I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again.
Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” How can that possibly be productive in improving morale or reducing the propensity to engage in inappropriate behavior? If the institution wants employees to follow a certain line of action, then it must support them in making effective decisions. If the corporate counsel’s office doesn’t know what the law requires, then it makes no sense to demand that employees follow the law.
A second form of counterproductive policy is typified by words such as ‘may’ and ‘as required’. “…shall take the necessary actions” is a thinly veiled way of saying “We know we are missing something important, so we reserve carte blanche to interfere with your life in the future.”
Recognize that there are an infinite number of bad things that could occur, and that policy can do very little about them. Concentrate instead on practical and specific requirements and clear lines of responsibility.
Treat policy as a communications mechanism to improve employee willingness and ability to protect the enterprise. Do not use policy as a way to dump your risk on somebody else’s lap.
Category: IT Governance risk management security Tags: policy

Jay Heiser