| Five monkeys were placed in a cage. A banana was | | | | What is Policy-Based Management? Is it Old Wine in |
| hung on a string and a ladder was placed below it. | | | | A New Bottle? |
| Each time one of the monkeys started climbing the | | | | Whether in government, industry, or academia, |
| ladder, all the monkeys were sprayed with a blast of | | | | organizations have always employed policy-based |
| cold water. This experiment was repeated for | | | | management with varying degree of success. This |
| several days. Then each of the original monkeys was | | | | paradigm is now being given a new life in designing |
| replaced with a new one. The experimenter did not | | | | and managing complex organizations and systems. |
| need to spray the new monkeys because, as soon | | | | The focus is to make such organizations autonomic. |
| as any new monkey proceeded towards the ladder, | | | | By this I mean, organizations are aiming to function |
| all the other monkeys attacked it simply for the fear | | | | just like the way the nervous system operates. The |
| of being sprayed. | | | | nervous system knows how to automatically |
| Finally, all the original monkeys were replaced with | | | | transmit messages from different organs of the |
| new monkeys that had never been sprayed; yet all | | | | body to the brain for the body to function as a |
| the monkeys attacked any monkey that dared climb | | | | whole. |
| the ladder. Now you may ask why those monkeys | | | | Policy-based management is based on the premise |
| that had never been sprayed would attack their | | | | that the organization should be able to adapt |
| mates without any rationale for their acts. The | | | | dynamically to changing environments (i.e., |
| monkeys were just following the policy laid down for | | | | self-configuring); handle operational exceptions and |
| them. They had no clue as to the origin of the policy. | | | | prevent disruptions (i.e., self-healing); protect its |
| (To get a complete description of this experiment, | | | | information and resources from malicious attacks (i.e., |
| visit | | | | self-protecting), and manage its resources efficiently |
| It is highly likely that most of your employees follow | | | | by using self-optimizing strategies (On Demand |
| policies established a long time before they joined the | | | | Computing, Craig Fellenstein, 2005). |
| company and they did not contribute to their | | | | The recent and ongoing accounting scandals among |
| development. Ask a sample of your employees how | | | | several well-established organizations could have been |
| well they understand specific policies within the | | | | prevented had there been well-documented policies |
| organization (e.g., policies on who and what to tell the | | | | understood by those affected. Can the Chief |
| media, how to keep their computer passwords, or | | | | Executive Officer (CEO) claim that it is not his/her |
| policy on handling confidential information). Are they | | | | role to understand the accounting practice of the |
| doing things just because that is the way things are | | | | company as presented by the Chief Financial Officer |
| done or do they understand why they do them? | | | | (CFO) as in the case of Enron, WorldCom, and |
| What is a Corporate Policy? | | | | HealthSouth? |
| A corporate policy is a formal document that states | | | | A legal and well-articulated policy that documents the |
| specific rules that must be followed by members of | | | | responsibilities of the CEOs and the CFOs could have |
| an organization. To be effective, a policy must | | | | exonerated either party. In defending its position |
| possess the following characteristics: | | | | regarding its document shredding policy, Arthur |
| · It must communicate a judgment | | | | Andersen's case would have been much stronger if |
| acceptable to members of the organization | | | | its policy development team had a representative |
| · It must specify what is considered to be | | | | from the legal department who ensured the legality |
| an appropriate behavior of a member of the | | | | of such a policy. |
| organization | | | | What's the Cost of an Ineffective Policy-based |
| · It must identify tools and procedures | | | | Management System? |
| needed to perform specific tasks | | | | Johna Till Johnson's brief article on Telecom Carriers |
| · It must be clear and understood by all | | | | (NetworkWorld, 5/23/05, pg. 62) stresses the gravity |
| employees and the human resources department to | | | | of the losses incurred by organizations that |
| help in taking proper actions when the policy is | | | | mismanage information because the companies did |
| violated | | | | not have or follow policies. Her examples include: (a) |
| · It should be a living document | | | | Time Warner's loss of social security numbers for |
| Who Developed Your Corporate Policy? | | | | 600,000 employees while the storage tapes were in |
| Since it is imperative that your policy needs to | | | | transit from the company to an external archive; (b) |
| communicate a judgment acceptable to all members | | | | ChoicePoint lost sensitive customer data due to a |
| of your organization, it is necessary that a policy | | | | security hole in the company's security policy; (c) |
| implementation team should have representatives | | | | Morgan Stanley lost $604 million because they were |
| from at least four areas of the organization: | | | | unable to produce email records to support their |
| · A senior level administrator | | | | case. |
| · Someone from the management team who | | | | In conclusion, it is the responsibility of the managers |
| can enforce the policy | | | | and administrators to institute effective policy-based |
| · A member of the legal staff | | | | management that consistently educates the |
| · A member of the user community | | | | members of the organization on the value and |
| As a living document, the implementation team should | | | | rationale behind the policies. This is critical for the |
| meet regularly (at least quarterly) to ensure the | | | | survival of every organization and reduction of |
| viability of the policy (Mark Ciampa, Network Security | | | | economic losses, which creates a strain on the |
| Fundamentals--Policies and Procedures, 2005). | | | | economy. |