What Are Business Policies and Why Do You Need Them?
Business policies are formal documents that establish rules, guidelines and expectations within your organisation. They ensure consistency, which is so important to your customers. And they provide direction on how your business operates, manages risk, and meets compliance obligations. Good business policies protect your organisation whilst enabling efficient operations and decision-making at all levels.
Quite often writing a new business policy can seem like a pain - but it can be an opportunity to challenge how your business manages a key task and make improvements at the same time.
Quality policy writing balances compliance requirements with operational reality, producing documents people actually use rather than circumvent. At Thornton & Lowe we can help you write policies for your business.
When Your Business Needs Written Policies
Understanding exactly when your organisation needs formal policies helps ensure you invest resources appropriately:
Legal and Regulatory Requirements: Most UK businesses must maintain certain baseline policies regardless of size, including:
Data Protection Policy – documenting GDPR compliance measures for personal data handling
Equality and Diversity Policy – demonstrating commitment to preventing discrimination
Modern Slavery Statement – required for larger organisations but increasingly expected from all businesses
Procurement and Tendering Requirements: Organisations pursuing public sector contracts face specific policy demands:
Government frameworks like Crown Commercial Services require bespoke policies tailored to particular contractual requirements
Local authority tenders demand evidence of detailed policies covering anti-bribery, environmental management, and business continuity. Often part of a PQQ or required on award.
While self-certification may suffice initially, organisations must provide actual policy documentation if shortlisted
Accreditation Standards: Various quality certifications require comprehensive policy documentation:
ISO standards (9001, 14001, 27001) mandate structured policies as certification elements
Industry accreditations like CHAS and SafeContractor require detailed health and safety documentation
Cyber Essentials certification assesses documented information security measures
Registration in Specialised Sectors: Regulated industries demand extensive policy frameworks:
Social housing providers need policies covering rent setting, allocations, service charges, safety procedures, maintenance protocols and more
Financial services organisations require documentation for anti-money laundering, customer treatment and complaint handling
Healthcare providers need detailed policies on care standards, medication management and safeguarding
The Policy Development Process
Conducting a Gap Analysis
Before writing a single word, conduct a thorough gap analysis to identify discrepancies between current documentation, actual practices, and requirements. This crucial first step prevents developing policies that either duplicate existing controls or miss compliance requirements.
Define your analysis scope first – whether examining your entire policy framework or focusing on specific operational areas. Gather all relevant existing documents along with applicable external requirements that will serve as assessment benchmarks (legislation, regulations, tender specifications, accreditation criteria).
Examine actual organisational practices through staff interviews, operational observations, and reviews of past incidents. This reveals critical gaps – areas where formal policies exist but aren't followed, or where effective practices operate without documentation. Pay particular attention to workarounds, as these indicate impractical or outdated policies.
Conduct a structured comparison against compliance benchmarks, assessing three dimensions for each requirement:
Whether appropriate policy documentation exists
Whether documentation reflects current practice
Whether current practice satisfies compliance requirements
This three-dimensional analysis reveals nuanced gap types requiring different remediation strategies. Prioritise identified gaps based on risk exposure, compliance significance, and operational impact to guide your development plan.
Policy Writing Best Practices
The foundation of effective policy writing lies in creating documents people will actually use. Begin by defining each policy's specific purpose, distinguishing between non-negotiable requirements and flexible implementation approaches. Engage the right stakeholders from the outset – subject matter experts, operational staff, compliance specialists, and leadership representatives.
Structure your policies consistently to help readers navigate requirements quickly:
Section
Purpose
Title
Clear, descriptive label identifying the policy's subject
Purpose Statement
Brief explanation of why the policy exists and its objectives
Scope
Description of who and what the policy covers (and exclusions)
Definitions
Explanation of technical terminology and acronyms
Policy Statements
Core rules, requirements, and standards
Responsibilities
Clearly defined roles for implementation and enforcement
Procedures
Step-by-step instructions (may be in separate documents)
Related Documents
References to other relevant policies and procedures
Review Date
When the policy will be reviewed and by whom
Use plain, straightforward language accessible to all staff regardless of technical background. Write in active voice with clear subject-verb relationships specifying who must do what. Keep sentences concise and focused on single requirements rather than bundling multiple obligations. Balance prescription with flexibility – use specific directives for critical compliance areas but focus on required outcomes rather than mandated methods where appropriate.
Consider implementation from the earliest drafting stages, identifying required resources, training needs, and potential barriers. Develop practical examples illustrating how the policy applies in common situations. Define clear roles and responsibilities for both compliance and implementation activities.
Implementation That Drives Compliance
Even perfect policies deliver no value without effective implementation. Begin with formal approval through appropriate governance channels, documenting decisions carefully as evidence for audits or accreditation.
Develop a comprehensive implementation plan addressing:
Phased implementation where immediate full compliance is impractical
Specific accountabilities for implementation activities
Create a multi-channel communication strategy explaining not just what the policy requires but why it matters. Develop training tailored to different roles and responsibilities, using diverse methods beyond traditional presentations. Most importantly, integrate policy requirements into existing workflows rather than treating them as separate compliance exercises.
Establish monitoring mechanisms providing early indicators of effectiveness – both activity metrics (measuring implementation actions) and outcome metrics (measuring compliance results). Create safe reporting channels for implementation challenges, addressing issues proactively rather than waiting for formal reviews.
