The Power of Agile Digital Policy

Author Kristina Podnar helps businesses get smarter, better and faster at creating digital policies and practices that unlock opportunity, liberate employees and increase the bottom line. While many people are intimidated by the word “policy,” Podnar encourages us to think of them as guardrails – “short statements that reflect the organization’s values … so we can create freedom, innovation and creativity.”

Her book “The Power of Digital Policy” is actually a handbook that provides specific ways for people and businesses to balance risk with opportunity. And the best thing is it doesn’t have to be a long and grueling process. With her Agile approach, you can go from zero to done in 5 days.

Accenture | SolutionsIQ’s Leslie Morse hosts at Agile2019 in Washington, D.C.


Full Transcript:

LESLIE MORSE: Hello and welcome to another edition of Agile Amped. I’m your host, Leslie Morse, and we are podcasting from the Agile2019 Conference in Washington, D.C. today. My guest for this chat is Kristina Podnar. She is the author of the book The Power of Digital Policy. She is a senior consultant based in Washington, D.C., where she helps companies and organizations to create digital policies and practices that unlock opportunity, liberate employees and increase the bottom line.

Kristina, thank you so much for being here.

KRISTINA PODNAR: Thanks for having me Leslie, so much fun.

LESLIE MORSE: Yeah, I’m really fascinated by this idea of digital policy and some of the aspects of not only like how it changes the way we run companies and operate day-to-day, but also how it implies these unwritten social contracts with our employees and our customers and all of this. So, this is going to be a meaty one that I’m looking forward to getting into.

KRISTINA PODNAR: Yeah. Well, it’s interesting because we’ve lived so long, right, without digital policies and really gotten ourselves into a lot of trouble. And I think we’re finally at the point in time in the game that everybody should step it up and really get things right in the digital space.

LESLIE MORSE: Yeah. So let’s start off with just defining like when we say digital policy, what does that mean?

KRISTINA PODNAR: So you know what, for me, the easiest way to think about it is guardrails.


KRISTINA PODNAR: Right? So digital policy sounds very intimidating, but if we think about them really as guardrails and the things that we should and should not do in the digital space, that’s all that they really are. They’re usually little short statements that reflect the organization’s values, what they’re really trying to achieve, the types of legislative regulatory parameters that they’re willing to work within. But I think more than not, it’s really sort of the edges, if you will, the far edges of things that we want people to not do so that we actually can create and stimulate freedom and innovation and sort of this creativity, if you will. Because there’s a lot of space there before you break those guardrails and go over the edge. So they kind of keep you contained and keep you safe. But inside, you can do a lot of really cool stuff.

LESLIE MORSE: Well that’s good cause you often think policy that is very stringent and strict, which, I guess there’s a connotation in there that you’ve got a bust for people.

KRISTINA PODNAR: Oh absolutely. In fact, you know one of the things that I love to do is work with organizations where we get to turn this on its head. And most recently we were actually working with a company that’s in the pharma space.


KRISTINA PODNAR: 21 days to get their content out the door. We got it down to three days.

LESLIE MORSE: That’s great.

KRISTINA PODNAR: It’s phenomenal, right? Bottom line results right there. But the great thing is, is all of a sudden, the employees who were responsible for content writing didn’t have to go through the crazy maze over and over and again, and let me tell you, total relief and actual excitement to be doing and creating content again.

LESLIE MORSE: That’s great. And so, the next thing I was going to ask you about was this idea of digital policy and agile and like, “Wait, we’re here at an agile conference, how does this all go together?” But that story of going from 21 days to three days, right? That idea of getting things out the door quickly, obviously there’s a connection there. So what was it that got you interested in digital policy and how did you end up here at Agile2019 talking about it?

KRISTINA PODNAR: Oh great question. So you know, I didn’t actually land in digital policy land. I started my career as a project manager, which sounded so romantic because it had the word manager in it, right? But I was actually asked to write Cold Fusion on my first day of work and I think I cried. And then I bought the book on Cold Fusion and I learned it really quickly and continued my career, including learning how to write Java when I was at Accenture. So a little bit nod there. And really, I got into the space because what I’ve realized over the last 20 years is that we continue to do the same thing over and over and again, and it’s never the safest of practices. And you know, back in 1995-96 it was okay to do really crazy, Wild Wild West stuff. But here it is, 2019, we need to get smarter, we need to get better and we should get faster at doing those things.

