Five monkeys were placed in a cage. A banana was hung on a string and a ladder was placed below it. Each time one of the monkeys started climbing the ladder, all the monkeys were sprayed with a blast of cold water. This experiment was repeated for several days. Then each of the original monkeys was replaced with a new one. The experimenter did not need to spray the new monkeys because, as soon as any new monkey proceeded towards the ladder, all the other monkeys attacked it simply for the fear of being sprayed.
Finally, all the original monkeys were replaced with new monkeys that had never been sprayed; yet all the monkeys attacked any monkey that dared climb the ladder. Now you may ask why those monkeys that had never been sprayed would attack their mates without any rationale for their acts. The monkeys were just following the policy laid down for them. They had no clue as to the origin of the policy. (To get a complete description of this experiment, visit www.wowzone.com/5monkeys.htm.)
It is highly likely that most of your employees follow policies established a long time before they joined the company and they did not contribute to their development. Ask a sample of your employees how well they understand specific policies within the organization (e.g., policies on who and what to tell the media, how to keep their computer passwords, or policy on handling confidential information). Are they doing things just because that is the way things are done or do they understand why they do them?
What is a Corporate Policy?
A corporate policy is a formal document that states specific rules that must be followed by members of an organization. To be effective, a policy must possess the following characteristics:
? It must communicate a judgment acceptable to members of the organization
? It must specify what is considered to be an appropriate behavior of a member of the organization
? It must identify tools and procedures needed to perform specific tasks
? It must be clear and understood by all employees and the human resources department to help in taking proper actions when the policy is violated
? It should be a living document
Who Developed Your Corporate Policy?
Since it is imperative that your policy needs to communicate a judgment acceptable to all members of your organization, it is necessary that a policy implementation team should have representatives from at least four areas of the organization:
? A senior level administrator
? Someone from the management team who can enforce the policy
? A member of the legal staff
? A member of the user community
As a living document, the implementation team should meet regularly (at least quarterly) to ensure the viability of the policy (Mark Ciampa, Network Security Fundamentals-Policies and Procedures, 2005).
What is Policy-Based Management? Is it Old Wine in A New Bottle?
Whether in government, industry, or academia, organizations have always employed policy-based management with varying degree of success. This paradigm is now being given a new life in designing and managing complex organizations and systems. The focus is to make such organizations autonomic. By this I mean, organizations are aiming to function just like the way the nervous system operates. The nervous system knows how to automatically transmit messages from different organs of the body to the brain for the body to function as a whole.
Policy-based management is based on the premise that the organization should be able to adapt dynamically to changing environments (i.e., self-configuring); handle operational exceptions and prevent disruptions (i.e., self-healing); protect its information and resources from malicious attacks (i.e., self-protecting), and manage its resources efficiently by using self-optimizing strategies (On Demand Computing, Craig Fellenstein, 2005).
The recent and ongoing accounting scandals among several well-established organizations could have been prevented had there been well-documented policies understood by those affected. Can the Chief Executive Officer (CEO) claim that it is not his/her role to understand the accounting practice of the company as presented by the Chief Financial Officer (CFO) as in the case of Enron, WorldCom, and HealthSouth?
A legal and well-articulated policy that documents the responsibilities of the CEOs and the CFOs could have exonerated either party. In defending its position regarding its document shredding policy, Arthur Andersen's case would have been much stronger if its policy development team had a representative from the legal department who ensured the legality of such a policy.
What's the Cost of an Ineffective Policy-based Management System?
Johna Till Johnson's brief article on Telecom Carriers (NetworkWorld, 5/23/05, pg. 62) stresses the gravity of the losses incurred by organizations that mismanage information because the companies did not have or follow policies. Her examples include: (a) Time Warner's loss of social security numbers for 600,000 employees while the storage tapes were in transit from the company to an external archive; (b) ChoicePoint lost sensitive customer data due to a security hole in the company's security policy; (c) Morgan Stanley lost $604 million because they were unable to produce email records to support their case.
In conclusion, it is the responsibility of the managers and administrators to institute effective policy-based management that consistently educates the members of the organization on the value and rationale behind the policies. This is critical for the survival of every organization and reduction of economic losses, which creates a strain on the economy.
Dr. Odubiyi is the author of Blueprint for a Crooked House-a book that reflects on the factors that caused the collapse of a $10 billion joint venture between AT&T and British Telecom. He is an associate professor of computer science at Bowie State University in Maryland. He was a Principal AI Researcher and R&D Manager at British Telecom North America/Concert Global Communications (USA).
http://www.blueprintforacrookedhouse.com