top of page

What Should a Policy Contain?

In this video series, Peter Rogers from Mango Global discusses what should a policy contain?

Peter meets with compliance consultants around the world to get insights into on ensuring that your policies are clear and concise.

This is #2 in a series 4 compliance conversations about policies. The question we answer in this conversation is "What should a policy contain or not contain?"

Check out the video here:

Nicholas, SRM, South Africa

I think first off, any policy needs to be appropriate to the organisation.

We have a thing here that we do, called the ‘McDonald’s test’.

If I can take somebody's policy and replace their company name with McDonalds, and the policy still reads and make sense, then the policy is not appropriate in terms of its content.

It means it's not company specific.

A policy should be appropriate to the company whether you're a: construction company, a manufacturing company, or a brewery.

It should contain some specific information with regards to the scope of activities for your business.

In other words, if you're a brewery, and you say you're a brewery, and I put McDonald's in your brewery name, then the policy is not going to make sense, which means it fails the McDonald's test.

That’s some of the things that a policy shouldn't have in it.

What a policy should also have is a grouping of commitments from the organisation, one that is specific to the organisation and speaks of the culture, and the nature and scale of the organisation.

It should also have a number of commitments.

From a health and safety perspective, we should commit to the elimination of hazards, reduction of risks and prevention of injury.

High-level values that the organisation ascribes to, and then ultimately, management commit to that, and workers then have the opportunity to hold management accountable to the commitments that they've made in the policy.

Sean, Kaizen Consulting, New Zealand

A policy should contain an overview of commitment of the company to that topic, whether it's an information security policy, quality, health and safety, environmental and so on.

It's a high-level commitment.

For example, let’s take a health and safety policy. It’s a high-level commitment on zero injury or zero harm, or reduction of accidents and the commitment of the company to continuous improvement and involvement of their employees.

What it shouldn't contain is the detail of how they're going to do that, not that the detail is not important, but that's when the company objectives and the strategy objectives come in.

As soon as you start putting all those details into the policy, then you end up having policies of 3, 4 or 5 pages, and it actually loses its impact on staying at that high-level commitment of the company.

Chris, FQM, United Kingdom

It’s important to recognize what and who your audience is.

If you are talking about a policy statement, where it's the whole organisation, it must contain the key information of what you're trying to portray, there's no point packing everything into the policy statement.

It's important to minimize the amount of words that's used in that type of document, because it's got to be clear, it's got to be concise, and it has to contain the key message of what your expectation is of the company level, and the people that will read it.

When it's a more detailed policy, where it's maybe referring to law and things like that it must contain the information that's relevant so that people can either read that information or know where to go to get that information.

Some of the things that's important about NOT including in a policy is the procedural aspect of it, the how-to aspect of it.

Some companies I’ve seen creating, 50 to 60-page policies, and effectively they've brought in processes and procedures into a policy, explaining what should be done, and then it's explaining how to do it.

A policy statement shouldn't go to that level.

Bryan, HSE Technology

The most effective policies are those that are simple and easily understood.

The object is really to communicate, so what it should contain is straightforward language dealing with the process or the activity at hand, it should be easily disseminated, easily understood and easy to read.

Policies get off track when you start to write too much information that doesn't necessarily directly apply to the task, activity, business process at hand, that tends to bog down and clutter up the communication process.

Policies is just communication in a written form. It's a way to make sure that everybody's expectations are aligned to the organisation and all the stakeholders.

It also sets up a chance to make sure that you have a forum to effectively communicate.

John, Many Caps, New Zealand

It's not a ‘this is how you do it’.

It shouldn't contain a whole bunch of do this, it's not an SOP, or a procedure.

It should contain:

  • Who's responsible,

    • This is what the target is going to be, and

    • How we're going to get there.

Jodie, Penarth Management, United Kingdom

I'm going to start with what it shouldn't contain, and that's War and Peace.

