<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>PolicyBoard Guides</title>
    <link>https://policyboard.co.uk/blog/</link>
    <description>Policy review tracking insights for regulated UK organisations — schools, GP practices, councils, and charities.</description>
    <language>en-GB</language>
    <atom:link href="https://policyboard.co.uk/rss.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>GP Practice Policy Management: Staying CQC-Compliant</title>
      <link>https://policyboard.co.uk/blog/gp-practice-policy-management/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/gp-practice-policy-management/</guid>
      <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
      <description>How GP practices manage the policies CQC expects to see — what Regulation 17 requires, which policies matter most at inspection, and how to keep them current with minimal admin.</description>
      <content:encoded><![CDATA[<p>The CQC inspection report for a six-partner practice in the East Midlands noted "inconsistent documentation of policy review." The lead inspector had asked to see the infection prevention and control policy. The practice had one. It had been approved in 2021. There was no record of whether it had been reviewed against the 2022 updates to the relevant guidance, no approval signature, and no review date. The policy existed; the governance did not.</p>
<p>Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 requires registered persons to have "systems or processes established and operated effectively to ensure compliance" with regulatory requirements — including the secure maintenance of "accurate, complete, contemporaneous" records. In practice, that means the CQC expects to see policies that are current, approved, and evidenced as reviewed — not merely filed.</p>
<p>This guide covers what CQC expects to find, which policies matter most at inspection, and how small GP practices can stay on top of the review cycle without it consuming the practice manager's week.</p>
<h2>What CQC Actually Looks for in Policy Governance</h2>
<p>CQC inspectors work through the five key questions — Safe, Effective, Caring, Responsive, Well-led — and policies come up most consistently under Safe and Well-led. The inspector is not looking for a specific word count or template. They are looking for evidence of governance: that someone owns each policy, that it was reviewed and approved within a reasonable period, and that the approved version is what staff are actually using.</p>
<p>The common governance failures CQC finds at GP practices:</p>
<p><strong>Out-of-date policies.</strong> A medicines management policy that still references the 2018 NICE guidance when the practice updated its prescribing protocols in 2023. The policy says one thing; practice does another.</p>
<p><strong>No approval record.</strong> A policy revised by a partner, saved over the previous version, but never taken to the full partnership for approval. There is a current-looking document and no audit trail.</p>
<p><strong>Version conflicts.</strong> Two copies of the safeguarding policy — one on the shared drive, one printed and in the reception folder — that differ in the referral telephone numbers. Staff are using different versions.</p>
<p><strong>No review trigger for regulatory changes.</strong> The IPC guidance was updated. Nobody reviewed the IPC policy. There is no mechanism that would have prompted a review.</p>
<p>A policy register with review dates addresses all four. What CQC wants to see is not a perfect archive — it is a governance system that catches problems before they create risk.</p>
<h2>The Policies That Come Up Most at CQC Inspection</h2>
<p>CQC does not publish a single required policy list for GP practices. The relevant requirements come from Regulation 17, the CQC guidance on Regulation 17, and the specific key questions the inspection addresses. The policies that consistently come up:</p>
<p><strong>Under Safe (S key question):</strong></p>
<ul>
<li>Infection prevention and control policy — reviewed against the latest IPC guidance (updated regularly)</li>
<li>Medicines management policy — covering prescribing, dispensing, controlled drugs</li>
<li>Safeguarding children and vulnerable adults policies — must reflect current national and local guidance</li>
<li>Health and safety policy</li>
<li>Significant event (critical incident) policy</li>
</ul>
<p><strong>Under Effective (E key question):</strong></p>
<ul>
<li>Clinical audit policy — how the practice reviews and acts on clinical data</li>
<li>Patient records policy — accuracy, access, retention</li>
</ul>
<p><strong>Under Responsive (R key question):</strong></p>
<ul>
<li>Complaints policy and procedure — with evidence of how complaints have been handled</li>
</ul>
<p><strong>Under Well-led (W key question):</strong></p>
<ul>
<li>Governance framework document — who owns what, how decisions are made</li>
<li>Confidentiality and data protection policy — aligned with UK GDPR</li>
<li>Staff recruitment and employment policies</li>
</ul>
<p>This is not an exhaustive list. Different inspections raise different policies depending on what the inspection finds. But these are the areas where inadequate policy governance is most likely to affect the overall rating.</p>
<h2>The Review Cycle Problem at GP Practices</h2>
<p>GP practices typically have thirty to fifty policies. At an annual review cycle, that is one policy review every one to two weeks on a sustained basis. Add triggered reviews — when the IPC guidance changes, when a significant event triggers a policy look, when the practice expands or restructures — and the volume is significant.</p>
<p>The review cycle fails in small practices for a predictable reason: it relies on the same person who manages appointments, staffing, premises, compliance, and supplier contracts to also track when forty policies need reviewing. That person is the practice manager, and their time is not unlimited.</p>
<p>The standard failure mode is that reviews happen in clusters — typically before an inspection — rather than continuously. The inspection then finds a cluster of policies all reviewed in the same month, which may prompt questions about whether the reviews were substantive or perfunctory.</p>
<p>A structured approach distributes the workload:</p>
<ol>
<li>
<p><strong>Categorise by review frequency.</strong> Infection control policies reviewed every six months when guidance changes. Clinical governance policies reviewed annually. Administrative policies reviewed every two years. The <a href="/tools/policy-review-schedule-generator/">Policy Review Schedule Generator</a> helps you map this across your full policy library.</p>
</li>
<li>
<p><strong>Assign owners.</strong> Not all policies need to be reviewed by the practice manager. Clinical policies are reviewed by clinical leads. Safeguarding is reviewed by the designated safeguarding lead. Distributing ownership spreads the workload and puts subject-matter expertise in the review.</p>
</li>
<li>
<p><strong>Calendar the reviews.</strong> Tie review months to the clinical year — September safeguarding reviews aligned with the new academic year, February clinical governance reviews before the annual NHS England returns, and so on.</p>
</li>
<li>
<p><strong>Record the review, not just the date.</strong> CQC wants to see evidence of a substantive review. That means a record of who reviewed, what was checked, whether anything changed, and who approved the updated version. A date in a footer is not enough.</p>
</li>
</ol>
<p>Our <a href="/tools/cqc-compliance-policy-checker/">free CQC Compliance Policy Checker</a> lists the policy areas CQC inspectors cover under each key question. It is useful both for identifying gaps and for structuring a pre-inspection self-assessment.</p>
<h2>Common Questions From Practice Managers</h2>
<p><strong>How far back do CQC reviews actually go?</strong> Inspectors typically look at the most recent review date and whether the policy has been reviewed since any material changes in relevant guidance. For IPC policies, this means reviews against current national guidance. For safeguarding, alignment with the current Working Together to Safeguard Children guidance. Policies unchanged for more than three years will draw scrutiny regardless of the dates.</p>
<p><strong>Do we need a policy for everything?</strong> No. Policies need to be proportionate to your operating context. A two-partner practice does not need the same governance structure as a Primary Care Network with fifteen partners. CQC assesses policies relative to the complexity and risk profile of the service.</p>
<p><strong>Can we use national template policies?</strong> Yes, with adaptation. Template policies from Practice Index, the BMA, or NHS regional support organisations are a reasonable starting point. CQC expects them to be adapted to reflect your practice's actual arrangements — named staff, local referral pathways, specific premises. A generic template with no adaptation is a governance weakness.</p>
<p><strong>What if a policy was reviewed but not approved at partnership level?</strong> This is common and carries risk. A policy revised by one partner but not brought to the full partnership for sign-off lacks governance authority. The revision may be clinically correct but lacks the formal accountability CQC is looking for. Bring all policy revisions to the next partnership meeting and minute the approval.</p>
<h2>Managing Policy Governance Across a Primary Care Network or Merged Practice</h2>
<p>PCN arrangements complicate policy governance. Multiple practices may share policies on safeguarding, IPC, or clinical audit. The governance question becomes: who owns the shared policy, who approves changes, and how do individual practices evidence that they are operating to the current version?</p>
<p>The answer is usually a shared register with named leads for each policy and a clear approval chain. A policy shared between three practices but owned by nobody is a governance gap waiting to surface at inspection.</p>
<p>PolicyBoard is designed to handle this kind of multi-site arrangement — shared policies with a clear owner, practice-specific review records, and an audit trail that holds up at inspection. <a href="/">Join the waitlist</a> to be notified when it launches.</p>
<h2>Sources</h2>
<ul>
<li>Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 17</li>
<li>CQC: Regulation 17 — Good Governance guidance</li>
</ul>
<p><em>This guide is written for practice managers, GP partners, and PCN leads managing policy governance at small UK primary care services. It covers general principles based on published CQC guidance and regulatory requirements. It is not legal or clinical advice — always verify requirements against current CQC inspection guidance and seek professional support for specific compliance questions.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>SharePoint for Policy Management: When to Move On</title>
      <link>https://policyboard.co.uk/blog/sharepoint-policy-management/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/sharepoint-policy-management/</guid>
      <pubDate>Thu, 25 Jun 2026 00:00:00 GMT</pubDate>
      <description>How small UK regulated organisations use SharePoint for policy management, where it runs out of road, and the criteria that tell you it is time for a dedicated tool.</description>
      <content:encoded><![CDATA[<p>The practice manager at a four-partner GP surgery spent most of Friday morning doing something that should not take most of Friday morning. The surgery keeps policies in SharePoint. Forty-three of them. When the CQC inspection notice arrived, the manager opened the document library, sorted by "Date modified," and started comparing dates to the last-review column in the spreadsheet she keeps separately because SharePoint does not have a review-date field. Three policies had no last-reviewed date recorded anywhere. One had been reviewed twice in the same month by different partners. She could not tell which version was current.</p>
<p>SharePoint is where this story starts. It is rarely where it ends well.</p>
<h2>What SharePoint Actually Does for Policy Management</h2>
<p>It is worth being precise about what SharePoint does well before getting to where it does not, because the failure mode often comes from expecting SharePoint to be something it was not built to be.</p>
<p>SharePoint does document storage competently:</p>
<ul>
<li><strong>Version history</strong> — every time a file is saved, SharePoint creates a new version. You can retrieve earlier drafts, see who saved them, and recover from overwritten changes.</li>
<li><strong>Permissions</strong> — you can restrict who can view, edit, and manage documents. Policy documents containing personal data or commercial-in-confidence information can be controlled.</li>
<li><strong>Search</strong> — within a Microsoft 365 tenancy, SharePoint search surfaces policies from any connected device.</li>
<li><strong>Co-authoring</strong> — multiple people can edit a document simultaneously. Useful when a policy owner and their line manager are working through a revision together.</li>
<li><strong>Integration with Teams and OneDrive</strong> — policies in SharePoint are accessible directly from Teams channels, which is where many staff spend their working day.</li>
</ul>
<p>For an organisation with fewer than twenty policies and one person who owns the management process, SharePoint does most of what is needed without any additional cost.</p>
<h2>Where SharePoint Runs Out of Road</h2>
<p>The limitations are not random — they follow directly from what SharePoint is: a file management system, not a policy governance system. Once you start expecting policy governance from it, the gaps become visible.</p>
<h3>Review scheduling is entirely manual</h3>
<p>SharePoint has no concept of a "review date." There is no field in the document library that triggers a notification when a policy is due for review. The closest you can get is:</p>
<ul>
<li>Add a custom metadata column called "Next Review Date"</li>
<li>Configure an alert that emails you when the column value equals today's date (which requires Power Automate, custom flows, and ongoing maintenance)</li>
<li>Or rely on a separate spreadsheet</li>
</ul>
<p>Most organisations do the third. The spreadsheet works until the person who built it leaves, or it is not shared with the right people, or it gets out of sync with the actual document versions in SharePoint. At that point you have the GP surgery situation: a document library and a spreadsheet that are telling different stories.</p>
<p>The <a href="/tools/policy-review-schedule-generator/">Policy Review Schedule Generator</a> does this in a browser in a few minutes — but the point is that SharePoint requires you to build your own scheduling system around it.</p>
<h3>Approval workflows require technical configuration</h3>
<p>For a policy to be formally approved — by a governing body, trustee board, practice partners, or council — someone needs to confirm the approval and timestamp it. SharePoint has approval workflows through Power Automate, but they require:</p>
<ul>
<li>Knowledge of Power Automate (a separate Microsoft tool)</li>
<li>Building the workflow for each policy type or routing requirement</li>
<li>Maintaining the workflow when approval authorities change</li>
<li>Troubleshooting when it stops working</li>
</ul>
<p>Small regulated organisations do not have IT departments. Expecting the school business manager or the parish clerk to configure and maintain Power Automate approval flows is not realistic. In practice, approvals happen via email and the record is an email chain that nobody can find at inspection time.</p>
<h3>Compliance dashboard does not exist</h3>
<p>You cannot open SharePoint and see: "12 policies current, 3 due for review within 30 days, 1 overdue, 4 no review date." That view does not exist. You can create it with SharePoint lists, calculated columns, and conditional formatting — but it will take half a day to build, will break when someone renames a column, and needs someone to maintain it.</p>
<p>The absence of a compliance view matters most when an inspection is announced. The first thing an inspector asks — whether CQC, Ofsted, or the Charity Commission — is "show me your policy register and tell me when each policy was last reviewed." In SharePoint, answering that question accurately requires manually checking every file's metadata.</p>
<h3>No sector-specific context</h3>
<p>SharePoint does not know that your school needs the statutory policies maintained-schools guidance requires, or that your GP practice needs policies covering every regulation CQC will inspect against. You have to build that context yourself: categories, required policies per regulator, sector-appropriate review frequencies. A policy management system designed for regulated organisations has that built in.</p>
<h3>Not accessible without Microsoft 365</h3>
<p>Parish councils, small charities, and independent schools often do not use Microsoft 365. Their staff may use a mix of Google Workspace, paper-based systems, or minimal IT infrastructure. For these organisations, SharePoint is simply not an option.</p>
<h2>When SharePoint Is the Right Answer</h2>
<p>The cases where SharePoint is genuinely the right answer for policy management:</p>
<ul>
<li><strong>Fewer than 30 policies</strong> and one person managing them</li>
<li><strong>No regulatory inspection requirement</strong> (the organisation is not CQC-registered, Ofsted-inspected, Charity Commission-regulated, or subject to external audit for governance)</li>
<li><strong>Already deep in Microsoft 365</strong> with IT support to configure and maintain workflows</li>
<li><strong>No multi-site complexity</strong> — single location, single management layer</li>
</ul>
<p>If all four are true, the cost of moving to a dedicated tool is hard to justify.</p>
<h2>The Signals That Tell You SharePoint Has Run Out of Road</h2>
<p>Most small UK regulated organisations discover SharePoint's limits at one of three moments:</p>
<p><strong>The inspection prep moment.</strong> An inspection notice arrives and someone needs to produce a complete, accurate policy register with last-reviewed dates within 48 hours. Producing that from SharePoint requires manual checking of every file. The first time this happens under pressure, organisations start looking for something better.</p>
<p><strong>The version conflict moment.</strong> Two people update the same policy. SharePoint creates versions, but the metadata — the review date, the owner, the approver — may not be updated consistently. An inspector asks for the current approved version and there is uncertainty about which one it is.</p>
<p><strong>The team handover moment.</strong> The person who built and maintained the SharePoint structure leaves. Their successor inherits a document library with inconsistent metadata, unmaintained workflows, and a spreadsheet that is three months out of date.</p>
<p>If any of these situations describes your organisation's current experience, the question is not whether SharePoint is the right long-term answer — it is not — but what you are moving to.</p>
<h2>What a Dedicated Policy Management System Does Differently</h2>
<p>The difference is not additional features bolted onto a document management system. It is a different design intent from the ground up:</p>
<ul>
<li><strong>Review dates are the core data structure, not a metadata field.</strong> The system is built around the assumption that every policy has a review cycle. Reminders fire automatically. Overdue reviews surface in a dashboard without anyone checking.</li>
<li><strong>Approval workflows are configured, not built.</strong> Different policies can route to different approvers — the governing body for statutory policies, the practice manager for clinical policies — without Power Automate.</li>
<li><strong>The compliance dashboard is the starting point.</strong> What is current, what is due, what is overdue — visible at login, not at the end of a manual audit.</li>
<li><strong>Sector context is built in.</strong> The system knows what a CQC-registered practice needs. The system knows what maintained schools guidance requires. You do not have to replicate that knowledge in a document library column.</li>
</ul>
<p>PolicyBoard is designed for exactly this: small UK schools, GP practices, charities, and councils that have outgrown SharePoint for policy management. Automated review reminders, approval workflows, compliance dashboard, and audit trail — without requiring Microsoft 365 or IT support to configure. <a href="/">Join the waitlist</a> to be notified when it launches.</p>
<h2>SharePoint Policy Management: The Practical Summary</h2>
<p>SharePoint works for policy management when the portfolio is small, the team is stable, and no regulator will ask for a timestamped compliance picture. It runs out of road when review scheduling needs to be reliable, when approval governance needs an audit trail, or when an inspection requires a complete compliance overview in minutes rather than hours.</p>
<p>The <a href="/blog/policy-management-beyond-sharepoint/">policy management beyond SharePoint guide</a> covers the common patterns in more detail. If you are evaluating alternatives, the <a href="/blog/what-to-look-for-policy-management-software/">what to look for in policy management software guide</a> covers the criteria that matter for small regulated organisations.</p>
<p><em>This guide is written for compliance leads, school business managers, practice managers, and council clerks at small UK regulated organisations evaluating their current policy management arrangements. It is not legal advice and is not an endorsement or criticism of any specific technology platform.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Policy Tracking Software: What UK Compliance Teams Need</title>
      <link>https://policyboard.co.uk/blog/policy-tracking-software/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/policy-tracking-software/</guid>
      <pubDate>Wed, 17 Jun 2026 00:00:00 GMT</pubDate>
      <description>What to look for in policy tracking software as a small UK regulated organisation — the features that matter, and the enterprise extras you can safely skip.</description>
      <content:encoded><![CDATA[<p>A practice manager at a GP surgery searches for "policy tracking software" the week after an inspection flagged two expired policies. The first page of results is enterprise compliance platforms built for multinationals — feature lists three screens long, "request a demo" buttons, and pricing that starts where a small practice's entire software budget ends.</p>
<p>That mismatch is the whole problem. Most small UK regulated organisations do not need a compliance platform. They need to know which policies are due for review, get reminded before the deadline, and prove at inspection that every policy is current. This guide covers what policy tracking software actually has to do for a small organisation, the features worth paying for, and the ones marketed at you that you can safely ignore.</p>
<h2>What "Policy Tracking" Means (and Why It's Different from Document Storage)</h2>
<p>Policy tracking is keeping a live picture of your policies' review status: what exists, when each was last reviewed, when each is next due, who owns it, and which ones are overdue right now. That is a different job from storing the documents.</p>
<p>A shared drive or document library stores files. It does not track them. Nothing on a SharePoint folder tells you that the safeguarding policy is six weeks overdue for review, reminds the owner before the deadline, or produces an at-a-glance view of which policies are current. Storage answers "where is the file?" Tracking answers "is this policy current, and who needs to act?"</p>
<p>That distinction matters because the failure that surfaces at inspection is almost never "we lost the file." It is "the file exists but it is out of date and nobody noticed." Tracking software exists to catch the second one. (For the wider question of why document control matters in the first place, see our guide on <a href="/blog/why-document-control-important/">why document control matters in regulated UK organisations</a>.)</p>
<h2>The Features That Actually Matter for a Small Organisation</h2>
<p>When you strip away the enterprise marketing, a small regulated organisation needs five things from policy tracking software:</p>
<ol>
<li><strong>A policy register you can see at a glance.</strong> Every policy in one list with its owner, last-reviewed date, review cycle, and next-review date. If you cannot get the whole picture on one screen, the tool is working against you. Building one from scratch is straightforward — our <a href="/blog/how-to-build-policy-register/">step-by-step guide to building a policy register</a> walks through the structure — but a tracking tool should give you this as the home screen.</li>
<li><strong>Automated review reminders.</strong> Reminders that fire well before a deadline — not on the day it is already overdue — to the named policy owner, with escalation if the date passes. This is the single feature that prevents the expired-policy-at-inspection scenario.</li>
<li><strong>A traffic-light status view.</strong> Green for current, amber for due soon, red for overdue. A compliance dashboard you can show an inspector or a board in ten seconds beats a spreadsheet you have to interpret.</li>
<li><strong>An audit trail.</strong> A record of when each policy was reviewed, what changed, and who approved it. When an inspector asks for evidence of review, the audit trail is the answer — a date in a document footer is not.</li>
<li><strong>Export for inspection or audit prep.</strong> The ability to produce a clean register or compliance report when you need to hand evidence to CQC, Ofsted, an auditor, or a board.</li>
</ol>
<p>If a tool does those five well, it solves the actual problem. Everything beyond that is a question of whether the extra features earn their cost.</p>
<h2>The Features You Can Probably Skip</h2>
<p>Enterprise policy and compliance platforms bundle a lot that a small organisation will never use — and you pay for all of it. Be honest about whether you need:</p>
<ul>
<li><strong>Staff attestation at scale.</strong> Tracking that every one of 5,000 employees has read and acknowledged each policy is genuinely useful at enterprise scale. For a 60-person practice or a single school, it is often more process than the risk warrants.</li>
<li><strong>Multi-framework control mapping.</strong> Platforms that map policies to dozens of compliance frameworks simultaneously are built for organisations juggling many overlapping regimes. A single-sector UK organisation usually answers to one main framework.</li>
<li><strong>Workflow automation engines.</strong> Configurable approval workflows with conditional routing are powerful and complex. A small organisation's approval route is usually short enough to handle with a simple sign-off step.</li>
<li><strong>Integrations you have no system to integrate with.</strong> Connectors to enterprise HR, GRC, and identity platforms add to the price and the setup. If you do not run those systems, the integrations are dead weight.</li>
</ul>
<p>None of these features is bad. They are simply priced and designed for organisations far larger than the typical small UK regulated body — and paying for them is how small organisations end up with software that costs more than the problem it solves.</p>
<h2>How to Tell Enterprise Tools from Small-Organisation Tools</h2>
<p>The clearest signals that a tool is built for someone bigger than you:</p>
<ul>
<li><strong>Pricing is "contact us" rather than published.</strong> Hidden pricing usually means enterprise-tier, sales-led, and negotiated — a sign you are not the target customer.</li>
<li><strong>Onboarding requires an implementation project.</strong> If you need a consultant to get started, the tool assumes a scale and complexity you may not have.</li>
