No one is waking up at 7am, sipping coffee, thinking, “Wow, I really hope someone explains holistic wealth architecture today.”

People want clarity. They want content that feels like a conversation, not a lecture. They want to understand what you’re saying the first time they read it.

Write like you're talking to a real person. Not trying to win a Pulitzer.
- Use short sentences.
- Cut the jargon.
- Sound like someone they’d trust with their money, not someone who spends weekends writing whitepapers for fun.

Confused clients don’t ask for clarification. They move on.

Here’s how to make your content clearer:
1. Ask yourself: Would my mom understand this? If the answer is “probably not,” simplify it until she would. No shade to your mom, she’s just a great clarity filter.
2. Use the “friend test.” Read it out loud. If it sounds weird or overly stiff, imagine explaining it to a friend at lunch. Rewrite it like that.
3. Replace jargon with real words. Say “retirement income you won’t outlive” instead of “longevity risk mitigation strategy.” Your clients are not Googling your vocabulary.
4. Stick to one idea per sentence. If your sentence is doing cartwheels and dragging a comma parade behind it, break it up.
5. Format like you actually want them to read it. Use line breaks. Add white space. Make it skimmable. No one wants to read a block of text the size of a mortgage document.

Writing clearly isn’t dumbing it down. It’s respecting your audience enough to make content easy to understand.

What’s the worst jargon-filled phrase you’ve seen in the wild? Let’s roast it.
Writing Clear Policies and Procedures
-
SOPs don’t have to take hours to write. The hardest part is getting started.

Most HR processes already follow repeatable steps. The key is finding a simple way to capture them. That’s where ChatGPT can help.

Instead of spending hours writing from scratch, try using AI as your first draft partner. It won’t do the thinking for you. But it will give you a structured starting point you can edit into something solid.

Here’s a simple way to make it work:

✅ Step 1: Feed it the process
→ Write out the basics in plain language. For example: We onboard new hires by sending an offer letter, completing a background check, having them complete the onboarding process in the payroll system, setting up benefits orientation, and system access.

✅ Step 2: Ask for a draft SOP
Prompt ChatGPT with: Turn this into a step-by-step SOP with numbered instructions, responsible roles, and timing.
→ It will organize your thoughts into a clean format.

✅ Step 3: Add real-world details
AI can’t know your company’s quirks. This is where you layer in specifics:
→ Which payroll system?
→ Who owns IT access?
→ How long does each step take?

✅ Step 4: Polish for clarity
→ Keep language short and action-focused. “HR sends payroll file by 3 PM Friday” works better than “HR should ensure payroll is completed in a timely manner.”

✅ Step 5: Test it out
Hand the draft SOP to someone unfamiliar with the process. If they can follow it without asking you questions, you’re good.

The best part? ChatGPT removes the hardest barrier: getting started.
→ You’re no longer writing SOPs from scratch.
→ You’re editing and refining.

Strong SOPs reduce errors, speed up training, and keep teams consistent. They’re not glamorous, but they save headaches.

What process in your HR world is screaming for an SOP right now?

👉 Share this with a colleague who’s been putting off documenting their processes.

#HRCommunity #ChatGPTforHR #ProcessImprovement

♻️ I appreciate every repost.

Want more HR insights? Visit my profile and join my newsletter for weekly tips to elevate your career!

Stephanie Adams, SPHR
Adams HR Consulting
-
Harsh truth: Most cybersecurity policies are terrible.

After reading hundreds, here are the top 3 mistakes I see (and how you can avoid them):

1️⃣ Stale and static
PDF policies kept in a shared drive are often compliance "check the box" artifacts to satisfy auditors. No one reads or uses them during day-to-day operations.

Write them using:
- Google Docs/Sheets
- Confluence
- Notion
to make sure they don't go out of date quickly. This also builds in version control and auditing capabilities.

2️⃣ No accountability
If there isn't a single person in charge of making sure something gets done...it won't.

I see stuff like this all the time:
- "Vulnerabilities should be patched."
- "Devices shall be inventoried."
- "Incidents shall be reported."

If your policy uses the passive voice, it's falling short. Go active instead. This forces you to put someone in charge:
- "The engineering lead shall ensure remediation..."
- "The director of IT shall inventory all devices..."
- "All employees must report incidents..."

3️⃣ Vague or no references
Along the same lines, sometimes policies talk about individuals or groups. But it's not even clear who these are!

For example:
- "The risk committee shall approve policy exceptions."
- "Management is responsible for authorizing vendors."
- "Data owners shall authorize release of information."

