1. The foundation for the consistent, reliable and predictable operation of a business

As with modern societies, which were all built on a foundation of laws, the same goes for enterprises and running them successfully. You need policies to lay the foundation for the consistent, reliable and predictable operation of a business. Without some kind of expense policy, employees can spend money on whatever they like, and without security policies, things like acceptable use of devices cannot be regulated.
2. Compliance

Nothing says compliance like a policy. Auditors, in general, have very little patience for verbatim accounts of how you do this and that. Policies and extracts from them are required. ISO 27k even lists a policy as one of the main requirements.
3. Demonstrating adherence to and respect for relevant laws and regulations

Beyond mere compliance, policies are also good for proving adherence not only to the letter of a law but also to its spirit. In acquiring and keeping a banking license, for example, policies show lawmakers that you mean business.
4. As a disciplinary justification

When you have to let an employee go, and you do business in countries where this is a rather difficult matter, whether for legal reasons or because of the strength of unions, you need to be able to demonstrate behavior that is in conflict with policy, as well as policies that allow for disciplinary measures if they are not followed.
5. As an awareness and educational tool for top management

As a consultant, you're brought in because there's a perceived need to analyze and usually fix something. Arguing, explaining and discussing with top management is easy, but they also need a concrete output from your efforts. So, instead of delivering a report full of finger pointing, I usually prefer to deliver a few policies describing "how things should be", augmented by an action plan (improvement plan, roadmap) that leads towards the policy-dictated better place. Approving the actual content of a policy with the top management of a company gives plenty of opportunities to discuss details and create awareness around important issues.
6. To bring an out-of-control IT department or employee back in line

You may have met this guy: Mr. Recalcitrant Knowitall, who thinks everything you're trying to do is wrong and wants to keep sitting on his hoard of knowledge that makes him indispensable for all the wrong reasons. Sometimes a well-written, reasonable policy, clearly backed by management, can turn this guy around. I've seen it happen.
7. To raise the bar of knowledge

A well-written policy can raise the lowest common denominator of knowledge in a security or IT department. To the extent that colleagues will follow them, telling them to do this in that way and that in this way will help a lot, even if at the time they don't know why. Tell them that this is the way, explain why, and let them challenge it. Sometimes discussion beats learning by doing and failing. This is the first item out of seven so far that actually impacts the level of security of your company. Scary.
8. To drive funding

Nothing beats using compliance to drive funding (ironically, since compliance is mostly stupid), but an actual gap between an agreed policy and reality is also a good justification for spending increases. Or, depending on management's mood, for policy changes.
9. A good security policy prevents breaches

Nah. Not really. Kidding.
10. Management commitment

A policy that uses the words of your management, and that has been hashed out and agreed between them and you, is a great tool for actually getting management committed to security. Every time you pull it out, they'll like the words and phrases used, and thus be favorable to whatever you're doing. Except on Monday morning. And Friday afternoon. And except if it hurts the business. Or if it's annoying.

The conclusion seems obvious, right? There are plenty of good reasons to have security policies, but very few reasons to expect them to directly influence your defensive posture. To achieve that, define a security strategy and work from there, building your pyramid bottom-up, just like the Egyptians. Focus on the basics first.