How to Write a Company Policy: A Practical Guide with Examples

Poorly written company policies create legal exposure, inconsistent enforcement, and confused employees. Most fail not from lack of effort but from vague language, weak structure, and poor rollout. This guide covers how to write a company policy that holds up in practice — the framework, the reusable structure, the command-word discipline, the legal red flags, and real examples of weak vs. strong policy language.

Key Takeaways

 

  • A policy is the what and why; a procedure is the how. Keep them in separate documents so each can evolve independently.
  • Follow a consistent structure across every policy — title, purpose, scope, definitions, policy statement, roles, procedures, exceptions, consequences, and revision history.
  • Use command words deliberately. Must and shall are mandatory; should is recommended; may is optional. Mixing them up creates legal exposure.
  • Write in plain, active voice. Aim for an 8th-grade reading level and sentences under 20 words.
  • Name the actor, specify the action, and quantify the standard — avoid vague terms like “appropriate,” “reasonable,” or “limited” unless defined.
  • Watch for legal red flags such as implied contracts, missing at-will disclaimers, overbroad NLRB-sensitive rules, and over-promised enforcement.
  • Policies aren’t “set and forget.” Review annually, assign a named owner, track acknowledgments, and measure whether the policy is actually changing behavior.

What Is a Company Policy?

 

A company policy is a formal written document that sets the rules, expectations, and decision-making framework for how your organization operates on a specific issue. Policies sit within a broader governance framework alongside the employee handbook, code of conduct, and standard operating procedures (SOPs).

Policy and procedure are often confused:

  • Policy — the what and the why: the rule and its reasoning.
  • Procedure — the how: the step-by-step instructions employees follow to comply.

Common categories include HR, code of conduct, attendance and leave, IT and data security, acceptable use, BYOD, confidentiality, remote work, expense reimbursement, health and safety, anti-harassment, and social media.

Why Well-Written Company Policies Matter

 

Strong policies:

  • Reduce legal liability and the risk of discrimination, wrongful termination, and retaliation claims
  • Create consistent decision-making across managers and departments
  • Support compliance with federal and state regulations — EEOC, DOL, OSHA, FMLA, ADA, Title VII, HIPAA, SOX, GDPR, and the NLRB’s rules on protected concerted activity
  • Align operations with ISO 9001, ISO 27001, SOC 2, and other certification frameworks
  • Reinforce culture and values in concrete terms
  • Speed up onboarding and training
  • Support risk management, internal controls, and business continuity

Before You Write: Pre-Work That Saves Rewrites

 

  • Identify the real trigger. A new regulation, a recurring conflict, an incident, or a compliance gap — write policies to solve specific problems, not to look thorough.
  • Run a gap analysis. Compare existing documentation against actual practice and external requirements (legislation, industry standards, accreditation criteria).
  • Define the audience. Does this apply to the whole company, to full-time staff only, to a specific department, or to contractors and vendors as well?
  • Audit your policy library. Check for overlap, contradiction, and outdated rules that the new policy will supersede.
  • Review applicable laws. Federal, state, local, and industry-specific regulations.
  • Engage stakeholders early. HR, legal, department heads, subject matter experts (SMEs), and frontline employees who’ll live with the policy.

Core Components Every Company Policy Should Include

 

Use this structure as a reusable template across your policy library:

  • Title and policy number — a numbering convention (HR-001, IT-002) supports version control and cross-referencing
  • Effective date and next review date
  • Purpose statement — one or two sentences on why the policy exists
  • Scope — who and what it applies to, including exclusions
  • Definitions — terms and acronyms used in the document
  • Policy statement — the core rules and expectations
  • Roles and responsibilities — policy owner, approver, enforcer (by title, not name)
  • Procedures or guidelines — how compliance happens in practice
  • Exceptions and escalation path — how waivers are requested and approved
  • Consequences of non-compliance — disciplinary action and grievance procedure
  • Related policies and references — links to parent policies, SOPs, and cited regulations
  • Approval signatures and revision history — for audit trails

How to Write a Company Policy in 7 Steps

 

  1. Define the purpose and trigger. What problem, risk, or regulatory requirement drives this policy?
  2. Research regulations, benchmarks, and internal context. Pull relevant laws, industry standards, peer benchmarks, and past incidents.
  3. Draft using a consistent template. Every policy in your library should follow the same structure.
  4. Write in plain, active-voice language. Assume a reader with no legal training.
  5. Review with legal, HR, and department stakeholders. Ask them what they understand their obligations to be — if their reading doesn’t match your intent, the language needs work.
  6. Obtain formal approval. Leadership sign-off creates accountability and documents the authorization.
  7. Communicate, train, and publish. Roll out through multiple channels — email, intranet, manager briefings, all-hands — and capture an acknowledgment.

At The Write Direction, the gap we see most often is between a legally sound draft and a document employees can actually understand. That’s where an editorial pass pays off.

Use the Right Command Words: Must vs. Should vs. May

 

Command-word discipline is one of the most overlooked parts of policy writing:

  • Must / shall — mandatory, non-negotiable, binding
  • Will — usually mandatory, but ambiguous because it also reads as future tense
  • Should — recommended but not required; discretion is allowed
  • May / can — optional or permitted; the employee has a choice

If a rule is mandatory, never write “should” — opposing counsel will argue the policy wasn’t binding.

Weak vs. Strong Policy Language: Real Examples

 

Vague command

Employees should make appropriate use of the company email.

Strong and specific

Employees must not use company email for personal business, mass chain messages, or non-work solicitations.

Passive, unclear ownership

Expenses will be submitted and reviewed.

