Policies and procedures in the workplace: The ultimate guide

Policies and procedures are an important part of organisational life, giving "official" instructions and guidelines on how things are done, providing clarity on dealing with issues and establishing the expected behaviours and standards of employees. No one can pretend that an organisation’s policies and procedures are going to be the most exciting read, but they can prove to be very useful reference material in providing clarity for managers and employees, helping standardise approaches and minimising risk.

In this post, we're going to do a deep dive into the world of policies and procedures, looking at what they are, why they are important and how to manage them. We’re not expecting you to love policies and procedures, but we hope by the end of the article you'll view them a little more positively!

What are policies and procedures?

Policies and procedures are sets of principles and rules that provide structure and standardisation to processes carried out across an organisation. They can range from documents which outline overarching company principles through to detailed instructions on how to carry out specific processes, as well as associated guidelines for employees.

Generally, a policy will outline principles to follow, while procedures are more detailed and spell out the steps necessary to complete a task or undertake a set of actions. Usually, a procedure is likely to change more often than an underlying policy.

Although policies and procedures are distinct, a policy document can contain procedural information and vice versa. Sometimes, the line between what is a policy and what is a procedure can be fuzzy; there can also be forms, guidelines, checklists and even user guides that fall under the “procedural” umbrella.

Why are policies and procedures important?

We need policies and procedures in the workplace for multiple reasons. Let’s explore some of the key ones.

Helping employees complete tasks and get things done

In any given working day, employees complete multiple tasks, some relating to their role and others to more general processes. Additionally, employees may have to make several decisions during the working week. Policies and procedures provide essential baseline information for employees to get things done and make accompanying decisions.

Standardising processes

Most organisations seek to standardise processes across different divisions, regions and locations in order to drive efficiency, support customer experience, raise standards and provide consistency and simplicity across complex structures and diverse workforces. Having well-defined policies and procedures underpins this standardisation.

Supporting professional conduct

Policies and procedures define expected levels of professional conduct and behaviour, covering multiple aspects of organisational life including treatment of colleagues, interaction with customers, risk management and more. Having these policies and procedures is important for the smooth day-to-day running of any business.

Supporting compliance and certification

There are a range of different policies and procedures that must be followed for regulatory, legal and compliance reasons. Businesses need to enforce these policies, and may also need to show external regulators and other bodies they are doing everything they can to make sure they are followed. The way policies and procedures are managed and disseminated is a major component of this. Similarly, organisations may have to adhere to standards such as ISO 27001 and ISO 9001, and demonstrate to the relevant certification body that policies are being followed.

Minimising risks

It’s not just legal and regulatory compliance that is important - having the right policies and procedures helps minimise risks across other areas, such as:

  • Health and safety: ensuring the wellbeing of employees and third parties, especially in areas such as construction, engineering, manufacturing and mining
  • Brand reputation: helping to preserve business image by supporting good customer service, preventing legal action, ensuring there aren’t data breaches and more
  • Supporting employees: ensuring employees follow the correct procedures to limit their personal risk and liability
  • And many more!

Helping new starters

It can be an overwhelming and even confusing time when a person starts at a new company, with a lot to do and learn. Having clear policies and procedures helps new starters complete onboarding processes and settle in more quickly; in turn, a positive onboarding experience also reduces employee turnover.

Managing change

Organisations are in a constant state of flux, and managing change across the workforce can be hard. Having clear policies and procedures helps manage change and outline new ways of working, both large and small.

Support values and wellbeing

Values and employee wellbeing are increasingly being recognised as important components of employee experience. Ensuring policies and procedures align with company values and provide safeguards for wellbeing can make a tangible difference.

Supporting an employee value proposition

The employee value proposition (EVP) of a company spells out some of its key HR policies and procedures, such as opportunities for career progression, learning and training, flexible working, maternity and paternity leave, pay and benefits and so on. The EVP of an organisation is central to attracting and retaining talent.

Common policies and procedures that every workplace needs

What are some of the common policies and procedures found in the typical workplace? Here are some of the most widespread, and most important.

General conduct

Policies and procedures will present clear expectations about employees’ workplace conduct. This can cover everything from interacting with employees and customers to lifestyle choices outside work, such as use of alcohol and drugs. As part of this, there will also be established processes around misconduct and what happens if it arises, including disciplinary procedures.

Professional conduct

Some businesses have more specific conduct guidelines to cover aspects of professional life, depending on the industry sector. Accountants, lawyers, financial services and the gaming industry, for example, all have regulatory and professional considerations that will impact individual conduct and other organisational procedures.

Regulatory compliance

Some regulated industries also have very specific additional processes they need to carry out relating to regulatory compliance. For example, financial services have a range of policies around advertising, marketing and selling that must be adhered to. Other regulated industries with strict regulatory procedures include pharmaceuticals, healthcare, energy, gaming and professional services.

HR and employment policies

There are a range of other common HR and employment policies such as those regarding maternity and paternity leave, sick pay, absence, career advancement, secondments, performance management and more. These HR policies are often an important reference point for employees during their time at a company, as well as when they are considering whether to join in the first place. As already stated, HR policies are a key part of any employment value proposition (EVP).

Travel and expenses

Most companies will have a travel and expenses policy relating to booking travel and claiming back expenses. This might stipulate the kind of travel that can be booked, how to do it and the approval process required from a manager.

Ordering equipment and other transactions

Organisations will also have policies and procedures relating to other everyday transactions that might involve approval workflow, such as ordering office equipment.

Use of technology and social media

How employees use technology and social media involves a degree of trust. Most organisations have a set of policies and procedures covering acceptable usage of technology and digital channels, both internally and externally.

Health and safety

One of the most important areas of policy and procedure is ensuring the right health and safety measures are in place. In some industries such as mining, engineering, healthcare, construction and energy, these are heavily promoted, and are key priorities at an organisational, team and individual level.

Hybrid and remote work

The pandemic has dramatically increased remote working, and many companies are now figuring out their policies and procedures relating to hybrid work and how they can make these work in the future.

Employee onboarding

As already noted, employee onboarding is crucial and can impact employee turnover. Having the right onboarding policies and procedures in place makes a big difference.

Procurement and due diligence

Procuring new suppliers and providing the necessary checks is essential in establishing successful relationships with suppliers, providing value for money and protecting an organisation’s reputation. As a result, most companies have a range of procurement and due diligence policies and procedures in place.

Policies and procedures management best practices

How should you manage your policies and procedures? There are a range of best practices to follow that will help ensure employees can easily access the latest documents and information, safe in the knowledge that they are accurate and up to date.

Allow easy access for all

Policies and procedures are there to standardise processes and minimise risks, but they also help employees get things done in the best way possible, supporting productivity and underpinning a good employee experience. Ensuring your entire workforce can easily access the right policies and procedures at the point of need is key to them being followed; there should not be groups who do not have access, such as your frontline staff. A central policies and procedures library available through your intranet is a proven model that works.

Ensure a single source of truth

Have just one source of truth for your policies and procedures to avoid issues with multiple versions that cause confusion and result in employees performing the wrong actions. Having multiple versions also undermines employee trust in any central policies and procedures library.

Keep policies and procedures up to date

Policies and procedures must always be kept up to date so they are accurate. Even if changes are small, it’s always best to execute any updates as quickly as possible, minimising the risk of errors down the line.

Keep control over versions

Establishing robust version control over policies and procedures is essential to prevent multiple versions circulating. Having a clear convention for numbering different versions and using the right solution (such as a SharePoint library) will help.

Clear ownership and lifecycle management

Many of the above best practices are achieved by having clear, defined ownership of each policy or procedure, with named individuals responsible for executing the right lifecycle management processes around regular reviews, updating their policy and more.

Make policies and procedures findable

As well as making policies and procedures easy to access, employees also need to be able to find the right information or document when required. Ensuring policies and procedures are findable and discoverable is critical. There are various approaches which help with this, including:

  • Creating a search specific to your policies and procedures library
  • Using tagging to categorise different policies to make them browsable or filterable via search
  • Creating views to filter policies by owner, function, type and topic
  • Using personalisation to show relevant policies and procedures to individual users
  • Including policies and procedures in a wider intranet, enterprise or Microsoft search
  • Using the right titles to accurately indicate policies’ purpose and contents.

Driving personalisation and targeting to ensure variations

Some policies may not be relevant to different groups of employees based on their role, location, level of hierarchy and so on. For example, in large global companies, HR policies often vary from country to country. Leveraging personalisation and targeting to ensure users access the right policies based on their profile will drive relevance and make sure the right policies are followed.

