Have you ever had to create an IT policy to formalize the
way that some process is executed or the way people perform certain functions?
If you have you know that it may or may not be easy. Actually effort required
to implement IT policies can vary dramatically in different organizations
depending on your governance culture. (Governance refers to your ability to
enforce organization priorities through the management hierarchy.)

If you are in an organization with strong governance you can
get a policy adhered to strictly through the governance process. You create the
policy, get it approved through the appropriate channels, and then issue it for
everyone to follow. In this case the concept of winning support for the policy
applies to the approval process. Once the policy is approved, the management
structure enforces it. This way of winning support is perhaps applicable in the
military and other organizations with a strong governance culture.

However, let’s say that you work in an organization where it
is not quite so easy. You have to work a little more to gain acceptance of your
policy. If this applies to you, the following steps will help win support for
your policy.

1. Make sure you
own the business or IT process.

You can’t create policies in areas that you don’t own. This
means that you can create a database policy if you are the database group. You
can create a telecommunication policy if you are in the telecommunications
group. However, you can’t create the new helpdesk policy if you are in the IT development
area. Of course, the policy may be issued by another senior manager. I have
seen the CIO issue a policy on cell phone usage. However, the CIO certainly did
not create the policy. The telecommunications people did.

2. Communicate
the purpose of the standard policy.

People must understand why you are creating the policy.
There has to be a clear purpose. Not everything needs a common policy. For
instance, having a policy that results in email getting scanned for viruses and
spam is important. Determining how often a manager must talk to each staff
member probably cannot be dictated in a policy.

3. Make sure the
policy drives business value.

Policies provide guidance on how things should be done, so
they save the time and effort that would be required if everyone had to figure
it out on their own. You need to make sure your organization derives overall
value from your policy. A policy that results in more effort and cost without
corresponding business value doesn’t make sense. You might as well leave people
on their own if that drive more organizational value.  

4. Get input
from affected groups.

It’s a good idea to gather input from the people that the
policy will impact. This helps make sure that the policy is workable and also
helps solicit their buy-in for when the policy is issued.

5. Validate the
policy make sense.

This sounds obvious, but sometimes misguided policies are
written that never have a chance to be adopted or supported because they don’t
make sense. People will generally be more apt to follow a policy that seems to
make sense, even if they don’t agree with it entirely. One way to ensure the
policy makes sense is to circulate it to a broader group of people outside your
functional area.

6. Make sure the
policy is clear.

You don’t want to issue a policy and have people say they do
not understand it. In fact, it would be good if your organization has a common
format for describing your policies. The policy must be very clear on when it
is applicable, who it applies to, how you work under the policy, etc. You may
need to provide some examples. If there are general exceptions, make sure you
state what those are. Just as with the point above, you probably want to
circulate the policy to others outside your functional area to make sure it is
understandable.

7. Try to have
an enforcement mechanism.

You can issue a policy that is perfectly clear and that has
everyone’s buy-in. However, you will be much more successful if you have an
enforcement capability. For example, you may be able to enforce a policy on
scanning for email viruses since you probably own the email servers. However,
if you issue a policy on email etiquette, you will probably be less successful
because you don’t have the enforcement capability.

That’s just the start

Those are some of the basics. Depending how political your
policy is, you may have a multifaceted campaign to communicate the policy and
gain the support of the effected staff. However, for most policies, you just
need the basics – be the owner,  have a purpose,
drive business value, have a reasonable policy, be clear, gather initial
feedback and have an enforcement mechanism if possible. If you will follow
th4se simple, but critical steps, you will have a much better chance of
building support for your policy with the people that are affected.