<li><strong>The free tier is a 14-day trial, not a usable free plan.</strong> Tools built for small organisations often let you start free at a sensible limit and pay only when you outgrow it.</li>
<li><strong>The feature list leads with governance, risk, and compliance breadth</strong> rather than the basics — register, reminders, dashboard. Breadth-first marketing targets buyers managing many regimes; small organisations are better served by depth on the basics.</li>
</ul>
<p>You are looking for a tool whose default configuration matches a small organisation out of the box — not one you have to scale down.</p>
<h2>A Quick Way to Decide</h2>
<p>Before you book a single demo, write down three things:</p>
<ol>
<li><strong>How many policies do you actually track?</strong> Twenty? Forty? Eighty? The number tells you whether you need a tool at all or whether a well-maintained register plus a <a href="/tools/policy-review-schedule-generator/">review schedule</a> is enough for now.</li>
<li><strong>What is the one failure you are trying to prevent?</strong> For most small regulated organisations it is "an expired policy is found at inspection." A tool that prevents that specific failure — through reminders and a status dashboard — is worth more than one with a hundred features that do not.</li>
<li><strong>What can you realistically maintain?</strong> A tool only works if someone keeps it current. Match the complexity to the time you have. For a fuller decision framework, our guide on <a href="/blog/what-to-look-for-policy-management-software/">what to look for in policy management software</a> covers the evaluation criteria in depth.</li>
</ol>
<p>Pick the simplest tool that prevents your one failure and that you can keep up to date. Anything more is paying for someone else's scale.</p>
<h2>Frequently Asked Questions</h2>
<h3>What is policy tracking software?</h3>
<p>Policy tracking software keeps a live record of your organisation's policies and their review status — what exists, when each was last reviewed, when each is next due, who owns it, and which are overdue. It typically adds automated review reminders, a traffic-light status dashboard, and an audit trail, so you can prove every policy is current.</p>
<h3>How is policy tracking different from storing policies on a shared drive?</h3>
<p>A shared drive stores the files; it does not track them. It cannot tell you a policy is overdue for review, remind the owner before the deadline, or show an at-a-glance view of which policies are current. Tracking software adds the review-status layer on top of storage.</p>
<h3>Do small organisations need policy tracking software?</h3>
<p>Not always. If you have a handful of policies, a well-maintained register and a review schedule may be enough. The case for software grows with the number of policies, the number of owners, and the cost of an expired policy being found at inspection. The trigger is usually when a spreadsheet stops being reliable.</p>
<h3>What should I look for in policy tracking software as a small UK organisation?</h3>
<p>Five things: a policy register you can see at a glance, automated review reminders before deadlines, a traffic-light status dashboard, an audit trail of reviews and approvals, and export for inspection or audit prep. Features built for enterprise scale — attestation across thousands of staff, multi-framework mapping, complex workflow engines — are usually more than a small organisation needs.</p>
<h2>Sources</h2>
<ul>
<li>CQC: Regulation 17 — Good governance</li>
<li>DfE: Maintained Schools Governance Guide</li>
</ul>
<p><em>This guide is designed for UK practice managers, compliance leads, school business managers, and governance officers evaluating how to keep their policies current. It is general guidance, not a product endorsement or legal advice — assess any tool against your own sector's requirements and your organisation's governance framework.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Policy Review Template: UK Framework and Checklist</title>
      <link>https://policyboard.co.uk/blog/policy-review-template/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/policy-review-template/</guid>
      <pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate>
      <description>A reusable policy review template for UK regulated organisations — what each review must check, who signs off, and how to record it for inspection.</description>
      <content:encoded><![CDATA[<p>A compliance lead at a small housing association pulls up the fire safety policy two weeks before an audit. It was "reviewed" in 2023 — there is a date in the footer. But there is no record of what was checked, who approved it, or whether anything actually changed. The audit asks for evidence of review. A date in a footer is not evidence.</p>
<p>A policy review template fixes that. It turns "we looked at it" into a documented, repeatable process: what the reviewer checked, what changed, who approved it, and when the next review is due. This guide gives you a reusable framework you can apply to any policy, in any sector — schools, GP practices, housing associations, councils, or charities — plus the specific things each review must confirm and the review cycles UK regulators expect.</p>
<h2>What a Policy Review Template Actually Needs to Capture</h2>
<p>A useful policy review template is not a form you fill in once. It is a record that proves the review happened and shows what it found. At a minimum it should capture:</p>
<ul>
<li><strong>Policy name and reference</strong> — the exact title and any internal reference number, so the review maps to a specific document in your register.</li>
<li><strong>Version reviewed</strong> — which version you checked, so the audit trail links the review to the actual text.</li>
<li><strong>Review date and reviewer</strong> — who did the review and when.</li>
<li><strong>Statutory or regulatory basis</strong> — the legislation, regulation, or guidance the policy exists to satisfy (e.g. a CQC regulation, an Education Act section, a Health and Safety requirement).</li>
<li><strong>What was checked</strong> — a short checklist confirming the policy is still accurate, legally current, and reflects actual practice.</li>
<li><strong>Changes made</strong> — what was amended, or an explicit "no changes required" with a reason.</li>
<li><strong>Approval</strong> — who approved the reviewed version and at what governance level (board, governing body, committee, or manager).</li>
<li><strong>Next review date</strong> — driven by the policy's review cycle, not a guess.</li>
</ul>
<p>The difference between a real review and a footer date is the middle three rows: what was checked, what changed, and who approved it. Those are the rows an inspector or auditor reads.</p>
<h2>The Three Questions Every Policy Review Must Answer</h2>
<p>Most policy reviews fail not because the reviewer is careless but because "review this policy" is too vague. Break it into three concrete questions:</p>
<h3>1. Is it still legally accurate?</h3>
<p>Has the underlying law, regulation, or guidance changed since the last review? This is where most policies decay silently. Legislation gets amended, guidance gets reissued, and regulators update their frameworks — but the policy sits unchanged because nobody mapped it to its source.</p>
<p>A worked example of how fast this moves: in March 2024 the DfE withdrew its standalone "Statutory Policies for Schools and Academy Trusts" publication and folded its content into the governance guides. A school whose policy review process pointed only at the old publication would have been checking against withdrawn guidance. Mapping each policy to its current source — and re-checking that source at review time — is the single most valuable habit a review process can build in.</p>
<h3>2. Does it match what you actually do?</h3>
<p>Inspectors weight policy-to-practice alignment heavily. A policy that describes a process nobody follows is worse than no policy, because it documents a gap. The review must confirm the written policy reflects current practice — and where practice has drifted, decide whether to fix the practice or update the policy.</p>
<h3>3. Is it owned, dated, and findable?</h3>
<p>Who owns the policy? When was it last approved, and by whom? Can a member of staff find the current version in under a minute? A policy that exists but cannot be located is functionally missing at the moment it matters.</p>
<h2>A Reusable Policy Review Checklist</h2>
<p>Use this as the body of your review template. Run every policy through it:</p>
<ol>
<li><strong>Confirm the source.</strong> Identify the legislation, regulation, or guidance the policy satisfies. Check whether that source has changed since the last review.</li>
<li><strong>Check currency.</strong> Are all dates, named roles, contact details, and references still correct? Are any cited documents withdrawn or superseded?</li>
<li><strong>Check accuracy against practice.</strong> Does the policy describe what your organisation actually does? Interview the process owner if you are unsure.</li>
<li><strong>Check scope and completeness.</strong> Does it still cover everyone and everything it should? Have new activities, sites, or staff groups appeared that it does not address?</li>
<li><strong>Check readability.</strong> Can the people who must follow it understand it? A policy nobody reads is not a control.</li>
<li><strong>Record the outcome.</strong> Note changes made (or "no changes required"), the version number, and the reviewer.</li>
<li><strong>Route for approval.</strong> Send to the correct governance layer. Record who approved it and when.</li>
<li><strong>Set the next review date.</strong> Based on the policy's review cycle, not the calendar default.</li>
</ol>
<p>A 40-policy register run through this checklist annually is a working compliance system. Run through it once and forgotten is theatre.</p>
<h2>How Often to Review: What UK Regulators Expect</h2>
<p>Review frequency is not one-size-fits-all. It depends on the sector and the specific policy. The most common cycles across UK regulated organisations:</p>
<ul>
<li><strong>Health and social care (CQC-regulated).</strong> CQC Regulation 17 (Good Governance) requires providers to "assess, monitor and improve the quality and safety of the services" and to "maintain securely an accurate, complete and contemporaneous record" of their governance. Outdated policies are routinely cited in inspection reports as evidence of a governance failing, so most providers review core policies at least annually and immediately when guidance changes.</li>
<li><strong>Schools (Ofsted / DfE).</strong> The DfE governance guides recommend that governing bodies review statutory policies annually, with one notable exception: governing bodies "must also: agree on one or more equality objectives every 4 years, which must then be published." Safeguarding policies aligned to Keeping Children Safe in Education need annual review at minimum, and immediate review whenever KCSIE is reissued.</li>
<li><strong>Charities.</strong> There is no fixed statutory review cycle for most charity policies, but regular review is widely treated as good governance. Time policy reviews to the trustee meeting cycle so changes are formally approved and minuted.</li>
<li><strong>Housing associations and councils.</strong> Review cycles are usually set by the organisation's own governance framework and the relevant regulatory standards rather than a single statutory cadence — annual review of core compliance policies is the common baseline.</li>
</ul>
<p>The practical rule that holds across every sector: <strong>a regulatory change is an immediate review trigger, not a "wait for the annual cycle" event.</strong> For a fuller multi-regulator breakdown of review frequencies, see our <a href="/blog/how-often-should-policies-be-reviewed-uk/">guide on how often UK policies should be reviewed</a>.</p>
<h2>Turning the Template Into a Schedule</h2>
<p>A review template tells you how to review one policy. The harder problem is keeping forty review dates from slipping. A register with mixed review cycles produces dozens of due dates a year, and they do not arrive conveniently spaced.</p>
<p>Two things make this manageable:</p>
<ol>
<li><strong>A single register</strong> that lists every policy, its source, owner, last-reviewed date, review cycle, and next-review date in one place. If you do not have one yet, our <a href="/blog/what-is-policy-management/">plain-English guide to policy management</a> explains how the register sits at the centre of the whole process.</li>
<li><strong>A schedule built from the register</strong>, with reminders that fire well before each deadline — not on the day it is already overdue. The free <a href="/tools/policy-review-schedule-generator/">Policy Review Schedule Generator</a> takes your policies and last-reviewed dates and produces a colour-coded review schedule you can export to a calendar, so the next-review dates from your template stop living only in a spreadsheet nobody opens.</li>
</ol>
<p>The template is the quality control for each review. The schedule is what makes sure the reviews actually happen. You need both. For context on where the review stage fits across the full policy journey — from drafting through approval, distribution, and eventual retirement — see the <a href="/blog/policy-lifecycle-management-guide/">policy lifecycle management guide</a>.</p>
<h2>Frequently Asked Questions</h2>
<h3>What should a policy review include?</h3>
<p>A policy review should confirm the policy is still legally accurate, matches actual practice, covers everyone and everything it should, and is owned and findable. It should record what was checked, what changed (or that no changes were needed), who approved the reviewed version, and when the next review is due.</p>
<h3>How do you review a policy?</h3>
<p>Map the policy to its legal or regulatory source and check whether that source has changed. Confirm the policy still reflects what your organisation actually does. Check dates, named roles, and references are current. Record the outcome, route it to the right governance layer for approval, and set the next review date based on the policy's review cycle.</p>
<h3>How often should policies be reviewed?</h3>
<p>It depends on the sector and the policy. Many UK regulated organisations review core compliance policies at least annually. Schools review statutory policies annually (equality objectives every four years). Any regulatory or legislative change should trigger an immediate review regardless of the scheduled cycle.</p>
<h3>What is the difference between a policy review and a policy rewrite?</h3>
<p>A review checks whether a policy is still fit for purpose and records the outcome — it may conclude that no changes are needed. A rewrite is what you do when the review finds the policy is out of date, inaccurate, or no longer matches practice. Most reviews should result in either confirmation or targeted amendments, not a full rewrite.</p>
<h3>Who should approve a reviewed policy?</h3>
<p>It depends on the policy and your governance structure. Safeguarding, finance, and major compliance policies typically need board, trustee, or governing-body approval. Operational policies can often be approved at committee or management level. Record the approver and the approval date in the review template so the audit trail is complete.</p>
<h2>Sources</h2>
<ul>
<li>Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 17</li>
<li>DfE: Maintained Schools Governance Guide</li>
<li>DfE: Keeping Children Safe in Education</li>
<li>Charity Governance Code</li>
</ul>
<p><em>This guide is designed for UK compliance leads, governance officers, school business managers, and practice managers who need a repeatable way to review their policies. It is general guidance based on published regulations and DfE guidance — verify against the current rules for your sector and your own governance framework before relying on any review cycle. It is not legal advice.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Statutory Policies for Schools: UK Guide for 2026</title>
      <link>https://policyboard.co.uk/blog/statutory-policies-for-schools/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/statutory-policies-for-schools/</guid>
      <pubDate>Wed, 20 May 2026 00:00:00 GMT</pubDate>
      <description>What policies UK schools must have by law, what must be on the website, and how to keep them current — practical guidance for school business managers, MAT clerks, and governors.</description>
      <content:encoded><![CDATA[<p>A new school business manager opens the policy folder on the shared drive. There are forty-six documents. Some are dated 2019. Two are called "FINAL_v3" and "FINAL_v3_REAL". Three are duplicates with slightly different titles. The headteacher asks which ones are statutory.</p>
<p>That question — which policies must a school have, by law — sounds simple. The honest answer is that there is no single clean list. Statutory policy requirements come from different pieces of education legislation, different bits of DfE guidance, the Equality Act, data protection law, and Ofsted publishing rules. The combined list is real but it lives across half a dozen sources.</p>
<p>This guide pulls those sources together for school business managers, MAT clerks, governors, and anyone whose job description quietly includes "make sure the policies are right." It covers what counts as statutory, the policies that must exist, the ones that must be on the school website, and the practical question most lists skip — how to keep forty-plus policies current without it eating a working week every term.</p>
<h2>What "Statutory" Actually Means</h2>
<p>A policy is statutory when a piece of legislation, statutory regulation, or DfE guidance under statutory powers requires the school to have it. Three categories of source create the requirement:</p>
<ol>
<li><strong>Primary legislation</strong> — Acts of Parliament that name the policy or require the school to have one (e.g. the Education Act 2002, Equality Act 2010, Data Protection Act 2018).</li>
<li><strong>Statutory regulations</strong> — secondary legislation under those Acts that adds detail.</li>
<li><strong>Statutory DfE guidance</strong> — guidance issued under statutory powers that schools "must have regard to." Schools can deviate only with good reason and a documented rationale.</li>
</ol>
<p>Non-statutory policies are policies the school chooses to have because they are useful or expected — anti-bullying frameworks, mobile-phone policies, uniform policies — but where no specific law mandates them. Many schools treat non-statutory policies as functionally mandatory anyway, because Ofsted inspectors expect to see them and because they are good practice.</p>
<p>This guide focuses on the statutory list. The DfE's standalone "Statutory Policies for Schools and Academy Trusts" publication was withdrawn on 7 March 2024 — its content now sits inside the governance guides. For the current canonical view, cross-reference the Maintained Schools Governance Guide and the Academy Trust Governance Guide, which set out the statutory-policy expectations and review cycles this guide draws on throughout.</p>
<h2>Different School Types, Different Lists</h2>
<p>Statutory policy requirements are not identical across school types. The differences matter:</p>
<ul>
<li><strong>Maintained schools</strong> — the local authority is the employer; statutory requirements come through the Local Government Act, Education Act, and DfE guidance for maintained schools.</li>
<li><strong>Academies and academy trusts</strong> — the trust is the employer; the Academies Act 2010 and the Academy Trust Handbook overlay additional requirements (financial regulations, scheme of delegation, conflict-of-interest declarations).</li>
<li><strong>Free schools and special schools</strong> — additional sector-specific requirements depending on the school's funding agreement and pupil cohort.</li>
<li><strong>Independent schools</strong> — different framework entirely; Independent School Standards Regulations 2014 set the requirements rather than the maintained-schools rules.</li>
</ul>
<p>This guide focuses on maintained schools and academies, which together cover most state-funded education in England. If you run an independent school, the policy list looks similar but the underlying authority is different — start with the Independent School Standards Regulations, not the DfE governance guides.</p>
<h2>The Core Statutory Policies (England, 2026)</h2>
<p>The list below is grouped by theme. Each entry names the policy, the source of the requirement, and a one-line note on what it has to cover. Cross-check every entry against the current DfE governance guides — categories occasionally shift, and academy trusts may have additional requirements via the Academy Trust Handbook.</p>
<h3>Safeguarding and Child Protection</h3>
<ul>
<li><strong>Child protection policy</strong> — required under Keeping Children Safe in Education (KCSIE). Must be reviewed annually, approved by the governing body, and published on the school website.</li>
<li><strong>Behaviour policy</strong> — required under the Education and Inspections Act 2006 and Education Act 2011. Must cover sanctions, rewards, and a written statement of behaviour principles set by governors.</li>
<li><strong>Anti-bullying</strong> — most schools embed within or alongside the behaviour policy. Section 89 of the Education and Inspections Act 2006 requires "measures to prevent all forms of bullying."</li>
<li><strong>Online safety policy</strong> — required by KCSIE alongside the child protection policy; covers filtering, monitoring, and acceptable-use rules.</li>
</ul>
<h3>Equality and Inclusion</h3>
<ul>
<li><strong>Equality information and objectives</strong> — required by the Equality Act 2010 (specifically the Public Sector Equality Duty). Schools must publish equality information annually and review objectives at least every four years.</li>
<li><strong>Special Educational Needs and Disability (SEND) policy and information report</strong> — required under the Children and Families Act 2014 and SEND Regulations 2014. Must be published on the website and reviewed annually.</li>
<li><strong>Accessibility plan</strong> — required under the Equality Act 2010, Schedule 10. Must show how the school will improve access to the curriculum, the physical environment, and information for disabled pupils. Reviewed at least every three years.</li>
<li><strong>Supporting pupils with medical conditions</strong> — required under Section 100 of the Children and Families Act 2014.</li>
</ul>
<h3>Curriculum and Assessment</h3>
<ul>
<li><strong>Curriculum policy</strong> — required for maintained schools under the Education Act 2002; expected for academies via funding agreement.</li>
<li><strong>Relationships, Sex and Health Education (RSHE) policy</strong> — required under the Children and Social Work Act 2017 and the RSHE Regulations 2019. Must be published on the school website and consulted on with parents.</li>
<li><strong>Collective worship</strong> — maintained schools must provide a daily act of collective worship under the School Standards and Framework Act 1998. Most schools embed in the curriculum policy.</li>
<li><strong>Charging and remissions policy</strong> — required by Section 457 of the Education Act 1996.</li>
<li><strong>Provider access policy (Baker Clause)</strong> — required under Section 42B of the Education Act 1997 (as amended); maintained schools and academies must publish how they enable providers of technical education and apprenticeships to access pupils in years 8 to 13.</li>
</ul>
<h3>Data Protection, Records, and Records Management</h3>
<ul>
<li><strong>Data protection policy</strong> — required under the UK GDPR and Data Protection Act 2018. Schools are data controllers and must have a written policy.</li>
<li><strong>Information security / records retention</strong> — schools must have records-management arrangements that satisfy data protection law. Many schools document this as a separate policy or schedule.</li>
<li><strong>Freedom of Information publication scheme</strong> — required for maintained schools (which are public authorities under the Freedom of Information Act 2000). Academies are also public authorities under FOIA.</li>
<li><strong>CCTV / surveillance policy</strong> — required if the school operates CCTV, under the Data Protection Act 2018 and the Protection of Freedoms Act 2012 surveillance camera code.</li>
</ul>
<h3>Health, Safety, and Premises</h3>
<ul>
<li><strong>Health and safety policy</strong> — required under the Health and Safety at Work etc. Act 1974 (for any employer with five or more employees).</li>
<li><strong>First aid policy</strong> — required under the Health and Safety (First-Aid) Regulations 1981 and the DfE first-aid guidance for schools.</li>
<li><strong>Fire safety arrangements</strong> — required under the Regulatory Reform (Fire Safety) Order 2005. Most schools document this as a fire safety policy plus the fire risk assessment.</li>
<li><strong>Educational visits / off-site activity policy</strong> — expected by DfE guidance and HSE publications on off-site visits; treated as functionally statutory by most schools and trusts.</li>
</ul>
<h3>Staffing and Employment</h3>
<ul>
<li><strong>Pay policy</strong> — required for maintained schools under the School Teachers' Pay and Conditions Document. Academies typically have an equivalent under their funding agreement.</li>
<li><strong>Capability and disciplinary procedures</strong> — required for maintained schools under the Education (School Teachers' Appraisal) Regulations 2012.</li>
<li><strong>Whistleblowing policy</strong> — required by the Public Interest Disclosure Act 1998. Academies must include whistleblowing arrangements under the Academy Trust Handbook.</li>
<li><strong>Code of conduct for staff</strong> — expected via KCSIE and DfE guidance; most trusts treat as mandatory.</li>
</ul>
<h3>Complaints and Governance</h3>
<ul>
<li><strong>Complaints procedure</strong> — required for maintained schools under Section 29 of the Education Act 2002, and for academies under their funding agreement and the Education (Independent School Standards) Regulations 2014.</li>
<li><strong>Governors' allowances policy</strong> — maintained schools must publish allowances arrangements; academies do so through the trust scheme of delegation.</li>
<li><strong>Scheme of delegation</strong> — required for academy trusts under the Academy Trust Handbook. Sets out who decides what across the trust, the local governing body, and individual schools.</li>
<li><strong>Conflict of interest policy</strong> — required for academy trusts under the Academy Trust Handbook.</li>
</ul>
<p>That list is not exhaustive — it covers the statutory items that affect almost every school. Specialist provision (alternative provision, special schools, sixth-form colleges) adds further requirements; international links and boarding schools add more.</p>
<h2>Policies That Must Be on the School Website</h2>
<p>Statutory policy requirements are one thing; statutory website-publishing requirements are a separate, narrower list. The DfE's guidance for maintained schools and guidance for academies, free schools and colleges are the canonical sources.</p>
<p>The policies and information that must appear on the school website typically include:</p>
<ul>
<li>Admissions arrangements</li>
<li>Behaviour policy</li>
<li>Charging and remissions policy</li>
<li>Complaints procedure</li>
<li>Curriculum information</li>
<li>Equality information and objectives</li>
<li>SEND information report (and SEND policy)</li>
<li>Pupil premium strategy and use-of-funds report</li>
<li>PE and sport premium funding statement (primary)</li>
<li>Year 7 catch-up funding (where applicable)</li>
<li>RSHE policy</li>
