Policy Development

Policies fail in three ways: they don’t exist, nobody follows them, or they exist, are followed, and lead to poor outcomes anyway. A policy that gives a hiring manager unchecked authority to hire whoever they want — with no accountability to anyone — will be followed faithfully and produce consistently bad results. Hill Dogs Consulting works across all three failure modes.

The most common engagement starts with organizations where good practices exist informally but have never been documented. The goal is formalization that doesn’t alienate the people already doing things right — which means starting from current practice and building forward toward a more complete and defensible standard, rather than importing an external template and asking people to conform to something foreign. When policies have grown overly complex or ambitious beyond what the organization can realistically follow, we work to simplify and humanize them without losing their intent.

We have helped startups achieve PCI compliance to begin accepting payment information. We have helped large organizations whose policy libraries had become so complex that only auditors could parse them — rewriting from the ground up in language that the people subject to those policies could actually understand and apply. And we have helped companies undergoing significant business model shifts rework their policy landscape holistically, ensuring that new obligations don’t create overlap or conflict with existing ones.

We work across a broad range of frameworks: NIST, PCI, SOX, HIPAA, GDPR, ITIL, FedRAMP, TX-RAMP, COBIT, and others. Compliance requirements are often the trigger, but corporate culture plays an enormous role in whether policies stick, and we treat that as a design constraint.

A useful distinction between this practice and our Process and Procedures work: policy defines what will happen, process defines how, and procedure defines the specifics. Take the hiring example: policy says all candidates will be interviewed; process says phone screen first, then onsite; procedure says ask these questions and score using this rubric. The work looks quite different depending on where your need is.