Checking for employee attestation

There are some very important mandatory policies that you will want to ensure everyone reads; sometimes, you will need to demonstrate to external parties that this has been done. These external parties are likely to be regulators or certification bodies, but they can be customers too. Running an employee attestation process where you can track who has read which policy, who has confirmed they have done so or even who has agreed to adhere to what is the best way to achieve this.

Carry out auditing when you need to

Ensure you have some kind of auditing process around your policies and procedures that records who has made changes to policy documentation and when. This helps force policy and procedure owners to take their role seriously, and also demonstrates to regulators and certification bodies that you have a robust approach to policy management.

Making policies readable and digestible

Policies and procedures are there to be used and followed, not ignored. A 50-page document written in “legalese” is never going to be read by your employees, and while it may be important to have from a regulatory, legal, compliance or risk perspective, creating a shorter version that is readable, digestible and actionable is far more likely to result in policies actually being followed.

Allowing access at the point of need

Allowing access to policies and procedures at the right time, directly at the point of need, helps boost adherence. For example, if an employee is making a travel booking, arranging easy access to the travel policy if they need to review it can be useful, even if it is just a link on the requisite form. Similarly, making it simple for your new hires to access the policies and procedures they need to read and attest to during the onboarding process will drive efficiency.

Have an agreed naming convention

Have a standard naming convention in place for your policies and procedures to ensure employees can find the right document and avoid confusion.

How policy management software can help

Many of the best practices mentioned above are enabled by having the right policy management software. A dedicated solution such as Xoralia will ensure you have the best overall approach to policy management, supporting your users, policy owners and administrators. Let’s explore the main areas where policy management software can add value.


Managing policies and procedures involves a lot of simple, repeatable tasks that can be automated. Policy management software will automate many of these, dramatically reducing the administrative burden of policy owners and digital workplace teams and allowing them to focus on more meaningful and valuable work.

Provide easy access to policies and make them findable

Providing easy, centralised access to your policies for all your employees is at the heart of successful policy distribution. Policy management software will establish a central library, and provide search and browse tools to make them findable and discoverable.

Document versioning and control

Effective document versioning is essential to make sure employees only read the very latest versions of policies and procedures.

Lifecycle management

A good policy management solution supports policy owners and admins by helping them manage their policy through its lifecycle, from creation through to archiving. The solution should help them review the policy at regular intervals, add new versions, retire old ones and more.


Sometimes, policy management needs to be audited for compliance, regulatory or certification purposes. Policy management software should support this through providing audit trails, for example.

Tracking employee attestation

Employee attestation relating to reading and confirming mandatory policies and procedures is an onerous task. Policy management software should make this easy and effortless through automation – a relief for anyone who has managed this via email and spreadsheets in the past!


Policy management software allows you to carry out any reporting and measurement relating to policy management and distribution, including employee attestation.

Managing policies and procedures? Demo Xoralia today.

Managing policies and procedures is a critical activity that every organisation should commit to. Policy management software like Xoralia makes this much easier. Why not book a demo?

Find out more about Xoralia policy management software

During the demo, we'll walk you through Xoralia’s various features and functionality, providing plenty of time for you to ask our experts questions along the way.

Xoralia 2.7.0 release notes 

Highlights of this release:

Mute reminder emails on weekends

We understand not all organisations work on weekends. So, we have given each of our Xoralia customers the option to mute notifications sent from Xoralia on weekends (Saturday and Sunday).

Cleverly, our solution now summarises the emails that should have been received on the weekend (if any), such as document read reminders and document expiry reminders, and provides a "weekend summary email" per user on Mondays.

Reminder emails consolidation

Xoralia currently sends emails as per the reminder email schedule, which is 30 days, 14 days, 7 days and 3 days ahead of the read by date deadline. However, we understand this might be too many emails should reminders of different schedules (for example 14 days and 7 days) fall on the same day.

From the release date of Xoralia v2.7, all reminder emails will be consolidated. The email subject remains "Reminder – mandatory read task", except now all documents, regardless of reminder urgency, will be consolidated into one simple email that also highlights the read by date.

Document read history recovery (within 90 days)

Perhaps a document is accidentally removed from the Xoralia library along with its read history, and after re-uploading the read history is deleted? Our new recovery feature allows documents with the same name to be assigned their previous read history records. Provided the Document Name is the same in SharePoint and the document was removed from SharePoint less than 90 days prior to re-uploading, Xoralia will auto-assign all the read history back to the document.

This covers mistakes, and intentional offline document scenarios, such as document offline reviews.

Read history re-instated for a user removed and re-added to an AD group

If a document reader is ever removed from and re-added to an AD group, Xoralia recognises that it is the same user from Active Directory being assigned the policy. Subsequently, read history within the document read history is now retained and reinstated.

New report: All overdue assignments

It is quite likely that one day you will want to view all overdue attestations/assignments across all libraries; Xoralia v2.7 covers that. With the click of one button you can see who has an outstanding assignment that is overdue, which document and version is pending action, the read by dates and how many days the task is overdue by.

Visio documents within Xoralia

Before Xoralia v2.7, the application only processed the following file types: 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'pdf', 'csv', 'txt', 'odt', 'ods', 'odp'. Xoralia now also accepts and successfully displays 'vsdx' files (Visio).

Date assigned and read by date displayed within the read report

To make it clear when documents were assigned to users, especially for assignment using AD groups, we have added the date assigned and relative read by date information to the read report. This will be useful in seeing when users were assigned the document and also if they read it on time.

Metadata refinement and re-arrangement

We have rearranged the metadata slightly so as to simplify the user interface of Xoralia. The review date has been removed as it was superfluous to the expiry date (minus 45 days).

Bug fixes

Recurring documents

Before v2.7, Xoralia's recurring document logic was not functioning correctly. As a result, the outstanding tasks for attestation after the relative read by deadline would have the deadline changed to the read end cycle, rather than being marked as overdue as intended. Also, when the document recurred, the algorithm was providing the document reader with the full recurring date period of time to re-attest to reading the document.

Moving forwards, Xoralia will provide the user the relative amount of time to read the document with the status ‘unread’, after the relative date deadline the document will be marked as overdue. The document will continue to be marked as overdue until the document has been read, even after the document should have recurred. Only once the user has read the document will the document attestation assignment recur (as set within the assignment screen by the document owner), meaning the reader may be asked to read the document again immediately (if it is within the new recurring time frame only).

If the document has continuously been read on time, the reader will only need to attest to the document once within each recurrence period.

There is also an enhancement for all recurring scenarios – including read on time, overdue, read not on time, read with a new assignment read by date after recurrence, read after recurring date. Note, no existing data will be changed, but instead the new logic will be applied to each user as their assignments are read or on the existing recurring dates if the document has already been read with the current recurring cycle.

Select all to select throughout pagination

Within the read report, there is a feature to "Select all" individuals within the tab, which can be used to mark the document as read or unread for those records, or to "Send a reminder" to the selected users. Previously the select all only worked per page, but the functionality has been enhanced so that it now caters for "Select all" across all pages within the "Read" or "Not read" tab.

% read indicator in Documents I own

When users are added to or removed from the AD group assigned to a document, the percentage read indicator will now display correctly, reflecting the increase or decrease in the AD group.

Dashboard statistics updated to reflect recurring documents

Dashboard metrics are now inclusive of recurring documents, giving a true representation of remaining unread documents, documents read on time and overdue documents.

How to ensure document attestation on your policies in SharePoint

A fundamental pillar of successful policy management is to put measures in place to ensure that policies are acted upon by your employees. Employee attestation on your policies and procedures is a popular way to ensure your policy documents are being read and understood. It’s a relatively simple idea and straightforward process, but executing it successfully can be difficult.

In this article we’re going to look at employee attestation, what it is, why it is important, how to measure it, and how policy management software can help support it.

What is policy attestation?

Attestation for your policies is sometimes known as employee attestation, policy attestation or document attestation. It is a process by which employees confirm that they have read and understood your policies and procedures, and any changes to these policies.

At its simplest, policy attestation asks employees to confirm that they have read and understood a policy by checking a box or even electronically signing a policy. More sophisticated policy attestation solutions like Xoralia also offer additional quizzes and learning options to test to see if the policy has actually been understood by employees. Attestation can then be measured to track policy success for both compliance and business reasons, with reporting on the detail of who has completed the process in order to increase the numbers.

Why do you need policy attestation?

