Using Office 365 for policy and procedure management - pros, cons and gaps

As policies and procedures are growing in number and importance for organisations, many are turning to Office 365 – and in particular SharePoint – as the place to hold these key documents. There are many reasons why you'd want to do this. In this discussion starter we explore why it's a good idea to use Office 365 for storing policies as opposed to storing them on one of the many available policy management cloud services. We also talk about the gaps and introduce our own policy management tool for Office 365, Teams and SharePoint which fills the feature gaps that most organisations are looking for.
To start, let's clarify what we mean by policy and procedure management, or policy management for short. Policy management is all about being able to manage the lifecycle of policy documents in a robust and process-driven way, from the creation of new policies, through to the dissemination of policies, through to policy review (to ensure they are still fit for purpose). If you know anything about SharePoint then you'll recognise straight away that it excels at document management. But by using some of the other tools in Office 365 we can build a fairly capable policy management feature set that will suit many small organisations.
Let's look at what Office 365 and SharePoint can offer:


1) Document storage

This is one of the primary functions of Office 365, especially through SharePoint. By using SharePoint to store your policies you are keeping them in-house and under your control. One of the complaints of traditional cloud policy management tools is that you have to store your documents on their infrastructure. So if you decide to move provider, you have to find ways to migrate your policies or risk losing them. Storing documents in your Microsoft cloud is also more secure with confidentiality guaranteed by Microsoft.
2) Document metadata
Adding metadata such as tags, descriptions, department, owners, contacts, etc. is useful, especially if you have many policies and you want to make it easy for people to find the right one, without necessarily knowing the name of the policy. SharePoint document libraries make it very easy to add controlled metadata alongside each of your policies.
3) Document search
Microsoft Search is what powers document search in SharePoint. It enables you to search document titles and body content. Thanks to its integration with Microsoft Graph it can intelligently suggest results that are most relevant to the person searching. It also respects your document permissions (see next item in the list). Also notable is that you can set up search so that if a user types a certain keyword, say, expenses, then you can surface the expenses policy as the top search result. This is called promoted results.
4) Permissions and access control
SharePoint has powerful permissions and access control built in so you can control who owns a document, who can edit it, who can read it. And through integration with Active Directory groups you are able to control access in a very targeted way.
5) Document version control
SharePoint document libraries have a toggle in settings where you can switch on version control. This means all versions, including small changes that are made to a policy, are saved so you can refer back to them and if necessary roll back. This is useful in a policy management context in case there is ever any litigation and you need to be able to go back to a previous version to see what was in place at the time of an incident.
6) Document creation workflow
The creation of policies often needs to be a controlled process. Ensuring that a policy is written using the correct template and that a policy is checked by the right people before publishing are typical things you'd want to control. Thanks to Power Automate, the workflow tool in Office 365, it's easy to create policy creation workflows.
7) Document review workflow
Similar to the above, you might want to set a review period for a policy so that say, once a year, the policy is reviewed by a group of people to check that it is still fit for purpose or might need updating. Again, Power Automate is the tool to help do this.
8) Easy integration with your intranet
Most organisations who have Microsoft 365 also have their intranet on SharePoint, Viva and Teams. Having policies and procedures available from your intranet is a no-brainer when it comes to raising awareness of them. If they are already housed on SharePoint then doing this is a very easy task to set up.
Where are the gaps?
1) Document dissemination and targeting
Office 365 gives us tools for sharing a document - these are good for controlling who a document goes to but they can be pretty basic in terms of how they alert someone. If you share a document with a group then everyone will get a one-off email alert. That's it. There are no reminders and it's only on email too (no Teams or mobile notifications). It's also quite a manual process, so it's easy to make a mistake. If you had to do this with many documents it would take a long time as there is no way to bulk share documents.
2) Making a policy a mandatory read
There's no 'mandatory read' designation in SharePoint or Office 365. You could put a metadata flag against it which would be visible if a user goes to the document library, but that won't necessarily be tied to the sharing alert that goes out to people. You'd have to paste a message into the share alert informing people that this is a mandatory read. One way around this is to create a view of the library that filters to only show mandatory reads and show this on the intranet homepage so that people are aware of them. Another issue with this approach is that some policies are only mandatory for certain people. The above solution doesn't provide any granularity.
3) Policy acknowledgements
When a company sends out a mandatory read to its staff it wants people to acknowledge that they have read it. It's possible to request this attestation using Microsoft Forms. Essentially you build a simple form which allows people to click a confirm button once they have read a document. You can gather acknowledgements inside a SharePoint list. Once again though, this is pretty basic and the key criticism is that your list tells you who has read it but not who hasn't.
4) Recurring mandatory reads
Most mandatory policies need to be re-read by staff at least once a year. This means the policy owner would need to remember to send out an email asking people to re-read the policy each year. Again, this is open to human error and forgetfulness and is not a very robust way to manage critical policies.
5) Quizzes
Requesting people to read a policy is often not enough. Getting people to prove they have read it means you have to test their knowledge. There is no easy way to create a quiz inside Office 365.
6) Reporting and auditing
A robust policy management regime includes reporting so that policy owners and compliance managers on a micro level can show who has and who hasn't read a mandatory policy, which version they read, when they read it, the quiz score etc. On a macro level they'd want to be able to show policy reads across a department, location or even across the whole company. This is not possible using a home-built policy management system on Office 365.
7) New employee onboarding
When new starters join they typically have to read a lot of policies. Managing this as an ongoing, robust process is not easy. For example, what happens when a new starter joins, reads all the policies and then the following month you send out a whole lot of annual policy re-read emails to the whole company? Does the new starter have to re-read everything they only read last month, just so that they can be on the same re-read cycle as everyone else?
8) Alerts and notifications
A robust policy management tool would send out reminders to people to tell them to view a must-read policy. And then once they've read it, it would cease sending reminders. It would also send alerts on email, Teams, a mobile app perhaps, and ideally let the user choose how they want to be alerted. Similarly if someone had many policies to read you'd want alerts to aggregate policies into one notification so as not to bombard the user with too many alerts or emails.
9) Chasing and escalations
If someone ignores a must-read policy notification repeatedly, you'd want to be able to do something about it. This means you'd want to set a 'read by date' and then an escalation procedure so that say, the line manager and the compliance manager are warned when someone misses the read by date.
10) Integration through Teams
Now that people spend more and more time inside Teams, it's becoming ever more important to serve up information and notifications through Teams. There are many different ways to do this well but you can do it on a simple level by showing your policy library as an app in Teams.
How to fill the gaps?
There are two options to fill all the gaps that I've covered above. One is to build functionality using Microsoft's rich toolset, especially using tools like Power Automate, Power BI and some clever code. This is not an easy task by any stretch of the imagination but you'll have fun along the way and learn a whole lot! Another way is to look at our policy management for SharePoint software that is quick and easy to set up and lets you keep all your policies inside SharePoint and leverage the good stuff like version control, workflows etc. but whilst still delivering the gaps that bring you the sophistication that a robust policy management regime demands.
If you've tackled some of the policy management challenges described above, join the discussion and tell us what you've done and how you've done it.
10 Replies
Nice article and really love the product (based on demos and YouTube), but what was not clear, in any source I looked at, is that the product Xoralia is "stand-alone" running on an Azure Tenant of Content Formula and only uses SharePoint as storage. Next to that, to have AD users and AD user groups, office groups available, you need to have a connection between the customer tenant and Xoralia. This is a nightmare for our security officers, which in our case, was the reason not to proceed with Xoralia, but rather look for a solution that actually resides on our SharePoint tenant.
Has a company actually used a SharePoint add-in to house the company's policies and procedures? If so, how did that turn out? What was the additional cost for the add-in?