<li>Safeguarding/child protection policy</li>
<li>Supporting pupils with medical conditions policy</li>
<li>Accessibility plan</li>
<li>Provider access policy</li>
</ul>
<p>There are also required information items that are not policies but must be published — last Ofsted report, exam and assessment results, governors' details, and so on. The DfE guidance covers the full list. Treat the website list as a hard checklist: missing items create direct compliance gaps that Ofsted, the ESFA (for academies), and the DfE flag specifically.</p>
<h2>Statutory Policies for Multi-Academy Trusts</h2>
<p>Multi-academy trusts (MATs) layer additional requirements on top of the school-level list. The Academy Trust Handbook (annual edition published by the DfE / ESFA) sets out trust-level statutory requirements:</p>
<ul>
<li><strong>Master funding agreement and supplemental funding agreements</strong> — the legal contracts under which each academy operates.</li>
<li><strong>Articles of association</strong> — the trust's governing document, agreed with Companies House and the DfE.</li>
<li><strong>Scheme of delegation</strong> — describing decision-making authority across trustees, the executive team, and local governing bodies.</li>
<li><strong>Reserves and investment policies</strong> — required by the Academy Trust Handbook.</li>
<li><strong>Conflict of interest register</strong> — required by the Academy Trust Handbook for trustees, members, and senior leaders.</li>
<li><strong>Whistleblowing arrangements</strong> — required across the trust, with route to trustees.</li>
<li><strong>Anti-fraud and anti-bribery policy</strong> — expected under the Academy Trust Handbook.</li>
</ul>
<p>In a MAT, the question of which policies live at the trust level (single policy applied across all schools) and which live at school level (each school adapts to local context) is a governance design choice. Most trusts standardise safeguarding, finance, and HR at the trust level and let each school adapt curriculum, behaviour, and SEND policies to local need.</p>
<p>For a practical view of what trust-level governance looks like in practice, the DfE's Academy Trust Governance Guide sets out the principles and the roles. For the maintained-schools equivalent, see the Maintained Schools Governance Guide.</p>
<h2>Review Frequencies: How Often to Update Each Policy</h2>
<p>Statutory review frequency varies by policy. The most common cycles:</p>
<ul>
<li><strong>Annually:</strong> child protection, KCSIE-aligned policies (online safety, behaviour, anti-bullying), SEND policy, complaints procedure, health and safety.</li>
<li><strong>Every two years:</strong> RSHE policy (review and consultation cadence is typically biennial).</li>
<li><strong>Every three years:</strong> accessibility plan, equality objectives review.</li>
<li><strong>Every four years:</strong> equality objectives are required to be reviewed at least every four years (Public Sector Equality Duty).</li>
<li><strong>As needed (event-driven):</strong> any policy where legislation, KCSIE, the Academy Trust Handbook, or local safeguarding partnership procedures change. Treat regulatory changes as immediate review triggers, not as a "wait until the annual cycle" event.</li>
</ul>
<p>The full review-cadence picture is more nuanced — different funding agreements, Local Authority requirements, and trust-level rules can shift the dates. For a multi-regulator view of how cadence varies across CQC, Ofsted, the Charity Commission and councils, see our <a href="/blog/how-often-should-policies-be-reviewed-uk/">guide on how often UK policies should be reviewed</a>.</p>
<h2>What Goes Wrong (And What Inspectors Find)</h2>
<p>Three patterns recur across schools that fail their first Ofsted policy check:</p>
<ol>
<li><strong>Out-of-date child protection policy.</strong> KCSIE is updated annually, usually published in the summer term to take effect from 1 September. A child protection policy still referencing the previous year's KCSIE version on inspection day is a flag.</li>
<li><strong>Missing website items.</strong> Ofsted, ESFA, and the DfE all routinely check the published website list. Missing items (commonly: SEND information report, pupil premium strategy, provider access policy, accessibility plan) trigger immediate follow-up.</li>
<li><strong>Policy and practice mismatch.</strong> The policy says one thing; staff describe a different practice. Inspectors look for alignment between the documented policy, what staff describe, and the evidence (training records, incident logs).</li>
</ol>
<p>The first and second are operational. The third is a governance question — and it is the one inspectors weight most heavily. A current, well-aligned policy library is not just compliance; it is evidence of leadership.</p>
<h2>A Practical Workflow for Managing the List</h2>
<p>Forty-plus policies across multiple cycles, multiple owners, and multiple regulatory updates is not a job for a spreadsheet kept by one person. The practical workflow at school or trust level:</p>
<ol>
<li><strong>Build a policy register.</strong> Every statutory policy in one list with policy name, statutory source, owner, last reviewed, review frequency, next review date, and link to the live document. Our <a href="/blog/how-to-build-policy-register/">step-by-step guide to building a policy register</a> covers the methodology, and the free <a href="/tools/policy-register-template/">Policy Register Template</a> provides a starting structure.</li>
<li><strong>Set automated reminders.</strong> A register without reminders becomes a static list. Reminders need to fire at 90, 60, and 30 days before review date, to the named policy owner, with escalation if the deadline passes.</li>
<li><strong>Map to statutory sources.</strong> Every policy in the register should link to its source of authority — KCSIE section, Education Act section, Academy Trust Handbook clause, ICO guidance. When the source updates, you can immediately see which policies are affected.</li>
<li><strong>Use the Ofsted statutory checklist.</strong> Our <a href="/tools/ofsted-statutory-policies-checklist/">Ofsted Statutory Policies Checklist</a> walks through the policies inspectors expect to find at a maintained school or academy, with the legislation behind each one. Run it annually as a gap check.</li>
<li><strong>Calculate the review schedule.</strong> A 40-policy register with mixed cycles produces 40+ review dates per year. The free <a href="/tools/policy-review-schedule-generator/">Policy Review Schedule Generator</a> builds the schedule from your register and exports to your calendar so review deadlines don't get missed.</li>
<li><strong>Review at the right governance layer.</strong> Some policies (child protection, finance, scheme of delegation) require trust-board or governing-body approval. Others can be approved by a committee or executive. Map the approval route in the register so the right people are signing off.</li>
</ol>
<p>This is the work that turns a folder of forty-six documents into a working compliance system. Done well, it is invisible. Done poorly, it is the recurring fire your school business manager fights every term.</p>
<h2>Frequently Asked Questions</h2>
<h3>What is a statutory policy in a school?</h3>
<p>A statutory policy is one that legislation, statutory regulations, or DfE statutory guidance requires the school to have. The requirement may come from primary legislation (e.g. the Education Act 2002), secondary regulations, or guidance the school "must have regard to" (e.g. KCSIE).</p>
<h3>How many statutory policies does a school need?</h3>
<p>There is no fixed number. The DfE governance guides set out the statutory policies that apply to most schools — broadly in the region of 25-30 categories — but the precise number depends on the school type (maintained, academy, free school, special, sixth-form), pupil cohort, and the trust-level rules for academies.</p>
<h3>Which policies must be on the school website?</h3>
<p>The DfE guidance on what schools must publish online lists the policies and information that must appear on the website. The full list varies by school type — academies and maintained schools have slightly different requirements — but commonly includes the behaviour policy, SEND policy and information report, complaints procedure, RSHE policy, accessibility plan, equality information, and child protection policy.</p>
<h3>What is the difference between statutory and non-statutory school policies?</h3>
<p>Statutory policies are required by law or statutory guidance. Non-statutory policies are policies the school chooses to have because they are useful, expected, or good practice — but no specific law mandates them. Many non-statutory policies (anti-bullying frameworks, uniform, mobile-phone, lettings) are treated as functionally mandatory because Ofsted expects to see them.</p>
<h3>How often should statutory school policies be reviewed?</h3>
<p>Most statutory policies require annual review. KCSIE-aligned policies (child protection, online safety, behaviour) need annual review at minimum, and immediate review whenever KCSIE is updated. Some policies have longer cycles — accessibility plans run on a three-year cycle, equality objectives on a four-year cycle. Trigger-based reviews override the schedule when legislation or guidance changes.</p>
<h3>Who approves statutory school policies?</h3>
<p>Approval routes vary by policy and school type. Safeguarding, finance, and major operational policies typically require governing-body or trust-board approval. Curriculum and operational policies can often be approved at headteacher or executive level depending on the scheme of delegation. Academy trusts must follow the approval routes set out in their scheme of delegation.</p>
<h2>Sources</h2>
<ul>
<li>DfE: Keeping Children Safe in Education</li>
<li>DfE: What Maintained Schools Must Publish Online</li>
<li>DfE: What Academies, Free Schools and Colleges Should Publish Online</li>
<li>DfE: Maintained Schools Governance Guide</li>
<li>DfE: Academy Trust Governance Guide</li>
</ul>
<p><em>This guide is designed for UK school business managers, MAT clerks, governors, and trustees who need a practical view of statutory policy requirements. It is not legal advice. Statutory requirements change — verify against current DfE guidance and your funding agreement before treating any policy list as exhaustive.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Document Controlling: UK Compliance Officer&apos;s Guide</title>
      <link>https://policyboard.co.uk/blog/document-controlling-guide/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/document-controlling-guide/</guid>
      <pubDate>Wed, 13 May 2026 00:00:00 GMT</pubDate>
      <description>Document controlling for UK compliance officers — what it means, why it matters in regulated organisations, and how to do it without ISO certification.</description>
      <content:encoded><![CDATA[<p>A practice manager opens the shared drive looking for the current data protection policy. There are six files. Three are dated. Two have "FINAL" in the filename. One is called "DPpolicy_v3_AMENDED_REAL_FINAL.docx". She opens the most recent and is not sure whether it has been approved.</p>
<p>That is the absence of document controlling — and it is the daily working reality of most small UK regulated organisations. The phrase "document controlling" sounds technical, ISO-flavoured, and somebody else's problem. In practice, for any organisation that has to evidence governance to a regulator or auditor, it is the difference between a controlled record and a guess.</p>
<p>This guide covers document controlling as a working compliance practice — what it means, why it matters in UK regulated organisations, and how to do it without an ISO 9001 certification programme. It is written for the people who actually have to do the work: school business managers, practice managers, council clerks, charity governance leads, and anyone whose job description includes "make sure the policies and procedures are current".</p>
<h2>What "Document Controlling" Actually Means</h2>
<p>The term comes from quality management — specifically ISO 9001, which sets out documented information requirements as part of a quality management system. In that context, document controlling is a formal process: every controlled document has a unique identifier, an owner, an approval record, a review cycle, and a controlled distribution list.</p>
<p>Outside ISO certification, document controlling means the same five things in plain language:</p>
<ol>
<li><strong>You can find the current version.</strong> Not three versions, not last year's version, not "the one in Sarah's email" — the current version, in a known place, in under a minute.</li>
<li><strong>You know who owns it.</strong> A named person responsible for keeping the document accurate. Not a generic "shared drive owner" or a job role no one currently holds.</li>
<li><strong>You know who approved it.</strong> A documented approval — name, date, and ideally what they approved (a version, a change). Without this, the document has no governance authority.</li>
<li><strong>You know when it was last reviewed and when it is next due.</strong> Not a date in the footer that no one checks. A live review schedule that surfaces what is due, what is overdue, and what is current.</li>
<li><strong>You can see what changed.</strong> A version history showing what was different in the previous version. This is the audit trail an inspector or auditor will ask about.</li>
</ol>
<p>If your organisation cannot answer all five for any given policy, procedure, or governance document, it is not under document control. It is under document storage — which is a different thing.</p>
<h2>Document Controlling vs Document Storage</h2>
<p>The distinction is not academic. It is the difference between two organisations sitting through the same inspection:</p>
<p><strong>Organisation A</strong> has a SharePoint site with 200 files in a folder hierarchy. Files are named informally. Some have approval dates in the footer; most do not. The practice manager knows where most of them are. When the inspector asks for the current safeguarding policy, the manager opens four files before finding the one that looks most current.</p>
<p><strong>Organisation B</strong> has the same 200 documents in a register. Each shows owner, status, last review date, next review date, and a clear "current version" marker. When the inspector asks for the safeguarding policy, the manager opens the register, exports the current document, and shows the audit trail of approvals.</p>
<p>Both organisations have the same documents. Only one is under document control. The first is taking notes during the inspection; the second is answering questions.</p>
<h2>Why It Matters in UK Regulated Organisations</h2>
<p>Every UK regulator that conducts inspections or audits expects evidence that documents are controlled — even when they do not use the phrase. Specifically:</p>
<h3>CQC (GP practices, dental practices, primary care)</h3>
<p>Regulation 17 requires records to be "accurate, complete and contemporaneous" and that systems "assess, monitor and improve" service quality. In practice, inspectors check whether policies are dated, approved, reviewed within stated timeframes, and known to the staff who follow them. An undated or unsigned policy fails Regulation 17 even if its content is good.</p>
<p>For CQC-specific policy expectations, the <a href="/blog/cqc-policy-requirements/">CQC policy requirements guide</a> covers the categories inspectors expect to find at a GP practice.</p>
<h3>Ofsted (schools, MATs, early years)</h3>
<p>The DfE's Keeping Children Safe in Education is updated regularly. Schools must show their safeguarding policy reflects the current version of the guidance — and that staff have been notified of changes. An out-of-date safeguarding policy contributes directly to a "safeguarding is not effective" judgement, one of the most serious findings a school can receive. Document controlling is what makes "current and notified" auditable.</p>
<h3>Charity Commission</h3>
<p>Trustees are accountable for ensuring the charity is well-run. Outdated policies are evidence of poor governance. The Commission's annual return asks whether the charity has reviewed its governing document — a "no" answer invites scrutiny. For charities working with children or adults at risk, safeguarding documentation is checked against the documented review cycle.</p>
<h3>ICO (data protection — all sectors)</h3>
<p>The UK GDPR's accountability principle requires organisations to demonstrate compliance — not just be compliant. The ICO accountability and governance guidance sets out the documentation expected: data protection policy, records-of-processing register, breach response procedure, subject access request procedure. After a breach, the ICO will ask for evidence the documents were current at the time of the incident. Document controlling provides that evidence.</p>
<h3>Internal and external audit</h3>
<p>For councils, NHS organisations, and audited bodies, internal auditors check governance documents are reviewed within stated timeframes. External auditors will note governance weaknesses where document review schedules have slipped. Persistent issues can lead to a qualified audit opinion.</p>
<p>The common thread: every regulator checks both the content and the control. A well-written policy that is not under document control is evidence the system is not working.</p>
<h2>What Document Controlling Looks Like Day-to-Day</h2>
<p>Theory is one thing. The day-to-day practice of document controlling at a small UK regulated organisation looks like this:</p>
<h3>A central register</h3>
<p>One list of every controlled document — policies, procedures, SOPs, protocols, terms of reference, code of conduct, scheme of delegation. Each entry shows:</p>
<ul>
<li>Document name and category</li>
<li>Document type (policy, procedure, register, etc.)</li>
<li>Owner (named person)</li>
<li>Last review date</li>
<li>Next review date</li>
<li>Approval status (approved, draft, under review)</li>
<li>Current version</li>
<li>Where the actual document lives</li>
</ul>
<p>If you are starting from scratch, our <a href="/tools/policy-register-template/">free Policy Register Template</a> is a working example of the columns this register needs. The same structure works for procedures with one extra column for "parent policy".</p>
<h3>A review schedule</h3>
<p>Different document types have different review cadences. A safeguarding policy is reviewed annually (more often when guidance changes). A medication-administration procedure is reviewed annually or when the prescribing system changes. A schedule of delegation is reviewed when governance arrangements change.</p>
<p>The schedule should surface what is due in the next 30, 60, and 90 days — not require someone to manually scan the register each month. Our <a href="/tools/policy-review-schedule-generator/">free Policy Review Schedule Generator</a> builds this calendar from a list of policies.</p>
<p>For regulator-specific cadences, the <a href="/blog/how-often-should-policies-be-reviewed-uk/">policy review frequency guide</a> covers what each regulator expects across CQC, Ofsted, the Charity Commission, and audit cycles.</p>
<h3>An approval record</h3>
<p>Every controlled document needs an approval record showing who approved which version, when. The approval record sits alongside the document, not inside it — so updating the record does not require reopening the document.</p>
<p>For policies, the approval body is typically formal (governing body, trustees, partners, full council). For procedures, the approval body is often just a line manager or department head. The approval workflow should match the document type.</p>
<h3>A version history</h3>
<p>Previous versions preserved (not overwritten) and accessible. Each version dated and labelled. When an auditor asks "was this policy current at the time of the incident on 14 March?", you can show the version that was in force on that date.</p>
<h3>Distribution and acknowledgement</h3>
<p>For critical documents (safeguarding, data protection, health and safety, infection control, medicines management), staff need to know about updates. At small scale, distribution is usually by email with an acknowledgement reply. Larger organisations may use formal attestation. The principle is the same: there is evidence staff know about the current version.</p>
<h3>An audit trail</h3>
<p>Every change recorded — who edited what, when, and what the change was. This is the difference between document storage (which most organisations already have) and document controlling (which most do not).</p>
<h2>Common Document Controlling Failures</h2>
<p>The same patterns appear in inspection reports and audit findings across sectors:</p>
<p><strong>Policies in document footers, not in a register.</strong> The "next review" date is in the footer of the Word document. To find what is overdue, someone has to open every file. So no one does, and policies drift past their review dates without anyone noticing.</p>
<p><strong>Multiple versions of the same document.</strong> "Safeguarding Policy v3", "Safeguarding Policy v3 AMENDED", "Safeguarding Policy v3 FINAL", "Safeguarding Policy 2024". No clear current version. Staff working from different files.</p>
<p><strong>No approval record.</strong> The policy exists. There is no record of who approved it or when. Governing body minutes do not reference the policy review. From a governance perspective, the document is not controlled — it is just a file.</p>
<p><strong>Owners who left the organisation.</strong> The policy register lists owners who left 18 months ago. Reviews are not happening because the named owner is no longer there to do them.</p>
<p><strong>Updated procedures, unchanged policies.</strong> Operational procedures get updated when systems change. The underlying policy still references the old procedure. Inspectors find the mismatch.</p>
<p><strong>Filing-cabinet documents.</strong> Still common in small GP practices, parish councils, and charity offices. Printed, signed, filed. No search, no version control, no reminders. When asked for a specific document, someone rummages through a cabinet.</p>
<p>All of these are document controlling failures. None of them are about the <em>content</em> of the documents — every example assumes the policies and procedures themselves are well-written. The failure is in the controlling.</p>
<h2>Document Controlling Without ISO Certification</h2>
<p>Most small UK regulated organisations do not hold ISO 9001 and do not need to. The full ISO documented-information apparatus — controlled distribution lists, formal change management procedures, mandatory training records — is overkill for a 30-person council or a five-trustee charity.</p>
<p>What they need is the practical principles of document control, applied at the right scale:</p>
<ul>
<li><strong>A central register, not a quality manual.</strong> One spreadsheet or one tool, not a stack of binders.</li>
<li><strong>Lightweight version control, not formal change management.</strong> Previous versions accessible, dated, labelled. Not a 12-step change process for every typo correction.</li>
<li><strong>Practical approval workflows, not committee structures.</strong> Policies route to the approving body that already exists (trustees, governors, partners). Procedures route to the line manager who already approves operational changes.</li>
<li><strong>Reasonable review cadences, not annual full audits.</strong> Annual minimum for policies, more frequent for procedures and operationally critical documents. Triggered reviews when systems or staff change.</li>
<li><strong>Inspection-ready, not certification-ready.</strong> The output is evidence for inspectors and auditors — not a recertification audit by a third party.</li>
</ul>
<p>For organisations that want a deeper read on the document-control framework that applies in regulated UK contexts (rather than ISO/manufacturing contexts), the <a href="/blog/control-of-documentation-uk-guide/">control of documentation guide</a> covers the regulator-by-regulator picture.</p>
<h2>A Practical Checklist for Compliance Officers</h2>
<p>If you are responsible for documents in a small UK regulated organisation and want to know whether you are under document control, work through these:</p>
<ol>
<li><strong>Can I list every controlled document in under five minutes?</strong> If the list is in someone's head or scattered across folders, it is not a register.</li>
<li><strong>For each document, do I know the current version, owner, last review date, and next review date?</strong> Without all four, you have document storage, not document control.</li>
<li><strong>Can I produce evidence of approval for every policy and procedure?</strong> Name, date, version. Not "we discussed it at trustees in March 2023."</li>
<li><strong>Do I know what is due for review in the next 90 days?</strong> If the answer is "I would need to check each file", the schedule is not working.</li>
<li><strong>Can I show what changed between the current version and the previous version of any document?</strong> Version history matters when an inspector asks about the policy at the time of an incident.</li>
<li><strong>Do staff know about updates to critical documents?</strong> Distribution and acknowledgement, not just "it is on the shared drive."</li>
<li><strong>Could I evidence document control to an external auditor without preparation?</strong> If an auditor walking in tomorrow would catch you scrambling, the system is not yet working.</li>
</ol>
<p>If you cannot answer "yes" to all seven, the gap is not in your policies — it is in your document control.</p>
<h2>Connecting It to Policy Management</h2>
<p>Document controlling sits at the centre of policy management. A policy without document control is a statement of intent without evidence the organisation is following its own commitments. The five principles above — current version known, owner known, approval recorded, review cycle live, change history kept — are the working definition of policy management at small-organisation scale.</p>
<p>Most small UK regulated organisations already have the policies. They have the procedures. They have the people who care about getting it right. The gap is the controlling layer — the register, the schedule, the approval record, the version history. Once that is in place, inspections become an evidence-gathering exercise, not a panic.</p>
<p>PolicyBoard is designed to be that controlling layer for small UK councils, MATs, GP practices, and charities — a central register of policies and procedures, automated review reminders, lightweight approval workflows, version history, and inspection-ready exports. <a href="/#waitlist">Join the waitlist</a> to be notified when it launches.</p>
<h2>Sources</h2>
<ul>
<li>ISO 9001:2015 — Quality Management Systems Requirements</li>
<li>CQC Regulation 17: Good Governance</li>
<li>DfE: Keeping Children Safe in Education</li>
<li>ICO: Accountability and Governance</li>
</ul>
<p><em>This guide covers general principles of document controlling for small UK regulated organisations. It is not legal, audit, or ISO certification advice. Always check the specific requirements of your regulator and seek professional advice where needed.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Policy and Procedure Management Software: UK Guide</title>
      <link>https://policyboard.co.uk/blog/policy-and-procedure-management/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/policy-and-procedure-management/</guid>
      <pubDate>Wed, 06 May 2026 00:00:00 GMT</pubDate>
      <description>Why policies and procedures need managing together, what to look for in a tool, and how small UK regulated organisations avoid enterprise prices.</description>