There are several reasons why it is very important to acquire attestation for your policies.

Ensure policies are read and understood

Policies are critical and help ensure employees follow the right rules to stay safe, compliant, efficient and more. Employee attestation is a major way to ensure that policies are actually being read, understood and followed by employees.

Demonstrate compliance

There are many legal and regulatory areas that require compliance. Third-party regulators and related certification bodies, as well as insurers, will expect there to be a mechanism to ensure employees are trained and updated on compliance-related matters. Policy attestation is an excellent way to show external regulators that this is the case and also demonstrate particular policies have been disseminated to the workforce.

Change management

Policy attestation can be an important ingredient in change management efforts, for example in introducing new ways of working, changes to procedures and more, particularly if a change needs to be rolled out quickly and you need to ensure it has reached all sections of your workforce. Again, attestation is an effective way to communicate new policies and changes to policies.

Employee onboarding

The employee onboarding process usually requires new starters to get up to speed quickly with processes and procedures. Employee attestation is a useful component of any employee onboarding process and ensures that nothing gets missed.

Policy management insights

Policy attestation gives you powerful data on how effective your policies are, with insights into which policies are more easily understood, whether there are particular issues with understanding a certain policy or a section of it, and how different groups within your organisation are responding to policies.

Valuable trend data allows you to make adjustments and interventions to individual policies and the way they are managed, to improve overall policy effectiveness.

How can you measure policy management effectiveness?

There are various ways to measure policy management effectiveness, much of it being achieved through the employee attestation process. Useful measures both at the organisational and department level include:

  • The proportion of policies being read via attestation confirmation.
  • The proportion of policies being truly understood via additional quiz and learning challenges.
  • The speed at which the attestation process is being completed and understood.
  • Areas of policies that are not being fully understood, for example via responses to individual questions in any policy quiz.
  • The proportion of policies being updated and reviewed by policy holders (not related to employee attestation but very useful!).

Challenges of acquiring attestation and how policy management software helps

Acquiring attestation for policies has its challenges. Policy management software is designed to help overcome many of these, doing much of the heavy lifting around the attestation process.

Ticking the box

One key problem with attestation is that it can just end up literally being a box-ticking exercise with employees simply stating they have read and understood a policy, when they have actually done neither. While strictly speaking this may be acceptable from a compliance angle, it actually undermines the effectiveness of your policies. Policy management software like Xoralia can help by adding additional features, including using custom quizzes to actually test employees on the contents of the policy, or integrating a digital sign feature to emphasise the validity of the attestation.

Targeting the right employees

Often employee attestation for some policies is only required to be completed by a section of the workforce, such as a particular role, job family, division or employees working in a particular jurisdiction. But targeting the process to different groups can add a level of logistical complexity that takes additional time and effort. Policy management software like Xoralia makes targeting the process to different groups easy and straightforward, for example with targeting based on their Active Directory profile.

Reporting on compliance to meet regulatory needs

Regulatory and certification third parties often need evidence to show that compliance has been achieved regarding the reading of certain policies, but also that there is a process in place for future changes. If you are using email and a spreadsheet this is challenging to demonstrate. Policy management software like Xoralia that delivers employee attestation provides more comprehensive and reliable evidence, and demonstrates you have a robust process in place.

Administration of attestation

Anyone who has tried to administer an employee attestation process manually using email and a spreadsheet will know it is very time-consuming, inefficient and frustrating. It is prone to errors and very difficult to do comprehensively. Policy management software makes managing the attestation process much easier, more efficient and far less time-consuming, principally by automating communication with employees and reporting.

Attestation for new employees

New starters are usually required to read multiple documents and policies when they first join an organisation. It can be hard for them to keep on top of everything they need to do, while it is also a lot of effort for policy administrators to remember to manage the process for each new starter.

Policy management software like Xoralia allows you to automate employee attestation for new starters so when they join they automatically have a number of policies they need to confirm they have read. This provides clarity for new starters on what they need to do, while allowing policy owners to “set and forget” so employee attestation is covered as part of the onboarding process.

Attestation for changes in the policy

Policies change regularly and sometimes it is critical that employees understand what has changed both from an operational and compliance standpoint, and often at short notice. However, communication around policy changes is traditionally hard as employees tend to be very busy and already overloaded with messages. The attestation process supports policy changes too to make sure the message gets through.

Win over internal stakeholders

Internal stakeholders don't always buy into or give sufficient time to properly managing employee attestation processes for their team, department or part of the business. This might relate to launching employee attestation for policies that they manage, or getting their employees to carry out the process for other policies. When you don't get the full cooperation of all parts of the business, it makes employee attestation much harder to achieve.

Because using policy management software makes the attestation process so much easier for both users and administrators, they are more likely to buy into an overall enterprise-wide approach to attestation.

Attestation features in Xoralia

Xoralia is an advanced policy management software solution that includes a number of key features that support employee attestation.

Easy attestation

The easy attestation feature allows employees to preview and read a policy and then tick a box to confirm that they have read the document. Additionally, a quiz can be set to test the user’s knowledge of the policy to ensure it has been properly understood.

Quiz builder

The quiz builder allows content and policy owners to set their own questions for users about a policy. They can create custom questions, select from a pool of set questions and also set their own pass mark, all from an intuitive interface.

Reporting dashboard

Xoralia’s dashboard provides all the reporting that policy owners and central compliance teams need to track and drive the attestation process. It provides a breakdown of policy readership and attestation status, presenting an overall score of documents read and the average quiz score. It then allows you to break this down for each policy and by salient groups such as department, not only helping to drive compliance but also providing evidence to show to external third parties that employees are reading and understanding a new policy.

Need to support the attestation process? Get in touch!

Document or employee attestation is essential in ensuring there is effective communication and compliance relating to your policies. If you’d like to discuss how policy management software like Xoralia can support attestation then get in touch or even book a free demo.

Book a live demo

Find out more about Xoralia policy management software

During the demo, we'll walk you through Xoralia’s various features and functionality, providing plenty of time for you to ask our experts questions along the way.

Book a demo

How to keep your workforce safe with policies and procedures

Keeping employees safe is a major focus for organisations. Health & safety is an absolute priority from an ethical, legal, compliance, operational and reputational standpoint. Related topics such as employee wellbeing are also now high up on the corporate agenda. A key pillar for ensuring health & safety is having the right policies and procedures in place so that all employees follow the right steps to prevent and limit any safety incidents.

Most organisations will have safety policies in place, but then struggle to keep them up to date or ensure that they are properly followed. In this article we’re going to discuss health & safety policies and procedures, the contribution they make to workforce safety, how to develop them, and also how to overcome some of the challenges so that policies are effective.

Why does every organisation need safety policies?

Health & safety is critical in the workplace. It is imperative that your organisation has policies that keep employees safe:

  • It is the right thing to do from a moral and ethical standpoint.
  • There are legal requirements around ensuring employees are safe, with an employer having a particular duty of care around health & safety.
  • Many industries will also have policies that must be adhered to in order to keep customers and partners safe too.
  • There may be additional regulatory requirements for particular sectors where safety is a clear issue.
  • It ensures organisations can achieve any related certification that allows them to operate.
  • Ensuring safety is critical to support a company’s brand and reputation – an unsafe workplace or perception that customer safety is not guaranteed can have a major impact on an organisation’s reputation.
  • Supporting employee wellbeing supports a good employee experience, helping to attract and retain talent, while also positively contributing to increased productivity.
  • Ensuring safety avoids huge potential fines and other penalties, as well as the costs and disruption of legal action.
  • Avoiding incidents minimises disruption to operations which can be significant if there is a safety issue which needs to be checked or monitored.
  • Ensuring safety avoids higher insurance premiums caused by safety issues or lack of health & safety elements in place.

What are some of the top safety policies that need to be in place?

There are a number of common health & safety and wellbeing policies that are important for all organisations. However, some critical safety policies will differ from organisation to organisation and across industry sectors. Top safety policies include:

  • Uniform or personal protective equipment (PPE)
  • Operating machinery and equipment
  • Maintenance of machinery and equipment
  • Training and learning relating to health & safety and related processes
  • Drugs & alcohol
  • Wellbeing policy
  • Safeguarding
  • Ergonomics for office workers – both for on-site and at home
  • Safety assessments for equipment
  • Working hours
  • Driving safely
  • Working environment
  • Incident reporting
  • Fire procedures
  • And many more!

Who is responsible for safety policies and procedures?

