A simple policy mechanism

Here is a mechanism to evolve policy that makes sure the decision-maker is consulted when necessary and not bugged when unnecessary.

One of the challenges in areas that need tight policy, such as IT security, is that the process is often set up so that the subject-matter experts (SMEs) approve each request. This is mundane work that they see as a low priority for their esteemed selves, so it becomes a bottleneck in request fulfillment.

Yet the rules of approval can be complex, so it can be hard to pry the experts' hands off the controls.

What is required is a solution that allows process workers to complete requests without having to wait for the experts to approve. Here's an approach that can work.

Establishing policy to begin with:

  • Review existing directives from the governors of the organisation, and existing higher-level policies. What does this policy need to align/comply with?
  • Work with senior management who will be affected by the activities and outputs. What goals should the policy have? What rules and bounds need to be put on workers’ activities?
  • Determine who the decision maker(s) on policy are, and who the other Subject Matter Experts (SMEs) are.
  • Interview the decision maker and SMEs.
  • Capture all known policy (goals/objectives, bounds, rules, guidelines) into a policy document or tool. If there is little or no policy in existence yet, never mind: create an empty or minimal policy. This mechanism will start filling it.
  • Review it with the decision maker and up the chain of command to all necessary approvers.
  • Review it and perform walkthroughs of scenarios with case workers to ensure it is useful.
  • Once content is settled, promote awareness of the policy and educate the users it affects.

Using and improving policy:

  • Empower workers to act within the policy (and ONLY within the policy).
  • Require workers to refer to the decision-maker SME for anything not covered by policy. The mechanism will probably be the original approval process we are replacing, or very similar.
  • Coach the decision maker about the bounds of their own authority and the need to go up the chain of command to the appropriate level for making and approving any decision.
  • Whenever the decision maker is asked to decide on policy or to clarify policy, the practice owner (or the SME - they have a vested interest in a quiet life - or someone else...) should capture the result in the policy document (and get the SME to confirm the update), so that next time the answer is in the policy and we don't need to bother the SME again.
  • Audit the workers' output for policy compliance. The experts may want to do this themselves or to delegate it to an auditor.

Evolving policy

The SMEs still control approval but they are freed from the mundane approval of every transaction and people stop complaining about them being slow. The workers get more authority and respect, and they get the job done faster. Win-win.