      <content:encoded><![CDATA[<p>A safeguarding policy says the practice will refer concerns to the local safeguarding partnership without delay. The procedure says how — who to call, what form to complete, where the log lives, who chases the response.</p>
<p>The policy is what you commit to. The procedure is what people actually do. They are not the same document, and managing only one of them is a quiet governance failure that surfaces at the worst possible moment.</p>
<p>Most small UK regulated organisations track policies in a spreadsheet, if they track them at all. Procedures live in shared drives, on practice intranets, in the head of the person who has been there longest, or in a folder labelled "SOPs" that has not been opened in two years. When an inspector or auditor asks "show me how you do X", the panic is the gap between the policy you have and the procedure no one can find.</p>
<p>This guide covers what policy and procedure management actually involves at small-organisation scale, what software needs to do, and how to evaluate options when most tools on the market are priced for organisations 10× your size.</p>
<h2>Policy vs Procedure: Why The Distinction Matters</h2>
<p>In governance theory, policies set principles and procedures set practice. In small UK regulated organisations, the practical distinction is sharper:</p>
<ul>
<li><strong>A policy</strong> is what trustees, governors, councillors, or partners approve. It sets out what the organisation commits to and why. It is reviewed annually by the body that approved it. It is the document an inspector asks for first.</li>
<li><strong>A procedure</strong> is what staff follow day-to-day. It is updated by the person who owns the activity, often without formal approval. It changes more often than the policy — when systems change, suppliers change, or the person who used to do it leaves.</li>
</ul>
<p>Both are needed. A safeguarding policy without a referral procedure is a statement of intent without a process. A medication-administration procedure without a medicines policy has no governance authority — staff are following an unapproved process.</p>
<p>The mismatch most small organisations live with: policies are formal, infrequently reviewed, and inspector-facing. Procedures are informal, frequently updated, and staff-facing. Tracking them in different systems (or different parts of the same shared drive) means the two drift apart. The policy still references the 2022 procedure. The procedure still references the 2021 policy. No one has noticed.</p>
<h2>Why Manage Them Together</h2>
<p>Three reasons one tool, not two, is the right answer for small UK regulated organisations:</p>
<h3>1. Inspectors and auditors look at the link</h3>
<p>The CQC inspector does not just want the safeguarding policy — they want evidence that the procedure matches the policy and that staff follow the procedure. The Ofsted inspector who asks about behaviour management wants the policy, the procedure, and the staff training records. The internal auditor who reviews financial controls wants the financial regulations (policy) and the day-to-day procedures (cash handling, expense approval, supplier onboarding) that operationalise them.</p>
<p>Managing them in one register makes that link auditable. Managing them in two systems means evidencing the link is a manual exercise every inspection.</p>
<h3>2. Procedures change more than policies — but still need governance</h3>
<p>A practice manager updates the appointment-booking procedure because a new locum joined and the old SOP referenced a phone system that was replaced. The change is sensible and operationally correct. The change has not been recorded against the underlying policy that says the practice will respond to patient appointment requests within agreed timeframes.</p>
<p>Six months later, an audit finds that a third of repeat-prescription requests were not actioned within the policy commitment. The reason is in the procedure update — but no one connected the dots because the policy and the procedure live in different files.</p>
<p>Lightweight version control across both gives the audit trail inspectors expect.</p>
<h3>3. The person managing one usually manages both</h3>
<p>In a small UK regulated organisation, the person responsible for policies is usually also responsible for procedures: the school business manager, the practice manager, the charity governance lead, the council clerk. They do not need two systems and two sets of reminders. They need one register that shows what is current, what is due for review, and where the gaps are between policies and procedures.</p>
<p>Two systems double the cost, the maintenance overhead, and the risk that something falls between them.</p>
<h2>What Small UK Regulated Organisations Actually Need</h2>
<p>The features list for a policy and procedure management tool that fits a small council, GP practice, MAT, or charity is shorter than enterprise vendors imply:</p>
<h3>A unified register</h3>
<p>One list of every governance document — policies, procedures, SOPs, protocols — with a clear marker for each type. Filterable by category, owner, status, or document type. Searchable by keyword.</p>
<h3>Linked relationships between policies and procedures</h3>
<p>When you open the safeguarding policy, you see the procedures that operationalise it. When you open the safeguarding referral procedure, you see the policy it sits under. This is not a complex graph database — it is a simple "parent policy" or "related procedures" field that makes the relationship explicit.</p>
<h3>Different review cadences for different document types</h3>
<p>Policies typically reviewed annually by the approving body. Procedures often reviewed more frequently — sometimes quarterly, sometimes when triggered by an operational change. The review cadence should be configurable per document, not assumed to be the same across the register.</p>
<p>The <a href="/blog/how-often-should-policies-be-reviewed-uk/">policy review frequency guide</a> covers regulator-specific cadences for policies. Procedures generally need more frequent review than that — at minimum, after any operational change to systems, suppliers, or staff who carry out the procedure.</p>
<h3>Different approval workflows for different document types</h3>
<p>Policies route to a formal approval body (governing body, trustees, partners, council). Procedures usually need only departmental or line-manager sign-off. The workflow should reflect that, not force every procedure update through the trustees.</p>
<h3>Audit trail across both</h3>
<p>Who changed what, when. Previous versions accessible. The same audit trail standard for both document types — because an inspector or auditor will ask about both.</p>
<h3>Inspection-ready exports</h3>
<p>Pull a current-status report for an inspector or board: all policies and procedures, owners, last review dates, next review dates, approval status. Without a custom report builder. The <a href="/tools/policy-register-template/">free Policy Register Template</a> is a working starting point for the columns this report needs.</p>
<h2>Where Enterprise Tools Misfit</h2>
<p>Mature enterprise GRC tools (NAVEX, MetaCompliance, Workiva, Mitratech, and the rest) handle policy and procedure management well at large scale. They do not fit small UK regulated organisations for the same reasons enterprise <a href="/blog/what-to-look-for-policy-management-software/">policy management software</a> does not fit:</p>
<ul>
<li><strong>Pricing model.</strong> Per-user or per-module pricing assumes a compliance team. A 30-staff organisation with one part-time governance lead pays for capacity that is not used.</li>
<li><strong>Implementation effort.</strong> Enterprise tools assume someone configures the document taxonomy, imports the library, and trains users. In a small organisation, that configuration time exceeds the time saved by the tool in its first year.</li>
<li><strong>Feature surface.</strong> Attestation programmes, learning management integrations, advanced analytics — useful at large scale, friction at small scale. The school business manager does not need a heatmap of policy attestation rates by department.</li>
<li><strong>Sales motion.</strong> Demos, scoping calls, security questionnaires, procurement sign-off. Small organisations need to sign up, import, and use the tool the same week.</li>
</ul>
<p>The mismatch is not feature scope but assumed buying process and operational scale. A tool for a 30-staff council needs to be self-serve, transparently priced, and usable in an afternoon. Most enterprise tools fail all three tests.</p>
<p>For organisations that need to manage policies across multiple sites or services (a multi-academy trust, a council with several departments, a charity with branches), the <a href="/blog/corporate-policy-management-software/">corporate policy management guide</a> covers the multi-site coordination requirements that overlap with policy-and-procedure scope.</p>
<h2>A Practical Evaluation Checklist</h2>
<p>Before paying for any tool, run through these questions:</p>
<ol>
<li><strong>Does it handle both policies and procedures in one register?</strong> If you need two separate modules with two separate licences, you are buying enterprise tooling.</li>
<li><strong>Can document types have different review cadences and approval workflows?</strong> Procedures are not policies — the tool should not pretend they are.</li>
<li><strong>Is the link between a policy and its procedures explicit and visible?</strong> Without this, you have document storage, not policy and procedure management.</li>
<li><strong>Can a non-IT person configure it in an afternoon?</strong> Setup workshops are a sign of enterprise pricing.</li>
<li><strong>Is pricing transparent and based on organisation, not user?</strong> "Contact sales" usually means a price designed for organisations 10× larger.</li>
<li><strong>Can I export the full register at any time?</strong> If export needs a support ticket, the data is locked in.</li>
<li><strong>Does it work for me without configuration on day one?</strong> A traffic-light dashboard, a register, automated reminders — these should be the default behaviour, not configurable extras.</li>
</ol>
<p>If a vendor pushes back on more than one of these, they are selling to a different buyer.</p>
<h2>Sector-Specific Notes</h2>
<h3>GP practices and primary care (CQC)</h3>
<p>Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 requires "systems and processes" — not just policies. In practice, CQC inspectors look at the procedures that operationalise each policy: the safeguarding referral procedure, the medicines management protocol, the infection control cleaning schedules, the significant event analysis process. Policies without matching procedures fail the "well-led" assessment.</p>
<p>The <a href="/blog/cqc-policy-requirements/">CQC policy requirements guide</a> lists the policy categories inspectors expect to find. Each category typically has one or more procedures sitting beneath it.</p>
<h3>Schools and MATs (Ofsted)</h3>
<p>The DfE's Keeping Children Safe in Education guidance is procedural as much as it is policy — it sets out what schools must do, not just what they must commit to. Inspectors will check the policy, then test whether the procedure matches the policy and whether staff follow it.</p>
<h3>Charities (Charity Commission)</h3>
<p>The Charity Governance Code is policy-level guidance. The Commission's expectations on safeguarding, financial controls, and risk management require both the policy (trustees commit to X) and the procedure (this is how X happens day-to-day). Trustees cannot delegate accountability for procedures, even though they do not write them.</p>
<h3>Health and safety (HSE — all sectors)</h3>
<p>The Health and Safety at Work Act 1974 requires a written health and safety policy for organisations with five or more employees. HSE guidance on writing a health and safety policy covers the policy itself; the procedures (risk assessments, accident reporting, COSHH, manual handling, lone working) sit beneath it.</p>
<h3>Data protection (ICO — all sectors)</h3>
<p>UK GDPR requires accountability — the ability to demonstrate compliance. The ICO accountability and governance guidance sets out the documentation expected: the data protection policy, the records-of-processing register, the breach response procedure, the subject access request procedure. Each policy implies one or more procedures.</p>
<h2>Connecting the Pieces</h2>
<p>Policy and procedure management at small-organisation scale is not a procurement project, and it is not two separate problems. It is one coordination problem: making sure every governance commitment has a working procedure, every procedure has an approved policy, and someone owns the link between them.</p>
<p>Enterprise tools solve this at a scale and price built for organisations with a compliance team. Small UK regulated organisations need the same coordination at a scale and price the existing person-who-also-does-policy-and-procedure can sign off without a procurement committee.</p>
<p>If you are evaluating tools, the <a href="/blog/what-to-look-for-policy-management-software/">policy management software evaluation guide</a> covers the policy half in more depth, and the <a href="/blog/policy-document-management-software-uk/">policy document management guide</a> covers what to do when the documents themselves (versions, attachments, file storage) are part of the problem.</p>
<p>PolicyBoard is designed to manage policies and procedures together — one register, configurable review cadences and approval workflows per document type, explicit links between policies and the procedures that operationalise them, and inspection-ready exports. <a href="/#waitlist">Join the waitlist</a> to be notified when it launches.</p>
<h2>Sources</h2>
<ul>
<li>CQC Regulation 17: Good Governance</li>
<li>Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 17</li>
<li>DfE: Keeping Children Safe in Education</li>
<li>Charity Governance Code</li>
<li>HSE: Write a Health and Safety Policy</li>
<li>ICO: Accountability and Governance</li>
</ul>
<p><em>This guide covers general principles for small UK regulated organisations. It is not legal or procurement advice. Always check the specific requirements of your regulator and seek professional advice where needed.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Corporate Policy Management Software: UK Guide</title>
      <link>https://policyboard.co.uk/blog/corporate-policy-management-software/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/corporate-policy-management-software/</guid>
      <pubDate>Wed, 29 Apr 2026 00:00:00 GMT</pubDate>
      <description>What &apos;corporate policy management software&apos; means for small UK councils, MATs, and charities — and what to look for when enterprise tools don&apos;t fit.</description>
      <content:encoded><![CDATA[<p>You run a small council, a multi-academy trust, or a charity with two or three sites. Someone — probably a procurement officer, a chief executive, or a clerk to the trustees — asks if you have "corporate policy management software." The phrase is precise enough to be specific, vague enough to mean almost anything.</p>
<p>Search the term and the top results are NAVEX, Xoralia, and Capterra. The pricing pages either say "contact sales" or assume an organisation with a compliance team. Your organisation has a school business manager who also runs HR. Or a clerk who also handles GDPR. Or a chief officer who also chairs the audit committee.</p>
<p>This guide covers what corporate policy management actually means at small-organisation scale, what the software needs to do for a UK council, MAT, or charity, and how to evaluate options when the buyers' guides on the SERP were written for a procurement team you do not have.</p>
<h2>What "Corporate" Means at Small-Organisation Scale</h2>
<p>In enterprise vendor copy, "corporate policy management" usually means the global function that sits inside Compliance, Legal, or Risk in a 5,000-person organisation. There is a head of compliance, a policy committee, and an attestation programme tied to annual training.</p>
<p>In a 30-person council, a 15-school MAT, or a five-trustee charity, "corporate" means something different and narrower:</p>
<ul>
<li><strong>Multiple owners across functions.</strong> The data protection policy is owned by the DPO, the safeguarding policy by the safeguarding lead, the procurement policy by the chief officer. No single person sees the whole register.</li>
<li><strong>Multiple sites or teams.</strong> A MAT has 15 schools that share trust-level policies and add school-level ones. A council has a handful of departments. A charity may have head-office policies and project-level ones.</li>
<li><strong>Cross-cutting governance.</strong> Trustees, governors, councillors, or board members have legal accountability for ensuring the policies exist, are current, and are followed — even though they do not write them.</li>
<li><strong>Inspection-readiness.</strong> Corporate, in this context, means "ready to evidence governance" — to Ofsted, CQC, the Charity Commission, an internal auditor, or a Local Government Audit Service appointee.</li>
</ul>
<p>What it usually does not mean: a 200-person policy team, an enterprise procurement budget, or a 12-month implementation cycle.</p>
<h2>Why Enterprise Tools Do Not Fit</h2>
<p>The corporate policy management category is mature. NAVEX PolicyTech, MetaCompliance, Mitratech, Workiva, and others have served large-enterprise compliance teams for years. Their feature lists are extensive — attestation tracking, policy authoring with templates, multi-language support, learning management integration, advanced analytics.</p>
<p>The mismatch for a small UK regulated organisation is not feature scope but assumed buying process:</p>
<ul>
<li><strong>Pricing structure.</strong> Enterprise tools price by user, by module, or by negotiated annual contract. A 30-seat council quote can be £8,000–£20,000 a year before implementation services. The buyer at a small council does not have that line item available.</li>
<li><strong>Sales cycle.</strong> Enterprise tools assume a 3–6 month evaluation: discovery calls, scoping workshops, security questionnaires, procurement sign-off. A practice manager or charity CEO needs a tool by next month, not next financial year.</li>
<li><strong>Implementation effort.</strong> Enterprise tools assume someone configures the policy taxonomy, sets up the approval workflows, imports the policy library, and trains users. In a small organisation, that someone is also the person who would use the tool — so any time spent configuring is time not spent doing the day job.</li>
<li><strong>Feature surface.</strong> Attestation programmes, advanced reporting, integration with HRIS — these are valuable in large organisations but become friction at small scale. The school business manager just wants to know which policies are due for review next month.</li>
</ul>
<p>For a small UK regulated organisation, "corporate" needs to mean light-touch coordination across functions and sites — not enterprise compliance tooling rebadged for smaller customers.</p>
<h2>What Small UK Regulated Organisations Actually Need</h2>
<p>Strip back the enterprise feature list and the requirement for small councils, MATs, and charities looks like this:</p>
<h3>A central register that anyone can find</h3>
<p>Every policy in one place, with its owner, category, status, and next review date visible at a glance. Not buried in a SharePoint folder hierarchy or in someone's spreadsheet. A school business manager covering for a colleague should be able to find the relevant policy in under a minute.</p>
<p>If your starting point is a spreadsheet, our <a href="/tools/policy-register-template/">free Policy Register Template</a> is a working example of the columns and structure you will need.</p>
<h3>Automated reminders that go to the right person</h3>
<p>Reminders 90, 60, and 30 days before a review date — sent to the policy owner, not a generic shared inbox. The reminders should not need configuration; they should just work, by default, the day a policy is added to the register.</p>
<p>Manual reminder calendars fail for the same reason manual policy registers fail: someone has to remember to maintain the calendar.</p>
<h3>Approval workflow that captures evidence</h3>
<p>Trustees, governors, or councillors approve key policies. The approval needs to be evidenced — a name, a date, ideally a comment. When an inspector or auditor asks "who approved this version of the safeguarding policy?", the answer should not require opening the minutes of three different meetings.</p>
<p>For schools, the academic year imposes a natural cadence: many statutory policies are approved annually by the full governing body or trust board. The approval workflow should match that rhythm without requiring the clerk to chase signatures by email.</p>
<h3>Multi-site visibility (where applicable)</h3>
<p>A MAT needs to see which policies are trust-level and which are school-level. A council needs to see how each department's local procedures relate to corporate-wide policies. A federated charity needs to see which policies are shared across branches and which are local.</p>
<p>This does not mean a complex hierarchy or permission system. At small scale, "multi-site" means the register can be filtered by site and a single dashboard can show overall status across the group.</p>
<h3>Inspection-ready exports</h3>
<p>Pull a current-status report for an inspector, an auditor, or a board meeting in under five minutes. Not a custom report builder — a standard "all current policies, owners, last review dates, next review dates" view that exports to PDF or CSV.</p>
<p>For CQC-regulated GP practices, the <a href="/blog/cqc-policy-requirements/">CQC policy requirements guide</a> sets out what inspectors expect to see. For Ofsted-inspected schools, the <a href="/tools/ofsted-statutory-policies-checklist/">Ofsted Statutory Policies Checklist</a> is a good starting point. For all sectors, the <a href="/blog/how-often-should-policies-be-reviewed-uk/">policy review frequency guide</a> sets the regulator-specific cadences inspection-ready exports need to support.</p>
<h3>An audit trail</h3>
<p>Every change recorded — who edited what, when, what the previous version said. This is the difference between a document store (which most organisations already have) and policy management (which most do not). Inspectors and auditors increasingly ask for the audit trail, not just the current document.</p>
<h2>What Most Enterprise Features Are Not Worth Paying For (At Small Scale)</h2>
<p>A small-organisation evaluation gets faster when you cross out features that look impressive but solve problems you do not have:</p>
<ul>
<li><strong>Built-in policy authoring with template libraries.</strong> You already have the policies. They are in Word documents. Importing them is more useful than rewriting them in a vendor's editor.</li>
<li><strong>Attestation programmes with quizzes and certificates.</strong> For 30 staff, an email confirming "I have read the policy" is sufficient evidence. Quiz-based attestation is procurement theatre at this scale.</li>
<li><strong>Multi-language support.</strong> A small UK regulated organisation operates in English. This feature drives up enterprise pricing and is not used.</li>
<li><strong>Custom workflow configuration.</strong> Enterprise customers value the ability to design bespoke approval flows. Small organisations usually need one or two flows: "owner review → manager approve" or "owner review → committee approve."</li>
<li><strong>Advanced analytics dashboards.</strong> A traffic-light view (green / amber / red by status) is enough. Heatmaps and trend analysis sound useful but are not what an inspector asks to see.</li>
</ul>
<p>The features worth paying for at small scale are the central register, automated reminders, lightweight approval workflow, multi-site filtering, and inspection-ready exports. Everything else is optional.</p>
<h2>A Practical Evaluation Checklist</h2>
<p>Before paying for any tool, run through these questions:</p>
<ol>
<li><strong>Is the price published?</strong> If the website says "contact sales," the pricing was designed for organisations 10× your size.</li>
<li><strong>Can I import my existing policy list in under an hour?</strong> If the answer is "engage our professional services team," walk away.</li>
<li><strong>Does it send reminders by default?</strong> Not "can be configured to" — does it, out of the box, the day after I add a policy.</li>
<li><strong>Can I generate an inspection-ready report without a configuration project?</strong> If yes, demo it. If no, the tool is too heavy for small-org use.</li>
<li><strong>What happens to my data if I cancel?</strong> Export should be a button. If it requires a support ticket and a notice period, the data is locked in.</li>
<li><strong>Can a non-IT person set it up in an afternoon?</strong> If the trial requires a setup call, it is built for the enterprise sales motion.</li>
<li><strong>Does pricing scale by organisation, not per user?</strong> Per-user pricing punishes multi-site organisations and small teams that share access.</li>
</ol>
<p>The right tool for a small UK regulated organisation should pass all seven without explanation. If a vendor pushes back on any of them, they are selling to a different buyer.</p>
<h2>Sector-Specific Notes</h2>
<h3>Small councils (parish, town, principal authority departments)</h3>
<p>Standing orders, financial regulations, code of conduct, complaints procedure, risk management, data protection, health and safety — all reviewed annually as part of the audit cycle, alongside the Annual Governance and Accountability Return. The JPAG Practitioners' Guide sets the practical proper-practices framework smaller authorities work to.</p>
<p>What matters: a register that aligns with audit cycle review dates, evidence of annual approval (often at the annual council meeting), and exportable reports the internal auditor can drop into their working papers.</p>
<h3>Multi-academy trusts (MATs)</h3>
<p>Trusts operate two policy layers — trust-wide statutory policies (often standardised across all schools) and school-level addenda (e.g. site-specific safeguarding arrangements). The DfE's academy trust governance framework sets out the governance expectations across that two-layer structure.</p>
<p>What matters: a register that can show "all schools current on this policy" at a glance, distinct trust-level vs school-level views, and approval workflows that route to the right body (members, trustees, local governing bodies) for each policy type.</p>
<h3>Charities</h3>
<p>The Charity Governance Code recommends annual review of key policies and a fuller governance review every three years. The Charity Commission's essential trustee guidance (CC3) makes governance accountability explicit, and safeguarding duties for trustees applies wherever the charity works with children or adults at risk.</p>
<p>What matters: trustee-friendly approval workflow (trustees may not be in the office daily), evidence-of-review timestamps for the annual return, and the ability to attach policies to specific charitable activities for restricted-fund compliance.</p>
<h3>Federations and group structures</h3>
<p>Some charities, councils, and MATs share back-office services through a federation or strategic partnership. In these cases, a "central" register that spans organisational boundaries can be useful — but only if each organisation retains visible ownership of its own policies. A shared dashboard that obscures ownership undermines individual governance accountability.</p>
<h2>Connecting the Pieces</h2>
<p>Corporate policy management at small-organisation scale is not a procurement project. It is a coordination problem: making sure every policy has a known owner, a known review date, and a known approval status — visible to whoever needs to see it, without phoning round.</p>