Different teams are usually responsible for different health & safety policies and procedures. These include:

  • Health & Safety teams or functions
  • Human resources
  • Facilities and real estate
  • Legal and compliance teams
  • Frontline support
  • Operations
  • And more.

Having multiple different policy owners can make it more challenging to ensure all health & safety policies are up to date.

What roles do policies and procedures play?

When it comes to health & safety, written policies that employees can easily find and access are critical. Policies play an important role in health and safety for several different reasons.

Provide absolute clarity on the detail

Many health & safety policies and procedures are very detailed with different paths to follow dependent on multiple circumstances. They tend to be mandatory and have no room for ambiguity. Policies provide absolute clarity on the detail, so everyone across the organisation knows what they need to do to ensure their own safety and the safety of others.

Training and onboarding

Policies are an essential reference point for training staff on safety matters and often play a part in onboarding new employees. Employees may need to get to know essential safety procedures before they can then fully carry out their role.

Essential reference point for incidents or extraordinary situations

For the vast majority of organisations, a health & safety incident will be relatively rare. However, sometimes these do occur or there can be an extraordinary situation – for example a weather event – where there is a heightened risk of an incident taking place. In these cases, employees may not necessarily know what to do and need to refer to a policy.

Satisfying regulators and other third parties

Having effective health & safety policies in place is the expectation of regulators and other relevant third parties such as certification authorities, insurers and even major customers. The relevant policies need to be in place and sometimes you may need to demonstrate that this is the case, and even run attestation processes to show that employees have read and understand policies.

How to develop workplace safety policies

There are no hard and fast rules about how to develop health & safety policies but there are some good practices.

Ensure there is clear ownership and responsibilities

To start with, ensure that you have clarity around ownership of each policy and clear responsibilities relating to its creation, approval and making any changes.

Involve all the necessary stakeholders

Ensure that you involve all the business stakeholders who need to be involved in the creation and ongoing review of safety policies. Here a RACI matrix (Responsible, Accountable, Consulted, Informed) can be a helpful framework to think about which stakeholders to include. It’s also important to include any legal and regulatory compliance experts to make any necessary reviews.

Be consultative and involve employees

Ideally, policy creation should involve employees and incorporate their feedback. This can provide extremely valuable input that can help support the real-world implementation of policies and also support change management.

Ensure the policy is clear and understood

Health & safety policies must be written clearly and understood. Where possible they may also need to be translated. A policy should be written with the audience in mind, and may require additional guidance. Asking employees to review a policy before it is launched can help get suggestions to make it clearer. Running an employee attestation process can also produce insights into making further improvements.

Have change controls and review processes in place

Policies will need to be reviewed and changed, either due to some kind of trigger or event such as a change in the regulatory environment, or as part of a regular review cycle. It’s important to have a clear change control and review process in place.

The challenges of implementing safety policies and how policy management software helps

There are a number of challenges in implementing safety policies. Here, policy management software like Xoralia can make a difference.

Accessing policies and procedures

One of the major problems in policy management is establishing straightforward access to the actual policies so that they are easy to find. Sometimes all employees may have access, but actually policies are scattered across different pages of the intranet. At other times not all employees will have access - for example, frontline employees may not actually be able to reach all the policies they need to refer to.

A policy management solution like Xoralia can help by establishing a central library where all safety policies live and can be easily filtered and searched.

Version control

All too often there are multiple versions of the same policy in circulation, with earlier versions that have been superseded still being referred to. Policy management software helps establish version control with only the latest and up-to-date policy document being displayed. Because employees also know they can always find the latest version in the central policy library, they also don’t save versions on their local drives which leads to there being multiple versions in circulation.

Keeping policies up to date

One major challenge around policy management is ensuring that policy owners keep their individual policies up to date. Policy management software establishes clear ownership and uses automated notifications and workflow features to make it easier for policy owners to ensure their documents are always fully up to date.

Employee trust

Employees don’t always trust that the policies that they have are up to date or the very latest versions. This encourages bad habits such as people emailing policy owners for the latest version. Because policy management software can provide a central library of policies that are all up to date and easy to find, it can restore employee trust in the policies they access.

Employee attestation

Employee attestation is the key process that supports the dissemination of policies. Here, employees confirm they have read and understood policies, and reporting can track success and even provide evidence for compliance reasons. Policy management software will do all the heavy lifting on the employee attestation process and can even include additional features such as quizzes to test that employees have understood a policy.

Making changes and updates

Safety policies will need to be updated at regular intervals. Sometimes it will be necessary to let employees know about the change, but this can be very difficult to achieve successfully. Policy management software can use features such as personalisation, automated reminders and employee attestation to ensure employees are updated and have understood changes.

Onboarding and annual recurring policies

Employees need to know about safety policies and procedures as part of their onboarding. Some will also need to read policies each year as part of a recurring process. Organising both of these takes a huge administrative effort and doing so manually is highly inefficient. A policy management solution like Xoralia can automate much of the onboarding process relating to policies, as well as automate a recurring annual policy process.

About Xoralia

Xoralia is a leading policy management software solution that can support more effective management of your health and safety policies. It includes all the features mentioned in this article including a central policy library, employee attestation and more.

If you would like to find out more about Xoralia, why not book a free demo?

Does your organisation need security policy management?

Security is a priority for all organisations. It covers many aspects of working life – the buildings we work in, the technology we use, the data we share with others, our professional behaviour and so on. Being safe in the workplace, cyber-security, data privacy, safeguarding confidential information and other related areas are topics that all employees need to be aware of. It’s also particularly important in some industry sectors.

Security is a big topic. But one of the challenges associated with ensuring security measures are in place is that it often relies on the awareness, knowledge and co-operation of employees. Only too often, employees and their carelessness are the cause of security issues, usually inadvertently but sometimes wilfully.

Because of this it is important to have security policies in place that provide clarity for employees on security and related matters.

To support the effective distribution of security policies, organisations must have active security policy management in place. In this article, we’re going to cover what a security policy is, why we need them and how they help minimise risk. We’ll also explore some of the different types of security policy as well as some good practice tips.

What is a security policy?

A security policy can be defined as any policy which helps to protect an organisation against security threats and vulnerabilities through risk prevention as well as processes to minimise any potential damage. It can cover both the security relating to a physical building as well as technology and digital channels, and include aspects such as overarching principles, specific procedures, terms of usage and staff training.

Why do you need security policies?

Security is a priority for every organisation. It’s an area where there is little room for compromise. Policies provide clarity and a critical backbone to ensure the right procedures are followed to maintain security and reduce the associated risks.

Specifically, policies help to:

  • Prevent specific incidents by reducing vulnerabilities.
  • Reduce and contain the potential damage when an incident occurs.
  • Drive compliance with regulatory and legal requirements.
  • Keep everybody safe, supporting an organisation’s duty of care to employees, customers and suppliers.
  • Keep client and employee data secure.
  • Protect an organisation’s overall brand and reputation.

How do security policies help minimise risk?

More specifically, security policies help minimise risks in the following ways:

  • They educate employees about the approaches to take and steps to follow to support security, and are particularly important in onboarding new starters.
  • They keep employees up to date about any changes to security policies or procedures.
  • They are an essential reference point, providing absolute clarity and a definitive source of truth relating to security.
  • They support decision-making.
  • They support various different processes such as recruitment, procurement, due diligence on technology purchases, employee onboarding and more.
  • They can play a role in compliance-related reporting, particularly in regulated industries, and where standards such as ISO 27001 are important.
  • They provide essential information on processes to follow if there is an incident, so are often related to disaster recovery planning and crisis management.
  • They support the creation of new security policies and the review of existing policies.
  • They provide information on expected behaviours for employees.
  • They allow you to take action against employees if they are putting security at risk through negligence or behaviour.

What are the different types of security policy?

There are many different types of security policy, with different aspects relating to scope, theme and type.


The scope of a security policy can vary. Sometimes they can be organisation-wide and more to do with general principles, for example, setting out a “zero trust” policy. Sometimes they can apply to something more specific such as a particular topic – for example relating to information management or building security. A security policy might also apply to something more granular like a particular building or a specific application or platform.


Security policies can cover different themes, including:

  • The physical security of buildings and other assets.
  • Cybersecurity principles and actions that must be followed.
  • Data protection and privacy, ensuring the protection of client and employee data.
  • Information management, covering sensitive and confidential information.
  • Personal security for staff when travelling or undertaking work.
  • Disaster recovery plans.
  • And more!


