“Why do IT policies fail?” is like a mantra throughout many organizations – from IT asset managers to CIOs and COOs.
If we listened to and took to heart Colin Powell’s declaration – “There are no secrets to success. It is the result of preparation, hard work and learning from failure.” – IT policies would be wildly successful.
First, let’s understand that there are two main behavioral factors behind why any IT policy fails. In fact, both can be applied to why broken rules and/or regulations fail. Failure is assured if both factors are not in sync and complied with:
While both behavior aspects could prove challenging, when people have enough information to justify forced rules – from jaywalking to corporate policies – there are some measures that can be taken to ensure that IT policies do not fail.
Policies should be…….
Organizations must …….
Awareness and willingness to comply, together with the other proactive factors listed above, are what organizations should take into account to determine a policy’s effectiveness. However, it is important to remember that compliance does not and should not determine the effectiveness of the policy in achieving its goals, as it may not accomplish the desired outcome.
Examples of this:
Compliance becomes so costly that it causes more damage, or adds more prohibitively to IT costs, than it remedies the issues: the costs of compliance are so great that it takes millions to implement and manage, while giving little back year over year. Case in point, while a SAM tool may initially reveal some startling cost savings, you have to weigh that against the overall investment (short and long term). For instance, how difficult is the installation and implementation? Does it require specially trained consultants? Will these consultants be involved on an ongoing basis due to the complexity of the enterprise and the software? What’s the cost structure, given that a handful of SAM tools are modeled after the dreaded annual maintenance cost structure?
Compliance may be possible, but does not adequately achieve the desired objective. Case in point, if the intended goal is to create a strategic IT asset management program that addresses the needs of the enterprise from the strategic to the tactical, but only the discovery process is implemented, showing some initial cost savings, the mandate remains unfulfilled. The underlying problem to be solved was not understood well enough to identify the right solution. Therefore, the policy put into effect is not effective. In this case, the policy would only address a small portion of the tactical IT asset management program and very likely leave off vital elements including contract management, disposal, security, regulatory issues, communication and education.
While it is seemingly easier to identify, plan and create IT policies, organizations need to take more care with the procedures, communications and enforcement efforts, as well as accountability for the policies’ objectives. Think about how many times you’ve downloaded “free” software apps; made or accepted personal phone calls on your company’s mobile phone; or even sent out or received personal emails. It’s likely that one or more of these actions are not acceptable based on your corporate IT policy. Now, ask yourself what you would do if you were responsible for the maintenance and enforcement of the IT policy?