What Is Policy Management? A Plain-English Guide

You have a safeguarding policy. A data protection policy. A health and safety policy. Possibly 80 more. Someone wrote them, someone approved them, and now they sit in a shared drive folder — or worse, a filing cabinet — with a "next review" date buried in the footer.

That is policy management, done badly. Here is what it looks like done properly.

Policy Management in 30 Seconds

Policy management is the process of creating, approving, distributing, reviewing, and retiring the policies your organisation needs to operate legally and effectively.

For UK regulated organisations — schools inspected by Ofsted, GP practices regulated by CQC Regulation 17, charities governed under the Charity Governance Code, and councils subject to audit — policy management is not optional. Your regulator expects you to have current, approved policies that staff can find and follow.

The word "management" is doing the heavy lifting. Having policies is easy. Keeping them current, getting them approved, proving staff have read them, and knowing which ones expire next month — that is the management part, and it is where most organisations struggle.

What Policy Management Actually Covers

Policy management has five stages. Most organisations handle the first two and neglect the rest.

1. Creation

Someone drafts a new policy — usually because a regulator requires it, legislation changes, or an incident exposed a gap. At this stage, the key question is: does this policy already exist somewhere else in the organisation? Duplicate policies with conflicting content are common, especially in multi-site organisations like MATs (multi-academy trusts) or GP practice groups.

2. Approval

The draft needs sign-off from the right people — a governing body, a board of trustees, a practice manager, or a line manager depending on the policy type. The approval workflow matters because your regulator may ask: who approved this, and when?

For schools, the governing body formally approves statutory policies. For charities, trustees are responsible. For GP practices, the practice manager or partners sign off. Without a clear approval trail, an inspector has no evidence the policy was properly authorised.

3. Distribution

Approved policies need to reach the people who follow them. A safeguarding policy locked in the head teacher's office is useless. Staff need to know where to find current policies, and for critical policies (safeguarding, data protection, health and safety), they need to confirm they have read and understood them.

4. Review

Every policy has a shelf life. Legislation changes, your services change, and what was accurate two years ago may be wrong today. How often you review depends on your regulator — but annual review is the practical minimum for most policies, with safeguarding and high-risk policies reviewed more frequently.

This is where manual tracking breaks. When review dates are stored in document footers, spreadsheet cells, or someone's memory, things get missed. A policy that was due for review six months ago will not remind you — it just sits there, quietly out of date, until an inspector asks to see it.

5. Retirement

Policies that are no longer needed should be formally retired — not just deleted. You may need to demonstrate to an auditor that a previous policy existed and when it was superseded. A clear archive with dates prevents confusion.

Why Manual Policy Tracking Fails

Most organisations under 500 staff track policies using one of these methods:

Spreadsheets. A shared Excel file or Google Sheet with columns for policy name, owner, review date, and status. This works until someone forgets to update the spreadsheet after reviewing a policy, or two people edit conflicting copies, or the spreadsheet grows to 200 rows and nobody checks the review dates anymore.

SharePoint or shared drives. Policies live in a folder structure. Review dates are either in the document footer, in the filename ("Safeguarding Policy v3 May 2024"), or nowhere. Version history exists but nobody checks it. Finding the current version of a specific policy means opening the folder and hoping you pick the right file.

Document footers. The review date is printed at the bottom of the policy PDF. This means someone has to open every document to check whether it is due for review. For 100+ policies, that is hours of work — so it does not happen.

Filing cabinets. Still common in small GP practices and parish councils. Policies are printed, signed, and filed. There is no search function, no version control, and no reminders. When an inspector asks for a specific policy, someone rummages through a cabinet.

All of these methods share the same weakness: they are passive. None of them tell you when something needs attention. The burden falls on a person — usually a school business manager, practice manager, or governance officer — to remember to check, chase, and follow up. That person is also doing their actual job.

What a Policy Management System Does

A purpose-built policy management system replaces the spreadsheet with something that actively manages the review cycle. The core features:

• Policy register — a central list of every policy, its owner, category, review frequency, and current status (try our free Policy Register Template to get started)
• Automated reminders — email notifications 90, 60, and 30 days before a policy review is due
• Approval workflow — route policies to the right approver (governing body, trustees, management team) and record their sign-off with a timestamp
• Compliance dashboard — a traffic-light view showing which policies are current (green), due for review soon (amber), or overdue (red)
• Audit trail — a complete history of who reviewed, approved, and updated each policy, and when
• Version control — previous versions are preserved and accessible, not overwritten
• Export — generate a compliance report for inspectors, auditors, or governors showing the status of every policy

The value is not in storing documents — you can store documents anywhere. The value is in the active tracking: reminders that go out automatically, dashboards that show problems before an inspector finds them, and an audit trail that proves your governance is current.

When Does Manual Tracking Stop Working?

There is no magic number, but common tipping points:

• 20+ policies — too many to track reliably in someone's head
• Multiple policy owners — coordination becomes difficult without a shared system
• Multi-site organisations — MATs, GP practice groups, and charity branches need consistency across sites
• Inspection preparation — pulling together evidence for CQC, Ofsted, or audit becomes time-consuming without a central register
• Staff turnover — when the person who "knew where everything was" leaves, institutional knowledge goes with them

If you recognise any of these, your current approach is probably costing you more time than it saves.

Next Steps

1. Read our guide to policy review frequencies to understand what your regulator expects.
2. Audit your current policies — how many do you have, and when was each last reviewed?
3. Identify your biggest risk — which policies would cause the most damage if found to be out of date during an inspection?

PolicyBoard is designed for exactly this problem — automated review reminders, approval workflows, and a compliance dashboard for UK schools, GP practices, councils, and charities. Join the waitlist to be notified when it launches.

This article is a general guide to policy management for UK organisations. It is not legal advice.