Security policies can also be of different types:

  • General principles to follow.
  • Detailed policy and procedures.
  • A terms of usage policy.
  • Guidelines for employees.
  • Security, recovery or incident response plan to follow.
  • Access control list on who can access which system.
  • External security documents produced by a third-party such as a property management company or technical vendor.
  • Part of employee training.
  • One or more of the above!

What are some good practices in managing security policies?

The kind of good practices that help manage your security policies are not necessarily that much different to managing other kinds of policies. However, they are potentially more important as security policies are critical.

Clear ownership

Always establish clear ownership of a security policy with a named person or people who are responsible and accountable for keeping a policy up to date. Without that clear ownership, it is all too easy for a security policy not to be managed properly. In particular, sometimes ownership is attributed to a department or team; while clearly a department will have responsibility, naming the individuals helps ensure that a policy needing updating doesn’t get missed.

Version control

Version control is a central pillar of policy management. You can’t have two, three or more versions of the same policy in circulation as people may follow the wrong policy or process. It also undermines confidence and trust in policies. Always carry out robust version control with elements such as clear policy numbering and by providing access to only the latest version through your policy library. This is an area where a solution like Xoralia can help.

Regular reviews

Regular reviews of security policies by subject matter experts and policy owners are essential to ensure policies are always up to date. Having a regular review – say every six months – is important. It will also be important to have a review when there is either an external change such as a new IT system or a security incident, as circumstances will have changed.

Central access

Providing easy, central access to your security policies so everybody can find them is a must. This might be through a central policy library on your intranet or perhaps through relevant intranet pages covering IT, legal & compliance and more.

Employee attestation processes

Employee attestation processes are where people positively confirm that they have read and understood a policy, or an update to a policy. Managing this process adds an extra “nudge” to increase the likelihood of:

  • new employees reading a policy
  • all employees knowing that a policy has changed
  • being able to show regulators and other third parties that you are compliant in areas where you need to show that employees are trained in and informed about security.

Write policies so they can actually be used

No one is pretending that security policies are going to be the world’s most interesting or engaging documents, but all too often they are written in ways that make them hard to follow or make employees skip over sections.

Security policies are there to be followed. Use inclusive and accessible language, break documents up into steps so they are easier to follow, write additional guidelines, translate sections if necessary and more. Write a security policy that is there to be read and used by employees.

How Xoralia policy management software can help

Managing security policies is not always straightforward, but policy management software can help by doing a lot of the heavy lifting. Security policy management is much easier and far less time-consuming when you apply automation and ready-made features and functionality.

A robust policy management solution like Xoralia can:

  • Ensure everybody can access your security policies in a central policy library, for example reached via your SharePoint intranet.
  • Help employees find different types of security policy – and other policy types too – via a dedicated search or through browsing.
  • Enable robust version control to ensure that only the latest version of a security policy can be accessed.
  • Support policy owners in managing their policies through content lifecycle features.
  • Drive personalisation and audience targeting so different groups can see and are notified about policies they must read.
  • Action employee attestation features so that employees must confirm they have read and understood a policy, with extensive reporting that can even be used with external third-parties.
  • Go further with an additional employee attestation feature to ask questions about the content of a policy to confirm it has been digested.
  • Use automation to send reminders to policy owners to review their security policy, as well as to notify new joiners about policies they need to read, and recurring policies that need to be read each year.
  • Integrate seamlessly with your Microsoft 365 digital workplace and SharePoint intranet.
  • And more!

Arrange a free Xoralia demo!

Security policies are critical and they need active management. A policy management solution like Xoralia will help. Why not arrange a free demo?

How automated policy management software can benefit your business

Policy management is an important area for many organisations, particularly those in highly regulated industries. It reduces risk, enables decision making, ensures you have robust reporting processes in place, drives efficiency, reduces accidents and more.

Employees need to have easy access to policies, be able to find what they need quickly and easily, and understand when there have been changes. Meanwhile policy owners need to keep their policies up to date, be confident that changes have been understood, and sometimes report on this for compliance purposes.

All of the above might sound straightforward, but it can take a lot of coordination and effort, particularly when everyone is extremely busy. It only takes one out-of-date policy in circulation to create risks with a range of potential negative outcomes. Understandably, many organisations decide to invest in policy management solutions like Xoralia that help them to establish a central policy library, carry out employee attestation processes, support policy owners to manage their content and more, while significantly reducing the effort and time taken.

A key feature of a solution like Xoralia is its automation, which both saves huge amounts of time and ensures that policy owners don’t forget to carry out aspects of policy management. In this post we’re going to explore why automation is so important in robust policy management software, and how it benefits a business.

Problems with traditional policy management

One of the problems with traditional policy management is that it has tended to be carried out manually, usually using email and spreadsheets. For example, a central compliance or policy team might have to:

  • Email policy owners to remind them to update or review a policy.
  • Use email to ask individuals to confirm they have read and understood a policy (“employee attestation”), and then send follow-up emails until they have confirmed they have done so, or send these via managers.
  • Use a spreadsheet to monitor compliance reporting relating to an employee attestation process.
  • Use email and spreadsheets to monitor compliance reporting and employee attestation around policies for new starters, which may differ from group to group.

Anyone who has used email and spreadsheets for policy management, employee attestation and compliance reporting can confirm that it is a significant undertaking and administrative burden that:

  • wastes huge amounts of time which could be spent on more value-added activities.
  • is highly inefficient and prone to errors, with areas being missed.
  • significantly increases the risk of policies going out of date or more than one version of a policy being in circulation.
  • makes it harder to complete an employee attestation process and successfully report on it.
  • is extremely frustrating and tedious for the teams involved.
  • leads to less targeted efforts around policy management and attestation – for example aimed at specific groups within the organisation – as they are simply too difficult and time-consuming to manage.
  • weakens the ability of central compliance and policy teams to influence distributed policy owners.
  • leads to inconsistent approaches to policy management across an organisation.

The advantages of using an automated system

The digital workplace provides huge opportunities to automate workflows and basic, repetitive tasks. Workflow engines such as Power Automate and Nintex are evolving as “low code no code” platforms that mean even non-IT professionals can create simple automation. Specific products including policy management solutions like Xoralia are also embracing automation.

Policy management is an area where there are multiple opportunities for automation, with several advantages.

Saving time

Policy management involves multiple repetitive tasks that are very time-consuming. Chasing up on employee attestation processes. Reminding policy owners to update their policies. Notifying new starters about the policies they must read. All these can be automated, saving huge amounts of time for administrators who can then focus their efforts on more valuable and less tedious tasks.

Reducing errors

When everything is done manually, it leads to errors. People get missed and don’t have access to the right policy. Employee attestation processes aren’t complete. A policy doesn’t get updated. When you use automation, it reduces the chance of these simple but potentially damaging errors.

Standardising processes

Bringing automation to policy management helps standardise processes across different policy owners who might sit in different functions. It helps to bring a more robust approach to keeping policies up to date.

Completing the gaps for compliance and certification

As automation brings a more reliable and thorough approach to employee attestation processes, it can provide better reporting for compliance and certification purposes, not only in the actual report, but also if you are letting a third-party regulator or certification body know about how you approach employee attestation.

Automating policy management in Xoralia

Xoralia is built on SharePoint and takes advantage of the powerful workflow features within Power Automate to automate several aspects of policy management, allowing you to “set and forget” so your team can focus on more value-add activities. Xoralia’s automation focuses on three main areas.

Assignment for new joiners and leavers

Many of your policies will be assigned to different groups. When a person joins a group, they will automatically be assigned to that policy and get any notifications. This is particularly valuable for employee onboarding, as if you have a policy set for a new starter group, a new joiner will automatically be assigned and notified about the policies they need to read as part of your overall onboarding programme.

Recurring assignment notices

The need for employees to read policies is sometimes a recurring event. Sometimes for compliance, regulatory or professional reasons employees need to confirm annually they have read and agree to follow certain policies. The ability to set automatic policy notifications on a recurring basis is one of Xoralia’s most popular automation features, with the ability to set a number of days between reassignment. For example, this could be 90 days (quarterly), 365 days (annually) or any set time period – it is up to you.

Employee attestation

Employee attestation processes can involve a lot of chasing people up if done manually. Xoralia’s automation avoids this time-intensive task by automatically sending out notifications and reminders until the employee attestation process is complete. If you do want to remind someone manually, automatic reporting also can show who has yet to read or electronically sign a policy.

Want to automate aspects of policy management? Arrange a Xoralia demo!

Automation brings efficiency and accuracy to policy management. Xoralia is a policy management solution that uses automation to deliver value.

