top of page

“Where Is That Policy?” - Why Every Security Program Needs a Documentation Framework

Kim Sheridan

Jun 11, 2025

It sounds simple (and maybe even a little boring), but it’s foundational to program credibility and effectiveness.

If you've ever been in a meeting where someone says, “We definitely have a policy for that… somewhere,” you're not alone.


Security and risk management programs often build up documents over time—some inherited, some reactive, some written under pressure before an audit. The result? A patchwork of PDFs, outdated procedures, and policies no one’s quite sure are still valid.


One of the most practical investments an organization can make is creating a documentation framework—a structured approach to how you organize, maintain, and align your policies, procedures, and plans. It sounds simple (and maybe even a little boring), but it’s foundational to program credibility and effectiveness.


A Recent Case in Point


I recently worked with a post-secondary campus security department facing exactly this challenge. They had committed teams and strong institutional knowledge—but their documentation was scattered. It wasn’t always clear which documents were current, how policies related to operational programs, or what new staff were supposed to reference during training and orientation.


We created a tailored framework that:


  • Defined clear levels (policy, program, procedure, guideline, etc.),

  • Standardized templates and document ownership,

  • Mapped existing documents and identified critical gaps,

  • And set up a review cycle to keep it all relevant—not just filed and forgotten.


Now, instead of chasing document versions or undertaking another directionless SOPs revision project, they have a unified structure that supports consistency, compliance, and training. The framework didn’t just tidy up—it became a critical component of how their team operates and grows.


Why This Matters


Documentation may not be glamorous, but in security and risk programs, it’s your connective tissue. It links strategy to operations, people to process, and risk awareness to real-world response.


A documentation framework:


  • Reduces confusion and duplication,

  • Improves onboarding and training,

  • Supports audits, accountability, and change management,

  • And helps demonstrate maturity, not just activity.


So, if you’re still operating from unstructured “policy folders” with inconsistent file names and no update history, it might be time for a refresh.


And yes—it can even be enjoyable. (Okay, maybe just for some of us.)


If you're curious about what a documentation structure could look like for your team, I’d be happy to share some examples.


Let’s bring some order to the chaos—one policy at a time.

Sheridan Consulting Group acknowledges that we are located on the traditional territory of the Tsawwassen and Musqueam First Nations and of all the Hun’qumi’num speaking people who have been stewards of this land since time immemorial.
 

We are Fully licensed and insured.

©2025 Sheridan Consulting Group

  • Facebook
  • Twitter
  • LinkedIn
bottom of page