This piece reflects the practice notes from AmpliSkill's Internal Policy Review consulting service — one of our five focused practices. The patterns described here are anonymized but representative of engagements across banking, manufacturing, and public-sector clients.
Most internal policies are written under one set of conditions and read, if they are read at all, under another. Between those two moments, a great deal of organizational reality has typically changed. The policy stays where it was. The reality moves on. And a quiet, accumulating gap opens up between what the document says and what the organization actually does.
Over the last two years, our consulting team has reviewed somewhere north of 300 internal policies across banking, manufacturing, the public sector, and a handful of conglomerates. We have read HR policies, risk policies, procurement policies, IT security policies, governance frameworks, codes of conduct, expense rules, vendor onboarding manuals, whistle-blower protocols, and more committee charters than I would care to count.
What follows are the patterns we keep seeing — not framed as a critique of any particular client, but as a working theory of why most policy environments end up where they do, and what it actually takes to fix them.
Section 01: The drift problem
The first thing to understand about most large organizations' policy environments is that nobody designed them. They accumulated.
A regulator issues a circular. Someone in compliance writes a policy in response. A merger happens. Two parallel HR policies get filed side by side, and nobody is brave enough to consolidate them. A new CEO has a strong view about expenses, and a memo becomes a policy becomes a procedure. A near-miss in a regulatory audit produces a hurriedly drafted control document that nobody is willing to remove for fear of repeating the audit. Multiply this by twenty years and you have what most large organizations actually have: a policy estate that has drifted into existence rather than been built.
The consequences of drift are predictable. Policies contradict each other. The same topic appears in three different documents with three slightly different rules. Documents reference other documents that no longer exist. Approval thresholds are stated in absolute amounts that have been silently eroded by a decade of inflation. And nobody has the time, or the mandate, to do anything about it.
The single best predictor of whether a policy is being followed is whether anyone in the organization can find it in under sixty seconds.
Section 02: Three patterns we see everywhere
Across the engagements, three structural patterns repeat almost without exception.
Pattern one: the document graveyard. Most organizations we work with have a policy library that is, on paper, comprehensive. They can produce a list of every policy that exists. What they cannot do is tell you which of those policies are actually being applied. Our typical finding is that 30 to 50 percent of nominally active policies are dead letters — either superseded, untaught, or simply unfindable by anyone outside the function that owns them.
Pattern two: the function-by-function silo. Each functional head has built a policy library that makes sense from inside their function. The risk team's policies make sense to risk people. The HR team's policies make sense to HR people. What is missing — almost always — is a coherent view across functions of how a single employee is supposed to navigate the whole estate. The result is that frontline managers carry around a private mental model of "the rules" that bears only a partial resemblance to any document.
Pattern three: the immortality of policies. Policies, once written, are extraordinarily hard to retire. Nobody wants to be the person who removed the policy that turns out to have been protecting the organization from something. So policies accumulate. The estate grows. The newest policies layer on top of older ones rather than replacing them.
The halving rule.
In every engagement we have done, the size of the policy estate that the organization actually needs is approximately half of what currently exists. Not 90%. Not 70%. Half. The other half is duplication, supersession, or accumulated noise. This number is remarkably consistent across industries.
Section 03: The five-line test
Early on, we developed a simple diagnostic that has held up well. We call it the five-line test, and it goes like this.
For any policy in the estate, the policy owner should be able to write, in five lines or fewer:
- What this policy requires people to do.
- Who is required to do it.
- What happens if they don't.
- How we would know if they aren't.
- Who reviews and updates this policy, and when.
If the policy owner cannot answer all five — and roughly 60% of the time, they cannot answer at least two — the policy is probably not doing the work the organization thinks it is doing. It is sitting in the library, taking up cognitive load, and producing very little behavioural change.
Our experience is that running the five-line test across an entire policy estate is one of the most cathartic exercises a senior leadership team can undertake. It is also one of the most uncomfortable, because the answers it produces are almost always worse than the team expected.
Section 04: What actually changes behaviour
If the diagnosis is that most policy estates are bloated, contradictory, and weakly enforced, the natural question is what to do about it. Here, our experience has produced a small number of strong opinions.
Consolidate ruthlessly. A policy estate of 300 documents almost always contains a coherent estate of 100 to 150. The work is not deleting policies; it is consolidating them. Three overlapping HR policies become one. Five procurement documents become two. The total surface area shrinks dramatically and the average quality goes up.
Make findability the first metric. A policy that cannot be found is a policy that does not exist. The single most useful intervention we have seen is the introduction of a single, searchable, well-tagged policy portal — with a search bar that actually works. Organizations that do this well report a step-change in compliance metrics within a year, often without changing the underlying rules.
Treat policies as products. Every policy needs an owner, a version, a review cycle, and a way for users to provide feedback when the policy is unclear or unworkable. The leading organizations we work with run their policy library the way good product teams run software: with releases, deprecation notices, and a backlog of user-reported issues.
The organizations that have the best policy environments are not the ones with the most policies. They are the ones that have made the smallest number of clear policies extraordinarily easy to find and apply.
What policy is for.
It is worth ending with a reminder of what policies are actually for. They are not, despite appearances, primarily for regulators or auditors — though those audiences matter. They are for the frontline manager who needs to make a decision today and wants to know whether the organization has thought about it before. They are for the new joiner who is trying to understand how this place works. They are for the ethics officer at 8pm on a Tuesday when something has gone wrong and someone needs to know what the right thing to do is.
Every policy you write is, at its best, a small gift of clarity to a colleague you may never meet, in a moment you will never see. The estate as a whole is the accumulated stock of those gifts — or, if poorly maintained, the accumulated debt of confusion, duplication, and quiet disregard.
What we've learned reviewing 300 policies
- Most policy estates have drifted into existence. Nobody designed them; they accumulated. The first step to fixing them is to acknowledge this honestly.
- The halving rule holds. Across industries, the policy estate the organization actually needs is roughly half what currently exists.
- Apply the five-line test. If the policy owner can't answer five basic questions about a policy, that policy is probably not changing behaviour.
- Findability beats rule changes. A searchable, single-source policy portal does more for compliance than most rule revisions.
- Treat policies as products. Owners, versions, review cycles, and a feedback loop. The best teams run their policy library like a software product.
If your organization has not run a serious cross-functional review of its policy estate in the last three to five years, our experience is that there is meaningful improvement waiting. Not in the form of new policies — but in the form of clearer, fewer, more findable ones, owned by people who could pass the five-line test for each.