With Boards of Directors focused on strategy and company performance, it’s easy to ignore something like policies. In fact, the word policy can be a bad word in some companies, with staff thinking that adding policies will make the company too bureaucratic, or less flexible.

It is easy to dismiss policies as a pain-in-the-butt exercise by HR and administration. And the truth is that many organizations go too far in adding policies and procedures, effectively creating a rule for everything.

However, policies are important, and they can be a significant aspect of Risk Management in a company. Adding policy can have substantial benefit if applied intelligently, addressing major issues relevant to an organization. If you are on a board, it’s highly beneficial to ask for access to company policies, check what policies the company has, and read through a few to ensure they are well done.

What is the Role of Policies in an Organization?

Policies have a very defined role in a company, and when written and applied correctly, they can provide enormous benefit. A few key outcomes of having good policies are:

  • Set clear expectations around what constitutes acceptable behavior for employees and contractors.
  • Ensure an organization complies with legal requirements, government directives and potentially other stakeholders, such as insurance requirements.
  • Set controls on authority within the organization.
  • Set expectations for how the organization will act towards staff, customers and all other stakeholders.
  • Assign and accept risk, which greatly assists in defending lawsuits.

Ultimately, good policy allows the Board to ensure oversight of key areas of risk in the organization.

What Type of Policies are we Talking About?

Policies can exist in any part of an organization, and the word “Policy” is often intermingled with procedures and legal agreements. I like to look at Company Policy and group what I find into three general groups:

Policies

Policies serve as guidelines and explain what to do and why. They set minimum expectations of conduct (Code of Conduct), ensure controls are in place (Spending Authority Policy), explain how decisions are made (Emergency Succession Policy) or simply describe critical aspects of how a Board or Leadership Team wants the organization to operate (Conflict of Interest Policy, Data Security Policy). These policies take more time to create and implement than legal agreements, but typically provide benefits to the entire organization. For the Board of Directors these policies are also critical to ensure we are appropriately managing risk.

Legal Contracts

OK, legal contracts aren’t policies, but they are similar to policies in that they describe critical aspects of how the organization will operate. Just as basic policies are critical to review, so is ensuring that critical legal documents and contracts contain appropriate language to mitigate risk. Some of these legal policies are government requirements, such as ensuring GDPR compliance on your website, including having appropriate Privacy Policies and Cookie Policies. Other types of legal policies, such as Employment Contracts, can carry enormous financial commitments if done incorrectly.

Fixing legal contracts is the easiest change to implement, as you can often get templates for these documents from your corporate law firm. Implementation is simple, and just means transitioning to using the new document.

Procedures

Many people think about procedures when they hear the word policies. Procedures describe how to do something, and are designed to formalize ways of doing business. Procedures become more critical as organizations mature and grow their number of staff, or where a process is to be repeated on a very regular basis (for example, you may have a procedure around running payroll, or maintenance on a hut). There are enormous downsides to procedures in that they typically aren’t flexible.

What to look for in Analyzing Company Policy

Access to Existing Policies

Having policies is great, but do the staff actually use these policies? One way to understand how much an organization uses policy is to ask for a comprehensive list of policies.

Ideally all the policy should be in a public folder on the network, and in some cases may still be kept in a physical binder. This means that getting access to the policies is easy, and takes seconds or minutes.

On the other end of the spectrum, sometimes getting access to a list of the policies can be a challenge. It may be that there is no place where all policies are stored, or only a few staff members know where the policies are kept.

Difficulty in accessing existing policies is a bad sign, likely correlating with staff not being well versed in club policies.

Check Policy Format

When you get a policy, it should be clear who created the policy, who reviewed it and who approved it. A policy should also show the date it was approved, and ideally a revision number, to ensure it is clear to all which policy is currently in use.

