Style Guide to Writing Good Procedures
Last week, we explored the process of writing effective policies. This week we will take a look at what goes into writing effective procedures, the policy counterpart. Procedures are the process or task instructions on how, exactly, a policy is followed. They communicate the responsibility for a task or a process. Where a policy defines the rules, both as a guide to employees making decisions and as mandatory rules that require enforcement, the procedure says “This is who is expected to do it, and this is how they are expected to do it.”
Components of Procedures
When you look at a procedure, what are some good components you would have within the procedure? Some of the required document components are:
- The name of the procedure
- The procedure reference
- Records of audit, change, and review
- The effective date
- Who approved the procedure
When is the last time this procedure was reviewed? When is the last time it was changed? There needs to be an effective date saying this is when we, as an organization, instituted this procedure, and from this point forward we expect it to be followed. Is this procedure just a piece of paper or is this something that is really and truly followed by an organization? Who approved it? Do they have the appropriate authority to approve this procedure? Has it been clearly communicated to all employees? Is it being enforced? These are the components we, as auditors, look for when reviewing an organization’s procedures.
What to Include in Your Procedures Documentation
Looking more at the document itself, what are some things that should be inside the procedure document? A good general overview and summary of a procedure is helpful in defining the procedure before getting into the nuts and bolts of the actual procedure itself. A purpose statement helps keep you focused on what you’re trying to accomplish. What is the scope? Does it apply to all offices, an office, a division, or a special case? It’s also important to identify who the responsible parties are to help determine the people that need to be educated and involved. Some procedures don’t need to be sent to all employees if they don’t affect them. Be thoughtful and specific about who is responsible for this procedure, and make sure that this procedure is sent to them.
Other important things that should be included in a procedure are any forms and related references. If there are websites or databases that need to be visited, or forms that need to be filled out, they must be referenced in the procedure. You should always ask yourself, if you weren’t there, would you be able to hand the procedure to someone else and have them figure out what needs to be done?
A good way to begin the procedure writing process would be to go to each department head and have them prioritize the functions they are responsible for every day, week, and month. Then have them write out what that looks like to them on a daily basis. Once you have those lists, it’s time to add some flesh to them by defining the purpose, scope, responsible parties, etc.
Policies and Procedures Maturation
Maturing your procedures will take time. A lot of companies discover that it may take up to three years to fully mature their policies and procedures. Getting the initial procedures written down, getting the other components into place, and ensuring you have a procedure that someone can actually test and follow can be time-consuming and may seem overwhelming. Here are some last-minute tips to help the process along:
- Start at a high level and drill down layer by layer.
- Establish a defined scope that includes a starting and ending point of what the procedure covers.
- Consider all of the possibilities and decision points.
- Interview all of the responsible parties.
- Utilize flow charts and checklists.
KirkpatrickPrice helps organizations develop and implement policies and procedures. We offer general templates as well as guided development. For more information on developing your policies and procedures, contact us today.