In Part 1 we defined a policy as a “course or principle of actions adopted…by a…business”. (Lexico, n.d.). Policies are what ensure that protocol has support and is exercised as intended by management. Businesses normally need two types of policies:
Organisational policies explain what the organisation believes in, how it acts in certain situations, and what it expects from staff. Some examples might be a staff Code of Conduct, a Gifts and Hospitalities policy, governing the giving gifts and entertainment to customers and vendors, or a Travel Policy.
Governance policies set out how an individual staff member or system must act in specific situations and normally come to apply the organisation’s protocol and govern its procedures. We discussed protocol in Part 2 and will explain procedures in Part 4.
When is a policy needed?
A policy is normal issued to mitigate risks:
A policy can mitigate internal risks which would affect the business’s performance. For example: A policy might be set to have two members of staff count money from the cash register to prevent theft.
A policy can also mitigate external risks which the organisation does not have control over. For example: A company might set a policy that staff may not travel to a certain country due to increased safety and security concerns.
A company sets a purchase to pay policy which requires that all transactions under $500 be paid using a credit card. This is because it is cheaper to process these payments than to make bank transfers or maintain cash.
Policies can also be used to give authority when a protocol isn’t needed. For example: The approval doesn’t have a value. For example: Staff who are travelling need to provide receipts upon return for reimbursement. The manager doesn’t have explicit authority to approve expenditure but:
The staff member travelling had the trip approved by someone who did have authority; therefore, was permitted to incur the expenditure already.
The manager, who may not have authority, can approve the expenditure reimbursements because he is only reviewing receipts and confirming compliance.
The policy itself normally has the following components:
A purpose – What is this policy coming to govern? Why do we need it?
Risks mitigated – By issuing this policy, what will we gain? How will we be more confident in our operations?
The policy – What are we supposed to do, and what are we not permitted to do?
Exceptions governance – What happens if someone feels there’s an exception? Who would approve an exception to this policy?
Monitoring – How will we confirm our compliance?
Roles and responsibilities – Who is responsible to complying, and how do they do so?
Policies are normally approved by the senior leaders. In many organisations these leaders have this authority delegated to them or they are approved by the Board of Trustees (or owner in a small business).