If there are aspects of managing your policies that could be automated, then why not arrange a free Xoralia demo?

Why compliance is critical and how to avoid compliance failure

Compliance with various legal and regulatory processes and procedures is a fact of organisational life. There are certain practices that must be carried out by organisations and their employees because it is the law, is mandatory for businesses in a particular sector or helps to minimise risk. Consequently, organisations spend a lot of time, effort and resources on making sure different areas of compliance are followed.

When there is a failure of compliance the consequences can range from mild to very severe. It can result in fines of millions of dollars or euros and huge damage to an organisation’s brand and reputation.

In this comprehensive guide we’re going to explore why compliance is so important and the areas that organisations need to think about in order to avoid compliance failure. We will look at what compliance is, the different reasons it’s important and the key areas that compliance relates to. We also explore the industry sectors where compliance is a particular priority. We then go on to cover the reasons for compliance failure and the consequences of a failure to comply. Finally, we look at the role that policy management can play and how software like Xoralia can reduce compliance-related risks.

What is compliance?

At a fundamental level compliance can be defined as the act of complying with a particular command or request. In terms of corporate life, compliance can be defined as the measures and practices put in place to make sure that specific legal and regulatory requirements and commitments are met and strictly adhered to. Compliance can also relate to internal policies, procedures and rules that are imposed within an organisation to reduce risk, maximise efficiency and support operations. Inevitably some internal compliance measures will be linked to external regulations too.

From an organisational point of view, compliance often involves demonstrating that you are doing everything possible to ensure compliance, for example designing processes and communicating with employees. There may well be related reporting around this, both internally and to external third parties such as regulators.

Why is compliance so important?

Compliance-related activities are not necessarily the most interesting or enjoyable elements of the working day, but they are important. While sometimes it can feel like compliance involves a lot of red tape and paperwork, and sometimes there can be more bureaucracy involved than is needed, fundamentally compliance is there for good reasons. Even if you feel some areas of compliance are unnecessary, the fact is that the relevant policies, procedures and rules will need to be followed.

Let’s explore some of the reasons why compliance is so important.

It’s the law

Some compliance is based around following the law, protecting organisations and citizens, and wider society. Breaking the law is not an option, and compliance helps to reduce the risk of legal action being taken against your organisation and the individuals within it.

Reducing risk

It’s inevitable that things will go wrong in organisations. There are problems and issues that need to be overcome, with incidents and examples of fraud, accidents, and data breaches. But compliance significantly reduces the risk of things going wrong and the frequency of incidents. It also reduces the severity of the consequences when something does occur, such as reputational damage caused to a brand.

Protect customers

Compliance impacts various areas including the delivery of products and services to customers. External regulations and internal compliance are often there to ensure that consumers are protected and a business carries out its duty of care to its customers. Compliance can also relate to protecting suppliers.

Protect employees

Compliance also protects employees so that employment law is adhered to, that the workforce operates on a level playing field, that their working environment is safe, and more. It helps to create professional standards that influence the interaction between employees. Overall, compliance ensures organisations carry out their duty of care to their employees.

Compliance also ensures that employees don’t inadvertently break the law and reduces the chance of them being liable for something that goes wrong which could result in legal or disciplinary action.

Maintains standards and competition in particular sectors

Many sectors have specific regulations that must be adhered to that ensure certain standards are met, while also helping to support competition that is ultimately beneficial to customers.

Ensure safety

A safe working environment is critical, particularly in sectors where there is a chance of accidents. Compliance supports health and safety, for example in manufacturing, construction and utilities.

Establishes privacy

Privacy is becoming increasingly important as everything we do becomes more digital. Compliance protects the data and privacy of employees and customers.

Drive efficiency and productivity

Compliance with internally produced policies and procedures is also often about driving efficiency and raising productivity, an important area that ultimately hits the bottom line.

Supports certification

Some organisations need to establish certification around various different standards, ranging from security to safety to quality. These are externally audited. Compliance supports certification.

Supports ethical approaches

Most organisations and employees want to do the right thing. Taking ethical approaches is also very important for an organisation’s brand and reputation. Compliance helps employees and organisations to make the right decisions.

What are some of the key areas where compliance matters?

Compliance matters across a whole variety of areas. The specifics and emphasis placed on each will depend very much on the industry sector an organisation operates in, the related country and region and, to a certain extent, the appetite for risk that the organisation has.

Core business activities

Often there may be regulations relating to the core business activities of an organisation either due to a professional body that covers a particular sector, or due to legislation. For example, gaming companies have restrictions on what they can and cannot offer to customers. Restaurants must follow strict environmental standards and so on.

Finance and accounting

Finance and accounting are areas where it is critical to follow the right processes around reporting, recording and declaring information. Compliance helps minimise the chance of fraud and provides reassurance to authorities, investors, employees and customers.

Health & safety

Health & safety is an area where compliance is king and minimises accidents to protect employees, as well as reducing risks around reputational damage and legal action.

Data privacy and GDPR

Data privacy is an area that has come sharply into focus in the last few years thanks to legislation such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). A number of high-profile data breaches have also ensured the protection of consumer and employee data is an area of concern for individuals.


Accessibility

Accessibility-related compliance relates both to the built environment and digital channels; this is an area where growing awareness has meant there has been more progress in recent years, but compliance is still patchy on the digital side.

Disclosure and reporting

Depending on the industry and for certain types of organisations, there will be various areas which require certain disclosure and reporting requirements. Some of these are formal, but others will be more around demonstrating to regulators that action is being taken.


Cybersecurity

Cybersecurity remains a significant problem for everyone. Compliance relating to cybersecurity matters is not necessarily required by regulators but is very important for certification such as ISO 27001. It will also be very important internally for organisations, and certain measures may also be demanded by key customers in B2B scenarios as well as by professional indemnity insurers.

HR and employment

Employment law requires compliance around particular processes including recruitment, promotion, disciplinary procedures and terminating positions. This is a key area where managers in particular must follow due process.

Sales and marketing

Sales and marketing processes will need to follow consumer laws, but in some sectors there are additional processes that must be followed, for example in financial services.


As the climate crisis starts to bite, environmental regulation and reporting will increasingly become important in the compliance landscape.

In which sectors is compliance particularly important?

Compliance is important for all organisations, but there is particular emphasis across some industry sectors or types of company. Here a failure of compliance can be a significant issue.

Sectors include:

  • Construction and engineering: these sectors have strict regulations to follow around health and safety, as well as relating to the specific construction and engineering projects.
  • Financial services: this sector is heavily regulated, for example with processes that must be followed to prevent the misselling of financial products and to reduce fraud.
  • Healthcare: healthcare depends on strict compliance with everything relating to the provision of care, as well as the protection of patient data.
  • Public sector and government: public sector organisations often have very strict processes around reporting and recording data, as well as other core activities such as procurement and contracts.
  • Utilities and mining: this is another sector where health and safety is critical and where there are also strong environmental regulations that must be adhered to.
  • Manufacturing: health & safety is important in manufacturing, not only in the process but also to ensure that products are safe to use.
  • Professional services: sectors such as accountancy and the legal industry are subject to sets of regulations including relating to professional practices, conflicts of interest and how services are marketed.
  • Aviation and transport: there are regulations around safety, treatment of passengers and more.
  • Gaming: gaming is a sector which is heavily regulated, particularly with measures that are designed to reduce gambling addiction.
  • Listed companies: listed companies have many different rules relating to reporting and disclosure with different procedures in place to protect against fraudulent practices such as insider trading.

What are common reasons for compliance failure?

There are a number of common reasons for compliance failure. Of course, organisations can never completely eliminate the risk of not complying, but they can do a lot to mitigate the risks around it.

Lack of process

Compliance requires having the right processes in place that align with compliance commitments. Where there is a lack of formal or clear process, there is a risk of not following the right process steps or rules. A badly designed process can also create risks.

Lack of monitoring and controls

Important areas of compliance need much more than a fingers-crossed approach to hope that everything is being followed. Organisations will need to have the right monitoring tools and controls to support compliance.

Lack of training and awareness

Most compliance relies on the right actions, decision-making and even goodwill of employees. Where there is not the right level of training and awareness, there is a chance that employees will not follow the right steps, increasing the risk of non-compliance.

Lack of a compliance culture

Some organisations have a strong compliance culture and a low appetite for risk, particularly in sectors such as energy and financial services. In some organisations – or in particular teams within that organisation – there may be a higher appetite for risk where corners are cut and sometimes a blind eye is turned to non-compliance.

