You should have a formal, structured policy framework in place. Clients often ask us to write a policy for them or update an existing policy and we always ask if they have a policy development framework. It’s simple – a good policy framework results in good policies. Policies that are well-drafted, consistent, easy to manage and update, and – most importantly – that people actually read and follow. These are all characteristics of good policies.
The benefits of a good policy framework
- Promote and improve appropriate behaviour
- Manage activities
- Achieve consistency and efficiency
- Reduce organisational risk
A lack of awareness often causes the problem
Many organisations don’t have a structured policy framework in place. This can lead to poor management of policies, unclear or confusing relationships between different policies, or policies that differ widely in style, density and level of relevance in the organisation. Often this is not a result of malice or a lack of diligence on the part of persons employed or engaged by organisations, but simply a result of a lack of knowledge and understanding. For example, a policy drafter often confuses a policy, procedure, standard and guideline with one another.
In our view, the key to efficient management of your organisation’s policies lies in two main documents:
- the policy framework; and
- the policy register.
You need a formal structured policy framework
What is a policy framework?
A good policy framework (sometimes referred to as a policy charter, policy guidelines, policy development guidelines, or policy mission statement) sits at the top of the policy hierarchy. It forms the capstone of all policies below it, and guides how they are to be developed. The policy framework:
- presents the organisation’s philosophy regarding policy development, and establishes management’s mandate for and commitment to implementing that philosophy;
- clearly sets out the organisation’s view on the difference between a policy, procedure, standard and guideline;
- specifies the broad ownership of various policy categories;
- records the format, style, naming and version control of policies; and
- describes how policies must be approved, reviewed and updated.
This is sometimes given the name of a governance policy or resolution depending on who is responsible for policy statements. Often, the company secretary is responsible for policies.
If you don’t have a policy framework, we can help you create one that suits your specific organisation. We can also draft various policies or procedures for your organisation.
What is a policy register?
A policy register sits below the policy framework, and manages the more specific details of the various policies within the organisation. The policy register lists all relevant information of the policies, including the:
- policy name;
- policy content;
- link to the most recent version of the policy;
- person responsible for the policy;
- last review date; and
- version number.
Good policy frameworks support a document hierarchy
The difference between a policy, procedure, standard and guideline is important. You may adopt various types of document in the hierarchy. They are all different and it is important not to confuse them. Some organisations have a single generic document that combines policy, procedure, standards or guidelines (the combination approach), whilst others have multiple separate ones.
We advocate policies containing concise policy statements defining the principles that the audience must respect and follow. We also favour short policies that are consistent in style and format and that enable the audience to find the appropriate policy statements easily. Policy drafters should use hypertext linking to cross-reference other policies. Developing policies in this manner enables each policy to focus on policy statements relevant to specific groups within or external to an organisation. This has the advantage that audiences do not have to read irrelevant material.
The policy statements need to be supported by more detailed documents, including:
- procedures that have been developed or adopted by the organisation, or
- standards that the organisation believes establish the minimum measures that must be achieved.
Typically, policy, procedure and standards are mandatory. A policy may, however, also be supported by guidelines that enhance the awareness of readers of the laws, rights of third parties and business requirements that demand compliance with policy statements. An organisation often develops guidelines with awareness and training in mind.
Policy drafters should keep policies concise and leave the flexibility and detail required to the procedures, standards and guidelines. This is always subject to the requirement that a procedure or standard can be more stringent than the policy statement it supports but never less stringent. For example, the policy statement may be “The confidentiality of electronic records that are communicated by email is safeguarded”. The default procedure may be that no electronic record can be emailed externally as an attachment unless it is password protected. The procedure governing special or children’s information may require that the electronic record is encrypted. These would both comply with the policy requirement. However, a procedure that allowed an electronic record to be transmitted in MSWord or PDF form that can be opened by anyone, including anyone intercepting the email, falls short of the policy statement.
The need to clearly differentiate between policy, procedure and standards is emphasised by the ISO 9000 Quality Standards for the preparation of internal documentation. For example, these ISO standards expressly state that policies must be separate and distinct from procedures.
Is there a policy framework standard?
There is no policy framework standard and no general consensus as to what policies or how many should be in place, nor is there general consensus on policy design or content. However, we can help you follow best practice.
How to implement successful policies?
Implementing successful policies requires:
- following a document hierarchy
- taking into account the organisation’s own identified risks and business needs
- identifying and developing procedures and standards that support the policy statements
- being compatible with the organisation’s culture, and thus more likely to be accepted and supported
- being aimed at different audiences
- being kept up to date
What is a good approach to drafting?
To enable good policy development, we advise a policy framework that promotes a formal, structured approach to drafting. This will promote the consistency in look, feel and language (some of the characteristics of good policies) that makes policies and the documents supporting the policy (procedures, standards and guidelines) more easily understandable and easy to read. It also allows you to develop policies that are aimed at specific audiences.
Good policies based on well-structured approaches make it easy for employees and third parties to understand the governance and management approaches adopted by an organisation. They improve awareness and appropriate behaviour because targeted audiences only need to reference the document that is applicable to them and not lengthy detailed documents that address issues irrelevant to them.
Audience-driven approach to a policy framework
Generally, each policy is directed at different audiences because each audience has to know about different aspects of issues addressed in the policy. This is one of the characteristics of good policies.
Some policies are intended to address all or most of the persons employed or engaged by an organisation. For instance, an Acceptable Use of IT Policy may be required to ensure consistent and acceptable use of ICT and information processed using the ICT. This would typically apply to everyone from the CEO to the most junior person, as they all use ICT and process the information in one form or another. All persons who have access to the ICT would have to understand what access controls are in place. Only a few may have remote access privileges, so only those few may be subject to a Remote Access Policy and need to understand their obligations to protect the ICT and information when working away from the protections inherent in processing the information at work.
If a third party not employed by an organisation (like a vendor) is to be subject to a policy, you’ll have to get their agreement or consent. As non-employees are not subject to employment law and the disciplinary processes that your organisation may have established, the agreement should contain contractual provisions that outline the remedies and sanctions that the organisation can impose if the third party breaches any applicable policy.
Glossary: What’s in a name?
While you should consider the usual usage of words or terms, the guiding principle is what the audience will best understand. Some terms are industry- or organisation-specific, and only persons within those industries or organisations will understand and use them. You should develop a glossary of terms that your policy framework uses. The glossary should be easily accessible. A glossary eliminates the need for you to have definitions in each of your documents.