Image: Getty Images/iStockphoto

At their best, policies are helpful guidelines that not only tell employees what’s allowed and what’s prohibited, but allow them the latitude to best perform their work and understand all the considerations that entails. During the COVID-19 crisis, many companies were forced to abandon their IT policies and improvise in order to rapidly transition their workforces to alternative working arrangements. As companies have returned to work, transitional policies that cover everything from how to sanitize IT equipment, to how IT support staff should interact with the people they serve, should be developed. With these stopgaps in place, it’s time to consider updating your long-term policies.

SEE: COVID-19: A guide and checklist for restarting your business (TechRepublic Premium)

Let your policies wag the dog

In many organizations, a policy is a combination of documented procedures and informal “rules of the road” that may or may not agree with what’s in the document. In some cases, having frank discussions about what should be in the policies can force decisions that require multiple stakeholders, up to and including the executive level. It might be uncomfortable sitting down with HR or procurement to discuss how remote workers should be monitored and tracked, but circulating a draft policy can help force the issue and gain a consensus that would otherwise be difficult.

In many cases, we’re entering uncharted waters, so there’s no harm in using a refresh of your long-term policies to provoke some of these discussions and test the company’s willingness to liberalize or restrict stated and unstated rules.

SEE: Internet and Email Usage policy (TechRepublic Premium)

Remote working refresh

Before COVID-19, you may have had a specific remote work policy, or perhaps a blanket ban on remote working, but in either case, your policy likely did not cover the extent and duration of remote working that most companies experienced. Your company likely deployed everything from new software tools, to changes in how equipment was procured and distributed. These changes may be causing your company to completely rethink the nature of where and how work is performed, and companies I’ve spoken with are considering extremes from a return to “business as usual” in traditional offices, all the way to making remote work the de facto option.

Wherever your company falls on this spectrum, clear, easy-to-find policies will make this process less frustrating in the long term and serve as a tool to define the nature of work going forward. While that may sound like a lofty goal for an IT leader, technology was the prime enabler of the rapid transition to working from home and should be a key consideration as your company redesigns how its employees work in the future. Furthermore, decisions on where and how employees work will drive sweeping changes in your technology strategy. For example, a wholesale transition to allowing employees to work remotely using their own equipment will require very different tools, architectures, and support models than providing everyone with a traditional managed workstation that never leaves a company office.

SEE: Teleconferencing policy  (TechRepublic Premium)

Rethink your crisis response policies

In the early days of COVID-19, leaders found themselves effectively making up the response as they went along, with most companies unprepared for a rapid and widespread lockdown. The unknown is a key element of every crisis, but your organization likely learned dozens of lessons that can be applied to planning for future crises, which should inform your long-term crisis response policies. In particular, look for areas in your COVID-19 response that policy updates could address for a future crisis.

Perhaps you were unable to provision a new software tool since it exceeded a budget approval limit, or perhaps having some extra hardware on hand would have kept key workers connected. Simple policy updates like approval exceptions when certain conditions are met, or requirements to keep stock of certain equipment are easy remediations, and if you update your policies while the COVID-19 experience is still a recent memory, you’re unlikely to get pushback even if these policies have an associated cost. 

SEE: Security Awareness and Training policy (TechRepublic Premium)

Many organizations have discovered that changes as simple as keeping inventory of loaner equipment, or providing ways to access corporate networks with personal equipment would have saved days or weeks of getting key workers productive, and these cases make for straightforward justification to update policies that may have been previously designed to constrain costs rather than keep the company running.

While the quip to “never let a serious crisis go to waste” is a bit distasteful, the lessons learned from COVID-19 were acquired at significant human and economic cost, and incorporating them into your organization’s long-term policies is a great way of acquiring benefit from the experience.

SEE: Network security policy (TechRepublic Premium)