<p>Enterprise tools solve the same problem at a scale and price built for organisations that have a compliance function. Small UK councils, MATs, and charities need the same coordination at a scale and price the existing person-who-also-does-policy can sign off without a procurement committee.</p>
<p>If you also need to think about <a href="/blog/policy-and-procedure-management/">policy and procedure management software</a>, the requirements overlap heavily — most small organisations need both, in one tool, without paying for two enterprise subscriptions.</p>
<p>PolicyBoard is designed for exactly this gap: a central policy register, automated email reminders, lightweight approval workflow, multi-site filtering, and inspection-ready exports — at a price point a school business manager, council clerk, or charity CEO can approve without a committee. <a href="/#waitlist">Join the waitlist</a> to be notified when it launches.</p>
<h2>Sources</h2>
<ul>
<li>CQC Regulation 17: Good Governance</li>
<li>DfE: Governance in Maintained Schools</li>
<li>DfE: Academy Trust Governance Guide</li>
<li>Charity Governance Code</li>
<li>Charity Commission: The Essential Trustee (CC3)</li>
<li>Charity Commission: Safeguarding Duties for Trustees</li>
<li>JPAG Practitioners' Guide (Smaller Authorities)</li>
</ul>
<p><em>This guide covers general principles for small UK regulated organisations. It is not legal or procurement advice. Always check the specific requirements of your regulator and seek professional advice where needed.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Policy Lifecycle Management: From Creation to Retirement</title>
      <link>https://policyboard.co.uk/blog/policy-lifecycle-management-guide/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/policy-lifecycle-management-guide/</guid>
      <pubDate>Sun, 26 Apr 2026 00:00:00 GMT</pubDate>
      <description>The six stages of policy lifecycle management for UK schools, GP practices, charities, and councils — from drafting through approval, distribution, review, and retirement.</description>
      <content:encoded><![CDATA[<p>Policies do not stand still. They are created, approved, distributed, reviewed, updated, and eventually retired. Each stage has its own requirements, its own risks, and its own opportunities for things to go wrong.</p>
<p>Most organisations handle the first two stages (creation and approval) and then lose control. The policy sits in a shared drive, unreviewed, until someone asks about it during an inspection. That is not lifecycle management — it is storage with a prayer.</p>
<p>This guide walks through each stage of the policy lifecycle and explains what UK regulated organisations need at every step.</p>
<h2>The Six Stages of Policy Lifecycle Management</h2>
<h3>Stage 1: Creation</h3>
<p>A new policy is needed because:</p>
<ul>
<li>A regulator requires it (CQC, Ofsted, Charity Commission)</li>
<li>Legislation changes (new DfE guidance, updated KCSIE, UK GDPR amendments)</li>
<li>An incident exposed a gap (a safeguarding concern with no documented procedure)</li>
<li>The organisation starts a new activity (opening a new site, offering new services)</li>
</ul>
<p><strong>Before drafting, check whether the policy already exists.</strong> Duplicate policies with conflicting content are common, especially in MATs and GP practice groups where some policies are set centrally and others locally. Search your shared drives, the policy register, and ask colleagues before creating a new document.</p>
<p><strong>Drafting tips for small organisations:</strong></p>
<ul>
<li>Start with a sector-specific template where available — the DfE governance guides and professional associations publish templates for common school and healthcare policies</li>
<li>Focus on what staff actually need to do, not abstract principles. "If a child discloses abuse, do X, then Y, then Z" is more useful than "the organisation is committed to safeguarding"</li>
<li>Include the scope — who does this policy apply to? Which sites? Which staff groups?</li>
<li>Name the policy owner — who is responsible for maintaining and reviewing this policy going forward?</li>
</ul>
<h3>Stage 2: Approval</h3>
<p>A policy is not live until it is formally approved. The approval process depends on your organisation type:</p>
<table>
<thead>
<tr>
<th>Organisation</th>
<th>Typical Approver</th>
<th>Evidence Required</th>
</tr>
</thead>
<tbody>
<tr>
<td>School (maintained)</td>
<td>Governing body</td>
<td>Recorded in governing body minutes</td>
</tr>
<tr>
<td>School (academy/MAT)</td>
<td>Trust board or local governing body (depends on scheme of delegation)</td>
<td>Recorded in board/LGB minutes</td>
</tr>
<tr>
<td>GP practice</td>
<td>Partners or practice manager</td>
<td>Written sign-off with date</td>
</tr>
<tr>
<td>Charity</td>
<td>Board of trustees</td>
<td>Recorded in trustee meeting minutes</td>
</tr>
<tr>
<td>Parish/town council</td>
<td>Full council</td>
<td>Recorded in council meeting minutes</td>
</tr>
</tbody>
</table>
<p><strong>What the approval record should capture:</strong></p>
<ul>
<li>Which version was approved</li>
<li>Who approved it (by name or body)</li>
<li>The date of approval</li>
<li>Any conditions or caveats ("approved subject to updating the safeguarding lead's contact details")</li>
</ul>
<p>An email saying "looks fine" is not a formal approval. An undated signature on a document footer is better, but a timestamped record in meeting minutes or an approval system is best.</p>
<h3>Stage 3: Distribution</h3>
<p>An approved policy is useless if nobody can find it. Distribution means:</p>
<p><strong>Making it accessible.</strong> Staff need a single, known location where they can find current policies. Not a folder with 200 files — a structured, searchable location organised by category.</p>
<p><strong>Removing old versions.</strong> When a new version is approved, the old version should be archived (not deleted) and removed from general access. If staff can still find the old version in a shared drive, they may follow outdated procedures.</p>
<p><strong>Confirming awareness.</strong> For critical policies (safeguarding, data protection, health and safety), there should be evidence that staff have read them. This might be a sign-off sheet at a staff meeting, a record in the training log, or an attestation in a policy management system. The evidence level should match the risk — a sign-off sheet for safeguarding, verbal confirmation at a team meeting for less critical policies.</p>
<p><strong>Publishing where required.</strong> Schools must publish certain statutory policies on their website. Charities may need to share specific policies with the Charity Commission. Make sure published versions match the current internal versions.</p>
<h3>Stage 4: Implementation</h3>
<p>A policy only works if staff follow it. Implementation bridges the gap between documentation and practice:</p>
<p><strong>Training.</strong> When a new or significantly updated policy is introduced, affected staff need training on what has changed and what they need to do differently. This does not have to be a formal training day — a 15-minute briefing at a staff meeting may be sufficient.</p>
<p><strong>Embedding in processes.</strong> The policy should be reflected in the processes it governs. If the complaints policy says "acknowledge within 3 working days," the complaints workflow should include that deadline. If the safeguarding policy says "contact the designated lead immediately," staff should know who the designated lead is and how to reach them.</p>
<p><strong>Monitoring compliance.</strong> After implementation, check whether the policy is being followed. For clinical policies, this might be a spot audit. For governance policies, it might be checking that approval records match the policy requirements. For safeguarding, it might be a scenario exercise at a training day.</p>
<h3>Stage 5: Review and Update</h3>
<p>Every policy has a <a href="/blog/how-often-should-policies-be-reviewed-uk/">scheduled review date</a>. The review process:</p>
<ol>
<li><strong>Check against current requirements.</strong> Has legislation changed? Has regulatory guidance been updated? Has the organisation changed its operations?</li>
<li><strong>Check against practice.</strong> Is the policy still reflected in how things actually work? If staff have developed workarounds, the policy may need updating to match reality (or the practice needs changing to match the policy).</li>
<li><strong>Consult stakeholders.</strong> For significant changes, consult the people affected — staff, governors, trustees, or service users as appropriate.</li>
<li><strong>Update the document.</strong> Increment the version number, update the date, revise the content. Keep a record of what changed and why.</li>
<li><strong>Re-approve.</strong> Route the updated version through the approval process. Minor editorial changes (typo fixes, formatting) may not need full approval, but substantive changes always do.</li>
<li><strong>Redistribute.</strong> Replace the old version with the new one in all distribution locations. Update the website if the policy is published.</li>
</ol>
<p><strong>Triggered reviews</strong> happen outside the schedule when:</p>
<ul>
<li>Legislation or regulatory guidance changes</li>
<li>An incident or complaint reveals a gap in the policy</li>
<li>The organisation changes its operations, staffing, or premises</li>
<li>An audit or inspection identifies a concern</li>
</ul>
<h3>Stage 6: Retirement</h3>
<p>Policies are retired when they are no longer needed — because the activity they governed has ceased, the regulation they addressed has been repealed, or they have been consolidated with another policy.</p>
<p><strong>Retirement is not deletion.</strong> Archive the final version with a note explaining:</p>
<ul>
<li>When it was retired</li>
<li>Why it was retired</li>
<li>What replaced it (if anything)</li>
</ul>
<p>Regulators, auditors, or legal proceedings may require access to historical policies. An organisation that cannot produce its safeguarding policy from three years ago during a historical investigation has a problem.</p>
<h2>Where Organisations Lose Control</h2>
<p>The lifecycle is not complicated on paper. In practice, control is lost at the transitions:</p>
<p><strong>Creation → Approval:</strong> Policies are drafted but never formally approved. They enter circulation as "working documents" and nobody goes back to get sign-off.</p>
<p><strong>Approval → Distribution:</strong> The policy is approved in a governors' meeting but the document in the shared drive is not updated. Staff continue following the previous version.</p>
<p><strong>Distribution → Review:</strong> The policy is distributed and then forgotten. Nobody tracks the review date, and the policy drifts out of date.</p>
<p><strong>Review → Retirement:</strong> Outdated policies are left in circulation indefinitely because nobody has a process for retiring them. Staff are confused about which policies are current.</p>
<h2>Practical Lifecycle Management for Small Organisations</h2>
<p>You do not need an enterprise platform to manage the policy lifecycle. You need:</p>
<ol>
<li><strong>A <a href="/blog/how-to-build-policy-register/">policy register</a></strong> that tracks every policy through every stage — creation date, approval date, version, owner, review date, status</li>
<li><strong><a href="/tools/policy-review-schedule-generator/">Automated reminders</a></strong> that flag upcoming reviews before they become overdue</li>
<li><strong>Approval records</strong> — minutes, sign-off records, or timestamped approvals in a system</li>
<li><strong>A single source of truth</strong> for current policy documents — one location that staff know about</li>
<li><strong>An archive</strong> for superseded and retired versions</li>
</ol>
<p>PolicyBoard is designed to automate the lifecycle — from review reminders and approval workflows to compliance dashboards and audit trails. Built for UK schools, GP practices, charities, and councils. <a href="/#waitlist">Join the waitlist</a> to be notified when it launches.</p>
<p><em>This article covers general principles of policy lifecycle management. It is not legal advice.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Control of Documentation: A UK Compliance Guide Beyond ISO</title>
      <link>https://policyboard.co.uk/blog/control-of-documentation-uk-guide/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/control-of-documentation-uk-guide/</guid>
      <pubDate>Sun, 19 Apr 2026 00:00:00 GMT</pubDate>
      <description>Document control for UK regulated organisations — what CQC, Ofsted, and the Charity Commission expect, how it differs from ISO quality management, and how to get it right.</description>
      <content:encoded><![CDATA[<p>"Control of documentation" means different things depending on who is asking. In ISO 9001, it refers to a formal quality management system requirement — clause 7.5, documented information. In a manufacturing or engineering context, it means drawing control, change management, and revision tracking.</p>
<p>But if you run a school, GP practice, charity, or council in the UK, document control means something more specific: can you prove to your regulator that your policies, procedures, and records are current, approved, and accessible?</p>
<p>This guide covers document control from the perspective of UK regulated organisations — not ISO certification, not manufacturing quality systems, but the practical governance requirements that CQC, Ofsted, the Charity Commission, and auditors expect to see. For the underlying argument on <a href="/blog/why-document-control-important/">why document control matters in regulated UK organisations</a>, start there and come back.</p>
<h2>Document Control in Regulated UK Organisations</h2>
<p>For most regulated UK organisations, document control applies primarily to:</p>
<ul>
<li><strong>Policies and procedures</strong> — safeguarding, health and safety, data protection, complaints, clinical governance, financial regulations</li>
<li><strong>Registers and records</strong> — risk registers, asset registers, training records, DBS check records, accident logs</li>
<li><strong>Governance documents</strong> — minutes, terms of reference, schemes of delegation, standing orders</li>
<li><strong>Compliance evidence</strong> — audit reports, inspection action plans, incident records, complaints logs</li>
</ul>
<p>The common requirement across all regulators: these documents must be <strong>current, approved, accessible, and traceable</strong>. An outdated policy is not just a paperwork problem — it is evidence that your governance systems are not working.</p>
<h2>What Each Regulator Expects</h2>
<h3>CQC (GP practices, dental practices, health services)</h3>
<p>Regulation 17 requires records that are "accurate, complete and contemporaneous." For document control, this means:</p>
<ul>
<li>Every clinical and governance policy has a named owner and a review date</li>
<li>Previous versions are retained (regulators may need to see what a policy said at a specific point in time)</li>
<li>Changes are traceable — who updated it, when, and why</li>
<li>Staff can locate and follow current procedures</li>
</ul>
<p>CQC inspectors follow threads: they ask a receptionist about a procedure, then check whether the documented policy matches. If the policy is version 2 but the practice is following version 1's procedures, that is a Regulation 17 concern.</p>
<h3>Ofsted (schools, academies, MATs)</h3>
<p>Schools must maintain statutory policies that are current and — for many — published on the school website. Ofsted checks:</p>
<ul>
<li>Statutory policies are in place and have been reviewed within required timeframes</li>
<li>The safeguarding policy reflects the latest Keeping Children Safe in Education guidance</li>
<li>Governing body minutes reference policy approvals</li>
<li>Published website policies match the internal current versions</li>
</ul>
<p>For schools in MATs, document control is more complex. Some policies are trust-level (standardised across all schools), others are school-level. Without clear version control, individual schools may be operating under outdated trust policies.</p>
<h3>Charity Commission</h3>
<p>The Charity Governance Code expects trustees to review governance arrangements regularly. Document control evidence includes:</p>
<ul>
<li>Board minutes showing policy approval decisions</li>
<li>A register of policies with review dates</li>
<li>Version history for key policies</li>
<li>Evidence that policies are distributed to staff and volunteers</li>
</ul>
<h3>Local authority audit</h3>
<p>Parish, town, and district councils are audited annually. Auditors check:</p>
<ul>
<li>Standing orders and financial regulations have been formally adopted at a council meeting</li>
<li>Governance documents are dated and signed</li>
<li>Risk management policies are current</li>
<li>Previous versions are archived (not overwritten)</li>
</ul>
<h2>The Five Elements of Document Control</h2>
<p>Regardless of your regulator, effective document control covers the same five areas:</p>
<h3>1. Identification</h3>
<p>Every controlled document has:</p>
<ul>
<li>A unique title</li>
<li>A version number (v1.0, v2.0, v2.1)</li>
<li>A date</li>
<li>A document owner</li>
</ul>
<p>Without identification, you cannot answer: "Which version is current?" If your safeguarding policy is stored as "Safeguarding Policy FINAL (2).docx" with no date or version number, it is not controlled.</p>
<h3>2. Approval</h3>
<p>Every document goes through a formal approval process before it becomes the current version. The approval record includes:</p>
<ul>
<li>Who approved it (governing body, trustees, practice manager)</li>
<li>When it was approved</li>
<li>Which version was approved</li>
</ul>
<p>Verbal approval is not an audit trail. You need written evidence — ideally timestamped in a system, or at minimum recorded in meeting minutes.</p>
<h3>3. Distribution</h3>
<p>Controlled documents must be accessible to the people who need them. For policies, this means:</p>
<ul>
<li>Staff know where to find current policies</li>
<li>Outdated versions are not accessible (or are clearly marked as superseded)</li>
<li>For critical policies, there is evidence staff have read them (training records, sign-off sheets)</li>
</ul>
<h3>4. Review and Revision</h3>
<p>Every document has a <a href="/blog/how-often-should-policies-be-reviewed-uk/">scheduled review</a> and a process for updating it when circumstances change. The review cycle includes:</p>
<ul>
<li>Checking content against current legislation and guidance</li>
<li>Updating the version number and date</li>
<li>Routing through the approval process</li>
<li>Replacing the previous version in all distribution locations</li>
</ul>
<h3>5. Retention and Archiving</h3>
<p>Previous versions are not deleted — they are archived. Regulators may need to see what a policy said at a specific point in time (for example, during an investigation into a historic safeguarding concern). Archived versions should be clearly labelled and inaccessible to general staff to prevent confusion.</p>
<h2>Common Document Control Failures</h2>
<p><strong>The shared drive problem.</strong> Policies live in a folder structure with no version control. Staff save working copies to their desktop. Three versions exist with different dates. Nobody is sure which is current.</p>
<p><strong>The website lag.</strong> The internal policy is updated but the version published on the school website is not. An inspector or parent reads an outdated version.</p>
<p><strong>The email approval.</strong> A policy is sent for approval via email. The practice manager replies "looks fine." Six months later, nobody can find the email, and there is no formal record of approval.</p>
<p><strong>The single point of failure.</strong> One person maintains the policy register, knows where everything is, and manages the review schedule. When they are on leave or leave the organisation, the system stops.</p>
<p><strong>The annual scramble.</strong> Policies are not reviewed on schedule. Instead, all reviews happen in a two-week panic before an inspection. The resulting reviews are superficial because there is no time to do them properly.</p>
<h2>Building Better Document Control</h2>
<h3>Start with a register</h3>
<p>You cannot control documents you have not catalogued. <a href="/blog/how-to-build-policy-register/">Build a policy register</a> that lists every policy, its owner, version, and review date. Our <a href="/tools/policy-register-template/">free Policy Register Template</a> does this in minutes.</p>
<h3>Set up automated reminders</h3>
<p>Manual tracking fails at scale. Use our <a href="/tools/policy-review-schedule-generator/">Policy Review Schedule Generator</a> to calculate review dates and import them into your calendar. Better still, use a system that sends reminders automatically.</p>
<h3>Separate the document from the tracking</h3>
<p>The policy document itself (a Word file, PDF, or web page) is not the same as the document control record (who approved it, when, which version). Keeping these separate means you can update tracking information without opening every document.</p>
<h3>Standardise naming and versioning</h3>
<p>Adopt a consistent format: "Policy Name v[version] [date]". For example: "Safeguarding Policy v3.0 2026-01-15". Avoid dates in filenames that do not match the actual review date, and never use "FINAL" or "LATEST" — these become meaningless after the second revision.</p>
<h2>Document Control Is Not ISO</h2>
<p>If you searched for "control of documentation" expecting ISO 9001 guidance, you may be wondering why this article has not mentioned clause 7.5. The reason: most small UK regulated organisations do not hold ISO certification and do not need to. The document control requirements from CQC, Ofsted, and the Charity Commission overlap with ISO principles but are specific to the regulatory context.</p>
<p>That said, if your organisation does hold ISO 9001 or is working toward it (some councils and NHS organisations require it), the document control framework described here aligns with clause 7.5 — you would simply add ISO-specific elements like documented information scope and external document control.</p>
<p>For the day-to-day mechanics of running document control — naming, versioning, approval, and review — our <a href="/blog/document-controlling-guide/">practical guide to document controlling</a> walks through the process step by step.</p>
<p>PolicyBoard is designed to automate the document control that UK regulators expect — version tracking, approval workflows, review reminders, and a compliance dashboard. <a href="/#waitlist">Join the waitlist</a> to be notified when it launches.</p>
<h2>Sources</h2>
<ul>
<li>CQC Regulation 17: Good Governance</li>
<li>DfE: Keeping Children Safe in Education</li>
<li>Charity Governance Code</li>
</ul>
<p><em>This article covers document control principles for UK regulated organisations. It is not legal advice.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Policy Document Management Software: UK Buyer&apos;s Guide</title>
      <link>https://policyboard.co.uk/blog/policy-document-management-software-uk/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/policy-document-management-software-uk/</guid>
      <pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate>
      <description>Most policy management software is built for enterprises. Here is what small UK schools, GP practices, charities, and councils actually need — and what they can skip.</description>
      <content:encoded><![CDATA[<p>Search "policy document management software" and you will find 30-tool comparison lists, enterprise platforms with six-figure price tags, and feature matrices that include employee attestation engines, AI policy drafting, and GRC platform integration.</p>
<p>None of that is relevant if you are a school business manager managing 80 statutory policies, a practice manager tracking CQC compliance, or a governance officer at a small charity. Your requirements are different from a multinational corporation — and so is your budget.</p>
<h2>The Enterprise vs. Small Organisation Divide</h2>
<p>Enterprise policy management tools are built for organisations with dedicated compliance teams, hundreds of employees who need to attest to policies, and procurement processes that span months. They can cost thousands of pounds per year and require significant configuration.</p>
<p>Small UK regulated organisations have a different profile:</p>
<ul>
<li><strong>50-500 staff</strong> — the policy owner is also doing their main job (teaching, clinical work, financial management)</li>
<li><strong>No dedicated compliance team</strong> — the school business manager or practice manager handles governance alongside everything else</li>
<li><strong>Budget under £50/month</strong> — the tool needs to cost less than the admin time it saves</li>
<li><strong>No procurement process</strong> — the buyer can expense a modest subscription without board approval</li>
<li><strong>Regulatory-specific requirements</strong> — CQC Regulation 17, Ofsted statutory policies, Charity Commission governance code</li>
</ul>
<p>The gap between what enterprise tools offer and what small organisations need is where time and money get wasted.</p>
<h2>Features You Actually Need</h2>
<h3>1. A Policy Register That Tracks Everything</h3>
<p>The foundation. Every policy in one place with its owner, category, version, review frequency, and status. Not a shared drive folder — a structured register that you can filter, sort, and export.</p>
<p>This replaces the spreadsheet that nobody updates and the shared drive that nobody checks. You should be able to answer "how many policies are overdue?" in under 10 seconds.</p>
<h3>2. Automated Review Reminders</h3>
<p>The single most valuable feature for time-poor organisations. Email reminders sent automatically to policy owners — 90, 60, and 30 days before review deadlines. With escalation if the deadline passes without action.</p>
<p>Without this, you are relying on someone remembering to check a spreadsheet. The <a href="/blog/how-often-should-policies-be-reviewed-uk/">review frequency varies by regulator</a>, and the consequences of missing a deadline range from audit findings to enforcement action.</p>
<h3>3. Simple Approval Workflow</h3>
<p>When a policy is reviewed, the updated version needs formal approval. For schools, that means the governing body. For charities, the trustees. For GP practices, the partners or practice manager.</p>
<p>You need: route the policy to the right approver, record their approval with a timestamp, store the approved version. You do not need: multi-level approval chains, parallel approval tracks, or conditional routing based on content analysis.</p>
<h3>4. Compliance Dashboard</h3>
<p>A visual overview showing the health of your policy portfolio. Traffic-light status: green (current), amber (due within 90 days), red (overdue). Filterable by category, owner, or site.</p>
<p>This is what you show at a governors' meeting or pull up when an inspector asks about your governance. It takes the register data and makes it instantly understandable.</p>
<h3>5. Audit Trail</h3>
<p>Every review, approval, edit, and version change recorded with a timestamp and user name. This is not optional for regulated organisations — CQC, Ofsted, and auditors expect evidence that your governance processes work.</p>
<h3>6. Export for Inspections and Board Reports</h3>
<p>Generate a compliance report showing the status of every policy. PDF for board papers, CSV for further analysis. This should take minutes, not hours of compiling data from multiple sources.</p>
<h2>Features You Can Skip</h2>
<h3>Employee Attestation at Scale</h3>
<p>Enterprise tools track whether every employee has read and acknowledged every policy, with e-signatures, completion dashboards, and non-compliance escalation. If you have 80 staff and a termly staff meeting, this is overkill.</p>
