Shadow Policies: Increasing Legal Exposure & Liability

Are you scared of shadows? You should be, as they can cause serious legal, operational, compliance, risk, brand/reputation, and integrity liability. 

For the past several years organizations have been battling shadow IT: the use of information technology applications, devices, software, and services within departments that bypasses IT and lacks its approval. Shadow IT has grown significantly over the past several years with the adoption of cloud-based applications and services. It introduces serious risk exposure to your organization through data breaches and potential compliance violations.

Now there is a new shadow to be scared of: shadow policies. These are rogue policies written at all levels of the organization without proper review and approval. They put the organization at significant risk of legal liability and exposure. Policies set a legal duty of care for the organization. If a manager communicates a policy to employees and clients, this establishes a potential exposure for the organization. If an employee, client, or other third party is harmed and can point back to a policy that a manager communicated, it opens the doors of liability.

The issue is that organizations do not have a handle on their policies. Many lack a consistent portal, template, style guide, and a policy on writing policies. It is like the Wild West, with every department writing its own policies. Any manager can open a word processor, write a document, call it a policy, and communicate it to others. One financial services firm found a division that did not like the official anti-money laundering policy and completely rewrote it the way they thought it should be written: a rogue shadow policy. An insurance firm, entering lockdowns a year back, found it had over 20 policy portals in the organization with no consistency in how policies were written, approved, or communicated.

The risk of shadow policies is growing with organizations coming out of lockdown. A business might have carefully crafted back-to-work policies combined with personal protective equipment policies, vaccination policies, and more. The issue is rogue managers who think they are a little smarter than the organization and are writing shadow policies contrary to the official ones. Perhaps they think everything is a hoax and write policies opposite to the organization's, or perhaps they do not think the organization is strict enough on safety and write policies that require vaccinations, and in doing so may be crossing discrimination lines. I am seeing huge issues in retail and hospitality organizations with store managers going in different directions on policies than what has been officially approved by the organization. I have seen this in bank branches as well. Shadow policies are putting significant legal liability and exposure on the organization.

So how do you combat shadow policies? Here is what you need to do:

  • Write your policy on writing policies. Every organization should have a policy on writing policies (also called a meta-policy). This establishes the overall policy management framework: how policies are to be written and approved, and how they are maintained within the organization.
  • Develop policy management templates and a style guide. Official policies, whether in print or online, should be easily recognizable by the template they use, how they are indexed and numbered, and their writing style and tone.
  • Provide a central policy management portal. All policies should be on a central portal so employees can easily access and find the policies related to their role and function. Organizations need to move beyond department portals and provide a single go-to resource for all the organization’s policies and related forms, training, and communications.
  • Educate the workforce. Communicate to employees what a policy is and where policies can be found. Instruct them that if they find anything being communicated as a policy that is not in the defined template and cannot be verified on the enterprise policy management portal, they need to report it, and tell them how and where to report it.
  • Audit for rogue policies. Companies can use technology, such as e-discovery solutions, to scan file shares, servers, and more to find rogue policies, or even out-of-date policies that should no longer be accessible.

Shadow policies, like shadow IT, are a growing concern for organizations and require a structured and continuous process – incorporating the elements defined above – to reduce liability. This is not a one-time issue to address but a continuous challenge to monitor.