If you are using terms like this, make sure:
- Membership and voting of the risk committee is clear
- Employees know who "management" is
- Everyone can look up the data owners

TL;DR - cybersecurity policies often:
1/ Are stale and static
2/ Provide no accountability
3/ Have unclear or no references

What are the biggest mistakes you've seen?
-
In response to a recent post, Matt Strusinski asked if I could recommend "steps an organization could implement to ensure that their policies aren't too 'aspirational.'" See https://lnkd.in/eN2MWFzP. Of course! Here are my thoughts:

1. PURPOSE: It is important to remember the purpose of security policies. Typically, those are (1) to promote consistency within the org over time; (2) to document what you are actually doing (which can be important if you end up in litigation). For both reasons it is important policies reflect what the org is CURRENTLY doing.

2. POLICIES v. ROADMAP: The purpose of a policy is not to be aspirational. Future plans should be documented in a separate "roadmap." See https://lnkd.in/eHAqvUzr (better roadmaps).

3. POLICIES v. PROCEDURE: A policy explains WHAT the org does, whereas the procedure explains HOW it does it. Thus, the policy may say to "conduct quarterly access reviews." The procedure would explain whose responsibility that is, when they do it, how they do it, and how it is documented. Having the team that will actually perform the procedure prepare the first draft of the procedure will tend to make it more useful.

4. DOCUMENT EXCEPTIONS: Emerson once wrote that "a foolish consistency is the hobgoblin of little minds," so there will be exceptions to almost every rule. It is important, however, that there be a procedure for documenting these exceptions.

5. DISCLAIMERS: After an incident, an org may be accused of failing to live up to its own policies. Thus, policies should contain disclaimers, such as to make clear that the org understands the particular policy or control may not be appropriate or feasible in every situation.

6. FEEDBACK: After you have drafted or updated policies, get feedback from the relevant teams. If they tell you that the policy is not currently achievable, adjust the policy so it is not just aspirational.

7. TRAINING: This may come as a shock, but many of your employees won't actually read the policies. Thus, it is important to regularly train your employees on the policy.

8. TRANSLATION: It is even less likely that employees will read policies that are not in their language. Global orgs should have their policies translated into the different languages that their employees read.

9. ANNUAL REVIEW: Policies, Procedures, and Exceptions should be reviewed and updated at least annually.

10. COMMON POLICIES: Larger organizations commonly have policies such as the following:
• Overall information security policy
• Identity and access mgmt.
• Threat and vulnerability mgmt.
• Log mgmt.
• Patch mgmt.
• Configuration mgmt.
• User account mgmt.
• Security awareness training and employee obligations
• Software/application development security
• Bring your own device (BYOD)
• Data classification
• Data privacy
• Data retention
• Cloud security
• Physical security
• Insider threat

Thanks for the suggestion, Matt Strusinski! Appreciate it!
-
Never assume people are reading your policies the way you wrote them.

I once rolled out an updated data classification policy for an organization that handled regulated financial data. I had worked with legal and information security to make sure the policy was accurate, aligned with regulatory requirements, and covered all use cases. It defined four data categories, from public to restricted, with clear handling rules. I published it on the intranet, announced it through a company-wide email, and moved on.

A few months later, during a routine vendor risk review, we found out that several departments had been emailing spreadsheets with confidential client data to third-party vendors without encryption. These files should have been labeled “restricted” under our policy, but no one had marked them, and no protections were in place.

When we followed up, the response was the same across multiple teams. They had read the policy, but they had different interpretations of what qualified as restricted. One team thought it only applied to personally identifiable information. Another believed the rules only applied to formal reports, not ad hoc files. A few people admitted they were still using the old classification from a previous policy version.

That incident created a serious risk exposure. We had to contact the vendors, implement new controls, and retrain multiple business units. We also had to report the issue to our internal risk committee.

That experience taught me something I should have realized earlier. Publishing a policy is not the same as landing it. Just because something is written clearly to you does not mean it is clear to your audience.

Now, every time I roll out a policy or a control, I schedule short walkthroughs with key stakeholder groups. I ask how they interpret the requirements, and I explain exactly how the policy maps to their work. I include examples that reflect real scenarios from their environment. I also check back a few weeks later to confirm the message stuck.

The hardest part was realizing that my job was not just to write the right thing. It was to make sure people understood it, remembered it, and followed it. That change in mindset has made every policy more effective and every rollout more trusted.

#GRC
-
"If you’re covered by HIPAA and the information surrounding your #HIPAA authorization is deceptive or misleading (such as by implying that to receive treatment, the consumer must agree to have their data used for advertising purposes), that’s a violation of the FTC Act." - says Federal Trade Commission in new health information guidance.

Additional points:
- If you claim that you’ll delete personal information upon request, but in fact fail to deliver on that promise, that’s a violation of the FTC Act
- Failing to take reasonable steps to protect and secure health information from unauthorized use or disclosure may be an unfair practice.

