice issues (Jarmon, 2006). The policies should be useful in protecting the security of the organization. However, they must be workable and realistic; they should match their audience and fit with the other policies within the organization. To attain this level, an organization must involve all the key players in policy development. Stone (2008) adds that the importance of the policies has to be communicated to the organizational members who will live by them. To avoid rejection by users, it is important to communicate the message that the policies are a framework that creates an enabling environment for employees to work.
The audience of such policies includes all company employees, who can then be divided into sub-categories: management, technical staff, and the end users. The audience plays an important role in determining what can be included in each policy document. Organizations have to make sure that security policy documents are consistent with the everyday needs of their audience; hence, they have to use different document types within the framework of a policy.
At a high level, governing policy should take care of information security concepts, define them, describe their importance, and state the organization’s stand on them. Both managers and end users will read it. The two groups, together with technical custodians, by default, will use the policy to achieve a sense of the organization’s philosophy on security policy. It is important to note that Governing Policy should be aligned with both existing and future company policies.
On the other hand, technical policies are to be used by custodians as they go about their security duties for the system they are aligned with. Technical policies are more detailed than Governing Policy since they cover more topics that are specific to the general technical topic; they describe things that must be done. According to Barman (2001), procedural documents lay down the necessary steps required to carry out the policy statements. They may be written to help readers understand what is in policy explanations.
When writing security policies, there is a need for policymakers to prioritize the topics that need to be addressed first. The remaining information can then be prioritized due to business sensitivity or criticality. It would enable one to discover which of the information is more sensitive than the rest.
In conclusion, security policy in any organization provides evidence of the organization’s position on security matters and provides a living tool for every worker to assist in building or maintaining a certain level of security (Jarmon, 2006). This, therefore, calls for security policy to be accurate, usable, and comprehensive.
Information Management Policy
Information management policy includes a set of rules that manage the behavior and availability of a specific type of content that is important to an organization. Anderson (2005) stipulates that the policy empowers administrators to direct and evaluate which individuals can access information and how long information is to be retained. The creators of this policy include records managers, compliance, IT staff, and all those responsible for managing risk. Information management policies cover all information assets that belong to an organization. However, some aspects of the policy could be available to the public, that is, if the organization is subject to freedom of information legislation.
Records Management Policy
The policy falls under information management policies. It is usually referred to as a “top level” policy, which is all about the maintenance and destruction of business records. The policy deals with documents, paper based files, computer-based files, electronic mail messages, faxes, diaries, intranet and internet web pages, brochures and reports, forms, maps and plans, photographs, microfiche and microfilm, and seized evidence (Anderson, 2005).
Records Management Policy usually applies to all employees, consultants, contractors, and secondees who can access organization’s records any time. The management of records helps organizations meet their statutory objectives. Records management policy, notably, cross-refers to related policies, including:
- Retention schedules: Records maintained by an organization for business purposes. They list the amount of time that records can be maintained and when they can be reviewed for destruction or otherwise.
- A records migration policy, which is a policy that covers circumstances where the technologies that the records depend upon become outdated. Moreover, the records need to be moved to new technology so that they can be accessed more easily than in their former state.
- Records conversion policy: It covers situations where records have to be converted to another format.
- Record retention and destruction procedures: They are procedures that guarantee the records are to be destroyed in a legally compliant manner. This is because not every record can be destroyed in the same manner. It is important to take into consideration the media, volume, and sensitivity of the records, when deciding on the procedures and mechanisms of destruction.
- Records hold policy and procedures: They are procedures that cover circumstances where an organization has to put an end to the destruction of documents, which usually happens when legal proceedings are sought.
Information Technology Policy
IT policies express an organization’s vision, principles, and strategy as they relate to how information and information technology resources can be used. They interpret laws and regulations that can be applied within the company as well as ensure that the policies conform to legal requirements. Moreover, IT policies denote specific requirements for the regular use of IT resources across the organization.
For there to be a meaningful IT policy development process, an organization has to adopt a framework that would:
- determine the formula for what should be constituted in a policy;
- measure the effectiveness of the policy, as well as level of adoption;
- establish the time to launch a certain policy or set the guidelines;
- create a mode for drafting, updating, approving as well as expiration of various policies and standards.
IT policy usually applies to all handling of the IT facilities in an organization. It covers both communication and computing facilities, including desktops, email, printers, photocopiers, internet, telephones, mobile telephones, facsimiles and other web services. The policy represents an organization’s position on matters dealing with IT. Therefore, it should be consistent and appealing to all users. On the other hand, users must know of their responsibilities and be ready to comply with the IT policy. They should also be aware of their legal obligations.
