By Dana P Skopal, PhD
It is important for any business to ensure the safety of its staff and clients. This safety covers not only physical safety in the workplace but also areas such as cyber security and conflicts of interest. In a broad sense, all of these are matters of risk management. To ensure staff and clients know how to operate safely at work, management needs to put clear policies and procedures in place. However, from our experience, staff don’t like writing these documents, and the content is often difficult or boring to read.
Management should not shirk its responsibility for risk management and needs to be proactive in reviewing and updating policies and procedures. Policies and procedures reflect an organisation’s values and need to comply with legislation; these are management’s responsibilities, but the content applies to staff. Effective implementation therefore requires co-operation between management and staff, as well as documents written in plain English.
Clear, effective policies and procedures mean that management and workers are on the ‘same page’ and everyone understands the systems that operate around them. Further, clear policies and procedures clarify responsibilities and accountabilities.
Policy documents do not need to be wordy: an organisation’s values, principles, and the relevant regulations can be stated effectively on one page. The length of a procedure depends on the process it covers, but the key steps can usually be covered in two to three pages, which is the written equivalent of a five-minute briefing to staff. If detailed content is necessary, it can be placed in appendices and presented through document design such as tables.
If managers focus on presenting these key points in clearer documents, it shows that the organisation can articulate its important values and processes while engaging its staff. One sure way to ensure staff do not read a procedure is to sit them in front of a computer screen with a long-winded document. Effective procedures entail co-operation between management and staff, training in those procedures, and regular reviews. They also mean an organisation is being run with agreed values and a good understanding of responsibilities.
For further information, see:
Williams, B. L. (2013). Information security policy development for compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA standard, PCI DSS V2.0, and AUP V5.0. CRC Press.
Copyright © Opal Affinity Pty Ltd 2021