Having this information makes it clear to all staff which policy to use, and that it has been approved. For example, every policy should be clear about:

  • Who created the policy and ‘owns’ the policy for general upkeep. This could be almost anybody within the organization.
  • Who has reviewed the policy. This is often the CEO or a department manager, and is a step to ensure policies aren’t sent willy-nilly for approval.
  • Who approved the policy. This could be the CEO, BOD or even a Committee Head. This is the person who agrees that this policy makes sense and should be implemented for the organization.

Review of Existing Policies

I like to actually see what policies an organization has, as well as read through the policies.

To begin with, by looking at what policies are currently in place you can see if an organization is reactive or proactive, as well as what types of issues they are having, and needing to create policies for.

In addition, you often get a glimpse of how different staff members think and operate. You also quickly learn whether the company is on the right track, or if there is a lot of work to do.

What Policies to Focus on

You can create a policy for almost anything in a company, and unfortunately if you hire a person with a policy background you may just find out that you need a policy for everything.

I am not a lawyer, and am not providing legal advice, however below I highlight what I have found to be the most critical policies to address. I would note that different companies may require additional policies.

Critical Legal Policies

These are easy to implement, and a company can often just use industry-standard contracts supplied by company lawyers. It is a worthwhile investment to get your corporate lawyers to provide their standard documents and use them. If they require customization then ask the partner you work with to customize them.

  • Employment Contracts: Employment contracts are critical, as they provide clarity on staff entitlements like sick time and vacation. They also provide clarity on work expectations, confidentiality, dispute resolution, discipline, severance costs and IP ownership, and may also deal with other risky situations, like harassment, public statements and more.
  • Independent Contractor Contracts: Having a good contract with Independent Contractors is critical, as there are enormous costs and risks associated with a bad contract. These contracts should have many of the provisions of the employment contract, and provide clarity on confidentiality, ensure that contractors won’t be deemed employees, set the termination period, and ensure IP ownership.
  • Terms and Conditions: Almost every business has some sort of Terms & Conditions, whether you’re a manufacturer, a travel company or a website. These Terms & Conditions are a contract that details who assumes the risks in using the product or service, either the company or the customer. They often clarify legal recourse against the company and also clarify things like refunds and cancellations. Ultimately, T&C’s give the company more protection if something goes wrong. In addition to having T&C’s, it’s just as important to make them visible, so that your customers can see and agree to the T&C’s as part of the booking process.
  • Website Policies: If you are selling or taking personal information on your website, there are a range of other policies you will require. First off, you should check if you need to be compliant with GDPR, the General Data Protection Regulation, which applies to any EU citizen that uses your site. Being compliant means having a way to track any cookies you use, as well as ensuring your users accept those cookies. It also requires you to have a Privacy Policy that describes how the organization will handle sensitive information from customers. Another aspect of website policy is the Cookie Policy, which discloses all the cookies you use, and is a part of GDPR compliance. GDPR fines can be in the hundreds of thousands. Make it easy to access these policies and view the T&C’s on the ACC Website.
  • Other Agreements: It’s useful to have a look at any other company-specific legal agreements. I typically ask to see the contracts with a company’s biggest customers and review those, noting whose contract is being used.

Critical Policies

Every company is different, however there are some policies that are somewhat universal. Many of the policies listed below provide significant risk mitigation, while others are just good practice to build a good company.

