Once upon a time, I was a professional corporate bureaucrat. Part of my job was to define policies that would directly affect thousands of people, and indirectly affect thousands more. Early in that job I learned that our company didn't offer much guidance about writing policies. Sure, we had clear policies about the format in which we would publish policies, but no guidance about other key elements of policies, such as how to define policies, how to maintain them, and how to encourage adoption. Lacking that guidance, I created my own.

Basic Principles

Make your policy effective

  1. To make your policy effective, identify the policy's beneficiaries, the people who benefit from the policy.
  2. To make your policy effective, identify the business benefit that the policy creates its beneficiaries.
  3. To make your policy effective, construct a cause and effect model that shows how compliance creates the business benefit.
  4. To determine whether your policy is effective, measure compliance.
  5. To determine whether your policy is effective, measure the business effect that the policy is intended to create.
  6. To determine whether your policy is effective, correlate the measured compliance with the measured business effect.

Encourage people to adopt your policy

  1. To encourage people to adopt your policy, describe the policy's beneficiaries.
  2. To encourage people to adopt your policy, describe the business benefit that the policy creates its beneficiaries.
  3. To encourage people to adopt your policy, describe the cause and effect model that shows how compliance creates the business benefit.

Help people find policies that affect them

  1. To help people become aware of relevant policies, link to each policy from web pages related to the policy's scope and purpose.
  2. To help people find the policies they need, publish each policy where people are likely to look for it.
  3. To help people find related policy information, list all related policies, and only related policies, in the Related Policies section.
  4. To help people determine whether a policy applies to them, clearly describe the scope of the policy by identifying who must comply, and, if appropriate, under what conditions.
  5. To help people determine whether a policy applies to them, put all scope information, and only scope information, in the Scope section. Put other information, such as guidance, background information, or procedures, in a separate section or a separate document.
  6. To help people determine which policies apply to them, when writing scope statements, use the "one-name-one-meaning" principle: each time you refer to the same set of people, use the same name; each time you use the same name, make sure it refers to the same set of people.

Help people determine which "policies" are legitimate

  1. To help people determine whether a policy is legitimate, identify the person who approved the policy, and identify the date on which the policy was approved.
  2. To help people understand whether a policy is in effect, indicate each policy statement's approval status or revision status. Examples of status include approved, draft, and pending approval.
  3. To help people understand the importance of a policy, put the word "Policy" in the title of the policy. Similarly, when creating titles for other kinds of admonitions, such as guidelines, standards, and procedures, include a word that identifies the type of admonition. This helps the reader distinguish among the types of admonitions, and give the appropriate significance to each.
  4. To help people understand whether a policy is legitimate, keep the policy current.
  5. To keep a policy current, periodically review the policy to determine
    • Is the policy's purpose still relevant to the organization?
    • Are the policy's compliance criteria necessary and sufficient to achieve the policy's purpose?
    • Are the names used in policy (e.g., organizations, roles, technologies) still current?
    • Are the related policies and documents referenced by the policy still current?
    • Are there other policies that overlap or conflict with this one?
  6. To help people find current policies, periodically remove old drafts and unapproved policy candidates from publication.

Help people understand what they are being asked to do

  1. To help people understand what they are being asked to do, put all compliance criteria, and only compliance criteria, in the Policy section. Put other information, such as guidance, background information, or procedures, in a separate section or a separate document.
  2. To help people understand the relationships among policies, list all related policies, and only related policies, in the Related Policies section.
  3. To help people find information related to a policy, when referring to policies, events, practices, or other information defined elsewhere, give full citations. A full citation includes enough information to guide the user to easily find the referenced information.
  4. To help people access information related to a policy, give citations in a form that readers can use. Some readers will read the policy on-line. Others will want printed copies of the policy. Use hyperlinks to help on-line readers. For people reading printed copies, give full citation information in the body of the policy statement, in a way that is readable on the printed copy.
  5. To help people understand a policy, use the "one-word-one-concept" principle: each time you refer to the same concept, use the same word; each time you use the same word, make sure it refers to the same concept.

Help yourself maintain your policies

  1. To make a policy maintainable, when assigning responsibilities, use role names; do not use the names of individual people. Refer readers to an external source (maintained separately from the policy) that identifies which people currently fill each role.
  2. To make a policy maintainable, when requiring the use of technologies, require the most general technology that will achieve the policy's purpose.
  3. To make a policy maintainable, refer to related documents; do not copy text into the policy from other documents.