Why Your Business Needs Policies and How to Make Them Less Awful
Well-written and thorough policies are hardly the most exciting parts of growing a business. But crafting them may be one of the most important things you do. To help make the process less painful, we’ve invited Chris Pantaenius, co-founder and CEO of Onspring Technologies, to lay out some best practices:
I’ll admit it, when you’re starting a business, one of the last things you want to think about is corporate policies. You’re focused on getting your product or service to market and growing a solid team, not on some collection of dos and don’ts. Besides, that’s what large, stodgy companies do, right?
That’s how we felt in our early days at Onspring. And, to be fair, we did have a lot of great processes in place, but they weren’t formally documented. That’s probably still okay when your company consists of just a few founding members, but once you start to hire employees and gain new customers, you really should take the time to draft key policies and ensure employees read and attest to them.
Here are a few reasons why:
Your employees want the knowledge. The vast majority of people want to do the right thing. But as you hire and expand, it becomes infinitely more difficult to ensure everyone is on the same page. Your employees will have questions, such as “What should I do if my cell phone is stolen?” “Is it okay for me to use my company laptop for personal use?” “How do I know if my data is encrypted?” Everyone needs to know your expectations without having to ask. Straightforward and easy-to-access policies will point them in the right direction and help them avoid costly mistakes.
Your clients will require policies. At some point, and probably sooner than you think, a client (or auditor) will ask, “Do you have an information security policy? May I see it?” “What’s in your clean desk / clear screen policy? Can I get a copy?” “When are employees required to read it?” At this point, you can’t fake it. You’re fooling no one. You either have these policies and require that they are read and understood, or you don’t. I remember one such audit when I was asked if we had an ethics policy. Thankfully, we did. It was about 1 month old. The auditor asked if we required employees to read it, and we told him that we had conducted a lunch-and-learn. He asked if employees had signed off that they had read and understood it at the lunch-and-learn. “No, but they were there,” I replied. His response: “Without documentation, it didn’t happen.”
Your competitors have policies. Fresh ideas and new ways of thinking are great advantages of startups and young companies, but keeping up with the processes of age-old incumbents can be a bit more challenging. Just remember, you’re probably already doing it. Take the time to write your policies down. And don’t worry, there are a number of great tools out there that can help you meet policy requirements without getting bogged down in a document nightmare.
How to write (and deliver) policies for your business that really work
So how do we make policies less of a hassle for everyone? That was our goal at Onspring, and I’d like to share our approach:
#1. Save a Tree. Deliver Policies Digitally.
The last thing new employees want to do is sit at their desk, thumbing through a giant policy manual. Instead, we use our own product, the Onspring Platform, to deliver policies online through a self-service dashboard. Employees can review individual policies at their own pace, and they can easily access and search policies whenever questions arise. Also, the online policies are much easier to keep up-to-date.
#2. Track Acceptance and Understanding.
We use a survey to deliver policy training to new employees. We also retrain all team members on the anniversary of their hire date. If you haven’t started drafting your policies, a few general areas on which you may want to focus are listed below. It’s not an exhaustive list, but it’s a good starting point:
Acceptable Use: This policy outlines the acceptable use of computer equipment and mobile devices. These rules are in place to protect your employees and your business. Inappropriate use exposes you to risks including virus attacks, compromise of network systems and services, and legal issues.
Background Checks: This policy defines the procedures to perform when requesting a background check on new hires. Background checks are essential for the protection of your employees, company and clients.
Clean Desk and Clear Screen: This policy establishes the minimum requirements for maintaining a “clean desk” and a “clear screen,” where sensitive/critical information about employees, intellectual property, clients and vendors is out of sight and secured in locked areas. A clean desk policy is not only ISO 27001/17799 compliant, but it also complies with internal privacy controls.
Ethics: This policy establishes a culture of openness, trust and fair business practices. It serves to guide business behavior to ensure ethical conduct for all employees, from interns to upper management.
Information Security: This policy covers all areas of the company’s operations as they pertain to the security of information. An information security policy also should explain your company’s controls, standards and procedures regarding the management of physically and electronically stored information, the devices or assets on which the data reside and the roles of the people who interact with data. This type of policy helps to maintain the highest levels of security, both inside and out.
Non-Disclosure Agreements: This policy communicates the conditions under which a mutual NDA between your company and a third party may be required, along with the review process.
Security Training & Awareness: This policy defines the actions your business takes to provide employees with knowledge, best practices and guidance on security and privacy.
Vendor / Third-Party Management: This policy typically provides controls and standards relating to third-party efforts regarding information security, network and system security, and human resources security. If you rely on third-party vendors for key business functions, establishing clear policies and an accompanying awareness program is essential.
A quick web search will provide several examples of these types of policies and many more. You can pretty easily modify these sample policies to your specific business needs.
When we conduct online policy training, we give employees a few days to complete it. Responses are auto-saved so team members can go at their own pace. For each section of the training, we ask employees to indicate that they accept and understand the policy. If they don’t understand, they can ask questions right there in the survey, and we can ensure that the policy language is clear.
#3. Hang On to Your Records.
Remember what I said earlier about clients and auditors who will want to see your policies? That also applies to your employee attestations. You must save this information. Again, if you don’t have proof, it didn’t happen! Be sure to hang on to employee records that show when they reviewed and accepted your policies. At Onspring, we manage all of this right in our own product, and we can report on policy attestations at the individual employee level or across the organization—instantly.
While it might make life easier, you don’t have to use a platform like Onspring to manage your policies. The important thing is to just have policies and track employee acceptance. If your business is small, policies managed in Google or Word documents and a spreadsheet tracking acceptance will suffice. As you grow, consider ways to streamline the policy management process with cloud-based software like Onspring. So, when the auditors pay you a visit, you’ll be ready!
Chris Pantaenius is the CEO of Onspring Technologies. He co-founded the company in 2010 to help business people solve complex problems through modern, flexible technology. As a career consultant and solution developer, Chris has deep experience in the areas of vendor and contract management, risk assessment, compliance and business operations.
Learn more from Kansas City’s entrepreneurial community
If you need specific tips, connections or introductions to grow your business, you can always call us at 816-235-6500 or drop us your info at www.kcsourcelink/myplan and we’ll get back to you within 1 business day with your customized list of resources to help you reach your next milestone. And that’d be for free.