Murder, Policies and Procedures
On a recent Sunday, the Philadelphia Inquirer shocked our
local community by stating the obvious: “Even after the
carnage at an Amish school in Lancaster County last week, a
spot check by Inquirer reporters found a surprising number
of security lapses at schools across the region. In spite
of rules aimed at limiting public access, reporters who
fanned out on a single day walked into more than a dozen
schools unannounced and without being challenged.” Schools
Caught Short on Security, The Philadelphia Inquirer,
October 8, 2006
Many people think that security is the security manager’s
issue. However, on a recent blog post, I stated: “You can’t
rely on your employees and consultants to use common sense
when it comes to your company’s security. Remember to
continually communicate the boundaries of permission to
remind everyone that safety and security are team issues.”
In the case of the school security breaches, well-meaning
teachers and students, as well as hapless employees and
contractors, provided unauthorized and unsupervised access.
Luckily, the intruders were reporters; there were no
casualties other than reputations and peace of mind.
In order to understand why this security lapse is
particularly astonishing at this time, here is the
background for those who don’t live in Pennsylvania and may
not know: A gunman had recently invaded a one room Amish
schoolhouse, killing 5, severely injuring 5, and
traumatizing the whole community. Subsequently, the often
repeated message has been, if this can happen at that one
room schoolhouse in the middle of the countryside in a
peace-loving community, it can happen anywhere. We should
step up efforts to keep our kids safe because of the high
likelihood of copycat crimes.
These security lapses occurred at a time of heightened
security. If a murderer had come sneaking in the side door,
the consequences would have been very deadly. While most of
us don’t have to worry quite this much about our policies
and procedures, it made me stop and think.
There were policies in place at all of the schools. Some of
the policies were better than others, but each had security
policies. When questioned, school authorities stated that
there were policies that were not followed. For some
reason, it seemed as though some felt that this settled
everything, though I was left with many questions:
* Are the procedures written in light of actual
practices/are they practical?
* Who is responsible for verifying that policies and
procedures are followed?
* How is accountability ensured?
* What is the personal consequence of causing a security
breach?
* How are the policies and procedures communicated, and how
can we be sure that the involved parties understand them?
* What are you doing to make sure that these kids are safe,
both now and in the future?
* How are updates communicated?
You can use these questions to consider the effectiveness
of the security policies and procedures for your business
as well. (There are many kinds of policies and procedures;
this discussion focuses on security.) Many people view
policies and procedures as an unpleasant set of paperwork
that is at times needed for regulatory or legal reasons.
However, policies and procedures should be meaningful
roadmaps to better business practices.
In the case of security, the documents are “organic”. The
procedures will change with advances in technology, or
changes in criminal behavior. Policies and procedures are
purposeful; when it comes to security, following policies
and procedures should prevent or limit loss. However,
misunderstandings can instead cause confusion and create
risk.
The good news: There are many things that you can do to
create a framework for success and thwart would-be crimes;
put your documentation to work! You can use the following
suggestions to ensure that your policies and procedures
aren’t just sitting in a drawer collecting dust.
If you don’t have policies and procedures in place, begin
with your most pressing concerns. You can update documents
later as needed, but it’s important to gain and keep
momentum or the project will stall. Once the writing
begins, you will immediately find gaps and broken processes
that need to be addressed. If a manager is doing the
writing, he or she is likely to have starts and stops as
attention is given to management issues. This can be
frustrating.
Many managers enjoy outsourcing the work to a writer so
that they can fix processes quickly without affecting the
project schedule. Most technical writers offer free
estimates and are happy to discuss your project with you.
You may also request quotes from more than one company to
comparison shop.
Create a communication plan. For instance, send out a
section per week for review instead of one overwhelmingly
large document, and meet later in the week to discuss that
section.
Make information relevant. The best way to do this is for
the manager to write a follow-up note or lead a discussion
regarding the manager’s specific concerns with the team.
For example, “Procedure 3.1 states that company laptops
must be secure, but it doesn’t elaborate. As part of the
sales force, your laptop travels with you and security is
really essential here. These are the types of things that I
feel are necessary to improve physical security, as well as
data security…” In this way, the employees are relating the
procedures to their own personal experiences and situations.
Cover all your bases. Make sure that there is a system in
place to thoroughly disseminate the information. In this
case, schools needed to communicate with teachers, other
employees, students, parents, and contractors. When you
need to educate a broad audience, you must have a plan.
Don’t assume that people will pick up the information by
osmosis.
Reinforce the information. Using training classes, online
quizzes, and class discussions reinforces the concepts and
gives people a chance to apply their new knowledge.
Providing employees with job aids, such as quick reference
cards, will also help them to gain proficiency.
Allow for input. Hold employee roundtable discussions or
encourage employees to provide input to the managers. In
many respects, employees are your first line of defense
against disaster.
Establish accountability. If a person knows that there will
be random security checks, he/she will be much more likely
to self-check. It’s human nature. Along the same lines,
managers who create a compliance audit plan are more likely
to follow up than those who do not.
Apply the rules to everyone. I have heard it said that
managers who feel that the rules don’t apply to them create
the biggest risk to corporate IT security. In fact, the
clearance held by top executives means that they are the
greatest risk, and they should probably be even more
careful (not less).
Be ready to take action. Treat security breaches with speed
and commitment. You don’t want to be overly punitive, but
you also don’t want to be a haven for scofflaws that aren’t
working with the rest of the company to keep everyone safe.
More than likely, if you are prepared to follow through
with those who are breaking policies, you won’t have to.
Review your business practices at the slowest time in your
annual sales cycle. The mere existence of this set of
documents does not automatically improve practices.
Policies and procedures only work if they are accurate,
relevant, and known.
When teams work together, crimes are prevented.
Well-written policies and procedures bring unity and
understanding, keeping people and possessions safe. When
security is breached in spite of the efforts, a
well-thought out backup plan will ensure that the problem
is resolved as quickly and as painlessly as possible. Far
from being a distraction, when written with respect and
participation, the development and implementation of
policies and procedures has a positive effect on job
performance, safety, and productivity.
—————————————————-
Dot Olonovich writes policies and procedures that
streamline and improve business practices. You can find out
more about her and the rest of the Logical Writing
Solutions team at http://www.logicalwriters.com Feel free
to contact her at dot@logicalwriters.com or 610.933.1989.
* Please note: You are welcome to publish this article on
your free website, blog, or ezine. Contact the author for
more information about copyright permissions.