<p>What you actually need: evidence that staff know where to find policies and understand the key ones (safeguarding, data protection, H&#x26;S). A sign-off sheet at a staff meeting meets this requirement. A five-figure attestation module does not add proportionate value.</p>
<h3>AI Policy Drafting</h3>
<p>Several newer tools offer AI-generated policy templates. For most small organisations, this solves a problem that does not exist — you already have your policies. You need help managing them, not writing new ones from scratch. When you do need a new policy, sector-specific templates from bodies like the DfE or professional associations are more reliable than AI-generated content.</p>
<h3>GRC Platform Integration</h3>
<p>Governance, Risk, and Compliance platforms are enterprise tools. If you are a school, charity, or GP practice, you do not have one and do not need one. Integration with a tool you do not use adds cost without benefit.</p>
<h3>Custom Branding and White-Labelling</h3>
<p>Useful if you are a consultancy selling policy management as a service. Irrelevant if you are managing your own policies. The time spent configuring brand colours is time not spent on actual governance.</p>
<h3>Per-User Pricing</h3>
<p>Enterprise tools often charge per user because they assume every employee needs an account (for attestation). For small organisations, this model is punitive — you might need 3-5 admin users but the tool charges for 80 staff accounts. Look for per-organisation pricing instead.</p>
<h2>The Buying Process for Small Organisations</h2>
<p>The buyer at a school, GP practice, or small charity is not going through an RFP process. The practical buying criteria:</p>
<ol>
<li><strong>Can I try it without a sales call?</strong> If "request a demo" is the only option, the tool is probably priced for enterprise.</li>
<li><strong>Is pricing published?</strong> Hidden pricing means the sales team adjusts based on your budget. Published pricing means you know what you are getting.</li>
<li><strong>Can I set it up in a day?</strong> Enterprise tools require weeks of configuration. Small organisations need something that works within hours.</li>
<li><strong>Does it handle my regulatory context?</strong> UK regulatory requirements (CQC, Ofsted, Charity Commission) are specific. A tool designed for US HIPAA compliance will not help you prepare for a CQC inspection.</li>
<li><strong>Can I cancel without penalty?</strong> Monthly subscriptions with no lock-in reduce risk. Annual contracts with early termination fees are a commitment you may not want to make before proving the tool works for you.</li>
</ol>
<h2>Existing Options for Small Organisations</h2>
<p>The current market breaks into three tiers:</p>
<p><strong>Free / manual:</strong> Spreadsheets, shared drives, document footers. No cost, but no automation. Works for under 20 policies with a dedicated person tracking them. Breaks down at 50+ policies or when that person leaves.</p>
<p><strong>Mid-range (£19-80/month):</strong> Purpose-built tools targeting small-to-mid organisations. Some are sector-specific (schools, healthcare), some are cross-sector. This is the sweet spot for most regulated UK organisations.</p>
<p><strong>Enterprise (£5,000+/year):</strong> Full lifecycle management with attestation, AI, GRC integration. Designed for organisations with dedicated compliance teams and large procurement budgets.</p>
<p>The challenge in the mid-range tier is finding tools that understand UK regulatory requirements specifically. Most mid-range tools are US-focused or industry-agnostic.</p>
<h2>How to Evaluate Before You Buy</h2>
<ol>
<li><a href="/blog/how-to-build-policy-register/">Build a policy register</a> — understand your policy portfolio before choosing a tool</li>
<li><a href="/tools/policy-register-template/">Use the free Policy Register Template</a> — get structured data on what you have</li>
<li><a href="/tools/policy-review-schedule-generator/">Calculate your review schedule</a> — understand the workload</li>
<li><a href="/blog/what-to-look-for-policy-management-software/">Review the buyer's guide</a> — criteria-based evaluation checklist</li>
<li><a href="/blog/policy-and-procedure-management/">Consider whether you also need procedure management</a> — most small UK organisations need policy and procedure management together rather than two separate tools</li>
</ol>
<p>PolicyBoard is designed for exactly this gap — mid-range pricing, UK regulatory context, and the features that matter for schools, GP practices, charities, and councils. <a href="/">Join the waitlist</a> to be notified when it launches.</p>
<p><em>This article helps UK organisations evaluate policy management tools. It is not a product comparison or endorsement of specific vendors.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>How to Build a Policy Register: Step-by-Step Guide</title>
      <link>https://policyboard.co.uk/blog/how-to-build-policy-register/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/how-to-build-policy-register/</guid>
      <pubDate>Sun, 05 Apr 2026 00:00:00 GMT</pubDate>
      <description>Build a policy register for your UK school, GP practice, charity, or council — what to include, how to structure it, and a free interactive template.</description>
      <content:encoded><![CDATA[<p>An inspector asks: "How many policies does your organisation have?" If the answer involves opening a shared drive and counting files, you do not have a policy register. You have a collection of documents with no central record of what exists, who owns each one, or when they are due for review.</p>
<p>A policy register fixes that. It is the single source of truth for every policy your organisation holds — and building one takes less time than you might expect.</p>
<h2>What Is a Policy Register?</h2>
<p>A policy register is a structured record of every policy in your organisation. For each policy, it captures:</p>
<ul>
<li><strong>Policy name</strong> — the official title</li>
<li><strong>Category</strong> — safeguarding, health and safety, governance, data protection, HR, clinical, finance, or operational</li>
<li><strong>Owner</strong> — the person responsible for reviewing and maintaining the policy</li>
<li><strong>Approver</strong> — who formally approves the policy (governing body, trustees, practice partners)</li>
<li><strong>Current version</strong> — version number and date</li>
<li><strong>Review frequency</strong> — how often the policy should be reviewed (6 months, 12 months, 24 months, or 3 years)</li>
<li><strong>Last reviewed date</strong> — when the policy was last formally reviewed</li>
<li><strong>Next review date</strong> — calculated from last reviewed + frequency</li>
<li><strong>Status</strong> — current, due soon (within 90 days), or overdue</li>
<li><strong>Location</strong> — where the policy document is stored</li>
</ul>
<p>The register is not the policies themselves — it is the index that tracks them. Think of it as the table of contents for your governance.</p>
<h2>Why You Need One</h2>
<h3>For inspections</h3>
<p>CQC, Ofsted, and internal auditors will ask about your policy governance. A register lets you answer confidently: "We have 85 policies. 78 are current. 5 are due for review this quarter. 2 are overdue and under active review. Here is the full list."</p>
<p>That answer, with evidence behind it, demonstrates well-led governance. "I think we have most of them up to date" does not.</p>
<h3>For handovers</h3>
<p>When a school business manager, practice manager, or governance officer leaves, the policy register ensures their successor knows exactly what exists and what needs attention. Without it, institutional knowledge walks out the door.</p>
<h3>For efficiency</h3>
<p>Checking 100+ policy documents individually to find review dates takes hours. A register puts every deadline in one place. Combined with automated reminders, it removes the manual tracking entirely.</p>
<h2>Step 1: Audit Your Existing Policies</h2>
<p>Before building the register, you need to know what you have. Go through every location where policies might be stored:</p>
<ul>
<li>Shared drives and document management systems</li>
<li>SharePoint libraries</li>
<li>The school/practice website</li>
<li>Email attachments (policies that were approved via email and never filed properly)</li>
<li>Physical filing cabinets</li>
<li>Personal folders belonging to the previous policy owner</li>
</ul>
<p>For each policy you find, record:</p>
<ul>
<li>Name</li>
<li>Date (from the document — look in the footer, header, or metadata)</li>
<li>Location</li>
</ul>
<p>Expect duplicates. You will likely find two or three versions of the same policy in different locations. Note them all — you will deduplicate in the next step.</p>
<h2>Step 2: Deduplicate and Identify the Current Version</h2>
<p>For each policy with multiple versions, identify which is current:</p>
<ul>
<li>The most recently dated version is usually current — but check that it was formally approved</li>
<li>If you find a newer draft that was never approved, the last approved version is still current</li>
<li>Mark superseded versions for archiving (do not delete them — you may need them for audit purposes)</li>
</ul>
<h2>Step 3: Set Up Your Register Structure</h2>
<p>You can build a policy register in a spreadsheet, but an interactive template is faster. Our <a href="/tools/policy-register-template/">free Policy Register Template</a> lets you build the register in your browser and export it as CSV.</p>
<p>If you prefer a spreadsheet, create columns for:</p>
<table>
<thead>
<tr>
<th>Policy Name</th>
<th>Category</th>
<th>Owner</th>
<th>Approved By</th>
<th>Version</th>
<th>Review Freq.</th>
<th>Last Reviewed</th>
<th>Next Review</th>
<th>Status</th>
<th>Location</th>
<th>Notes</th>
</tr>
</thead>
</table>
<p><strong>Category options to use:</strong></p>
<ul>
<li>Safeguarding</li>
<li>Health &#x26; Safety</li>
<li>Data Protection</li>
<li>HR &#x26; Employment</li>
<li>Governance</li>
<li>Clinical / Care (for GP practices)</li>
<li>Finance</li>
<li>Operations</li>
</ul>
<h2>Step 4: Populate the Register</h2>
<p>Work through your audited policy list and add each current policy to the register. For each one:</p>
<ol>
<li><strong>Assign a category</strong> — this lets you filter the register when preparing for a specific inspection or audit</li>
<li><strong>Assign an owner</strong> — the person accountable for reviewing and updating the policy. For schools, this is often the head teacher (safeguarding), school business manager (finance, HR), or SENCO (SEND). For GP practices, it is often the practice manager or a named clinical lead.</li>
<li><strong>Record the approver</strong> — who formally signs off the policy. For schools: governing body. For charities: board of trustees. For GP practices: partners or practice manager.</li>
<li><strong>Set the review frequency</strong> — see our <a href="/blog/how-often-should-policies-be-reviewed-uk/">guide to review frequencies by regulator</a> for specific guidance. As a starting point:
<ul>
<li>Safeguarding: 12 months (some schools review termly)</li>
<li>Health and safety: 12 months</li>
<li>Data protection: 12 months</li>
<li>Clinical policies: 12 months</li>
<li>Governance/strategic: 24-36 months</li>
<li>Operational: 18-24 months</li>
</ul>
</li>
<li><strong>Calculate the next review date</strong> — last reviewed date plus the review frequency. Our <a href="/tools/policy-review-schedule-generator/">Policy Review Schedule Generator</a> does this automatically and exports to your calendar.</li>
<li><strong>Assess the status</strong> — current (next review is more than 90 days away), due soon (within 90 days), or overdue (past the review date)</li>
</ol>
<h2>Step 5: Identify Gaps</h2>
<p>With the register populated, you can now see what is missing. Cross-reference against regulatory requirements:</p>
<ul>
<li><strong>Schools:</strong> Use our <a href="/tools/ofsted-statutory-policies-checklist/">Ofsted Statutory Policies Checklist</a> to identify any missing statutory policies, and cross-check against our <a href="/blog/statutory-policies-for-schools/">guide to statutory policies for schools</a> for the full picture</li>
<li><strong>GP practices:</strong> Check against <a href="/blog/cqc-policy-requirements/">CQC policy requirements</a> and Regulation 17 — safeguarding, IPC, medicines management, information governance, complaints, health and safety</li>
<li><strong>Charities:</strong> Check safeguarding (mandatory if working with children/vulnerable adults), data protection, health and safety, conflicts of interest, reserves</li>
<li><strong>Councils:</strong> Standing orders, financial regulations, risk management, data protection, complaints</li>
</ul>
<p>Any gap is a priority — create the missing policy and add it to the register.</p>
<h2>Step 6: Maintain the Register</h2>
<p>A policy register is only useful if it is maintained. Build these habits:</p>
<p><strong>After every policy review:</strong> Update the version, last reviewed date, and next review date in the register. This should take 30 seconds.</p>
<p><strong>Monthly check:</strong> Scan the register for policies due within 90 days. Chase the policy owner if they have not started the review.</p>
<p><strong>After staff changes:</strong> When a policy owner leaves, reassign their policies immediately. Do not wait until the next review date — by then, nobody will remember who was responsible.</p>
<p><strong>After regulatory changes:</strong> When CQC, Ofsted, DfE, or the Charity Commission publish new guidance, check which policies are affected and bring forward their review dates.</p>
<h2>When to Move Beyond a Spreadsheet</h2>
<p>A spreadsheet register works for small portfolios (under 30 policies) with a single person managing them. You will outgrow it when:</p>
<ul>
<li>You have 50+ policies and reminders are getting missed</li>
<li>Multiple people own policies and coordination is difficult</li>
<li>You need approval workflow (who approved what, when)</li>
<li>Inspection prep requires generating compliance reports</li>
<li>You manage multiple sites with shared policies</li>
</ul>
<p>At that point, a purpose-built policy management system — with automated reminders, approval workflow, compliance dashboard, and audit trail — saves more time than it costs. See our <a href="/blog/what-to-look-for-policy-management-software/">guide to choosing policy management software</a> for what to look for, and our <a href="/blog/policy-tracking-software/">policy tracking software comparison</a> for a breakdown of what compliance teams actually need from a tracking tool. If you run a council, MAT, or charity with multiple sites, our guide on <a href="/blog/corporate-policy-management-software/">what corporate policy management means at small-organisation scale</a> covers the multi-site evaluation in more detail.</p>
<p>PolicyBoard is designed to replace the spreadsheet register with automated tracking for UK schools, GP practices, charities, and councils. <a href="/">Join the waitlist</a> to be notified when it launches.</p>
<p><em>This guide covers general principles of policy register management. It is not legal advice. Always check the specific requirements of your regulator.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Why Document Control Matters in Regulated UK Organisations</title>
      <link>https://policyboard.co.uk/blog/why-document-control-important/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/why-document-control-important/</guid>
      <pubDate>Sun, 29 Mar 2026 00:00:00 GMT</pubDate>
      <description>Document control for schools, GP practices, charities, and councils — what regulators expect, what goes wrong without it, and how to get it right.</description>
      <content:encoded><![CDATA[<p>A CQC inspector asks to see your infection control policy. The practice manager opens the shared drive, finds three files named "IPC Policy," and is not sure which is current. One is dated 2023. One has "DRAFT" in the filename. One has no date at all.</p>
<p>That is a document control failure — and it happens in organisations of every size. The difference between a well-run organisation and one that scrambles before inspections often comes down to whether their documents are controlled or just stored.</p>
<h2>Document Control vs. Document Storage</h2>
<p>Document storage is putting files somewhere people can find them. Document control is knowing which version is current, who approved it, when it was last reviewed, and who has access to it.</p>
<p>The distinction matters because regulators do not ask "do you have policies?" — they ask "are your policies current, approved, and followed?" An organisation with 100 policies in a well-organised shared drive but no version control, no approval records, and no review schedule has document storage. It does not have document control.</p>
<h2>What Regulators Actually Check</h2>
<h3>CQC (GP practices, dental practices)</h3>
<p>Regulation 17 requires records that are "accurate, complete and contemporaneous." In practice, CQC inspectors look for:</p>
<ul>
<li>The current version of key policies (safeguarding, IPC, medicines management)</li>
<li>Evidence that policies have been reviewed and approved — not just that they exist</li>
<li>An audit trail showing when policies were updated and by whom</li>
<li>Staff awareness — can team members find and describe the policies relevant to their role?</li>
</ul>
<p>A policy with no review date, no approval record, or no evidence of staff awareness is a governance concern regardless of how well-written the content is.</p>
<h3>Ofsted (schools)</h3>
<p>Ofsted expects statutory policies to be current and accessible. The governing body must approve them, and certain policies must be published on the school website. Inspectors follow threads — they ask about safeguarding procedures and then check whether the safeguarding policy matches what staff describe.</p>
<p>Schools with poor document control often discover during inspection that their published website policies are outdated versions while the current version sits in a folder only the head teacher can access.</p>
<h3>Charity Commission</h3>
<p>The Charity Governance Code expects trustees to maintain oversight of policies. Outdated or unapproved policies are evidence of weak governance — and in serious cases, the Charity Commission can open a regulatory compliance case.</p>
<h3>Internal and external audit (councils)</h3>
<p>Parish and town councils are subject to annual audit. Auditors check that standing orders, financial regulations, and governance policies are current and have been formally adopted. An outdated financial regulation is an audit finding that appears in the annual report.</p>
<h2>What Goes Wrong Without Document Control</h2>
<p><strong>Version confusion.</strong> Multiple copies of the same policy in different locations, with different dates. Staff follow the wrong version. Inspectors find contradictions between the version on the website and the version in the policy folder.</p>
<p><strong>Missed reviews.</strong> Without a review schedule, policies silently expire. A policy due for annual review in September 2024 is still the "current" version in March 2026. Nobody noticed because nobody was tracking it.</p>
<p><strong>No approval evidence.</strong> The policy was reviewed — someone updated it, saved it, and moved on. But there is no record of who approved the updated version. When an inspector asks, the answer is "I think the governing body discussed it," which is not evidence.</p>
<p><strong>Orphaned policies.</strong> The person who owned a policy leaves the organisation. Nobody inherits it. The policy drifts, unreviewed, for years.</p>
<p><strong>Inconsistency across sites.</strong> MATs, GP practice groups, and multi-site charities often have different versions of the same policy at different locations. Without central document control, consistency is impossible.</p>
<h2>The Five Pillars of Document Control</h2>
<p>Effective document control for a regulated organisation covers five areas:</p>
<h3>1. Version Management</h3>
<p>Every policy has a version number, a date, and a clear indicator of which version is current. Previous versions are archived, not deleted — regulators may need to see what a policy said at a specific point in time.</p>
<h3>2. Approval Records</h3>
<p>Every policy has a formal approval — who approved it, when, and which version. For schools, this means governing body minutes. For GP practices, partner or practice manager sign-off. For charities, trustee approval.</p>
<h3>3. Review Scheduling</h3>
<p>Every policy has a <a href="/blog/how-often-should-policies-be-reviewed-uk/">defined review frequency</a> and a scheduled next review date. Someone is responsible for each policy, and reminders go out before the deadline.</p>
<h3>4. Distribution and Access</h3>
<p>Staff know where to find current policies and can access them when needed. For critical policies like safeguarding and data protection, there is evidence that staff have read and understood them.</p>
<h3>5. Audit Trail</h3>
<p>Every action on a policy — creation, review, approval, distribution — is recorded. This is what you show an inspector, auditor, or governing body to prove your document control works.</p>
<h2>Practical Steps to Improve Document Control</h2>
<h3>For organisations currently using shared drives</h3>
<ol>
<li><strong>Audit your policy folder.</strong> List every policy document, its date, and its owner. Delete or archive duplicates, drafts, and superseded versions.</li>
<li><strong>Create a policy register.</strong> Use our <a href="/tools/policy-register-template/">free Policy Register Template</a> to build a structured register with owners, review dates, and version numbers.</li>
<li><strong>Set review dates.</strong> Use our <a href="/tools/policy-review-schedule-generator/">Policy Review Schedule Generator</a> to calculate review dates and export them to your calendar.</li>
<li><strong>Establish naming conventions.</strong> "Safeguarding Policy v3.0 - Approved 2026-01-15" is findable. "safeguarding policy FINAL (2).docx" is not.</li>
<li><strong>Record approvals separately.</strong> Do not rely on document footers — maintain a register or minutes that record approval dates and approvers.</li>
</ol>
<h3>For organisations ready to move beyond spreadsheets</h3>
<p>A purpose-built policy management system automates version control, reminders, approvals, and audit trails. For an overview of what to look for, see our <a href="/blog/what-to-look-for-policy-management-software/">buyer's guide to policy management software</a>.</p>
<h2>Document Control is Not a Filing Task</h2>
<p>The most common mistake is treating document control as administration — something the office manager does when they have time. In reality, document control is a governance function. It is how you prove to your regulator that your organisation is well-managed, that your policies are current, and that your staff follow documented procedures.</p>
<p>For organisations subject to CQC, Ofsted, Charity Commission, or audit scrutiny, document control is not optional. It is the evidence base for your governance. If you are new to the discipline, our <a href="/blog/document-controlling-guide/">document controlling guide for compliance officers</a> sets out the practical steps.</p>
<p>PolicyBoard is designed to automate the document control functions that matter most for regulated UK organisations — version tracking, automated review reminders, approval workflows, and a compliance dashboard. <a href="/#waitlist">Join the waitlist</a> to be notified when it launches.</p>
<p><em>This article covers general principles of document control for UK regulated organisations. It is not legal advice.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Moving Beyond SharePoint for Policy Management</title>
      <link>https://policyboard.co.uk/blog/policy-management-beyond-sharepoint/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/policy-management-beyond-sharepoint/</guid>
      <pubDate>Sun, 22 Mar 2026 00:00:00 GMT</pubDate>
      <description>SharePoint stores documents but does not manage policies. Here is why small UK regulated organisations are outgrowing it — and what to look for instead.</description>
      <content:encoded><![CDATA[<p>SharePoint is brilliant at storing documents. It handles version history, permissions, metadata, and search. For many organisations, it is the default home for policies — and for a while, that works.</p>
<p>Then someone asks: "Which policies are due for review this quarter?" And the answer is: open every policy document, check the footer, and add the dates to a spreadsheet. That is the moment SharePoint stops being a policy management system and starts being a filing cabinet with better search.</p>
<h2>What SharePoint Does Well</h2>
<p>Credit where it is due — SharePoint handles several parts of policy management effectively:</p>
<ul>
<li><strong>Document storage and version control</strong> — every edit is tracked, previous versions are accessible, and you can see who changed what</li>
<li><strong>Permissions</strong> — granular access controls mean the right people can edit and the right people can only view</li>
<li><strong>Search</strong> — staff can find policies by keyword (assuming they are named sensibly)</li>
<li><strong>Co-authoring</strong> — multiple people can work on a policy draft simultaneously</li>
<li><strong>Familiarity</strong> — most organisations with Microsoft 365 already have SharePoint, so there is no new tool to learn</li>
</ul>
<p>If your only requirement is "store policy documents where staff can find them," SharePoint does the job. The problems start when you need to actively manage the review cycle.</p>
<h2>Where SharePoint Falls Short for Policy Management</h2>
<h3>No Automated Review Reminders</h3>
<p>SharePoint does not know when a policy is due for review. You can add a "Next Review Date" column to a document library, but SharePoint will not email the policy owner 90 days before that date arrives. Someone has to check the library, compare dates, and send reminders manually.</p>
<p>For a school with 80+ statutory policies or a GP practice with 40+ clinical and governance policies, that manual check is a job in itself. And it is the job that gets deprioritised when inspection prep, staffing issues, or daily operations take over.</p>
<h3>No Approval Workflow (Without Significant Setup)</h3>
<p>SharePoint has approval features, but configuring them for policy-specific workflows — route to the governing body for statutory policies, to the practice manager for clinical policies, to the data protection officer for GDPR policies — requires Power Automate flows, custom columns, and ongoing maintenance.</p>
<p>Most small organisations do not have the IT capacity to build and maintain these workflows. The result: policies are reviewed informally, approvals are verbal or via email, and there is no audit trail when an inspector asks "who approved this policy, and when?"</p>
<h3>No Compliance Dashboard</h3>
<p>There is no built-in way to see a traffic-light view of your entire policy portfolio. You cannot open SharePoint and immediately see: 8 policies are current, 3 are due for review within 30 days, and 2 are overdue.</p>
<p>You can build a dashboard using SharePoint lists, calculated columns, and conditional formatting — but it requires technical knowledge, maintenance, and breaks when someone edits the list structure.</p>
<h3>No Sector-Specific Structure</h3>
<p>SharePoint is a general-purpose platform. It does not know that your school needs 25 statutory policies for Ofsted, or that your GP practice needs specific policies for CQC Regulation 17. You have to build that structure yourself — and keep it updated when regulatory requirements change.</p>
<h3>The Microsoft 365 Dependency</h3>