Maintaining Your Policy Framework
Regular Review and Improvement
Establish risk-based review cycles rather than arbitrary timelines – high-risk policies may need quarterly reviews, whilst administrative policies might operate on biennial cycles. Most public sector procurement exercises will expect annual reviews of policies as a minimum.
Beyond scheduled reviews, establish clear triggers for reactive updates:
Conduct thorough reassessments during maintenance, evaluating continued relevance, operational alignment, and compliance effectiveness. Develop streamlined change management processes with different approval pathways based on modification significance. Document all changes comprehensively, maintaining clear audit trails and preserving previous versions for reference.
Communicate updates effectively, highlighting modifications explicitly rather than simply redistributing amended documents. Tailor communication to change significance – major revisions may warrant training sessions, whilst minor clarifications need only focused communications to affected teams.
Building Policy Writing Capability
Developing internal policy writing capability represents a strategic investment improving governance quality whilst reducing consultant reliance. Identify individuals with the right aptitude – analytical thinking, clear writing skills, and operational understanding. Build diverse policy teams combining technical specialists, operational representatives, and governance professionals.
Invest in structured skill development through training in business writing techniques, regulatory interpretation, and stakeholder consultation. Create practical tools supporting consistent development – templates, style guides, compliance checklists, and example libraries. Establish clear governance processes providing appropriate oversight without bureaucratic obstacles.
Build communities of practice connecting policy authors across your organisation, facilitating knowledge sharing and collaborative problem-solving. Recognise that effective policy authorship requires adequate resource allocation, particularly protected time for development activities. Maintain an appropriate balance between internal capability and external expertise, identifying areas where specialist knowledge justifies external support.
Prioritise policies based on risk assessment; consider phased development approaches; leverage existing industry templates where appropriate
Policy Writing for Specific Requirements
Different policy types require distinct approaches. Understanding these variations helps tailor your development process appropriately:
Compliance-Driven Policies require careful alignment with specific regulatory requirements. Begin with thorough regulatory analysis identifying exact obligations. Structure policies to demonstrate explicit compliance with each requirement. Maintain close connections between policy content and underlying regulations, allowing easy updates when requirements change.
Operational Policies focus on standardising internal processes. Involve process owners and operational staff extensively during development. Document current best practices rather than imposing theoretical procedures. Emphasise practical guidance over compliance language, using examples, workflows, and decision trees to illustrate application.
Governance Policies establish decision-making frameworks and organisational boundaries. Clearly define authority levels, approval processes, and escalation pathways. Balance prescription with appropriate delegation, allowing operational flexibility within defined parameters. Consider governance maturity when determining appropriate control levels.
Risk Management Policies outline approaches to identifying, assessing, and managing risks. Define risk appetite and tolerance clearly. Establish consistent assessment methodologies. Clarify roles and responsibilities across the three lines of defence. Link to broader governance frameworks ensuring integrated risk management.
Effective Policies as Business Assets
Good policies are valuable business assets – ensuring your core values are driven into operational delivery, defining operational boundaries, and guiding decisions at every level. They can translate abstract compliance requirements into practical guidance, making regulatory obligations achievable within everyday work.
The journey toward policy excellence requires moving beyond perfunctory documentation toward genuinely practical governance tools. This transition begins with recognising that policies serve dual audiences – satisfying external compliance requirements whilst guiding internal operations. It continues through rigorous gap analysis, collaborative development, and integration with operational systems.
By approaching policy development as a strategic capability rather than compliance obligation, you transform necessary documentation into genuine competitive advantage. The organisations that thrive in complex regulatory environments understand that policy excellence requires deliberate capability development, thoughtful governance processes, and ongoing investment in maintenance and improvement.
Thornton & Lowe Support?
At Thornton & Lowe we can help you develop policies which support your bidding process or simply help ensure best practice within your business. Contact us - we can help you understand what policies your business needs, write your policies and procedures or simply review existing policies and provide comments and feedback to help your team improve them.
Common Business Policies
Below is a list of policies that organisations commonly need to develop. This list can help you identify potential gaps in your policy framework:
In an ideal world, 4 weeks! While this may seem like a long time, it depends on how critical the policy is to the running of your business. We can work within your timelines, but if there isn't enough time for our usual process, we can draft a policy and highlight key gaps for your team to quickly add, ensuring you're up and running.
How much does it cost to write a policy?
The cost varies depending on the policy's complexity, importance, and the amount of research involved. For some policies, we may have something ready to use for free or can signpost you to helpful resources. However, if it's a more in-depth project - requiring interviews with your team, a review of your current practices, and comparison with best practices or legal/ISO requirements - our rate starts at £50 per hour.
What is the process for writing a policy?
The process generally involves understanding the specific needs of your business, researching best practices, and ensuring the policy aligns with legal or regulatory requirements. If you're on a tight timeline, we can provide a draft policy for your team to adjust. Otherwise, we follow a more detailed process to ensure the policy is comprehensive and effective for your business.
Do I need a consultant to write my policies?
While it's possible to write policies in-house, working with a consultant ensures that policies are well-researched, aligned with industry standards, and legally compliant. If you're unsure about the scope or whether your existing policies meet current requirements, our expert consultants can review and guide you.
What types of policies do businesses typically need?
Businesses often need policies related to health and safety, data protection, employee conduct, equality and diversity, and IT security, among others. We can help you identify the specific policies you need, tailored to your industry and business structure, ensuring they cover all essential areas while mitigating risks.
