How to make your compliance policies understandable.
You know the feeling when you spend hours and hours drafting, editing, revising and re-drafting a document, only to find out the masterpiece you poured your soul into has devolved into a convoluted pile of nonsense?
Just us? Coolcoolcool.
We’ve found that this phenomenon happens frequently with policy documents. It’s easy to get wrapped up in the little details we think we need to include, which leads to a jumbled mess rather than a coherent and useful policy. And that doesn’t help anyone, especially not the people who need the policy in the first place.
Here’s how to avoid all that by making your policies understandable.
First thing's first: Before we create or simplify a policy, does it need to be a policy at all?
If your policy will just restate the same guidance that’s in your Code of Conduct…don’t write it!! And if you’ve already written it, kill it. ☠️
Duplicative guidance only leads to confusion. Employees will question why you have a Code and a policy that say the same (or, worse, same-ish) thing—and which one is the “real” thing they have to pay attention to.
This is an invitation to mayhem, so avoid it at all costs.
Coincidentally, also the title of Broadcat’s thrash metal album.
If you have a policy on a topic that is also covered in your Code, it has to be more granular and more specific than what’s in your Code. Otherwise, stop right here. 🚫
Next, get in the right mindset: NO ONE reads policies for fun.
Let's be clear: No one reads your policies for fun—even if you require folks to attest they do. [Side note: if you require attestations, STOP IT. Attestations are fine if done for awareness purposes. Otherwise, you're pretty much asking employees to lie to you. 🤷]
People read policies because they want to do something but first want to check if it’s OK. In other words, they review policies to solve a problem. They do not proactively read them cover-to-cover just in case.
This is true of you, too—when’s the last time you sought out your company’s IT policies to read them just in case they might be relevant?
We’re pretty sure this is covered in section one.
This mindset matters because it allows you to flag which parts of the policy are most relevant for various groups of people. You need to know which part applies to them, when it applies, and what they need to do. That’s what your teams are looking for, and they’ll be frustrated if the important topics are buried or just plain hard to figure out.
This shift in perspective might also show you that shorter is not necessarily better. If you try to make something shorter just so that it won’t take too long to read cover-to-cover, you’re missing the point.
Nobody ever reads policies like they read books, so make it as long as you need, but make it navigable by focusing on headings and charts that tell people what to do. This might make the content a bit longer, but it’ll be easier for employees to use because they’ll be able to skim the content until they find what’s relevant.
Finally, be realistic and summarize well.
Reality check: Sometimes you need a policy for check-the-box legal reasons, even if those reasons don’t make sense. (And it’s not worth the argument with your legal department.)
Sometimes you just want to avoid this conversation.
This means that you might be stuck with documents that are often unattractive and hard to change. Couple that with the fact that most employees won’t read those documents anyway, and you face two major obstacles to actually doing your job.
So solve it with summaries.
Sometimes, to overcome obstacles, you need to bypass them completely and take the path of least resistance. In this case, that path is a one-page policy summary, i.e., a simple visual aid that you add to the front of your policy.
A one-page policy summary solves both of your problems:
1. It doesn’t require replacing or changing a current policy, so you can avoid a fight with your lawyers.
2. It doesn’t force employees to read the whole thing. A summary does the heavy lifting for them by highlighting the key rules that they’d otherwise spend too much time looking for.
What are those key rules? Just 4 categories—all of the guidance in your policies should fall within these:
1. What's OK
2. What's prohibited
3. What requires pre-approval
4. Manager responsibilities
And keep the summary itself super simple, like this:
This is a great exercise in empathy: It challenges you to get in the mindset of an employee who’s trying to figure out how to stay compliant. Like outlining a report, a one-page policy summary forces you to stick to a structure so that your content doesn’t go off the rails. After all, it’s not uncommon to spend so much time writing a policy that what you think the final product says and what it actually says are different. 😬
And that's it! Implement these tips, and you'll have super approachable and understandable policies in no time. 👍
Get policy templates, one-page summaries, charts, and MORE through Compliance Design Club!