I’ll admit it, when you’re starting a business, one of the last things you want to think about are corporate policies. Your focus is on getting your product or service to market and growing a solid team, not on some collection of dos and don’ts. Besides, that’s what large, stodgy companies do, right?
That’s how we felt in our early days. And, to be fair, we did have a lot of great processes in place, but they weren’t formally documented. That’s probably okay when your company consists of just a few founding members, but once you start to hire employees and gain new customers, you really should take the time to draft key policies and ensure employees read and attest to them.
Here are a few reasons why:
Your employees want the knowledge. The vast majority of people want to do the right thing. But, as you hire and expand, it becomes infinitely more difficult to ensure everyone is on the same page. Your employees will have questions, such as “What should I do if my cell phone is stolen?” “Is it okay for me to use my company laptop for personal use?” “How do I know if my data is encrypted?” Everyone needs to know your expectations without having to ask. Straightforward and easy-to-access policies will point them in the right direction and help them avoid costly mistakes.
Your clients will require policies. At some point, and probably sooner than you think, a client (or auditor) will ask, “Do you have an information security policy? May I see it?” “What’s in your clean desk / clear screen policy? Can I get a copy?” “When are employees required to read it?” At this point, you can’t fake it. You’re fooling no one. You either have these policies and require that they are read and understood, or you don’t. I remember one such audit when I was asked if we had an Ethics policy. Thankfully, we did. The document was about 1 month old. The auditor asked if we required employees to read it, and we told him we had conducted a lunch-and-learn. He asked if employees had signed off that they had read and understood it at the lunch-and-learn. “No, but they were there,” I replied. His response: “Without documentation, it didn’t happen.”
Your competitors have policies. Fresh ideas and new ways of thinking are great advantages for startups and young companies, but keeping up with the mature processes of age-old incumbents can be a bit more challenging. Just remember, you’re probably already doing it. Take the time to write your policies down. And don’t worry, there are a number of great tools out there that can help you meet policy requirements without getting bogged down in a document nightmare.
So how do we make policies less of a hassle for everyone? That was our goal at Onspring, and I’d like to share our approach:
#1. Save a Tree. Deliver Policies Digitally.
The last thing new employees want to do is sit at their desk, thumbing through a giant policy manual. Instead, we use our own product, the Onspring Platform, to deliver policies online through a self-service dashboard. Employees can review individual policies at their own pace, and they can easily access and search policies whenever questions arise. Also, the online policies are much easier to keep up-to-date.
#2. Track Acceptance and Understanding.
We use our survey functionality in Onspring to deliver policy training to new employees. We also retrain all team members on the anniversary of their hire date. If you haven’t started drafting your policies, a few general areas in which you may want focus are listed below. A quick Web search will provide several policy examples, and you can then modify them to your specific business needs.
Acceptable use and device management
Encryption and media/removable devices
We give employees a few days to complete the online training. Responses are auto-saved so that they can go at their own pace. For each section of the training, we ask employees to indicate that they accept and understand the policy. If they don’t understand, they can ask questions right there in the survey, and we can ensure that the policy language is clear.
#3. Hang On to Your Records.
Remember what I said earlier about clients and auditors who will want to see your policies? That also applies to your employee attestations. You must save this information! Again, if you don’t have proof, it didn’t happen. Be sure to hang on to employee records that show when they reviewed and accepted your policies. At Onspring, we manage all of this right in our own product, and we can report on policy attestations at the individual employee level or across the organization—instantly.
To be clear, you don’t have to use a platform like Onspring to manage your policies. The important thing is to have policies and track employee acceptance. If your business is small, polices managed in Google or Word documents and a spreadsheet tracking acceptance will suffice. As you grow, consider ways to streamline the policy management process with cloud-based software like Onspring. So, when the auditors pay you a visit, you’ll be ready!
Policy Management Solution Brief
Learn how to take control of policies, change reviews, attestations and exceptions