​

SECURITY MANAGERS charged with developing security policies can use a project management approach to develop effective, enforceable policies that will earn buy-in from across the organization. Project management fundamentals include planning and development, execution, monitoring, and evaluation. The following case study and discussion can serve as a guide.

Case Study

In 2008, a U.S.-based global security provider operating in Afghanistan was faced with charges that an employee was sexually harassing a coworker. The incident led the vice president of the human resources department to revise the company’s sexual harassment policy. A Web-based training program was also created. The vice president of human resources did not consult anyone else in developing these materials. That executive then mandated that all employees complete the training within 30 days.

The failure to consult managers or consider employee needs created several problems. The first problem was that due to Internet bandwidth constraints and the remote location of several job sites, the Web-based training was inaccessible to about 50 percent of the personnel required to complete the training.

Once the problem with Internet-based training was pointed out by several end users who could not comply with the policy, the next proposed solution was to send a single HR officer to each location to conduct live training.

Aside from the cost implications of conducting live training, a failure to consider local culture created serious problems. HR selected a young female who had never left the United States to conduct training in Afghanistan. The personnel required to attend this training were often housed at all-male facilities where no women were permitted. Some attendees were devout Muslims with little understanding of progressive Western values. At one location, there were no facilities or quarters for a female trainer who had to stay overnight.

After a series of painful meetings with the in-country management team and operations and legal executives, the policy was radically altered. Four months and tens of thousands of dollars later, almost all of the goals established at the onset of the policy’s development were abandoned. A new goal was set: to have relevant sensitivity and sexual harassment training developed and conducted at the regional and country levels with HR oversight.

The Right Approach

A project management approach could have helped the company pursue a better path from the beginning. The approach should generally include the following steps.

Policy charter. If you are developing a new policy or are in the process of changing a current policy a charter is essential. It identifies the stakeholders as well as the intended goal of the policy.

Stakeholder identification. Obtaining stakeholder buy-in up front prevents a reinvention of the wheel. By getting input, the project leaders can assess whether goals can be met, for instance, simply by codifying into policy practices already implemented somewhere in the company. For example, a program devised for a unit based in Asia might become policy for all units in that part of the world.

Needs assessment. A needs assessment should be conducted using both a bottom-up and a top-down approach prior to full development of or revision of any policy. All stakeholders should be involved in this assessment. Considerations should include issues such as best practices and benchmarking that can be used as a baseline for what a policy should be.

Goal setting. The next step is to document, based on the needs-assessment findings, why a policy project is being undertaken and what the objectives are. Included here will be an explanation of whatever is needed technically to achieve the objectives. For example, if an objective is Web-based training for employees, high-speed Internet access will be a technical need, and one objective will have to be making sure that is in place.

Legal and cultural considerations must also be factored in. The disparity between what is permitted, authorized, or legal can greatly affect development and may require a functional, regional, or country analysis to determine whether a corporate level policy will work.

In many cases, the best policy can simply be a requirement for the development of subordinate policies by key stakeholders. And in some cases, training programs will also need to be locally crafted and implemented.

Timeline. Once objectives are established, a timeline for implementation and guidelines for measuring compliance should be developed within the charter.

Development. Once the policy charter has been completed, development of the policy can begin. The charter provides a concise plan for the development phase. Also, the charter is a living document and may be amended if it turns out that following it won’t result in the desired outcome.

Implementation. In many cases, how a new policy or a major policy change is introduced is far more important than what the policy says. The implementation phase has many subsets. Managers must launch the policy, train employees, generate compliance, communicate expectations, monitor progress, and evaluate the program. In addition to financial support, successful implementation requires a strong launch and adequate training.

Launch. To reduce confusion and provide answers to questions that will inevitably arise, there should be a policy launch briefing for managerial and supervisory personnel who will ultimately be responsible for enforcing the policy. The objective is to ensure that they understand the need for the policy and will be able to answer any questions staff may have. While responsibility for compliance as well as the consequences of noncompliance should be clearly spelled out within the policy itself, the kickoff briefing allows for specific expectations to be made known in a public forum.

Training. Training is the most significant, as well as the most often overlooked, portion of policy development. Providing training is the key to getting the desired results. Additionally, training demonstrates to staff the organizational commitment to policy implementation and, thus, helps to increase compliance.

The goal of successful policy implementation is to generate compliance with the policy in the most efficient manner. One way to accomplish this is to develop a compliance timeline prior to the kickoff.

Monitoring/Evaluation. Perhaps the most critical aspect of effective policy administration relates to monitoring the effect on organizational behaviors, actions, and procedures. It’s important to assess the qualitative as well as quantitative changes across the enterprise and to adjust future policy development accordingly.

A comparison of the policy charter and the policy as implemented through the results of the policy audit will yield objective performance calculations along with projected future benefits.

Key elements to a policy project closeout should include completing a post implementation evaluation report, documenting any lessons learned, and archiving all records related to the development of the policy.

The world is constantly changing. With the globalization of the marketplace, and the transnational structure of the global economy, the practice of developing policies that are effective and sustainable across multiple cultures, time zones, and business units becomes increasingly complex and challenging. By understanding the basics of project management, security managers can ensure that their programs are successful.

M. David West, CPP, has developed enterprise-wide security policies for numerous government and commercial organizations including both an international central banking institution and a major U.S. government contracting firm. West is a member of the ASIS International Leadership and Management Practices Council.

Devin G. Reynolds, CPP, provides training and consulting services to a variety of domestic security organizations, law enforcement agencies, and U.S. government contractors.