NEWSLETTER

Hidden Risks and Policy Sprawl: How Outdated IT Policies Undermine Assurance and Cyber Resilience in Combined Authorities

Steve Macmillan

Combined Authorities and local councils are facing cyber risks that are increasing in frequency, sophistication, and impact.

As digital services expand and data sharing becomes more complex, the resilience of public-sector organisations is being tested in new and increasingly visible ways.

The UK Government’s own Cyber Action Plan highlights institutionalised fragmentation and legacy IT as systemic weaknesses undermining public-sector cyber resilience. Nowhere are these challenges more evident than in IT governance and policy management, where fragmented, outdated policy portfolios obscure risk rather than help to manage it. Over time, unmanaged IT policies become a form of governance debt: a growing accumulation of obsolete, contradictory, or poorly applied documents that weaken assurance rather than strengthen it. This phenomenon is commonly referred to as policy sprawl.

The Anatomy of Policy Sprawl

In federated structures such as Combined Authorities, policy sprawl is often inevitable without a centralised governance approach. It typically manifests in several ways:

  • Conflicting versions
    Constituent councils or departments maintain different versions of core policies such as Acceptable Use, Access Control, or Remote Working.
  • Interpretation gaps
    Central policies exist, but it is unclear how they apply to delivery partners, shared services, or devolved teams.
  • Shadow governance
    Local adaptations are created in response to operational pressures but are never formally reviewed or approved by Information Governance (IG) or security leads.

The Department for Levelling Up, Housing and Communities (DLUHC) has previously warned that unclear risk appetite and accountability inhibit secure data sharing. That same ambiguity extends naturally into wider IT and cyber governance: when authority and responsibility are scattered, policy becomes inconsistent, and collaboration across councils turns into a legal, security, and compliance risk.

Why Cyber Resilience Depends on Rigorous Governance

Frameworks such as the National Cyber Security Centre’s Cyber Assessment Framework (CAF) exist to provide organisations with a consistent way to assess and improve their cyber security posture. They enable teams to identify gaps, weaknesses, and areas of risk with clarity and structure.

Crucially, the CAF places policy governance at the heart of effective operational controls. However, compliance is not achieved simply by having policy documents in place. Organisations are expected, at minimum, to demonstrate that policies are:

  • aligned to recognised frameworks and standards
  • implemented consistently across the organisation
  • monitored and reviewed regularly
  • demonstrably effective in practice

This is where many public-sector bodies struggle: evidence collation becomes difficult because policies are:

  • stored across multiple, disconnected systems
  • lacking version control, ownership, and review cycles
  • not linked to measurable control outcomes or operational evidence

These gaps are not trivial. The National Audit Office (NAO) has repeatedly highlighted maturity shortfalls in these foundational controls across government organisations, reinforcing that IT policy governance is not a “nice to have”, but a prerequisite for assurance.

The Operational Impact of IT Policy Sprawl

When policies are fragmented and unmanaged, evidence collation becomes reactive rather than routine. This drains already stretched resources and increases the risk of non-compliance at critical moments.

In practice, outdated or unclear IT policies lead to:

  • Slower incident response
    Without clear escalation routes and decision-making authority embedded in policy, teams are forced into ad hoc judgement under pressure.
  • Inconsistent service protection
    Different teams, departments and contractors may interpret and apply policy in conflicting ways during incidents or operational changes.
  • Weakened assurance
    When auditors, regulators, or senior leaders request evidence, fragmented policies make it difficult to substantiate claims of compliance or control effectiveness.

Local government cyber incident reporting consistently references outdated IT practices and weak governance as contributing factors. This makes policy clarity not just a theoretical requirement, but an operational necessity.

Overcoming Policy Sprawl Through Structured Governance

To address these risks, authorities must move beyond static document storage and adopt a structured, defensible policy lifecycle.

A robust policy lifecycle ensures that IT policies are:

  • regularly reviewed and kept current
  • aligned to frameworks, standards and organisational risk registers
  • evidenced through change log reporting
  • clearly owned, approved, and accountable

Unmanaged IT policies are more than administrative clutter. They undermine an organisation’s ability to govern risk, respond decisively to incidents, and provide assurance to regulators, auditors, and senior leadership.

How Protocol Policy Systems Supports Resilient IT Governance

Protocol Policy Systems helps Combined Authorities and local government organisations reduce risk through a streamlined, cloud-based policy framework tailored to their operating environment.

Our Policy Management as a Service (PMaaS) offering is mapped to internationally recognised frameworks and standards - CAF, ISO, PCI, and others - providing a defensible foundation for cyber and information governance.

This approach:

  • eliminates siloed policy documentation
  • embeds clear ownership, version control, and review cycles
  • centralises evidence tracking for audit and regulatory readiness

By implementing PMaaS, often in under six weeks, authorities can close the gap between today’s fragmented governance landscape and the resilient, assured future demanded by national standards.

Find out more about our work with Combined Authorities and local government here. Or speak to a member of the team about how we can support your IT policy requirements.