And so, what I realized is, let’s actually create a methodology. Let’s actually create a way for people to do things that are safe, that are sound, that help the organization. But really, like I said, help them unleash that creativity, that freedom, that innovation and really help drive the business. And in terms of thinking about it from an agile perspective, organizations can no longer take six to eight or nine weeks to come up with that policy, right? We’re doing projects that are done in an agile way and policy needs to be much like that. So when we’re actually creating our projects, when we’re starting to execute them in the agile way, we need to bring policies into the same methodology and in the same kind of way have them treated, so that you can get the stakeholders in, figure out what it is that you’re trying to do and get the ground rules defined, in my world, I’d say in five days, so that you can actually trek on and get the business of business done.

LESLIE MORSE: Yeah, that makes sense. What was it that put the fire in your belly about this? Because if you’ve written a book on it, you’ve got to be passionate about it. So what drove that passion for you? Or drives, I guess I should say, yeah. [Crosstalk 00:04:45].

KRISTINA PODNAR: … you still drives it. And actually you know what it was is, I have met so many really competent and good and smart people in the digital space, and a lot of people don’t know what they don’t know, and I didn’t know certainly what I didn’t know until I started this practice. And so I really wanted to share this and so my book is all about how do you actually get this done? How do you get the business of digital policy done? So it’s actually a handbook. It tells you exactly what to do, how to get it done.

It does have the model for the more traditional approach, but then it really focuses on the five-day Agile methodology. How do you get these policies developed, especially if you’re on a sinking ship, taking on water? And you have to put out a fire because either you’ve gotten perhaps a letter threatening lawsuits around accessibility or maybe the regulators are on your tail because of GDPR compliance, whatever it is. How do you get this done and assessed quickly? And so you can be in that sinking ship mode or you could be at the point where you’re trying to get to the gold standard, and I think this methodology applies to all worlds and is usable by all.

LESLIE MORSE: So once you get your arms around the steps of that methodology, I’m also guessing there’s a philosophical mindset or some guiding principles that people probably need to adopt to do this well. What can you share about that?

KRISTINA PODNAR: Well, yes, in fact you do have to have guiding principles. And I think the mistake that a lot of folks get into is thinking about the policies as being a policing tool or policing mechanism that you’re going to use to enforce the rules. When in fact, really what they’re there to do is enable and support digital throughout the enterprise. And so it’s this methodology and this balancing act of having risk and opportunity, because there’s two sides to every coin. So it’s really critical to understand where you are in the digital policy maturity realm, and then how are you actually treating those risks and opportunities to make the right decision for the business. And that’s what we always have to remember. We all have an opinion and whatever that opinion is at the end of the day, policies come from what’s right for the business and doing the right thing by the business.

LESLIE MORSE: And as you work with people on this, I see a fear or risk around it always being additive. Right? Every time something goes wrong, we add a new policy to make those guardrails tighter and tighter and tighter. So often when I think about retrospectives with teams, I ask the question, when’s the last time you stopped doing something in order to improve? So does that lens of this come when you think about digital policy as well?

KRISTINA PODNAR: Absolutely. Great question. We talked a lot about that in today’s workshop actually. So, one of the things that I advocate is that you measure the effectiveness of your policy. And people go, “Oh, I want to understand how many people are following my rules.” Well yeah, compliance is one aspect of that. But you also want to measure so you can understand. Are people actually able to comply with the policy because it’s realistic? Have you enabled them? Have you taught them what they need to know to actually adopt a policy? Are there resources to meet it? Is it realistic? Is it meeting a business goal? And, if it no longer is necessary, can we retire it? Because no, we don’t want 101 policies. We actually do want to keep them smaller in number and make sure that people are sane and able to utilize them.