Leaders don’t set an example

In organisations where there is a lack of a compliance culture, it may be that leaders and senior managers don’t set an example, increasing the risk of behaviours that can lead to non-compliance, or a lack of maturity relating to monitoring and reporting.

Lack of ability to report to third parties

Sometimes compliance is down to demonstrating to third parties that approaches to supporting compliance are in place, such as employees completing annual training. Not having the right reporting software in place can undermine the ability to demonstrate successful compliance.

What are the consequences of non-compliance?

There are a variety of different consequences associated with a failure to comply. These range from relatively mild to extremely serious.

Fines and worse

An organisation found to have failed to comply with regulations can face a significant fine that can stretch to millions of dollars, pounds or euros. Even if this is covered by an organisation’s indemnity insurance, it will mean premiums will rise. The consequences can even stretch beyond financial penalties, with the potential for executives to be banned from practice or even jailed if there is evidence of criminal activity.

Legal action

A failure of compliance can result in legal action. Whether this is successful or unsuccessful it will result in having to pay out legal fees, not all of which may be recovered. Sometimes organisations choose to settle out of court. Again, even if this is covered by insurance, it can mean premiums have the potential to rise.

Business disruption

One aspect of ongoing legal action or an investigation that is not often stated is the significant business disruption it can cause. Senior leaders and internal teams may have to spend significant time and energy focusing on it, while still having to manage “business as usual”. It can also be stressful and an ongoing distraction that can disrupt plans.

Processes may also have to be redesigned to avoid it happening again. It’s a disruption to operations and growth that nobody wants.

Suspension of activities

On rare occasions an organisation might have to suspend its activities due to a serious failure to comply, either because this is demanded by a regulator or authority, or because it is deemed necessary to make an urgent change to operations.

Reputational damage

A failure of compliance can cause significant reputational damage both with consumers and internally with your employees. Data breaches, high-profile accidents and financial misconduct can all damage confidence in your brand, and the record is permanently there on the internet. When there is an ongoing investigation or legal action it will also continue to appear in the news and cause damage.

The importance of policy management in compliance

Of course, there are huge amounts that need to be done to avoid compliance issues in some organisations, from introducing corporate governance procedures to redesigning processes to fundamentally shifting organisational culture. However, there are also more operational and tactical changes that can make a real difference, including taking a more robust approach to policy management.

Having the right policies and procedures in place and making sure that employees can easily access and find these is a foundation for compliance. This ensures:

  • Employees are aware of the policies and procedures they need to follow.
  • There is clarity over the finer detail of the procedural steps and guidelines that must be adhered to.
  • There are no misunderstandings about what is mandatory for compliance and what isn’t.
  • External regulators can see that policies are being effectively managed, and an organisation is doing what it can to support compliance.
  • Organisations are protected in case they need to take action against employees who deliberately choose not to follow compliance-related rules.
  • Employees are protected in case organisations try to unfairly blame them for a failure to comply.

The role of policy management software to prevent compliance failure

However, sometimes policy management is easier said than done. Despite the best intentions to introduce robust policy management to prevent a failure to comply, in practice organisations trip up because:

  • Employees simply can’t find the policies they need, and therefore might not even be aware there are rules they need to follow.
  • Policies are not adhered to due to a lack of easy access.
  • There are multiple versions of policies in circulation, causing confusion and leaving employees unsure which to follow, or even following the wrong policy or procedure.
  • It becomes very difficult to let employees know about a change to a policy.
  • It is impossible to report on effective policy management or the successful dissemination of policies to third-party regulators or certification bodies.

All of the above can result in an increased risk of compliance failure.

However, policy management software can do some of the heavy lifting around policy management and help to avoid many of the issues mentioned above. A policy management solution like Xoralia does this by:

  • Creating a central policy library that everyone can access, and where everybody can find the policies they need.
  • Ensuring there is one source of truth with strict version control to eliminate duplication of policies circulating.
  • Enabling policy management lifecycle features such as review reminders to support policy owners in keeping policies up to date.
  • Including employee attestation and even e-learning features so that employees confirm they have read and understood a policy, and are tested to ensure that knowledge is embedded.
  • Using personalisation and targeting to ensure employees find and view the policies that are relevant to them, but also are aware when there are updates.
  • Enabling compliance reporting to help internal policy management but also to show to external parties to confirm compliance efforts.

It’s critical to minimise the risk of a failure of compliance

Compliance is king, particularly in regulated sectors, and a failure to comply can be very serious. There are various measures and tactics that organisations can carry out to minimise risks around compliance failure, including introducing better policy management. If you’d like to see if Xoralia could help reduce risks in your organisation, then why not book a free demo?

Power Automate workflows

Power Automate is a cloud-based workflow automation tool that helps individuals and organizations automate their business processes. With its easy-to-use interface and pre-built connectors, Power Automate allows users to create custom workflows that automate repetitive tasks, streamline business processes, and integrate with other applications.

One of the many use cases for Power Automate is creating template documents. This can be particularly useful for businesses that frequently create standardized documents such as contracts, proposals, or invoices. With Power Automate, users can automate the creation of these documents by using pre-built templates, merging data from other sources, and even automating the approval and sending process.

Another benefit that Content Formula utilises is the ability to automate the document lifecycle beyond the creation of the content using the template. This includes anything from a simple one-step approval process to a complex, multi-stream set of workflows triggered by different metadata, which to the end user seems like a simple click of a button.

To set up these processes and ensure they are entirely relevant and valuable, our first project step is to run a discovery process. During this meeting we delve deep into your current business processes and your desired process; then, with our specialist knowledge, we try to simplify the process even further before implementing the Power Automate flow.

While implementing the Power Automate flows, we also utilise the power of Active Directory groups. For any of the flows, for example a document review or approval process, the audience used by the automation can be linked to an Active Directory group. This allows for a dynamic approach to the document lifecycle, making sure the efficiency of document updates is kept at an all-time high.

The process shown in our video demonstrates a document review and approval process. These processes have been configured to take different actions and use different styles and methods of communication to meet the requirements analysed during the discovery process.

In summary, with our specialist knowledge in Power Automate, workflows and policy management solutions (enhanced with Xoralia), we can create efficient automated processes to meet multiple criteria.

Creating a change management policy: why it’s important and what to include

Managing change is challenging for every organisation and its employees, especially in the fast-paced and ever-changing current business environment. Working patterns, use of technology, the services offered to customers and organisational culture are just some of the areas where there has been a shift in the past few years, and navigating through that change can take a lot of effort, at the organisational, team and individual level.

To help make any process of transition or change easier and more effective, many organisations choose to establish a formal approach to change management that can help with the adoption of new technologies and practices.

Having a policy is a good way to formalise the approach to change management. The level of formality required in the policy can vary depending on the organisation's needs. It can range from a comprehensive methodology that everyone must follow, to a set of guidelines that offer a more general direction or can be applied to different use cases. In both instances, having a change management policy can add value to your organisation.

In this article, we will explore different types of change management policies, the features that should be included in the policy, and how to disseminate the policy throughout the organisation.

What are some of the different types of change management policy?

Change management policies can vary based on the organisation's scope and focus. Some policies may cover the whole change management methodology and philosophy, while others may be more specific to managing change in certain areas to reduce risks.

More comprehensive policies will cover a broad range of change management areas, such as project management, IT change management, stakeholder management and changing user behaviour. Generally, these policies might have an overarching philosophy and set of steps, but then also provide detailed guidance on how to apply the methodology to different scenarios. This may be an integral part of an organisation's overall project methodology.

Sometimes change management policies are more specific to a certain scenario or use case, which means there could be more than one within any organisation. For example, there might be a very specific policy for IT change management, which outlines the detailed process that must be followed to ensure that technology changes are implemented correctly, as well as adopted.

Defining the scope of the policy

When developing a change management policy, it's essential to define the policy's scope and focus. This will help determine what needs to be included in the policy. The scope of the policy should clearly state who the policy applies to, what processes it covers, and to what extent it must be followed.

Establishing a definition of a policy provides the clarity that employees need and better positions it as an “official” document, which can then be placed in a central policy library that's easily accessible to everyone. This will also help ensure that the change management policy is visible, findable and up to date.

What should be included in a change management policy?

There is no standard set of elements to include in a change management policy and in practice policies may vary considerably from organisation to organisation, or even from function to function. However, here are some common features that are included in change management policies.