Active with clear responsibility

The employee submits expense reports in Concur. The direct manager reviews and approves within five business days.

Ambiguous scope

This policy applies to all staff.

Precise scope

This policy applies to all full-time, part-time, and contract employees, including remote workers based outside the United States.

The pattern: name the actor, specify the action, quantify the standard, and define or remove words like “appropriate,” “reasonable,” and “limited.”

Readability Standards for Policy Documents

 

  • Target an 8th-grade reading level (measured with Flesch-Kincaid or a tool like Hemingway)
  • Keep sentences under 20 words where possible
  • Use descriptive H2 and H3 headings so readers can scan
  • Use bullet lists for conditions, steps, and exceptions
  • Add a quick-reference summary at the top of long policies
  • Follow plain English and WCAG accessibility principles — inclusive formatting, adequate contrast, screen-reader-friendly structure

Legal Red Flags to Avoid

 

  • Don’t create implied contracts. Avoid “permanent employment,” “guaranteed benefits,” or language that promises continued employment.
  • Include an at-will disclaimer where applicable in the US.
  • Avoid NLRB violations. Overly broad social media or confidentiality rules can illegally restrict protected concerted activity.
  • Don’t over-promise enforcement. If you commit to investigating every complaint within 24 hours, you must do it every time.
  • Don’t copy regulatory text verbatim. Summarize and cite the source (CFR, statute, or agency guidance).
  • Preserve your right to change the policy. Include: “The Company reserves the right to modify this policy at any time.”
  • Respect protected activity. Whistleblower, union organizing, and EEO-protected activity cannot be suppressed through policy language.

Best Practices That Make Policies Work

 

  • Use position titles (HR Director, IT Manager), not personal names
  • Spell out acronyms on first use — e.g., Equal Employment Opportunity Commission (EEOC)
  • Use inclusive, gender-neutral language
  • Reference related policies rather than duplicating content
  • Maintain a clear policy hierarchy — parent policies set direction, child policies handle specifics
  • Schedule annual reviews plus trigger-based reviews after regulatory changes, incidents, or restructures
  • Store policies in a central, searchable system (intranet, policy management software, or document management system)
  • Formally retire superseded policies, so employees always know what’s current

At The Write Direction, we routinely audit policy libraries for clients and find the same patterns — duplicated content, outdated regulatory references, and mandatory-language drift. Periodic editorial review keeps the library clean and defensible.

Common Mistakes to Avoid

 

  • Copying a generic template without customizing it to your business, industry, and jurisdiction
  • Leaving vague terms (“appropriate,” “reasonable,” “limited”) undefined
  • Conflating policy and procedure in a single document
  • No named owner, approver, or review cadence
  • Publishing without training or acknowledgment
  • Letting superseded policies stay in circulation
  • Writing policies that contradict stated company values

How to Measure Whether a Policy Is Working

 

Track:

  • Acknowledgment rate — percentage of employees who have signed or digitally confirmed the policy
  • Incident or violation rate — before vs. after rollout
  • Manager consistency — spot audits on how different managers apply the same rule
  • Employee clarity feedback — short pulse surveys on whether the policy is understood
  • Case resolution time — how quickly HR, compliance, or grievance cases resolve under the new policy
  • Audit findings — how the policy performs in internal audits, external audits, and certification reviews

Frequently Asked Questions

 

What is the difference between a company policy and a procedure?

 

A policy is the rule and its reasoning — it tells employees what’s required and why. A procedure is the step-by-step instructions they follow to comply with that rule. A good policy still makes sense even when the underlying procedures change, which is why they’re usually documented separately.

How long should a company policy be?

 

Aim for one to three pages per policy. If you need more space, split it into related policies or move step-by-step detail into a separate SOP or section of the employee handbook. Clarity and usability matter more than length — a 10-page policy no one reads protects no one.

Who is responsible for writing company policies?

 

Usually, HR, compliance, or a department head owns the draft, with input from legal counsel, subject matter experts, and senior leadership. Larger organizations assign a named policy owner to every policy — the person accountable for keeping it accurate, current, and enforced across its lifecycle.

How often should company policies be reviewed and updated?

 

Review every policy at least once a year. Trigger an immediate review after regulatory changes (such as new EEOC guidance or state labor law amendments), major organizational restructures, significant incidents, or employee feedback flagging confusion. Set the next review date on the policy itself so it doesn’t slip.

What are the most important company policies every business should have?

 

Core policies include a code of conduct, anti-harassment and anti-discrimination policy, equal employment opportunity (EEO) policy, attendance and leave policy (including FMLA), remote work policy, IT and data security policy, acceptable use policy, social media policy, confidentiality and NDA policy, expense and reimbursement policy, and health and safety policy. Industry and jurisdiction often add more.

Can I use a company policy template I find online?

 

Yes, as a starting point — but never publish a template as-is. Customize it to your company’s size, industry, jurisdiction, and culture, and always have legal counsel review the final version before rollout. A template is a scaffold, not a finished policy.

How do I communicate a new company policy to employees?

 

Roll out through multiple channels — email, intranet, manager briefings, and coverage at a team or all-hands meeting. Require a digital or signed acknowledgment so you have a record of receipt. For significant policies, pair the rollout with training so employees understand not just the rule, but how to apply it in context.

Bring Clarity to Your Company Policies

 

At The Write Direction, we help businesses turn legal and operational requirements into policy documents employees can read, understand, and follow. Whether you’re building a policy library from scratch or auditing what you already have, our team writes and edits with compliance and clarity in mind. If you’re ready to make your policies work harder for your business, we’d love to help you get there.