And so I think, measurement is one aspect of doing this. The other thing that I really advocate in my book is how do you ensure that there’s a repository or a system that people can use to understand what policies apply to them? So not every policy will apply to your project, and I think the key is can we create a tool set that says, okay, if I’m a marketing executive or a marketing director who’s sitting in France and I’m looking to do an 18 month campaign, I am going to collect personal data and it’s going to be through mobile and social media channels. Just tell me the checklist of the things that I have to do. And not only tell me what I have to do but help me help procurement, help my vendor understand what they have to do. So it actually feeds the entire ecosystem and creates again that safety net, so that everybody can do the things that they need to get done and be creative, but still know that they’re playing within a safety zone.

LESLIE MORSE: That makes sense. It almost reminds me of when I was working with a retailer in the .com space and guided selling, like what are the questions that you ask about the family to figure out what’s the right kind of washer and dryer they need to buy.

KRISTINA PODNAR: Yep. Same concept.

LESLIE MORSE: The same sort of guided experience around policy. But you also brought up the idea of vendor, because that’s a whole other level of complexity. It’s one thing about engaging our employees and getting everybody on the same page around doing the right thing to protect our business, but vendors are another level of complexity. So how does the handbook help you figure that part out?

KRISTINA PODNAR: See I really talk about, not just third-party vendor management policies, but also how do you actually work with your procurement team to ensure that everybody’s on the same page and that these policies extend to your third-party vendors and also to those might not be thinking about. In fact, if we think about the majority of stories today in our headlines, right, it’s always, actually I shouldn’t say it’s always but, a lot of the times it’s really about the folks outside of your enterprise, right? It’s about the AWS hack. It’s about, maybe a credit card processor who forgot to secure some type of data and all of a sudden, oops, we have a moment.

And so, this really is about ensuring how do third parties get accredited, and how do they get screened, and how did they get filtered? And how do they get managed through the process so they’re part of your digital team, treated as that, and they actually understand and can buy into and execute against the policies? And oftentimes I think what we do is we forget to actually address that third wheel, if you will. And so, in the book I actually talk about how do you get that done and it does take working with procurement, and working with IT, and working with marketing and getting everybody on the same team, so that we actually understand and enable those vendors to meet our expectations.

LESLIE MORSE: I’m starting to get inspired by the idea of right, cross-functional teams coming together to work on policy. Because that’s probably something that elongates the traditional processes so much as, there’s all these people you have to go talk with and that sequential, more waterfall checklist of getting it done versus, who are all the people that are main stakeholders of this? Let’s get them around the table. What’s the impact to your business for making all these decisions?

KRISTINA PODNAR: And that’s actually one of the points that we talked about today in the workshop is, do you have procurement? Have you considered them for certain types of policies? Have you talked to HR if you’re talking about internal employees? Have you gone to finance, because they actually might have a prong in this thing as well? And so, it really is about ensuring that you understand who the stakeholders are throughout the organization, bringing them into the fold, and you can do that in a really agile way, which I think is the cool part. So, no longer writing out these, 25-page long documents and then sending them to somebody to mark them up and send them back to you in Microsoft Word. And here we are, month three, and their project hasn’t moved along. It’s really-

LESLIE MORSE: Yeah, talk about an impediment.

KRISTINA PODNAR: … Exactly, exactly. It’s about, bringing folks together and knocking it out, which is why I think, five days is perfect. And people go, “Oh, it’s five days?” And it’s like, yes, but here’s the deal. You’re not sitting with everybody eight hours a day, right? In this five-day methodology that I’ve mapped out, you literally have a kickoff meeting day one. So you’re taking maybe an hour to 90 minutes out of everybody’s day, getting everybody aligned. And then days two through four you’re actually working with people in 90-minute increments. So a lot of times what I’ll do is actually pull somebody out of procurement, but it’s only 90 minutes out of their day. And we actually work on these policies.

And by day five, you’ve actually gotten to the point where you have a really nice policy. Not only have we created it and documented it, we have buy-in. And, what’s really important is we understand how are we going to get that disseminated into the organization? How are we going to actually adopt it? And then how are we going to measure it? Which is kind of the key part, right? Because writing a policy shouldn’t be shelfware, right? It should be sort of an artifact, but it’s part of a process and it’s actually agreed to.