<p>SharePoint requires Microsoft 365 infrastructure. Many small organisations — parish councils, small charities, independent schools — do not use Microsoft 365. They use Google Workspace, or a mix of platforms, or minimal IT infrastructure. For these organisations, SharePoint is not an option at all.</p>
<h2>The Real Cost of SharePoint Policy Management</h2>
<p>The licence cost is not the problem. Most organisations already pay for Microsoft 365. The real cost is time:</p>
<ul>
<li><strong>Setup time</strong> — building document libraries, metadata columns, views, and (if ambitious) Power Automate flows</li>
<li><strong>Maintenance time</strong> — fixing broken views, updating metadata schemas, troubleshooting permission issues</li>
<li><strong>Manual tracking time</strong> — checking review dates, chasing policy owners, compiling reports for governors or inspectors</li>
<li><strong>Training time</strong> — teaching staff where to find policies, how to use metadata, and why they should not save policies to their desktop</li>
</ul>
<p>For a school business manager who spends 2-3 hours per week on policy administration, the question is not "can SharePoint do this?" but "is SharePoint the most efficient way to do this?"</p>
<h2>What to Look for Instead</h2>
<p>A purpose-built policy management tool replaces the manual tracking, ad-hoc workflows, and spreadsheet dashboards with a system designed for the job. The <a href="/blog/what-to-look-for-policy-management-software/">features that matter for small UK organisations</a> are:</p>
<ol>
<li><strong>Policy register</strong> with custom review frequencies per policy — not a document library you have to configure yourself</li>
<li><strong>Automated email reminders</strong> — 90, 60, and 30 days before review, sent to the policy owner without anyone having to check</li>
<li><strong>Approval workflow</strong> — route to the right approver based on policy type, with timestamped records</li>
<li><strong>Compliance dashboard</strong> — traffic-light status across your entire policy portfolio, visible in seconds</li>
<li><strong>Audit trail</strong> — every review, approval, and edit recorded for inspectors and auditors</li>
<li><strong>No infrastructure dependency</strong> — works in a browser, no Microsoft 365 required</li>
</ol>
<p>The key difference: a policy management tool is <strong>active</strong>. It chases people, flags problems, and generates reports. SharePoint is <strong>passive</strong> — it holds documents and waits for someone to check them.</p>
<h2>When SharePoint is Still the Right Choice</h2>
<p>SharePoint remains appropriate if:</p>
<ul>
<li>Your organisation has fewer than 20 policies and a single person manages them</li>
<li>You have IT capacity to build and maintain Power Automate workflows</li>
<li>Your staff are already trained on SharePoint and comfortable using it for policy access</li>
<li>You are not subject to regulatory inspection (no CQC, Ofsted, or audit requirements)</li>
</ul>
<p>For larger policy portfolios, multi-site organisations, or any organisation where an inspector will ask "show me your policy governance" — a dedicated tool will save more time than it costs.</p>
<h2>Next Steps</h2>
<ol>
<li><a href="/blog/how-often-should-policies-be-reviewed-uk/">How often should policies be reviewed?</a> — review frequencies by regulator</li>
<li><a href="/blog/what-to-look-for-policy-management-software/">What to look for in policy management software</a> — evaluation criteria for small UK organisations</li>
<li><a href="/blog/policy-tracking-software/">What compliance teams need from a policy tracking tool</a> — a practical breakdown of tracking requirements</li>
<li><a href="/tools/policy-review-schedule-generator/">Try the Policy Review Schedule Generator</a> — calculate your review dates and export to calendar</li>
</ol>
<p>PolicyBoard is designed for UK schools, GP practices, charities, and councils that have outgrown SharePoint for policy management. Automated reminders, approval workflows, and compliance dashboards — no Microsoft 365 required. <a href="/">Join the waitlist</a> to be notified when it launches.</p>
<p><em>This article discusses general approaches to policy management. It is not an endorsement or criticism of any specific platform.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>CQC Policy Requirements: What Inspectors Actually Check</title>
      <link>https://policyboard.co.uk/blog/cqc-policy-requirements/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/cqc-policy-requirements/</guid>
      <pubDate>Sun, 15 Mar 2026 00:00:00 GMT</pubDate>
      <description>The policies CQC inspectors expect to see at GP practices — mapped to Regulation 17 and the five key questions, with review frequencies and inspection tips.</description>
      <content:encoded><![CDATA[<p>A CQC inspection notification lands. You have two weeks. The first question from the practice manager: "Are our policies up to date?"</p>
<p>If the answer involves opening 40 Word documents to check footer dates, you already have a problem. This guide maps the policies CQC inspectors expect to find at GP practices, explains how they connect to Regulation 17 (Good Governance), and sets out a practical framework for keeping them current.</p>
<p><strong>Scope:</strong> This article focuses on GP practices and primary care. CQC also regulates dentists, pharmacies, hospitals, and care homes — each has sector-specific requirements. Care home policy requirements are not covered here. If you run an education setting rather than a healthcare one, see our guide to <a href="/blog/statutory-policies-for-schools/">statutory policies for schools</a> for the equivalent list.</p>
<h2>How CQC Inspections Work in Primary Care</h2>
<p>CQC assesses GP practices against five key questions:</p>
<ol>
<li><strong>Safe</strong> — Are patients protected from abuse and avoidable harm?</li>
<li><strong>Effective</strong> — Does care achieve good outcomes?</li>
<li><strong>Caring</strong> — Do staff treat patients with compassion?</li>
<li><strong>Responsive</strong> — Are services organised to meet patients' needs?</li>
<li><strong>Well-led</strong> — Does leadership ensure high-quality, sustainable care?</li>
</ol>
<p>Your policies sit under <strong>Well-led</strong> (governance and management) but evidence from those policies feeds into every other question. A safeguarding policy evidences "Safe." A complaints policy evidences "Responsive." An outdated infection control policy undermines "Safe" and "Effective" simultaneously.</p>
<p>Inspectors do not typically ask for a policy index and tick them off a list. Instead, they follow threads. They ask a receptionist: "What happens if a patient discloses abuse?" If the receptionist describes a process that matches the safeguarding policy, and that policy has been reviewed within the last year, and there is evidence staff were trained on it — that is good governance in action. If the policy says one thing and the receptionist describes something different, that is a Regulation 17 concern.</p>
<h2>The Policies CQC Expects to See</h2>
<p>There is no single definitive CQC list of required policies for GP practices. Instead, the expectation flows from the regulations themselves. Based on the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and published CQC inspection guidance, these are the policies inspectors expect to be in place:</p>
<h3>Safeguarding (Regulation 13)</h3>
<ul>
<li><strong>Safeguarding adults policy</strong> — referral pathways, designated safeguarding lead, training requirements</li>
<li><strong>Safeguarding children policy</strong> — aligned with local safeguarding partnership procedures, including FGM and Prevent</li>
<li><strong>Chaperone policy</strong> — when chaperones are offered, how they are trained, and DBS check requirements</li>
<li><strong>Mental Capacity Act and Deprivation of Liberty Safeguards policy</strong> — staff understanding of MCA assessments</li>
</ul>
<p><strong>Review frequency:</strong> At least annually. Review immediately if local safeguarding procedures change or following any safeguarding incident.</p>
<h3>Infection Prevention and Control (Regulation 12)</h3>
<ul>
<li><strong>Infection prevention and control (IPC) policy</strong> — hand hygiene, PPE, sharps disposal, decontamination of equipment</li>
<li><strong>Cleaning schedules</strong> — documented schedules with evidence of completion</li>
</ul>
<p><strong>Review frequency:</strong> At least annually. Review immediately after any infection outbreak or change to IPC guidance.</p>
<h3>Medicines Management (Regulation 12)</h3>
<ul>
<li><strong>Prescribing policy</strong> — including repeat prescribing, high-risk drugs, and controlled drugs</li>
<li><strong>Medicines storage and security policy</strong> — fridge temperature monitoring, controlled drugs registers, access controls</li>
<li><strong>Vaccine management policy</strong> — cold chain management, fridge failure protocols</li>
</ul>
<p><strong>Review frequency:</strong> At least annually. Review if prescribing guidance changes or after medication incidents.</p>
<h3>Staffing and Recruitment (Regulation 19)</h3>
<ul>
<li><strong>Recruitment policy</strong> — pre-employment checks (DBS, references, qualifications, right to work), locum procedures</li>
<li><strong>Induction policy</strong> — what new staff and locums must complete before seeing patients</li>
<li><strong>Training and development policy</strong> — mandatory training requirements, CPD tracking</li>
</ul>
<p><strong>Review frequency:</strong> At least annually. Review if recruitment legislation or DBS requirements change.</p>
<h3>Information Governance (Regulation 17)</h3>
<ul>
<li><strong>Data protection and confidentiality policy</strong> — aligned with UK GDPR and Data Protection Act 2018</li>
<li><strong>Information security policy</strong> — password management, device security, remote access</li>
<li><strong>Subject access request procedure</strong> — how patients access their records</li>
<li><strong>Data breach response plan</strong> — notification procedures, ICO reporting thresholds</li>
</ul>
<p><strong>Review frequency:</strong> At least annually. Review immediately after any data breach or ICO guidance update.</p>
<h3>Complaints and Feedback (Regulation 16)</h3>
<ul>
<li><strong>Complaints policy</strong> — aligned with the NHS complaints procedure, including timescales for acknowledgement and response</li>
<li><strong>Significant event analysis (SEA) policy</strong> — how the practice investigates incidents and near-misses, and what actions follow</li>
<li><strong>Duty of candour policy</strong> — the legal requirement to be open with patients when things go wrong (Regulation 20)</li>
</ul>
<p><strong>Review frequency:</strong> At least annually. Review after significant complaints or changes to NHS complaints framework.</p>
<h3>Health and Safety</h3>
<ul>
<li><strong>Health and safety policy</strong> — risk assessments, fire safety, COSHH, lone working</li>
<li><strong>Business continuity plan</strong> — what happens if systems fail, premises are inaccessible, or key staff are unavailable</li>
<li><strong>Emergency drugs and equipment policy</strong> — what emergency equipment is held, where, and how it is checked</li>
</ul>
<p><strong>Review frequency:</strong> At least annually. Review after incidents, premises changes, or new risk assessments.</p>
<h3>Clinical Governance</h3>
<ul>
<li><strong>Clinical audit policy</strong> — how the practice conducts and acts on clinical audits</li>
<li><strong>Consent policy</strong> — how consent is obtained, documented, and reviewed for different procedures</li>
</ul>
<p><strong>Review frequency:</strong> At least annually.</p>
<h2>What Regulation 17 Specifically Requires</h2>
<p>Regulation 17 does not list individual policies. It requires <strong>systems and processes</strong> that ensure compliance with all other regulations. In practice, this means:</p>
<ol>
<li><strong>Records must be "accurate, complete and contemporaneous"</strong> — your policies are records. An undated or unsigned policy does not meet this standard.</li>
<li><strong>Systems must assess, monitor and improve quality</strong> — you need to show that policy review is part of a systematic governance cycle, not an annual panic.</li>
<li><strong>Risks must be identified and mitigated</strong> — your policies should reflect current risks. If your practice started offering minor surgery last year but the clinical governance policy still only covers standard consultations, that is a gap.</li>
<li><strong>Feedback must be sought and acted on</strong> — policy changes should be traceable to feedback, incidents, or audit findings.</li>
</ol>
<p>Inspectors may ask:</p>
<ul>
<li>"How do you know which policies are due for review?"</li>
<li>"Who is responsible for each policy?"</li>
<li>"How do you ensure staff are aware of policy changes?"</li>
<li>"Can you show me the approval record for this policy?"</li>
</ul>
<p>If your answer to the first question is "we check the spreadsheet" or "the practice manager keeps track," the follow-up will test whether that system actually works.</p>
<h2>Common Findings in GP Practice Inspections</h2>
<p>Based on published CQC inspection reports, these are recurring policy-related issues:</p>
<p><strong>Policies not reviewed within stated timeframes.</strong> The policy footer says "review annually" but the last review date is two years ago. This directly contradicts the practice's own governance standards.</p>
<p><strong>Policies that do not reflect current practice.</strong> The infection control policy references procedures that predate the practice's refurbishment. The safeguarding policy lists a named lead who left 18 months ago.</p>
<p><strong>No evidence of policy approval.</strong> The policy exists but there is no record of who approved it or when. Governing body minutes do not reference policy review.</p>
<p><strong>Staff unaware of policy content.</strong> The policy is comprehensive but staff cannot describe the procedure it sets out. This suggests distribution and training are not working.</p>
<p><strong>No systematic oversight.</strong> There is no schedule, no register, and no way to tell which policies are current and which are overdue. The practice relies on individuals remembering to check.</p>
<h2>A Practical Framework for CQC Readiness</h2>
<h3>Step 1: Build Your Policy Register</h3>
<p>List every policy the practice has. For each one, record:</p>
<ul>
<li>Policy name and category (safeguarding, IPC, governance, etc.)</li>
<li>Current version date</li>
<li>Policy owner (who is responsible for reviewing it)</li>
<li>Review frequency</li>
<li>Next review date</li>
<li>Status (current, due soon, overdue)</li>
</ul>
<h3>Step 2: Map Policies to Regulations</h3>
<p>Cross-reference your policy list against the categories above. Identify gaps — do you have a data breach response plan? A duty of candour policy? A locum induction procedure?</p>
<h3>Step 3: Set Review Reminders</h3>
<p>For each policy, set reminders 90, 60, and 30 days before the review date. Assign the reminder to the policy owner, not a generic practice inbox. Our <a href="/tools/policy-review-schedule-generator/">Policy Review Schedule Generator</a> can calculate your review dates and export them to your calendar. To check your overall coverage against what CQC inspectors expect, try our <a href="/tools/cqc-compliance-policy-checker/">free CQC Compliance Policy Checker</a> — it scores your coverage across all 24 policy categories and maps gaps to the five key questions.</p>
<h3>Step 4: Document Approvals</h3>
<p>Every policy review should produce a dated record: who reviewed it, what changed (if anything), who approved the updated version. Store this centrally — not in the document footer.</p>
<h3>Step 5: Make Policies Accessible</h3>
<p>Staff need to find and read policies quickly. A shared drive with 200 files in one folder is not accessible. Organise by category, label clearly, and ensure every team member knows where to look.</p>
<p>If you are evaluating systems to manage this process, see our <a href="/blog/what-to-look-for-policy-management-software/">guide to policy management software</a> for evaluation criteria.</p>
<h2>Connecting Policies to Your Wider Governance</h2>
<p>Policy management is one part of your governance framework. It connects to:</p>
<ul>
<li><strong>Clinical audit</strong> — audit findings should trigger policy reviews</li>
<li><strong>Significant event analysis</strong> — SEA outcomes should feed into policy updates</li>
<li><strong>Staff training</strong> — policy changes should trigger training updates</li>
<li><strong>Patient feedback</strong> — complaints and survey results should inform policy improvements</li>
</ul>
<p>A well-managed policy register sits at the centre of this system. It is not a filing task — it is how you prove to CQC that your practice is well-led.</p>
<p>For a wider view of how each policy moves through creation, approval, distribution, review, and retirement, see our guide to <a href="/blog/policy-lifecycle-management-guide/">policy lifecycle management</a>.</p>
<p>PolicyBoard is designed to automate the policy register, review reminders, approval workflows, and compliance dashboard that CQC expects to see. <a href="/#waitlist">Join the waitlist</a> to be notified when it launches.</p>
<h2>Sources</h2>
<ul>
<li>CQC Regulation 17: Good Governance</li>
<li>CQC: How We Monitor GP Practices</li>
<li>BMA: How to Prepare for a CQC Inspection</li>
</ul>
<p><em>This article covers CQC policy requirements for GP practices in England. It is not legal or clinical advice. Always refer to the latest CQC guidance and consult your professional advisors.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>Policy Management Software: 2026 UK Buyer&apos;s Guide</title>
      <link>https://policyboard.co.uk/blog/what-to-look-for-policy-management-software/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/what-to-look-for-policy-management-software/</guid>
      <pubDate>Sun, 08 Mar 2026 00:00:00 GMT</pubDate>
      <description>A criteria-based buyer&apos;s guide for UK schools, GP practices, charities, and councils choosing policy management software — features that matter, features that don&apos;t.</description>
      <content:encoded><![CDATA[<p>You have searched "best policy management software" and found listicles ranking 15 enterprise tools you have never heard of, priced at thousands per year. None of them mention Ofsted statutory policies, CQC Regulation 17, or the fact that your entire IT budget might be less than their onboarding fee.</p>
<p>This guide is different. It covers the features that actually matter for small-to-mid UK regulated organisations — schools, GP practices, charities, and councils — and the features that sound impressive but add nothing at your scale.</p>
<h2>The 7 Features That Matter</h2>
<h3>1. Policy Register with Review Dates</h3>
<p>The single most important feature. A central list of every policy, who owns it, when it was last reviewed, and when the next review is due. Without this, everything else is decoration.</p>
<p>What to look for:</p>
<ul>
<li>Custom review frequencies per policy (safeguarding policies need different cycles to expenses policies)</li>
<li>Category grouping by policy type or regulator (CQC, Ofsted, Charity Commission, H&#x26;S, GDPR)</li>
<li>Status indicators — at a glance, which policies are current, due soon, or overdue</li>
<li>Multi-site support if you are a MAT, GP practice group, or charity with branches</li>
</ul>
<p>What to avoid: systems that force a single review frequency across all policies. Your safeguarding policy and your staff uniform policy do not have the same risk profile.</p>
<h3>2. Automated Reminders</h3>
<p>The reason spreadsheets fail. If the system does not actively chase policy owners before review deadlines, you are relying on someone remembering to check a spreadsheet every week. They will not.</p>
<p>What to look for:</p>
<ul>
<li>Email reminders at 90, 60, and 30 days before review date (configurable)</li>
<li>Escalation to a line manager or governance lead if the deadline passes</li>
<li>Reminders sent to the policy owner, not a generic inbox nobody checks</li>
</ul>
<p>Review frequency <a href="/blog/how-often-should-policies-be-reviewed-uk/">varies by regulator</a>, so reminders need to support different cycles for different policies. If you need a starting point, the <a href="/blog/policy-review-template/">policy review template framework</a> covers how to categorise policies by review frequency and set up a rolling calendar. The test: if your practice manager is on leave for two weeks, will overdue policies still get flagged? If the answer is no, the reminder system is not robust enough.</p>
<h3>3. Approval Workflow</h3>
<p>When a policy is reviewed and updated, someone needs to formally approve the new version. For schools, that is the governing body. For charities, the trustees. For GP practices, the partners or practice manager.</p>
<p>What to look for:</p>
<ul>
<li>Configurable approval routes (different policies go to different approvers)</li>
<li>Timestamped approval records — who approved, when, which version</li>
<li>The ability to reject and return for revision with comments</li>
</ul>
<p>Why it matters: <a href="/blog/cqc-policy-requirements/">CQC inspectors</a> and Ofsted will ask who approved a policy and when. "I think the head teacher looked at it" is not an adequate answer. A timestamped audit trail is.</p>
<h3>4. Compliance Dashboard</h3>
<p>A visual overview showing the health of your policy portfolio. This is what you show inspectors, auditors, and governors to demonstrate that governance is under control.</p>
<p>What to look for:</p>
<ul>
<li>Traffic-light status (green / amber / red) across all policies</li>
<li>Filterable by category, owner, site, or regulator</li>
<li>Exportable reports for board meetings, inspections, and audits</li>
</ul>
<p>What separates useful from useless: a dashboard that shows 100% green because it only tracks the 20 policies someone remembered to add is worse than no dashboard at all. The system needs to make it easy to capture your complete policy portfolio.</p>
<h3>5. Audit Trail</h3>
<p>Every action on every policy — creation, edits, approval, review — recorded with a timestamp and user name. This is not about catching people out. It is about proving to your regulator that your governance processes work.</p>
<p>Specific scenarios where the audit trail saves you:</p>
<ul>
<li>CQC asks when your infection control policy was last reviewed and who approved it</li>
<li>Ofsted queries when your safeguarding policy was updated after the latest KCSIE guidance</li>
<li>Your internal auditor needs evidence that financial policies were reviewed before year-end</li>
<li>A trustee disputes whether they approved a particular policy</li>
</ul>
<h3>6. Version Control</h3>
<p>When you update a policy, the previous version should be preserved — not overwritten. Regulators sometimes need to see what a policy said at a specific point in time, particularly during investigations.</p>
<p>What to look for:</p>
<ul>
<li>Automatic versioning on every save or approval</li>
<li>The ability to view and compare previous versions</li>
<li>Clear labelling of the current active version vs. archived versions</li>
</ul>
<h3>7. Export and Reporting</h3>
<p>You need to get data out of the system — for board reports, inspection prep, and audit evidence.</p>
<p>What to look for:</p>
<ul>
<li>PDF or spreadsheet export of policy status, review history, and compliance reports</li>
<li>Formatted reports suitable for presenting to governors, trustees, or auditors</li>
<li>The ability to generate an evidence pack for a specific inspection or audit</li>
</ul>
<h2>Features That Sound Good but Don't Matter at Your Scale</h2>
<p><strong>AI policy drafting.</strong> Several enterprise tools now offer AI-generated policy templates. For a 200-person school or a GP practice, this adds cost without adding value. You already have your policies — you need help managing them, not writing new ones from scratch.</p>
<p><strong>Employee attestation with e-signatures.</strong> Enterprise compliance tools track whether every employee has read and signed every policy. If you have 50 staff and a termly staff meeting where you cover key policies, a six-figure attestation module is overkill.</p>
<p><strong>Integration with GRC (Governance, Risk, and Compliance) platforms.</strong> If you are a school, charity, or GP practice, you do not have a GRC platform. Integrations with tools you do not use add complexity without benefit.</p>
<p><strong>Custom branding and white-labelling.</strong> Useful for consultancies selling policy management as a service. Irrelevant for an organisation managing its own policies.</p>
<h2>The Pricing Reality for Small Organisations</h2>
<p>Enterprise policy management tools can cost thousands of pounds per year. That pricing model assumes a large procurement team, a lengthy sales cycle, and an organisation with hundreds or thousands of employees.</p>
<p>For a school, GP practice, small charity, or parish council, the maths does not work. You need a tool that:</p>
<ul>
<li>Costs less per month than a few hours of admin time saved</li>
<li>Does not require a procurement process or board approval for the budget</li>
<li>Can be set up in hours, not months</li>
<li>Charges by organisation, not per-user (otherwise multi-site costs spiral)</li>
</ul>
<p>The buyer at these organisations is not a CTO or a VP of Compliance. It is a school business manager, a practice manager, or a governance officer who can expense a modest monthly subscription without a purchase order. The tool needs to match that buying process.</p>
<h2>A Practical Evaluation Checklist</h2>
<p>Before committing to any policy management tool, run through these questions:</p>
<ol>
<li><strong>Can I import my existing policy list?</strong> If the first step is manually re-entering 100+ policies, the migration cost may outweigh the benefit.</li>
<li><strong>Does it send reminders automatically?</strong> Not "can it" — does it, by default, without configuration?</li>
<li><strong>Can I see a dashboard within 10 minutes of setup?</strong> If the tool requires a week of configuration before it is useful, that is a week you will not have during inspection prep.</li>
<li><strong>Does it handle different review frequencies?</strong> Your safeguarding policy and your social media policy are not on the same cycle.</li>
<li><strong>Can I export an inspection-ready report?</strong> If you cannot pull a compliance summary for CQC, Ofsted, or your auditor in under five minutes, the tool is not solving your actual problem.</li>
<li><strong>What happens if I cancel?</strong> Can you export your data, or are your policies locked inside a proprietary platform?</li>
<li><strong>Is pricing transparent?</strong> If the website says "contact sales," the price is probably designed for organisations 10 times your size.</li>
</ol>
<h2>How PolicyBoard Fits</h2>
<p>PolicyBoard is designed specifically for small-to-mid UK regulated organisations. Policy register with custom review cycles, automated email reminders, approval workflow, compliance dashboard, audit trail, and inspection-ready exports — at a price point a school business manager can approve without a committee.</p>
<p>If you are buying for a council, MAT, or charity with multiple sites, see our specific guidance on <a href="/blog/corporate-policy-management-software/">corporate policy management software</a> — the same evaluation criteria, applied at small-organisation scale rather than enterprise.</p>
<p>If you also need to manage the policy <em>documents themselves</em> — versions, attachments, file storage — read our companion guide on <a href="/blog/policy-document-management-software-uk/">what small UK organisations actually need</a> from a policy document management system. And if your organisation tracks procedures alongside policies, our guide on <a href="/blog/policy-and-procedure-management/">policy and procedure management software</a> covers what to look for when one tool needs to handle both.</p>
