Company policy essentials: focus on fundamentals

How to give your team confidence and space

Have you ever tried to read a company policy and felt like you were wading through quicksand? You're not alone. Many policies are so complex that they're rarely read, let alone followed. But it doesn't have to be this way.

Let's explore how to create streamlined policies that focus on fundamentals and how to make smart interventions when things go off track.

What are fundamentals?

These are high-level mandatory requirements that a target reader must do, or not do, for the policy to achieve its objectives. They are non-negotiable essential behaviours.

Many policy authors, passionate about their subject, include a lot of detail. As experts, they don’t struggle to understand the detail, and they may subconsciously like to show off their expertise. But their intended readers struggle; and if readers don’t understand, their behaviours may not follow.

When an author focuses on fundamentals, using simple language, they help their intended readers quickly grasp what matters most.

How to identify fundamentals?

Fundamentals are high level enough to pass all three WIN criteria:

• WHAT – they define “what” needs to be achieved, not “how”.
• IMPORTANT – they matter to owners and directors for the policy to achieve its objectives
• NEVER – the policy owner would never ignore non-compliance without an intervention. More on interventions below.

Using the classic risk-management bow-tie model can help identify these fundamentals: an event with a range of causes and a range of consequences.

• For policies managing risk, consider behaviours that make the causes less likely, or the consequences less severe. 
• Or, for policies managing objectives, consider behaviours that make the drivers of success more likely, or improve the outcomes.

For example, a fundamental for a policy on cybersecurity risk might be:

"You must apply system updates for critical vulnerabilities within 14 days of release."

It's clear, important, and non-negotiable. You can link to separate detail on what constitutes “critical” and how to apply updates.

Remember the UK NHS brought to a standstill in 2017 by a cyber attack?

It was a crude ransomware attack that only succeeded because this fundamental was missed.

It led to thousands of cancelled operations and appointments, diverted ambulances, and an estimated cost of £90m.

Making smart interventions

Once fundamentals have been defined, and policies have been fully implemented, non-compliance can still happen. The business environment is complex and always changing. When non-compliance does happen, it’s not unusual for businesses to either:

a) Ignore non-compliance.

This is often with a detail that isn’t a fundamental. But ignoring any non-compliance undermines the whole policy, and the whole suite of policies.

b) Default to disciplinary action.

This erodes trust and motivation. It can lead to surface-level compliance, or workarounds, or to issues and mistakes being concealed.

For smarter interventions, you need to REACT:

• ROOT – get to the root causes of non-compliance. For example, it may be a perceived conflict in priorities such as commercial pressure. We suggest starting from the place that people want to do the right thing.
• ENGAGE – depending on root causes, you may improve the way you engage intended readers in what’s expected in their role.
• ADJUST – you may update the fundamental requirement in the policy, or the supporting detail on how to achieve it.
• CONCEDE – you may agree that the business circumstances warrant an exception. Be rigorous about exceptions - formally approve and record them. Managed exceptions demonstrate impartiality.
• TACKLE – you may need to tackle unwanted behaviours with disciplinary action. This is deliberately last on the list. But clear fundamental requirements enable you to hold people to account if you need to.

Remember that every non-compliance, or request for clarification, or request for an exception is an opportunity to learn and improve.

Simple doesn’t mean easy

In conclusion, radically simplifying your policies to focus on fundamentals and uphold them isn’t easy.  As Mark Twain is meant to have said: "sorry for the long letter, I didn't have time to write a shorter one".

We’ve worked with experts in many organisations who have struggled to extract fundamentals from the mass of detail.

But, with perseverance, that focus has enabled them to create policies that truly guide their organisation. 

As Steve Jobs said: “Simple can be harder than complex” 

As you reflect on your company policies, you might ask yourself: are our policies focused on what matters most? Are we consistently upholding what matters most with smart, constructive interventions?

This is the third in a series of articles by our co-founder Steven Brown on our BRAVE perspective on transforming company policies into a strategic asset.

We described the four pillars of the BRAVE: Policies Accelerator in Managing Company Policies isn't Rocket Science.

'Focusing on fundamentals' is an element of the SCRIBE pillar: Write policies that users can understand. 'Making smart interventions' is an element of the SUSTAIN pillar: Monitor, uphold and improve each policy

Carolyn Clarke Michael Lucas Carrie Stephenson

#CompanyPolicies #CompanyCulture #TeamEngagement #WhatMattersMost #PolicyTransformation

We are Brave Within. We help owners and leaders manage their business for more enduring success.

Changing governance. From within. For good.

The 'BRAVE: Policies Accelerator' is our approach to making company policies a strategic asset, aligning team behaviours to sustained success.

If you found this article valuable, please share with a colleague.