I've seen some so-called policy documents that are huge, and to me, that's not just setting the top-level framework.

I tend to think of a policy document being a much more short, succinct document. But also, I think it's important that it should be tailored and relevant to the organisation.

Some companies when they're setting up management systems get this wrong, because they try and start with the policy document without having understood the context of the organisation, and other things that will really help them. It should feed in with who they are, what they do, which in turn will help understand what legislation may drop out of it.

Richard, Smart Quality, United Kingdom

What we shouldn't have in a policy is the companies, ‘how brilliant we are’ type stuff and the marketing spiel, that's not the purpose, and it shouldn't be in there.

It should contain some key short messages about high level direction in terms of where the continuous improvement of the business is going, where we're trying to get to, but not in a marketing speak, in a business language that is short and to the point.

Gary, QSM Group, Australia

The content of the policy is actually vital to getting a document that's able to be understood, monitored and reinforced within the business.

I'd recommend you start with determining what the technical requirements are.

The management system standards provide guidance on what broad terms or broad requirements must be contained within, for example, a safety policy, quality policy or environment policy.

There are also regulators that provide useful guidance in that regard as well.

Once you determine the minimum technical requirements, it really is important that the policy is then developed with the input of a broader group of stakeholders - they would be representatives from various levels within the business - and they actually contribute towards developing a policy that is actually appropriate to the needs of the business, taking into account those technical requirements determined earlier.

One of the issues I see all the time in what we do, is you have policies for a business at 20 or 30 people that has clearly come from a multinational business. It's largely irrelevant to that business and becomes meaningless for the people that actually have to adhere to that policy.

Overly complex, overly wordy policies tend to be not very effective, and importantly, they're very difficult to be understood throughout the organisation.

You've got to remember that a policy is not a procedure.

  • A policy is telling you what is required.

    • A procedure is telling you is how you may go about meeting the requirements of that policy.

Effective policies are usually shorter in length, they're evolved by a group of stakeholders, and they're easily understood and enforced throughout the business.

Mark, Business Basics, Australia

Policies should information as to what the company believes in, and what the company is going to do from a broad level. You don't want to get too detailed and otherwise, it gets too complicated, and people will struggle to actually follow it.

It should contain:

  • An understanding of who we are

    • An understanding accountability statements, and

    • Enough detail that someone can have a clue as to what you're doing.

It shouldn't contain the detail as to we're going to fill out form a or we're going to fill out form B or we're going to meet every Tuesday.

That is too much information for a policy which is purely a philosophical document as to who we are.

Michael, Momentum Safety and Ergonomics, Australia

Policies are going to have things like visions and objectives and general targets and those sorts of things.

Some of the things that I don't think should be in a policy is too much detail, I think most policies should try and limit themselves to around about a page.

They're not 5 to 10-page procedures which go into the how-to and outlining lots of very specific targets.

They're high level, aspirational things that we want to see happening in our workplace.

Andrew, IRM Systems, Australia

A really important tip,

it should contain things that you're actually aiming to achieve as a business.

I’ve seen a lot of broad motherhood statements that are not very well defined ‘we want to be world's best practicing...’ and you ask them, ‘well, what is world’s best practice?’ And they say, ‘well, we don't actually know’.

You've got to realize, whether it's to external auditors or to your stakeholders or the public, you're making a commitment. You must go for something you're actually aiming to achieve.

Make it reasonable.

Make it realistic.

Keep out those broad statements that sound good, but are not really achievable.


  1. A policy should contain commitments that are specific to the organisation - Do not use a generic policy statement that has nothing to do with your business.

  2. A policy should be easily understood and concise - Avoid getting overly elaborate and wordy.

  3. A policy should tell you what is required. It is NOT a 'how-to' document.

  4. It should contain achievable goals, NOT grand wishful statements.

  5. This procedure will show you how to customise your businesses context of the organisation.

170 views0 comments

Recent Posts

See All


bottom of page