The explosion of mobility for businesses of all sizes has led to an equally noisy explosion in the concern organizations have about letting employees run around the town – or the globe -- subscribed to expensive rate plans and using devices packed with sensitive corporate information.

The concerns are real and well known. That’s why it’s interesting that more organizations aren’t preoccupied with creating effective overall mobile policy documents. Observers confirm that there just hasn’t been great interest in creating documents that tie the entire mobile experience together under a single set of rules, regulations and guidelines.

“A lot of companies, for a lot of different reasons, have not gone down the path of actually creating a mobility or wireless policy,” says Dean Alms, the vice president of strategy for Visage Mobile. “It’s surprising how few have put pen to paper.” Visage Mobile and Strategy Analytics analyst Philippe Winthrop recently released a template for just such a document.

Certainly, companies have taken swings at creating mobile policies. Winthrop says that about half of the companies he talks to have some sort of mobility guidelines. The problems, he says, are that they often are old, superficial and only cover one element of the organization’s overall mobile efforts. They generally are not updated often enough to have a major impact.

Why is the need for mobile policies not met? A major challenge is that mobility is such a big topic that it is difficult to structure the enterprise-wide discussion that will lead to a comprehensive and effective mobile policy. For one thing, mobility has emerged in business, both at the small and medium-sized business (SMB) and enterprise level, from the grassroots upward. That makes it difficult for managers to truly know what is going on in the field, much less mandate changes in the way in which folks use their devices.

Indeed, many companies rely on employees to use their own devices and either compensate them through T&E or provide them with a stipend in their paychecks. Employees are then on their own to buy devices and select carriers and rate plans. While it slashes capital expense by eliminating the need to buy phones, employee-owned devices make policy creation problematic for two reasons: The company loses control of the make and model of the gear used in their businesses and no longer holds sway over how the devices are configured and managed.

If the phone belongs to the employee, it’s difficult to write a policy that mandates remote wiping capabilities – the ability to remote delete data – if the device is lost or stolen, to outlaw certain vulnerable applications or do other things that a reasonable policy may mandate. Employee-owned devices are not uncommon, however. This, no doubt, has reduced the prevalence of meaningful policies.

Alms points out that this grass-roots evolution of mobile devices means that various departments may use different devices under different conditions. The HR department may be partial to BlackBerries, while top-level managers like iphones. Reconciling these differences in established companies is much trickier than in greenfield scenarios. Managers at companies that are just starting out have a better understanding of the importance – and dangers – of mobility. For them, sensible policies can far more easily be integrated.

These layers of confusion all add up to one big issue: inertia. The desire to do nothing – and not be put at short-term risk – is, as always, a shining temptation and a winner in many executives’ book. “The biggest problem, first and foremost, is that organizations don’t know where to begin in creating policies,” Winthrop says. “They feel overwhelmed in all the different permutations.”

Another stumbling block is that while it’s easy to say that a mobile policy is aimed at handling concerns about expenses and security, the reality is that these are such broad topics that crafting a document requires input from just about everyone in the organization. This is difficult to do.

To many executives, that sounds like a guarantee that more of his or her time will be spent away from the organization’s core business. It also suggests the need to appoint somebody to be in charge. This person, in turn, would have less time for his or her core responsibilities. This hardly generates an enthusiastic response from executives.

Finally, it is difficult to keep a mobile policy timely enough to be truly useful. Savvy executives know that creating a mobile policy and not updating it on a regular basis is a fool’s errand since mobility evolves so quickly that a good policy today is antiquated tomorrow.

This is true on the security and use sides. Hackers and crackers are becoming more focused on the mobile sector. Though the industry has dodged significant bullets so far – the mobile world has never been as much of a target as the PC world -- keeping ahead of the game requires continual review of policies. The sector’s luck won’t last forever, and when the bad guys come, they will come with a take-no-prisoners attitude.

The speed with which things change is demonstrated by the growth of application marketplaces, which are sites from which users can choose from thousands of free and for-profit applications to download into their devices. A policy written as recently as mid-2008 and not updated since would likely not deal with these entities, at least in any detail. Today, of course, they are a big issue. “Management is trying to catch up to technology,” says Tim Colwell, the vice president of knowledge operations for AOTMP, an organization that aids in the management of IT and telecommunications.

The great variety in devices and the fact that the mobile world – and the threats to it – change so quickly leads people to shy away from specificity, even when they do create a policy document, Colwell says. Instead, people focus on things that, while important, are not indispensable to a successful program. “What we have found is that the policies tend to deal with procedural activities and procedures such as how to go about ordering a phone, repairing a device or statements that people shouldn’t use them to do anything illegal or immoral,” says Colwell.

It is possible for experts to offer a number of good tips on creating policy. Winthrop says that the template he and Visage Mobile created – and which is available at a wiki reachable through the Visage site – is a good place to start. Winthrop says the template is only one take on an ongoing process. It spells out in clear detail what the penalties are for non-compliance and deals in significant detail with rate plans, device choices, security, feature choice and other topics.

The axiom that the only constant is change is nowhere truer than in the corporate mobility. New opportunities and new challenges emerge on a strikingly frequent basis. For this reason, companies must commit to reviewing their policies and procedures on a frequent basis. Winthrop says that corporate mobility policies must be reviewed on at least an annual basis. In some cases, it is advisable to review matters as frequently as every three months.

The bigger picture suggests that the more important element is that a document be created that is flexible and able to change with the times. Says Colwell: “It’s almost as if you have to sit down with pen in hand today and say, ‘Here we are in 2009. I need to have a policy that covers things that I don’t understand or am not even aware of that will be here in 2011.’ There is a bit more forecasting in that.”