Scope:

As mentioned earlier, the scope of the policy should clearly state who the policy applies to, what processes it covers, and to what extent it must be followed.

Policy information:

The policy should also include information such as the version of the policy, the date it was issued, the date it was last reviewed, who is responsible for the policy, and who has reviewed the policy. This helps to ensure that everyone understands the importance of the methodology and that they are confident they are using the latest version.

Definition of change management and related scenarios:

It's helpful to define what is meant by change management. This term can mean different things to different people and cover elements such as adoption, support, training, communications, stakeholder management, user research and more. It is also useful to explain the different use cases that the change management policy covers, such as external projects, internal projects, IT changes and technology roll-outs, product launches and more.

Steps for change management:

Most change management methodologies have defined steps that indicate the kind of change management effort required over the lifespan of a project and potentially beyond. These steps should be clearly outlined in your policy, providing an overview of what needs to be done at each stage and also the reasoning behind it.

Very often change management policies are based on a change management philosophy such as ADKAR, which is a popular five-step model that we use here at Content Formula. With ADKAR, each step relates to different stages of changing user opinion and behaviour, so there is a very logical sequence and rationale behind the different stages.

Detail of change management techniques:

The change management policy also needs to cover the detail of some of the specific change management techniques and tactics to follow, so that people can make the right change interventions and actions at the optimum time. Techniques outlined in the policy could also be illustrated and supported by useful assets such as diagrams, presentations and even spreadsheets. There could also be specific techniques around areas such as budgeting, risk reduction, documenting change processes and more.

Link to valuable resources:

Change management is a topic where there tend to be a lot of useful resources available, as well as expertise. Your policy might include links to valuable resources, both internal and external, that can be useful reference points. There may also be a team or experts that people can contact to ask questions or seek support.

How should I disseminate a change management policy?

The way you disseminate a policy is important and will depend on factors such as whether it is mandatory, how often it is updated and if it is just being applied to a specific group such as project managers. Generally, it should sit where all your other policies sit – ideally in an easily accessible policy library, perhaps available through your intranet. Here a policy management solution like Xoralia can help in establishing one source of truth where policies can easily be found.

A policy management solution can also help you inform employees about the policy or when there are changes. If the policy is mandatory or very important, you can use employee attestation features so that all employees or a particular targeted group have confirmed they have read and understood the policy; with Xoralia you can even ask them questions to help embed understanding of the policy.

Implementing a change management policy

Change is an inevitable part of organisational life, and it is essential that organisations are prepared to manage change effectively. Creating a change management policy ensures there is a structured and systematic process in place and will help employees and organisations navigate the ever-changing workplace.

If you’d like to see how Xoralia can support you with your change management policy, then book a demo!

How to create a policies and procedure manual

Organisations spend a lot of time and energy trying to make employees follow particular policies and processes. This helps to drive efficiency, minimise risk, standardise operations, ensure compliance, support customer service and more. While creating and managing policies and procedures isn’t necessarily the most exciting activity, it’s undoubtedly critical.

One of the ways that organisations do this is by establishing a policies and procedures manual that provides employees with the “official” line on different aspects of work, including the way processes are carried out and any associated rules. It also provides guidelines to support decision-making. Given the importance that many teams place on creating robust policies and procedures, it’s often surprising how informal their approach to doing so is. In this post, we’re going to explore some of the ways that can help you to create and implement an effective policy and procedures manual or handbook.

What is a policies and procedures manual?

A policies and procedures manual is usually an overarching document or collection of documents or pages that gathers together a number of related policies and procedures. It’s usually different from a single policy or procedure because it generally consists of a collection of them.

Examples of a policy and procedures manual include:

  • an employee handbook which might be read or referred to when a person has joined the company as part of the onboarding experience
  • a series of sales processes and procedures for sales staff
  • processes to follow for call centre staff
  • a bundle of different IT policies to follow.

A manual might also be referred to as a handbook or even sometimes a playbook, although the latter term tends to be more around providing different options on how to get things done.

Why is a policies and procedures manual important?

For many of the reasons already stated, policies and procedures are a key part of organisational life. They ensure an organisation runs smoothly in the day-to-day in a consistent way, ensuring compliance with legal and regulatory commitments, and supporting professional conduct. An organisation without clarity over different policies and procedures is opening the door to risk, inefficiency, and chaos.

The “manual” or “handbook” for policies and procedures is a standard, effective, familiar and trusted way for employees to access what they need to know, providing an essential reference point and one source of truth.

Seven tips for creating and implementing a policies and procedures manual

It’s worth bearing in mind that establishing a good policies and procedures manual encompasses many of the general best practice approaches to managing policies. However, it is slightly different from managing a single policy.

Here are seven tips for creating and implementing a policies and procedures manual.

1. Work out the scope

The first thing to consider is always the scope of your manual. This will usually be focused on a particular theme such as employment, health & safety or professional responsibilities. Your manual might also be geared towards a particular group or role, such as managers, sales staff or plant workers.

In working out the scope, it’s always worth getting a balance between the information you want to convey and the main questions that a person will ask when making decisions or following process in their everyday work. You don’t want to make a manual so long, overwhelming or confusing that it puts employees off using it.

2. Manage each section as a separate policy

A manual is made up of a series of policies. It really helps to manage each section of the handbook as a separate policy. For example, different teams might be responsible for different sections of the handbook, so breaking it into sections makes governance and lifecycle management easier. Moreover, if you need to update a certain section you then don’t want to have to update the whole of the employee manual.

Perhaps most importantly, having different sections as separate policies even if presented as a single handbook, will naturally make it more digestible and easier to navigate for users.

3. Establish robust governance and lifecycle management

Governance and lifecycle management are essential pillars of managing policies. Always ensure this is applied to your handbook with clear ownership and responsibilities, and processes for reviewing and renewing each section.

You can use a dedicated solution like Xoralia to support the management of each section, for example notifying owners when they need to review the policies they are responsible for, and providing dedicated views of the status of each policy. It cannot be stressed enough how important this element of policy management is; otherwise, sections of your handbook can go out of date.

4. Present in digestible chunks via one source of truth

A policies and procedures manual must always be presented via one source of truth. Having two versions of a policy – for example reproducing an original policy as part of a manual so there are two versions – is never a good idea. Not only does it mean that you have to maintain and update two documents or pages, but there is the risk of one section contradicting the other. It can also cause confusion for users when results are presented in search.

However, presenting a whole handbook to users can present a challenge, especially if you are managing policies within separate documents or pages. In this case you may want to present a landing page as an overview of the handbook that then breaks down into separate pages or links out to different documents, ensuring that you have that one source of truth. Within SharePoint, embedding an original document within a page via the file viewer web part can also be an option. Taking this kind of approach also means your handbook is presented in a more granular and digestible format for people to find what they need and avoids people having to plough through an enormous and unwieldy PDF.

5. Reference other policies

It can be tempting to cram too much into a handbook, and sometimes you may need to refer to other policies within your company that are more peripheral to your handbook. Usually, it’s better to link to other policies rather than including or repeating that policy within your handbook structure; otherwise, things can get complicated very easily and employees can get overwhelmed with too much information.

6. Make it easy to read and access

Sometimes a policies manual or employee handbook can be written too much from the standpoint of the person or team responsible for it, rather than for the user. This is a mistake because a policy and procedure manual is there to be read and referenced. If it’s complicated, difficult to access or written in off-putting “legalese” then it won’t get used.

Of course, sometimes it is necessary to have detailed versions of policies that need to be written from a risk, legal or compliance view to protect an organisation and its employees. However, on a practical level, nobody is actually going to read the small print, so it’s always important to have a readable and actionable version of a policy. It may also be important to make sure your policies are translated into a particular language or languages if you’re working in a global company with a multi-lingual workforce.

Your manual also needs to be easy to access and reachable from channels that employees have access to. An intranet is usually a good place for people to access a central policy manual.

7. Consider using policy management software

Policy management software can help with all the above, from supporting governance to version control to establishing one source of truth to present your handbook. A solution like Xoralia takes away a lot of pain and effort associated with policy and procedure management and ultimately helps employees to follow the right processes and make the right decisions.

Creating the perfect policy and procedure manual

Creating and implementing a strong policy and procedure manual that will help employees in their daily work is important. By following the right approaches, it can also be relatively straightforward to achieve, but it’s important to get the details right. Using policy management software like Xoralia can make this easier to achieve and do much of the heavy lifting.

If you’d like to see how Xoralia can help you, why not get in touch or even arrange a free Xoralia demo?