What to do:

FTC Act:
(1) Review your data policies, procedures, and practices
- The first step is understanding your data flows
- The second step is ensuring you are implementing robust safeguards to protect the privacy and security of the health information, such as a written program, training and supervision, data retention, purpose, and use limitations; and (where appropriate) mechanisms to obtain the consumer’s affirmative express consent. You also need to make sure that your representations to consumers are clear and conspicuous and consistent with your practices.
- The third step is periodically reviewing your practices
(2) Review your entire user interface, including any claims you make, from the consumer’s point of view
- Don’t make false or misleading claims that you are “HIPAA Compliant,” “HIPAA Secure,” “HIPAA Certified” or the like.
- Don’t bury key facts in a privacy policy, a Terms of Use section, or other places where consumers aren’t likely to read and understand them.
- Keep it simple for consumers so that where you ask for consent, that consent is meaningful.
- Evaluate the size, color, and graphics of all of your statements to consumers to ensure they are clear and conspicuous.

FTC data breach notification rule:
- The FTC’s Health Breach Notification Rule requires companies that experience a breach of security of consumers’ identifying health information to notify affected consumers, the FTC, and, in some cases, the media
- Applies if your business or organization has a mobile app, website, Internet-connected device, or similar technology that holds consumers’ electronic health information in a personal health record; you provide products or services or send or receive data to or from that kind of product; you deal with health information while providing services to companies that offer those products.

#dataprotection #dataprivacy #healthdata #privacyFOMO https://lnkd.in/dcEf98hX
-
Building out a new policy for your company can be intimidating. But it doesn't have to be.

Here are 4 simple steps to follow next time you have a policy to create:

1️⃣ Laws and Policies
Identify all applicable state, federal, and local legal requirements. SHRM has a great resource for state laws - the State Law Comparison Tool. Evaluate your organizational policies as well. Do any of them directly apply, overlap, or impact the new policy?

2️⃣ Format
Some areas that might be applicable to include:
✅ Title: Don't overthink this one
✅ Audience: Who does it apply to?
✅ Meat & Potatoes: What is the policy?
✅ Purpose Statement: Why does this policy exist?
✅ Definitions: What should be specifically defined?
✅ Impact/Outcome: What is the impact of the policy?
✅ Acknowledgement: Place for employees to acknowledge receipt

3️⃣ Language & Branding
Use clear, concise language. Don’t write policies that are difficult to read. Bonus: keep it consistent with your organization's brand.

4️⃣ Buy-In
This one is often skipped but is essential. Obtain buy-in from leaders and stakeholders. Once you have that, train your managers before rolling it out to the org.

Building out a new policy for your company doesn't have to be intimidating.

P.S. Wishing you had a template to help you get started? Check the link in the comments below. ⬇

---------------------------------------------------------
I share career growth and high-impact business tips for HR professionals. Follow me for practical, positive tips to grow your HR career!
-
✳ Integrating AI, Privacy, and Information Security Governance ✳

Your approach to implementation should:

1. Define Your Strategic Context
Begin by mapping out the internal and external factors impacting AI ethics, security, and privacy. Identify key regulations, stakeholder concerns, and organizational risks (ISO42001, Clause 4; ISO27001, Clause 4; ISO27701, Clause 5.2.1). Your goal should be to create unified objectives that address AI’s ethical impacts while maintaining data protection and privacy.

2. Establish a Multi-Faceted Policy Structure
Policies need to reflect ethical AI use, secure data handling, and privacy safeguards. Ensure that policies clarify responsibilities for AI ethics, data security, and privacy management (ISO42001, Clause 5.2; ISO27001, Clause 5.2; ISO27701, Clause 5.3.2). Your top management must lead this effort, setting a clear tone that prioritizes both compliance and integrity across all systems (ISO42001, Clause 5.1; ISO27001, Clause 5.1; ISO27701, Clause 5.3.1).

3. Create an Integrated Risk Assessment Process
Risk assessments should cover AI-specific threats (e.g., bias), security vulnerabilities (e.g., breaches), and privacy risks (e.g., PII exposure) simultaneously (ISO42001, Clause 6.1.2; ISO27001, Clause 6.1; ISO27701, Clause 5.4.1.2). By addressing these risks together, you can ensure a more comprehensive risk management plan that aligns with organizational priorities.

4. Develop Unified Controls and Documentation
Documentation and controls must cover AI lifecycle management, data security, and privacy protection. Procedures must address ethical concerns and compliance requirements (ISO42001, Clause 7.5; ISO27001, Clause 7.5; ISO27701, Clause 5.5.5). Ensure that controls overlap, such as limiting access to AI systems to authorized users only, ensuring both security and ethical transparency (ISO27001, Annex A.9; ISO42001, Clause 8.1; ISO27701, Clause 5.6.3).