<p><a href="/">Join the waitlist</a> to be notified when PolicyBoard launches.</p>
<h2>Sources</h2>
<ul>
<li>CQC Regulation 17: Good Governance</li>
<li>DfE: Keeping Children Safe in Education</li>
<li>Charity Governance Code</li>
</ul>
<p><em>This guide helps UK organisations evaluate policy management tools. It is not a product comparison or endorsement of specific vendors.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>What Is Policy Management? A Plain-English Guide</title>
      <link>https://policyboard.co.uk/blog/what-is-policy-management/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/what-is-policy-management/</guid>
      <pubDate>Sun, 01 Mar 2026 00:00:00 GMT</pubDate>
      <description>Policy management explained for UK schools, GP practices, charities, and councils — what it covers, why manual tracking fails, and what to look for in a system.</description>
      <content:encoded><![CDATA[<p>You have a safeguarding policy. A data protection policy. A health and safety policy. Possibly 80 more. Someone wrote them, someone approved them, and now they sit in a shared drive folder — or worse, a filing cabinet — with a "next review" date buried in the footer.</p>
<p>That is policy management, done badly. Here is what it looks like done properly.</p>
<h2>Policy Management in 30 Seconds</h2>
<p>Policy management is the process of creating, approving, distributing, reviewing, and retiring the policies your organisation needs to operate legally and effectively.</p>
<p>For UK regulated organisations — schools inspected by Ofsted, GP practices regulated by CQC Regulation 17, charities governed under the Charity Governance Code, and councils subject to audit — policy management is not optional. Your regulator expects you to have current, approved policies that staff can find and follow.</p>
<p>The word "management" is doing the heavy lifting. Having policies is easy. Keeping them current, getting them approved, proving staff have read them, and knowing which ones expire next month — that is the management part, and it is where most organisations struggle.</p>
<h2>What Policy Management Actually Covers</h2>
<p>Policy management has five stages. Most organisations handle the first two and neglect the rest.</p>
<h3>1. Creation</h3>
<p>Someone drafts a new policy — usually because a regulator requires it, legislation changes, or an incident exposed a gap. At this stage, the key question is: does this policy already exist somewhere else in the organisation? Duplicate policies with conflicting content are common, especially in multi-site organisations like MATs (multi-academy trusts) or GP practice groups.</p>
<h3>2. Approval</h3>
<p>The draft needs sign-off from the right people — a governing body, a board of trustees, a practice manager, or a line manager depending on the policy type. The approval workflow matters because your regulator may ask: who approved this, and when?</p>
<p>For schools, the governing body formally approves statutory policies. For charities, trustees are responsible. For GP practices, the practice manager or partners sign off. Without a clear approval trail, an inspector has no evidence the policy was properly authorised.</p>
<h3>3. Distribution</h3>
<p>Approved policies need to reach the people who follow them. A safeguarding policy locked in the head teacher's office is useless. Staff need to know where to find current policies, and for critical policies (safeguarding, data protection, health and safety), they need to confirm they have read and understood them.</p>
<h3>4. Review</h3>
<p>Every policy has a shelf life. Legislation changes, your services change, and what was accurate two years ago may be wrong today. <a href="/blog/how-often-should-policies-be-reviewed-uk/">How often you review depends on your regulator</a> — but annual review is the practical minimum for most policies, with safeguarding and high-risk policies reviewed more frequently.</p>
<p>This is where manual tracking breaks. When review dates are stored in document footers, spreadsheet cells, or someone's memory, things get missed. A policy that was due for review six months ago will not remind you — it just sits there, quietly out of date, until an inspector asks to see it.</p>
<h3>5. Retirement</h3>
<p>Policies that are no longer needed should be formally retired — not just deleted. You may need to demonstrate to an auditor that a previous policy existed and when it was superseded. A clear archive with dates prevents confusion.</p>
<h2>Why Manual Policy Tracking Fails</h2>
<p>Most organisations under 500 staff track policies using one of these methods:</p>
<p><strong>Spreadsheets.</strong> A shared Excel file or Google Sheet with columns for policy name, owner, review date, and status. This works until someone forgets to update the spreadsheet after reviewing a policy, or two people edit conflicting copies, or the spreadsheet grows to 200 rows and nobody checks the review dates anymore.</p>
<p><strong>SharePoint or shared drives.</strong> Policies live in a folder structure. Review dates are either in the document footer, in the filename ("Safeguarding Policy v3 May 2024"), or nowhere. Version history exists but nobody checks it. Finding the current version of a specific policy means opening the folder and hoping you pick the right file.</p>
<p><strong>Document footers.</strong> The review date is printed at the bottom of the policy PDF. This means someone has to open every document to check whether it is due for review. For 100+ policies, that is hours of work — so it does not happen.</p>
<p><strong>Filing cabinets.</strong> Still common in small GP practices and parish councils. Policies are printed, signed, and filed. There is no search function, no version control, and no reminders. When an inspector asks for a specific policy, someone rummages through a cabinet.</p>
<p>All of these methods share the same weakness: <strong>they are passive.</strong> None of them tell you when something needs attention. The burden falls on a person — usually a school business manager, practice manager, or governance officer — to remember to check, chase, and follow up. That person is also doing their actual job.</p>
<h2>What a Policy Management System Does</h2>
<p>A purpose-built policy management system replaces the spreadsheet with something that actively manages the review cycle. The core features:</p>
<ul>
<li><strong>Policy register</strong> — a central list of every policy, its owner, category, review frequency, and current status (try our <a href="/tools/policy-register-template/">free Policy Register Template</a> to get started)</li>
<li><strong>Automated reminders</strong> — email notifications 90, 60, and 30 days before a policy review is due</li>
<li><strong>Approval workflow</strong> — route policies to the right approver (governing body, trustees, management team) and record their sign-off with a timestamp</li>
<li><strong>Compliance dashboard</strong> — a traffic-light view showing which policies are current (green), due for review soon (amber), or overdue (red)</li>
<li><strong>Audit trail</strong> — a complete history of who reviewed, approved, and updated each policy, and when</li>
<li><strong>Version control</strong> — previous versions are preserved and accessible, not overwritten</li>
<li><strong>Export</strong> — generate a compliance report for inspectors, auditors, or governors showing the status of every policy</li>
</ul>
<p>The value is not in storing documents — you can store documents anywhere. The value is in the active tracking: reminders that go out automatically, dashboards that show problems before an inspector finds them, and an audit trail that proves your governance is current.</p>
<h2>When Does Manual Tracking Stop Working?</h2>
<p>There is no magic number, but common tipping points:</p>
<ul>
<li><strong>20+ policies</strong> — too many to track reliably in someone's head</li>
<li><strong>Multiple policy owners</strong> — coordination becomes difficult without a shared system</li>
<li><strong>Multi-site organisations</strong> — MATs, GP practice groups, and charity branches need consistency across sites</li>
<li><strong>Inspection preparation</strong> — pulling together evidence for CQC, Ofsted, or audit becomes time-consuming without a central register</li>
<li><strong>Staff turnover</strong> — when the person who "knew where everything was" leaves, institutional knowledge goes with them</li>
</ul>
<p>If you recognise any of these, your current approach is probably costing you more time than it saves. For organisations that overlap with quality-management or ISO-adjacent obligations (councils, larger charities), our <a href="/blog/control-of-documentation-uk-guide/">document control guide</a> covers the same problem from the documentation-control perspective.</p>
<h2>Next Steps</h2>
<ol>
<li>Read our <a href="/blog/how-often-should-policies-be-reviewed-uk/">guide to policy review frequencies</a> to understand what your regulator expects.</li>
<li>Audit your current policies — how many do you have, and when was each last reviewed? Our step-by-step guide on <a href="/blog/how-to-build-policy-register/">how to build a policy register</a> walks through the columns and categories you need.</li>
<li>Identify your biggest risk — which policies would cause the most damage if found to be out of date during an inspection?</li>
</ol>
<p>PolicyBoard is designed for exactly this problem — automated review reminders, approval workflows, and a compliance dashboard for UK schools, GP practices, councils, and charities. <a href="/#waitlist">Join the waitlist</a> to be notified when it launches.</p>
<p><em>This article is a general guide to policy management for UK organisations. It is not legal advice.</em></p>
]]></content:encoded>
    </item>
    <item>
      <title>How Often Should Policies Be Reviewed? UK Guide</title>
      <link>https://policyboard.co.uk/blog/how-often-should-policies-be-reviewed-uk/</link>
      <guid isPermaLink="true">https://policyboard.co.uk/blog/how-often-should-policies-be-reviewed-uk/</guid>
      <pubDate>Sun, 22 Feb 2026 00:00:00 GMT</pubDate>
      <description>Policy review frequencies for CQC-regulated GP practices, Ofsted-inspected schools, charities, and councils — with regulatory citations and a practical review schedule.</description>
      <content:encoded><![CDATA[<p>Your organisation has 150 policies. Some were last reviewed three years ago. An inspection is due next quarter. Which ones need updating first — and how often should you be reviewing them?</p>
<p>This guide covers the actual review requirements for CQC-regulated GP practices, Ofsted-inspected schools, Charity Commission-registered charities, and local councils, with direct references to the regulations that apply to each. No generic advice — just the rules, the frequencies, and a practical framework for keeping on top of them.</p>
<h2>The Short Answer: It Depends on Your Regulator</h2>
<p>There is no single UK law that says "review all policies every 12 months." The review frequency depends on which regulatory framework your organisation operates under, the type of policy, and how your operating environment changes.</p>
<p>Here is how it breaks down:</p>
<table>
<thead>
<tr>
<th>Regulator / Framework</th>
<th>Key Requirement</th>
<th>Typical Review Cycle</th>
<th>Trigger for Immediate Review</th>
</tr>
</thead>
<tbody>
<tr>
<td>CQC (Regulation 17)</td>
<td>Systems must keep records "up to date"</td>
<td>Annual minimum recommended</td>
<td>Incidents, complaints, regulatory changes</td>
</tr>
<tr>
<td>Ofsted</td>
<td>Statutory policies must be current at inspection</td>
<td>Annual for most; safeguarding reviewed termly by many schools</td>
<td>Changes to DfE guidance, safeguarding concerns</td>
</tr>
<tr>
<td>Charity Commission</td>
<td>Governance Code recommends regular review</td>
<td>Annual for key policies; full governance review every 3 years</td>
<td>Changes in charity activities, new legislation</td>
</tr>
<tr>
<td>HSE</td>
<td>Health &#x26; safety policy must reflect current risks</td>
<td>Annual minimum</td>
<td>Workplace incidents, changes to processes or premises</td>
</tr>
<tr>
<td>ICO</td>
<td>Data protection policies must reflect current processing</td>
<td>Annual recommended</td>
<td>New data processing activities, breaches, regulatory updates</td>
</tr>
</tbody>
</table>
<p>The common thread: annual review is the practical minimum for most policies, but certain categories need more frequent attention, and any significant change to your organisation should trigger an immediate review regardless of schedule.</p>
<h2>CQC-Regulated Organisations: What Regulation 17 Actually Requires</h2>
<p>If you run a GP practice, dental practice, or other CQC-registered service, Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 is the relevant provision.</p>
<p>Regulation 17 does not specify a calendar frequency. Instead, it requires providers to:</p>
<ul>
<li><strong>Assess, monitor and improve</strong> the quality and safety of services through regular audits</li>
<li>Maintain records that are <strong>"complete, legible, indelible, accurate and up to date"</strong></li>
<li><strong>Identify risks</strong> to health, safety, and welfare, and implement proportionate mitigation</li>
<li><strong>Respond to findings without delay</strong> — waiting until an annual review date does not satisfy this requirement</li>
</ul>
<p>In practice, CQC inspectors check whether your policies reflect your current operations. A policy written in 2022 that references pre-pandemic procedures will raise questions. The standard is currency, not a specific interval.</p>
<p><strong>What this means for your review schedule:</strong> Set an annual review cycle as a baseline, but build in triggered reviews whenever your services, staffing, or clinical protocols change. CQC inspectors will look at the date on your policies, but more importantly they will check whether the content matches what they observe during inspection.</p>
<p>For a detailed breakdown of the policies CQC inspectors expect to see, read our <a href="/blog/cqc-policy-requirements/">CQC policy requirements guide</a>.</p>
<p><strong>High-priority policies for GP practices:</strong></p>
<ul>
<li>Safeguarding (adults and children)</li>
<li>Infection prevention and control</li>
<li>Medicines management</li>
<li>Complaints procedure</li>
<li>Information governance and data protection</li>
<li>Health and safety</li>
<li>Staff recruitment and training</li>
</ul>
<p>For a structured assessment of your coverage against the full CQC policy expectation, try our <a href="/tools/cqc-compliance-policy-checker/">free CQC Compliance Policy Checker</a> — it scores you across 24 policy categories and maps gaps to CQC's five key questions.</p>
<h2>Ofsted-Inspected Schools: Statutory Policies and Review Cycles</h2>
<p>Schools face a specific obligation: certain policies are <strong>statutory</strong> — meaning the school must have them by law. Ofsted inspectors confirm these are in place, current, and followed.</p>
<p>The DfE's governance guide for maintained schools and academy trust governance framework set out which policies schools and trusts must publish. Safeguarding is the area where currency is most heavily scrutinised.</p>
<p><strong>Annual review (minimum) — these policies should be reviewed at least once per year:</strong></p>
<ul>
<li>Child protection and safeguarding policy (many schools review termly)</li>
<li>Behaviour policy</li>
<li>SEND (Special Educational Needs and Disabilities) policy</li>
<li>Complaints procedure</li>
<li>Admissions policy (for admission authorities)</li>
<li>Pay policy</li>
</ul>
<p><strong>Review when legislation changes:</strong></p>
<ul>
<li>Relationships, Sex and Health Education (RSHE) policy — check the latest DfE RSHE guidance for current requirements and implementation dates</li>
<li>Data protection policy — review whenever data processing activities change</li>
</ul>
<p><strong>Review when circumstances change:</strong></p>
<ul>
<li>Accessibility plan — when building modifications or new SEND needs arise</li>
<li>Health and safety policy — after incidents or changes to premises</li>
</ul>
<p><strong>Safeguarding deserves special attention.</strong> The DfE's Keeping Children Safe in Education guidance is updated regularly. When a new version is published, your safeguarding policy needs reviewing against the updated requirements — not at the next scheduled annual review, but immediately.</p>
<p>Governing bodies are ultimately responsible for ensuring statutory policies are in place and reviewed. In practice, school business managers often maintain the review schedule, chasing policy owners for sign-off before deadlines. Our <a href="/tools/ofsted-statutory-policies-checklist/">Ofsted Statutory Policies Checklist</a> lists every statutory policy schools need to have in place, and our <a href="/blog/statutory-policies-for-schools/">full guide to statutory policies for schools</a> explains which ones are required, which must be on the website, and how often each must be reviewed.</p>
<h2>Charities: The Governance Code and Trustee Obligations</h2>
<p>For Charity Commission-registered organisations, the Charity Governance Code is the primary best-practice framework. Compliance is voluntary (the code operates on an "apply or explain" basis), but the Charity Commission expects trustees to demonstrate good governance.</p>
<p>The code recommends:</p>
<ul>
<li><strong>Full governance review every three years</strong> — covering board effectiveness, policies, and procedures</li>
<li><strong>Annual review of key policies</strong> by trustees — including safeguarding, conflicts of interest, reserves, and risk management</li>
<li><strong>Continuous monitoring</strong> — policies should be updated whenever the charity starts new activities, changes its operating model, or faces new legal requirements</li>
</ul>
<p>Beyond the code, certain policies are mandatory under general UK law:</p>
<ul>
<li><strong>Safeguarding policy</strong> — required if working with children or vulnerable adults (Charity Commission safeguarding guidance)</li>
<li><strong>Health and safety policy</strong> — written policy required for organisations with 5 or more employees</li>
<li><strong>Data protection policy</strong> — required under UK GDPR if processing personal data</li>
<li><strong>Equality and diversity policy</strong> — Equality Act 2010 obligations apply</li>
</ul>
<p>The Charity Commission's essential trustee guidance (CC3) makes clear that trustees have a duty to ensure their charity is well run. Outdated policies are evidence of poor governance — and in serious cases, the Commission can intervene.</p>
<h2>Local Councils: Audit and Governance Obligations</h2>
<p>Small parish, town, and district councils face governance obligations through the Governance and Accountability for Smaller Authorities framework (published by the Smaller Authorities Proper Practices Panel) and their internal audit requirements.</p>
<p>Key review points:</p>
<ul>
<li><strong>Standing orders and financial regulations</strong> — review annually, typically at the annual council meeting</li>
<li><strong>Risk management policy</strong> — review annually as part of the Annual Governance and Accountability Return (AGAR)</li>
<li><strong>Data protection policy</strong> — review annually</li>
<li><strong>Health and safety policy</strong> — review annually</li>
<li><strong>Code of conduct</strong> — review when local government standards guidance changes</li>
<li><strong>Complaints procedure</strong> — review annually</li>
</ul>
<p>Internal auditors will check that policies are current as part of the annual audit cycle. The external auditor (appointed by Smaller Authorities' Audit Appointments Ltd) expects evidence that the council has reviewed its governance arrangements.</p>
<h2>Building a Practical Review Schedule</h2>
<p>Rather than reviewing all 150 policies in January, spread the workload across the year. Here is a framework — for a ready-to-use structure, see our <a href="/blog/policy-review-template/">practical policy review template</a> which covers the full process from categorisation to sign-off:</p>
<h3>Step 1: Categorise by Review Frequency</h3>
<table>
<thead>
<tr>
<th>Category</th>
<th>Review Frequency</th>
<th>Examples</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Critical / Safeguarding</strong></td>
<td>Every 6 months or when triggered</td>
<td>Safeguarding, child protection, infection control</td>
</tr>
<tr>
<td><strong>Regulatory / Statutory</strong></td>
<td>Annually</td>
<td>H&#x26;S, data protection, SEND, complaints, admissions</td>
</tr>
<tr>
<td><strong>Operational</strong></td>
<td>Every 18-24 months</td>
<td>IT acceptable use, travel, expenses, uniform</td>
</tr>
<tr>
<td><strong>Strategic / Governance</strong></td>
<td>Every 2-3 years</td>
<td>Constitution, scheme of delegation, strategic plan</td>
</tr>
</tbody>
</table>
<h3>Step 2: Stagger Reviews Across the Year</h3>
<p>Assign each policy a review month based on its category and natural timing:</p>
<ul>
<li><strong>September</strong> — safeguarding and child protection (aligns with new school year and DfE guidance updates)</li>
<li><strong>October-November</strong> — operational policies (before winter term)</li>
<li><strong>January</strong> — financial policies (before year-end)</li>
<li><strong>March-April</strong> — data protection (aligns with ICO review cycles)</li>
<li><strong>May-June</strong> — governance policies (before AGM or annual council meeting)</li>
</ul>
<h3>Step 3: Set Up Triggered Reviews</h3>
<p>Calendar-based reviews are not enough on their own. Build in triggers:</p>
<ul>
<li><strong>Incident trigger</strong> — any safeguarding incident, data breach, or workplace accident triggers immediate review of the relevant policy</li>
<li><strong>Legislation trigger</strong> — new or amended legislation triggers review of affected policies within 30 days</li>
<li><strong>Organisational change trigger</strong> — new services, restructuring, or premises changes trigger review of operational policies</li>
<li><strong>Staff change trigger</strong> — new policy owners should review their inherited policies within their first month</li>
</ul>
<h3>Step 4: Track It</h3>
<p>A review schedule only works if someone tracks it. Spreadsheets break down at scale — review dates get missed, version history is unclear, and there is no audit trail showing who approved what.</p>
<p>If you are evaluating tools, our <a href="/blog/what-to-look-for-policy-management-software/">guide to policy management software</a> covers the features that matter for small UK organisations.</p>
<p>A policy register — even a simple spreadsheet — gives you a single view of every policy with its review date, owner, and approval status. This is what inspectors ask for, and building it before an inspection is announced means it is accurate rather than assembled under pressure.</p>
<p>At minimum, your tracking system needs:</p>
<ul>
<li>Each policy's review date and review frequency</li>
<li>The policy owner responsible for the review</li>
<li>A clear approval workflow (who reviews, who approves)</li>
<li>Automated reminders before review dates</li>
<li>An audit trail for inspections (when was it reviewed, by whom, what changed)</li>
</ul>
<h2>What Happens When Policies Expire</h2>
<p>The consequences of an expired policy depend on which regulator finds it:</p>
<p><strong>CQC:</strong> An outdated policy contributes to a finding of inadequate governance under Regulation 17. In serious cases, this can lead to enforcement action, requirement notices, or conditions on registration. CQC inspection reports are public — a governance failure is visible to patients, commissioners, and the public.</p>
<p><strong>Ofsted:</strong> Missing or outdated statutory policies will be noted in the inspection report. For safeguarding policies specifically, an out-of-date policy can contribute to a "safeguarding is not effective" judgement — one of the most serious findings a school can receive.</p>
<p><strong>Charity Commission:</strong> Failure to maintain adequate governance can lead to the Commission opening a regulatory compliance case. In serious cases, trustees can be suspended or removed. The Commission's annual return asks whether the charity has reviewed its governing document — a "no" answer invites scrutiny.</p>
<p><strong>Internal/external audit:</strong> For councils and other audited bodies, an expired policy is a governance weakness that will appear in the audit report. Persistent issues can lead to a qualified audit opinion.</p>
<h2>A Sector-by-Sector Summary</h2>
<table>
<thead>
<tr>
<th>Sector</th>
<th>Minimum Review Cycle</th>
<th>Critical Policies</th>
<th>Biggest Risk</th>
</tr>
</thead>
<tbody>
<tr>
<td>GP practices (CQC)</td>
<td>Annual + triggered</td>
<td>Safeguarding, infection control, medicines</td>
<td>Regulation 17 enforcement action</td>
</tr>
<tr>
<td>Schools (Ofsted)</td>
<td>Annual + triggered</td>
<td>Safeguarding, SEND, behaviour</td>
<td>"Safeguarding not effective" judgement</td>
</tr>
<tr>
<td>Charities</td>
<td>Annual for key policies; 3-year governance review</td>
<td>Safeguarding, reserves, conflicts of interest</td>
<td>Commission regulatory case</td>
</tr>
<tr>
<td>Councils</td>
<td>Annual + audit cycle</td>
<td>Standing orders, financial regulations, risk</td>
<td>Qualified audit opinion</td>
</tr>
<tr>
<td>All sectors</td>
<td>Annual for H&#x26;S and data protection</td>
<td>Health &#x26; safety, data protection</td>
<td>HSE enforcement, ICO fines</td>
</tr>
</tbody>
</table>
<h2>Next Steps</h2>
<ol>
<li><strong>Audit your current policies</strong> — list every policy, its last review date, and its owner. Identify anything overdue. Not sure where to start? Read our guide to <a href="/blog/what-is-policy-management/">what policy management covers</a>.</li>
<li><strong>Map to your regulator's requirements</strong> — use the sector-specific guidance above to set the right frequency for each policy.</li>
<li><strong>Stagger your review calendar</strong> — spread reviews across the year so they are manageable alongside day-to-day work.</li>
<li><strong>Set up reminders</strong> — at minimum, calendar alerts 90, 60, and 30 days before each review date.</li>
<li><strong>Document your reviews</strong> — keep an audit trail showing when each policy was reviewed, by whom, and what changed. This is what inspectors look for.</li>
</ol>
<p>Tracking policy review dates in spreadsheets works for small portfolios, but once you have 50 or more policies across multiple categories, a purpose-built system saves hours and removes the risk of something slipping through. Try our <a href="/tools/policy-review-schedule-generator/">free Policy Review Schedule Generator</a> to calculate your review dates, or explore all our <a href="/tools/">free policy management tools</a>. If your current setup is SharePoint plus a spreadsheet, see <a href="/blog/policy-management-beyond-sharepoint/">why organisations are moving beyond SharePoint</a> for the limitations to watch for. PolicyBoard is designed to automate review reminders, approval workflows, and compliance dashboards for exactly this situation — <a href="/#waitlist">join the waitlist</a> to be notified when it launches.</p>
<h2>Sources</h2>
<ul>
<li>CQC Regulation 17: Good Governance</li>
<li>DfE: Keeping Children Safe in Education</li>
<li>DfE: Governance in Maintained Schools</li>
<li>DfE: Academy Trust Governance</li>
<li>Charity Governance Code</li>
<li>Charity Commission: The Essential Trustee (CC3)</li>
<li>Charity Commission: Safeguarding and Protecting People</li>
<li>Smaller Authorities Proper Practices Panel (JPAG)</li>
</ul>
<p><em>This article covers general guidance for UK regulated organisations. It is not legal advice. Always check the specific requirements of your regulator and seek professional advice where needed.</em></p>
]]></content:encoded>
    </item>
  </channel>
</rss>