LESLIE MORSE: It’s part of how we live and breathe our day-to-day actions.

KRISTINA PODNAR: Exactly. It’s that contract that you actually create with everybody that matters at the end of the day.

LESLIE MORSE: Yeah. So two things are kind of coming up. One, the beauty of how this approach can help uplift an overall organizational agility, right, I think of the ceilings of organizational agility. We can get this much benefit by just adopting scrum at the team level, but if we don’t do this, right, it’s slowly pushing up that ceiling. And eventually policy does become one of those impediments that get in the way. So it’s huge for increasing or signaling of organizational agility.

But then I also just think about the digital era in society. You talked about, right, vendors and playing in. But sometimes it’s not even you or your vendor that maybe made a mistake, but if some adjacent industry that made some sort of error that we’re now having to go, “Uh-oh, well what are we doing about that?” So that ability to inspect and adapt, sense and respond really quickly to the volatility in the market. Because this is real stuff-


LESLIE MORSE: … and it is a quick way to lose customers if you’re going to make a mistake in this area.

KRISTINA PODNAR: And lose trust, which actually rolls back on your brand. And that’s what we have to keep remembering. It’s not just a one-off. It’s something that’ll stick with you and it’s going to roll back on the brand, on your reputation, and it’s going to actually have a lasting impact. And so what you want to do is, there’s always going to be that oops moment, but what you want to do is A, minimize oops moments. And then if they do occur, which they certainly can and most doubtably they will, depending on what we’re talking about, you have to actually be able to understand how to deal with them. And that’s I think what policies actually do, is they help you understand what you can take on as a risk and what you can’t, and where can you recover and how do you recover so that it’s faster, easier, and you kind of get over that hump?

LESLIE MORSE: So when you found this discipline, can you tell us the story about the first time that you started doing this in real life and said, “There’s really something here?”

KRISTINA PODNAR: Yes, yes. Okay. So it was really early on. This is sort of scary. I’m going to tell you a quick story, but I’m going to actually tell you a funny story. So the first time I realized that we needed policies and the first time that I actually created a policy, was probably 1998. And I actually had a client website down for eight hours because I accidentally blew away all of their files. And so this was in the day where we believed that project managers could migrate data. And I realized that disaster recovery is really important and redundancy is really important. And I know that those are sort of just buzz words that we use a lot of time, but you’d be amazed that in 2019, we still have people who don’t have disaster recovery policies in place and they don’t actually have backups in place.

LESLIE MORSE: Or if they do have the policies, people don’t actually adhere to them.

KRISTINA PODNAR: And that’s a key. Right? I don’t know if you remember, probably a lot of your listeners do, Hurricane Sandy? I don’t know if you remember how many folks were down in the New Jersey area for weeks on end and there was no disaster recovery, there was no backup system, and it really was an uncomfortable time for a lot of people.

LESLIE MORSE: Yeah, absolutely. I can identify with that. I built a, when I had a startup, we built a large alumni platform for masters’ business school, and we did not have the right things in place and I accidentally went in, direct command line to the database, and updated all graduates to have the graduation year of 1979, because I didn’t do the select star, right, for this certain student that I needed to update. And it’s, you learn by failure often.

KRISTINA PODNAR: You do. And you know what, I think it’s really great that we did learn by failure and it was very excusable back in the late 1990s, early 2000s, but I think as we get to 2019 looking at 2020 ahead, I think we need to get beyond learning by failure so much and be a little bit more proactive and less reactive.

LESLIE MORSE: Yeah. And I think it’s, trust is the right thing there, when you talk about the brand. It would be like, there’s a level of quality and integrity, that if you’re going to play in the digital space, consumers today just expect you to be at that level. And if you’re not in the moment, you violate that kind of unwritten psychological contract, people are going to go away really fast. And, there’s times you just simply can’t rebuild that trust.

KRISTINA PODNAR: Especially for brands that have been around for a really long time and we’re talking about hundreds of years, right? I mean there are some household names and you don’t have the opportunity to rebrand yourself, so you better make it right the first time around.