  • Code of Conduct: A code of conduct sets the minimum level of conduct for staff, contractors and often the Board of Directors. A good Code of Conduct also will describe how complaints are handled, and disciplinary language would tie in with the employment contract.
  • Data Security Policy: It’s hard to think of a company without confidential information, and any company with staff, contractors or customers is likely to have confidential data. Unfortunately, smaller companies struggle with IT security, and there is a real chance of nefarious individuals or organizations accessing private data. This policy sets expectations for data security and privacy requirements. This is a huge risk both for your company’s reputation and potentially financially. It is suggested to involve outside specialists in ensuring your company’s data security procedures and network are secure.
  • Board Governance Policy: This is not a policy a small company would need, but when you add a formal Board of Directors, then this policy ensures the board understands their role, and can be assessed against this policy.
  • Emergency Succession Policy: This is a useful policy, as it forces the Board to consider how it would handle emergency succession. A big part of creating this policy is ensuring that critical passwords are written down, bank authorizations for others are complete and finally identifying who will take on the CEO duties if there is emergency succession. A few hours of planning can save weeks of chaos should you not have an Emergency Succession Policy.
  • Risk Management Policy: Risk Management is a massive part of what a Board does, though often it is not done formally. A Risk Management Policy will outline how the Board and senior leaders will manage risk. Note that risk management does not mean you mitigate every risk, but you work to understand risks and mitigate some risks and accept some risks.
  • Spending Approval Policy: As companies grow, more and more staff take on responsibility for spending money. Almost every company goes through a point in time when money gets spent, or a contract signed that shouldn’t have. The Spending Approval Policy is a simple policy to create, and it sets limits for staff to spend money or sign contracts, as well as assign authority to approve spending beyond limits.
  • Budget Approval Policy: A Budget Approval document is useful to set timelines and requirements for the budgeting process, as well as who is involved and when. What is even more important though is describing how changes to a budget are made. Who has authority to make changes and how are these changes communicated? One common example is how spending changes as revenues increase or decrease: will this automatically reset the budget, or does the budget have to be reforecast? Ultimately it is very important to ensure the board approves all spending.
  • Conflict of Interest Policy: This is another standard policy that should be easy to write and implement, but would make it clear to all stakeholders that any conflict of interest must be disclosed and how the company will handle conflicts of interest.
  • Health and Safety Policy: Almost every company could benefit from an HSE Policy, but for companies that have workers engaging in dangerous work it is imperative. While many people look at HSE as a nuisance, this is about your company doing its best to protect its staff. In some cases there are substantial insurance and WCB savings to be made through adoption of HSE policies.
  • Employee Handbook: An employee handbook is typically a collection of policies relevant to a new employee, and is often provided to a new employee on their first day. This is an important beginning to a relationship with an employee, and should greatly assist in onboarding, explaining a lot of the quirks of your company, and ideally even start to communicate the culture of the company. A good Employee Handbook will set out a wide variety of employment related policies, such as IT use, Drug and Alcohol, Vacation Policy, Gift Acceptance, Workplace Harassment, and many more.

What to Do When Your Company’s Policies Are Insufficient?

Implementing change is much harder than understanding that there is a problem. Policy isn’t sexy; in fact it can be fairly boring, and nobody really wants to spend time solving this problem. Many leaders don’t have much legal training, and often struggle to understand why having no policy, or poor policy, is a risk to the business.

Ultimately, as a Board member you are not in a position to drive a project to improve the policy, and you need the CEO and leadership to want to solve this problem. A first step is to talk to other Board members to gauge their thinking on this issue, and perhaps even try to explain why this is such a major issue.

Ideally you can build support at the board level around the need to improve policy, as CEOs are often not energized by solving this problem. While some leaders quickly understand the risks of not having policy and want to solve this issue, others will continue to see policy as a pain and something they want to minimize or delay. In these cases, have the Board as a whole identify the issue and put policy on the Performance Plan for the CEO.

Ultimately, having a lean policy framework that provides flexibility in operating a company while ensuring expectations are clear and risk is minimized is a pragmatic approach to building a long-term, successful company.

My Governance Experience

I have been fortunate to have worked and learned extensively on Governance. I have worked on multi-year governance programs and sat on boards of both For-Profit and Not-for-Profit organizations. Underlying my experience, I have been fortunate to study under Jay Lorsch at Harvard Business School and Harry Korine at London Business School. I have also been very interested in Governance with SMBs and private businesses, and have completed the SME Board Effectiveness Program at the Rotman School of Management.