Security Leadership and Management

Building Strong Policies for Ongoing Structure and Security

In every element of our daily lives there are rules that guide our behavior. These rules come to us in many forms. From the time we are infants, our parents teach us what types of behaviors are acceptable and those that are not. We all remember the dreaded “No” from our mothers or fathers, which was usually coupled with a stern look on their face. As we grew up, there were rules at school, and as we learned to drive there were traffic laws we needed to obey. Our world is full of legions of government regulations and laws with which we are expected to comply. We all understand that without rules, regulations and laws to guide behavior, civilization as we know it would cease to exist and we would be cast into a world of utter chaos.

Rules, regulations and laws give us that solid foundation to guide behavior and establish the consequences for failure to comply.  As we entered the working world, things like codes of conduct, policies, procedures and processes were added to our list of things to guide us and to which we were expected to conform.

The outer ring of this graphic identifies key elements of establishing a solid foundation for implementing an Enterprise Risk Management (ERM) based program. This month we are focusing only on the area of establishing policies, procedures and processes.

Our working worlds are filled with complexity, whether you work for a company, an NGO, a non-profit or a governmental entity. Establishing rules of behavior and the consequences for failure to comply are critical to ensuring and maintaining any form of consistency and uniformity of actions across the enterprise. Policies, procedures and processes are necessary tools in defining the day-to-day rules of behavior and the steps that are necessary to get your job done efficiently, effectively and in a consistent manner. 

Some organizations try desperately to create an open and free-wheeling environment in the belief that it will foster creativity and innovation. Somewhere along the way, unless it is a one-person entity, policies, procedures and processes will become necessary. Structure is a critical element to the working environment, just as it is to our everyday lives. Without structure, manufactured products would not be produced in a consistent manner, financial transactions would not be trusted and consistent failures would occur. These compliance failures not only can result in loss of trust in products or services, but can reach a level that breaches laws and regulations. Ultimately, compliance failures can result in an erosion of the entity’s reputation and significant liability for not only the entity but also for those responsible.

There are a number of different ways to establish structure within an entity. We have all seen the proliferation of “Mission and Vision” at the top of the food chain in setting the overall operating philosophy for an entity. Some organizations have a very hierarchical structure, while others expect the individual elements of their organization to establish the ground rules for how to operate in those units. Establishing a set of high-level policies that guide behavior and set the general standards across the organization is one of the best ways to lay the groundwork for consistency across the entity. In the very hierarchical environment, top-level policies are typically followed by procedure manuals for each of the various elements of the organization. This hierarchical approach often leads to classic stove piping and does little for cross-fertilization of operating philosophies or expectations across the organization.

A more effective, but admittedly more complex, structure to track document change management is embedding compliance or operating requirements directly in each functional area’s operating procedures. For example: one approach is to require Procurement to reference the corporate security manual for guidance on the steps necessary to conduct a due diligence review of a potential supply chain partner. Perhaps a more proficient manner is to embed the steps necessary to conduct due diligence of potential supply chain partners directly in the procurement department manual.

One of the most effective ways to ensure people understand what is expected of them is by creating process flow charts and utilizing yes/no decision trees. The old saying “A picture is worth a thousand words” holds very true in today’s complex world.  


This article was previously published in the print magazine as "Establish A Solid Foundation."


Recent Articles by Jerry Brennan