LESLIE MORSE: Yeah, absolutely. So when you do some of this work, do you ever get into conversations? You mentioned marketing before, but really kind of the aspect of PR?

KRISTINA PODNAR: Oh, absolutely.

LESLIE MORSE: And, right, talking about, should things go wrong and kind of proactive response strategies?

KRISTINA PODNAR: Yeah, absolutely. And so what I find a lot of times is that folks don’t actually think twice about PR and really basic communication skills. How many folks do we have that are practicing social media? In fact, a lot of enterprises are getting to the point where they’re saying like, “Wow, there’s a power to having the employees go out and really promote the brand and talk about our brand.” Which is great, until something goes wrong. And then, I think understanding what do we do when something goes wrong? What is the response plan to that? And so you need to have that plan in place. With social media it’s very simple probably. The first time you make that mistake, first rule is, hands off the keyboard. Right? I’m emotionally involved in the situation right now. Even with the best of intentions, I did something or caused some kind of a situation. The worst thing I can do is to continue the conversation. Step away, bring in somebody else, and let’s triage the problem.

But then understanding really quickly what does that mean? Did I make a mistake that is really easy to dismiss in the sense that, it was a typo or a misspelling, no big deal? Or is it a much bigger deal? I point a lot of people back to the instance of Amgen, a pharmaceutical, where a gentleman who was an employee with the best of intentions in Denmark shared and liked the company’s press release. And you would think, “Wow, that’s great.” He showed a press release, right? He liked a press release. And oh, by the way, it was on LinkedIn. So what else could be better? It’s official word. However, in the EU you are not allowed to promote pharmaceutical products if you’re an employee of the company.


KRISTINA PODNAR: Right. And so that would’ve been a really great example of how do we actually triage the situation really quickly? We have somebody who thought they did the right thing with the best of intentions, didn’t know any differently. Right? How do we triage the situation, which obviously is now a legal issue? How do we actually address that with the regulators? How do we actually address that with the employee so he understands what actually went wrong? And how do we, as a company then, start to talk about that? Because again, it doesn’t have to be somebody doing something with ill will. It could be really for good reasons, but something happens that you weren’t intending to. And so I think you need to actually have not just the oops moments where you think of like the craziest things that could go wrong in a bad way, but even when, oops, things went kind of right, but kind of wrong, and can you recover from them?

LESLIE MORSE: Yeah. So do you find when you’re working with clients, are they coming to you after the oops situations where it’s kind of reactive? Or, do you have people coming to you more proactively saying, “We probably need to get a little bit better at this?”

KRISTINA PODNAR: It’s a mix. It’s a mix. And so, I’ve had three organizations come to me who say, “We’re the gold standard. Can you give us the stamp?” And I have not been able to give out the gold standard stamp yet because nobody’s been perfect. Unfortunately, or fortunately, I think it’s just a reflection of where we are. But I would say about 70% of the time people really are trying to be proactive. They understand that there’s the European Union’s GDPR, General Data Protection Regulation. California has a similar law that’s coming on the books as of January. So I think a lot of folks understand that this is an area they have to be proactive about. But I think they’re also starting to understand that there’s opportunities out there that, not having the right policies for, actually preclude you from taking advantage of them. Things like accessibility.

So yes, having accessible digital channels is the legal standard in the United States because we have the Americans with Disabilities Act. In the UK, Israel, Australia, Canada, et cetera, it is a legal mandate. Well, all of that being said and done, also let’s look at the numbers, right? One in four Americans has a disability of some sort. Those individuals have purchasing power, they have family and friends who also have purchasing power. And so is that an audience that you want to ignore or do you want to actually embrace that audience and make adjustments to your digital by becoming accessible and ensuring that you can reach them and really create a long, lasting, trusting relationship?

LESLIE MORSE: Yeah, and there’s so many facets of it that you can consider. And I really, I got sort of hooked when you talk about California and my brain went to the worst case scenario. So I want to talk a minute about the future of digital policy and where you think things are going. Because I’m imagining what happens here in the United States if every single state comes out with a different set of compliance things. And how can we, as a society of business leaders, proactively engage in conversation that gets us all doing the right thing? Because having to design for 50 different nuances and variations, that’s just a level of complexity I don’t think any of us can get our brain wrapped around.