Accounting policies refer to specific policies that an organization uses in preparing its financial statements. They include bases, specific principles, rules, measurement systems and procedures that can be used to present disclosures. They represent an organizational way of following the rules involved in accounting.
Selection and Application of Accounting Policies
The accounting policy applied to a transaction has to be determined by using the Standard or Interpretation issued by the International Accounting Standards Board (IASB) for the particular Standard or Interpretation. In case the Standard or Interpretation is absent, then the management is allowed to use its judgment to develop and apply an accounting policy, which will bring out reliable results.
An organization can pick and apply accounting policies repeatedly for transactions that are similar, except when a Standard or Interpretation allows items to be categorized so that specific policies can be applied. An organization can decide to change an accounting policy if it is required to do so by a Standard or Interpretation or if the accounting policy results in financial statements giving relevant information on the effects of transactions.
Various disclosures arise due to changes in accounting policy caused by a brand new Standard or Interpretation:
- The standard title or interpretation title resulting in the change;
- The amount of amendment relating to the time before those given;
- The nature of accounting policy change;
- If an application is not possible, and description of how the change in the policy was applied.
Critical Accounting Policy
This refers to a policy for an organization considered as possessing a highly subjective element, which also can affect the financial statements materially. According to Howard (2005), most accounting policies usually involve subjective valuations put on various items to allow an observer to have the best view of a company by looking at just one single balance sheet or loss statement. Critical accounting policies are policies particular to an organization and are more subjective than other policies. Many analysts and investors focus on critical accounting policies, because their subjective nature is more vulnerable to creative accounting, especially the kind referred to as slush fund accounting. Here, excess earnings from a specific financial period are hidden by altering the subjective element of the policy. The hidden funds can then be channeled back to profit the company during a bad quarter. Most companies do this because they have to maintain the profitable aspect of a company.
Examples of critical accounting policies include:
- Estimating bad debts;
- A manufacturing plant accounting for future returned items;
- Banks accounting for future loans that might be unpaid.
Characteristics of a Good Policy
- It should have an enabling purpose. The purpose of policy should be stated clearly and apply to all its users fairly. The aims stipulated in the policy outline should never be a technical statement. They should be easy to understand and create a joint responsibility towards the creation of better performance.
- It is linked to a wider objective. It is important for the wider objective to relate to the base line of an organization.
- A good policy has clear ownership. The ownership of the policy should be shown clearly and authorized from a proper level within the organization. The level should represent all the members of the organization. It should not be seen as an imposition against a few individuals within the organization.
- It is short and clear. Users should be able to read the policies without straining. For them to comprehend with ease, the document should be clearly on paper.
- It arises from a valid process. Members of the community around should be able to understand the process of how the policy was developed. It should ideally show that comment and input are allowed.
- It works within the confines of a given authority. The authority should be placed above all users whom the policy will affect.
- It is enforced. The policy has to be enforced and be enforceable at the same time. Enforcement can be achieved at both a human level and technical level. Sending a warning email is usually very effective in most organizations.
- Good policy is adaptable. A good policy is constantly in need of revisions as the network grows; no policy is perfect. It is important to present clear information on how the policy can be changed or adjusted.
Characteristics of a Bad Policy
In analyzing policy, Jenkins (1978) lays down the following characteristics:
- It is not backed by monitoring. It is important to ensure that an organization has the technical capability to monitor the policy and the network before finalizing the policy. This ability should be present at the start of the whole process.
- It is unduly complex. It is important for policy to be focused and understandable.
- Policy that does not fit the environment: this refers to policies that have been cut and pasted from another organization. It is better to formulate a policy from scratch.
- Policy that is never enforced. Due to lack of political will, some policies might never be enforced. It is better to have no policy than have an existing one that is never enforced.
- Unofficial policy: this does not have the support of decision-making organs of the organization. Others are implemented in isolation. When unofficial policy clashes with an official one, the authority will be undermined in the end and users will be confused.
According to Smith (2002), a policy is essential because it gives an outline for action that helps an organization accomplish its tasks. A policy can also be seen as a tool to be used in quality improvement, which allows various requirements to be met. It forces an organization to conform to accreditation standards. The various elements of a policy are as follows:
- It creates the agenda for action to be taken in an organization.
- It is a decision.
- It is grounded in legal authority.
- It is written down.
- Individuals in an organization are familiar with a specific policy.
- Creating a policy is a continuing process.
- It represents a wider framework within which a certain organization operates.