Controlling risk with effective policy management

August 10, 2018

The Importance of Policies and Procedures

Policies and procedures serve as the foundation of any business. They outline key processes, communicate expectations, reinforce organisational culture, and ensure compliance. They also act to protect employers during unfair dismissal claims, health and safety prosecutions, or liability claims. To that end, effective Policy Management plays a critical role in an organisation’s governance, risk, and compliance (GRC) strategy.

What is Policy Management?

Policy Management is the business process of creating, communicating, and maintaining policies and procedures within an organisation. And it’s important to get right. Poor Policy Management leads to inconsistent, out-of-date documents that may not align with business objectives or corporate and regulatory standards.

Policy vs Procedure

A policy is considered a guiding principle that sets the direction of an organisation. A procedure is a specific set of steps followed in a consistent manner to achieve a result. They are often grouped as one because they act together to provide organisational direction and consistency.

The Policy Lifecycle

Create – Communicate – Manage – Maintain

In order to improve efficiency and reduce risk, a business must tend to all stages of the Policy Lifecycle. The Policy Lifecycle provides the framework for best-practice Policy Management, and outlines the various stages a policy will move through as it evolves from a business need, to an archived record.

Create

The creation phase is where the policy or procedure is built, making it the most time consuming and resource intensive phase of the Policy Lifecycle.

The first step in the creation phase is to establish the business need for a policy or procedure. There are many reasons an organisation might decide a policy or procedure is required. To meet regulatory requirements, to protect an organisation legally, to establish work standards, and to clarify behavioural expectations are just a few examples.

Mature organisations will have a proactive process that identifies when a policy should be created.

A key aspect of the policy writing phase is consultation. Employees from a cross-section of relevant departments should have input into the policy where appropriate. Not only can workers offer valuable insight into the development process, they are more likely to adopt the policy if they are involved in its creation.

In order to keep policies and procedures clear and easy to understand, they should be succinct and written in plain English. Refer to existing organisational policies to maintain consistent style, format, and language.

Draft policies need to be circulated to all stakeholders for review and feedback. This should include stakeholders from all departments that will be affected by the policy. Any feedback or comment should be documented and further edits to the policy considered. Draft policies may undergo several edits as they move through the approval process.

Communicate

Now that the policy is finalised and ready for adoption, it enters the Communication phase. And while communication can take on a number of forms, it is vital that policies are effectively communicated to employees, otherwise an organisation may open itself up to risk.

Most organisations have moved on from physically printing and storing their policies and procedures. Not only is it expensive, but it also complicates the process when policies go out-of-date and need updating. Employees shouldn’t have any doubts about where to go to find the latest version of a policy or procedure. Organisations should provide a centralised location that acts as a single source of truth.

Depending on the complexity of the policy, or its importance, it may require formal worker training. Training should include explaining to workers why the policy was created, what purpose it serves, and how it will be enforced.

A key aspect of Policy Training is testing for understanding. Organisations must demonstrate that their workforce understands the policies that govern them, and what is expected of them on a day-to-day basis. If formal training is required, organisations should implement a thorough Policy Training program that consists of engaging course content.

Regardless of whether an employee needs formal training on a policy, or whether they simply need to read it and understand it, organisations must have a system in place that records Policy Acknowledgement. Policy Acknowledgement provides documented proof that an employee read and understood what was expected of them.

Manage

A policy can quickly become ineffective if it isn’t managed on an ongoing basis. The policy is there to provide stability in decision making and should be enforced consistently and predictably. Relevant department heads and supervisors need to constantly monitor for compliance and make decisions uniformly.

A key part of the Management phase is documenting instances of non-compliance. Policy violations (or policy exceptions) must be accurately recorded so as to provide valuable feedback when the policy is next reviewed.

Maintain

It’s important that policies and procedures don’t become stagnant reference documents. They should be treated as dynamic documents that are maintained and adapted as an organisation grows, or circumstances change.

To that end, every organisational policy should undergo regular review. This should be done at least annually; however, specific circumstances may require more frequent reviews. The review process should involve considering the incidents of non-compliance that were documented in the Management phase. It is here that organisations must decide whether the policy needs to re-enter the Creation phase, or whether it gets approved for another cycle.

The proper archiving of policies and procedures is vital in order to protect an organisation in the case of an incident, or questions from a regulator. Every version of a policy, along with a complete view of workflow history, needs to be stored in a secure location that can be easily accessed.

Once you understand the Policy Lifecycle, and the role it plays in mitigating risk, the inefficiencies of using a manual system to manage this process become glaringly obvious. Under a manual system, it’s easy for policies to go unseen, delays to occur, and audit trails to be lost.

Integrated systems such as myosh allow your organisation to centrally manage the entire Policy Lifecycle, and automate many of the key processes. Not only does such a system maintain all your documents in a centralised and secure online platform, but it can also manage other aspects of the policy lifecycle, such as approvals, annual reviews, policy acknowledgement, and training.