KRISTINA PODNAR: Well we already live in that world, right? Because we actually have 50 states with 50 different data breach notification laws.

LESLIE MORSE: I ain’t even thought about that.

KRISTINA PODNAR: Right. And a lot of people don’t. Right? And so, when I’m working with organizations, they go, “Ahh, I have a database and I don’t actually know what state individuals are in,” and validly so.

LESLIE MORSE: And what’s governing law is that where we operate or where the consumer lives and all of that.

KRISTINA PODNAR: Right. So here we go down complexity road, right? And so the question is what do you want to do? And so my advice always in that situation is, follow California law, it’s the most stringent. It makes it easier if you just say, “Look, oops, we had a data breach. California has a standard. We know we’re going to meet all of the other state standards in the process.” And I think we’d probably see something very similar in terms of data privacy.

But, I think where we’re really at is we need to just adopt these guiding principles that ensure that whether it’s GDPR, whether it’s LGDP in Brazil, whether it’s POPIA in South Africa, whether it’s you know, CCPA in California, whether it’s the next big acronym, I don’t care. There are eight basic principles in terms of data privacy that we all need to be thinking about. And if we adopt them, we’re going to meet whatever regulation comes our way. And they are things like, privacy by design and children’s online protection and consent and notification and data breach. And so, if we actually go down this path and get those eight in place, we will be safe for what I call the tsunami of privacy regulations that are sure to come our way.

Because California has a start. Even though we had the failed Washington Privacy Act, WPA, fail. We’re talking about Ohio, New Jersey and others being on its tail. And so, before federal law is going to be in place, we definitely will need a way to deal with it. And I think for any executive out there, getting fundamental principles in place is the right answer and then everything else will be much, much easier.

LESLIE MORSE: Yeah, and I think you as our large body of agile coaches that are listeners and scrum masters and everything, just the awareness that this needs to be part of the conversation is huge for where we are. Just sort of from a societal transition standpoint is, we’ve truly become a borderless digital economy in all ways, right? That is the reality of where we live now. We don’t need to be talking about that as the future. It is today.

KRISTINA PODNAR: It’s reached us now and I think what’s really wonderful, you sort of just mentioned it which is, we have a lot of agile coaches, and who better to get organizations up and running quickly and get us to the point where we understand this practice and have embedded it into the organization and we’re caught up quote-unquote.

LESLIE MORSE: Yeah, and I think just knowing that there’s ways to do this differently, I think is huge. And so, they’re probably also going, “Well, I need to learn more. This isn’t enough.” So, if people want to immerse themselves in this and start finding out ways to have more conversations with their clients or, right, it’s someone in an organization that want to take this to the next step, where should they go?

KRISTINA PODNAR: I would suggest going to The Power of Digital Policy. There is a really great resource center that I’ve started out there. One of the things that’s really handy is an interactive map. What privacy policies have actually been adopted already around the world and what’s proposed is out there. You can also take a survey to assess where are you in terms of your digital policy maturity state, what you need to actually do to get it to the next level. You can look at very specific recommendations around the type of policy your organization ought to have and get all kinds of insight depending on where you are in the organization at the

LESLIE MORSE: That’s great. Any final thoughts you want to leave with listeners today?

KRISTINA PODNAR: There’s no day like today. Let’s get it done.

LESLIE MORSE: Yeah, it’s a little bit like automated testing, every day that passes that you’re not writing automated tests is a day too many.


LESLIE MORSE: Same thing with this kind of conversation, I imagine.

KRISTINA PODNAR: Exactly, and there’s such an opportunity and I think that for those folks that are stepping up and taking advantage of it, what a great competitive differentiator.

LESLIE MORSE: Yeah, absolutely. That’s a really great point. Fantastic. Kristina, thank you so much for being with us today.

KRISTINA PODNAR: Thanks Leslie, this was so much fun.

LESLIE MORSE: Yeah, it was great. And thank you for listening to this episode of Agile Amped. If you learned something new, please tell a friend, coworker, or client about the podcast and subscribe to hear more inspiring conversations.