5. Coordinate Integrated Audits and Reviews
Plan audits that evaluate compliance with AI ethics, data protection, and privacy principles together (ISO42001, Clause 9.2; ISO27001, Clause 9.2; ISO27701, Clause 5.7.2). During management reviews, analyze the performance of all integrated systems and identify improvements (ISO42001, Clause 9.3; ISO27001, Clause 9.3; ISO27701, Clause 5.7.3).

6. Leverage Technology to Support Integration
Use GRC tools to manage risks across AI, information security, and privacy. Integrate AI for anomaly detection, breach prevention, and privacy safeguards (ISO42001, Clause 8.1; ISO27001, Annex A.14; ISO27701, Clause 5.6).

7. Foster an Organizational Culture of Ethics, Security, and Privacy
Training programs must address ethical AI use, secure data handling, and privacy rights simultaneously (ISO42001, Clause 7.3; ISO27001, Clause 7.2; ISO27701, Clause 5.5.3). Encourage a mindset where employees actively integrate ethics, security, and privacy into their roles (ISO27701, Clause 5.5.4).
-
"Be Safe" is as clear as... "Picture my dog 🐕."

Golden Retriever. Chihuahua. German Shepherd. Poodle. Dachshund. Boxer. Beagle. Husky.

When individuals say “be safe,” it’s like talking about their dog to a room full of people—everyone pictures something different.

The truth is, vague advice like "be safe" often leaves too much open to interpretation, which can lead to confusion or, worse, unsafe behavior.

Let’s change that. Here’s why specifics matter:
🔸 Clear actions eliminate guesswork.
🔸 Defined hazards explain the “why.”
🔸 Confidence replaces uncertainty, empowering safer choices.

Instead of "be safe," say:
✅ "Wear your hard hat while millwrights are working overhead. This will protect you from dropped tools, but stay clear of the area until work is complete."
✅ "Always check your surroundings before crossing the street. Watch for turning vehicles to avoid a distracted driver’s mistake."
✅ "Ensure machinery is locked out before repairs. This prevents accidental start-ups and keeps you safe from moving parts."

Specific actions + hazard context = meaningful safety.

Because safety isn’t just about avoiding risk—it’s about knowing how to avoid it.

What’s one way you make safety clear in your workplace? Let’s share ideas that move beyond “be safe”! 👇

Take care 🚧 SAFT3RD 🚧

#safety #insurance #business #humanresources #management OSHA Construction Agriculture WorkersCompensation

🎬 Adam Rose & Various – Inspiration: Kevin Burns
-
If you missed Colorado's new biometric #privacy law that takes effect next July, here's a brief summary and checklist to comply. ⤵️

Data controller obligations include:
🔹Consent before biometric data can be collected/processed
🔹Written policies with: (1) retention schedules for biometric identifiers and data; (2) biometric #DataSecurity incident response protocols; and (3) guidelines requiring deletion of biometric identifiers in line with the law's requirements
🔹Public disclosure of the written policies (if no exception applies)
🔹Informing consumers that biometric identifiers are being collected, the specific purpose for which they are collected, and the length of time they will be retained
🔹Informing consumers if biometric identifiers will be disclosed to a processor and the specific purpose for doing so
🔹Not disclosing biometric identifiers to entities other than processors unless an exception applies
🔹Not selling, leasing, or trading biometric identifiers
🔹Generally not: requiring biometric identifiers to provide goods/services, charging different prices for consumers who exercise rights or withhold biometric identifiers, or purchasing biometric identifiers unless specific conditions are met
🔹Compliance with all other requirements under the #Colorado Privacy Act for the biometric data they process, whether or not they are otherwise subject to the law.

#Employers also have obligations regarding consents for processing employee biometric data, and some written policy and deletion requirements above may also apply to employee biometric data processing.

Some controllers will have to offer and fulfill a new type of consumer access right, including a description of the biometric data processed, where it was collected, why it is processed, and the third parties it is disclosed to.

Here are some steps to comply if your organization is in-scope for this law:
🔸Identify where consumer and employee biometric data is collected and processed in your organization
🔸Determine whether processors or third parties receive or process biometric identifiers
🔸Plan to stop disclosures that are sales, leases, or trading of consumer biometric identifiers by July 2025
🔸Assess consent processes before biometric identifiers are collected or processed
🔸Check that any practices that require consumers to provide biometric identifiers are consistent with the law's restrictions
🔸Validate that retention periods and compliant deletion processes for biometric data are defined and followed
🔸Review and revise consumer disclosures to include the required details about #biometrics processing, purposes, retention periods, and disclosures
🔸Confirm incident response policies address incidents for biometric data
🔸Update or draft publicly available policies to address new requirements, and
🔸Consider whether annual reviews are required under the law for retained biometric identifiers (this may be required if identifiers are kept for longer than a year).