@NishaCurran our company of 50,000 staff uses SharePoint to run its Business Management System including policies, procedures, flowcharts, documents, audits etc. etc. It works well although I am looking for a better way to handle processes in flowcharts than using Visio which has done OK for the last 10 years but isn't interactive.


Los Gallardos
Intranet, SharePoint and Power Platform Manager (and classic 1967 Morris Traveller driver)

@NishaCurran I will try to answer your question without getting too sales, as I am conscious this is a community website: yes we have a fair few companies who are using the Xoralia add-in successfully for policy management. On the whole adoption and feedback has been good. The key metric for us is reads versus not reads and this tracks way higher than manual ways (e.g. email) of collecting attestations. You can get pricing on the website.



Thank you for this most excellent resource.  It is a great starting point for myself (a first time SharePoint user building up my knowledge base).  And I perused Xoralia carefully.  It looks amazing!  And I would love to have it.  But I would want the premium functionality and, sadly, there is no reasonably priced package for a small company.  I have less than 20 employees and the price of a 1-100 user license would increase the burn rate to something that just isn't sustainable.  Especially since we are a company working on government healthcare grants (low margins) so time to scale is larger than usual.  Maybe talk to someone? A 1-20 employee package for less than 300 a year would be a win - win.  1) You can capture a demographic you are surely missing as only high margin companies like high tech can handle such a large upfront cost for something that can be technically, albeit painfully, handled with Word and record keeping (what a painful thought), and 2) You can capture the small fish that grow into big fish while getting them hooked (and dependent) on your product (yes, pun intended!).  The cost of migration to other platforms rises as a company grows in size, especially considering opportunity costs of a company experiencing healthy growth.  Hence, ignoring the small fish makes no sense whatsoever to me.  Especially since there is a self-install option for Xoralia.  This means there is almost no real cost to Microsoft whatsoever as all the small fish that disappear will eat up little to no fish food along the way.  Wow...this metaphor is getting a bit long in the shark tooth now.


Lastly, as I always want Microsoft to succeed (I'm a big fan and I can take some heat for it but I don't care)...I do question the name of this add-on. Whatever it translates to isn't memorable. How do you say it? If you can't easily say it, you can't easily spell it. If you can't easily spell it, you can't easily remember it. Just food for thought from a marketing perspective. Still looks like an AMAZING product though and I hope to one day be a big fish that can use it ;)


Regardless, I really appreciate your article!  It has been really helpful, and I will put this information to good use.  Thank you very much.  You are appreciated!

I have similar concerns — did you find a solution?
@AmyStokes - we are in the first phase of a self-developed SharePoint site. We are loading policies and procedures. So far so good.

Hi @NishaCurran can you share some info on how you have built the attestation functionality? And tell us about some of the features your solution includes?

@Hawtrey great article - gave me a good idea of what we need to incorporate in a policy management system - we are a start-up and have lots of policies and no system. My issue with Microsoft is that we have lots of 'bank staff' who work occasionally for us and need to access our policies but they do not need a Microsoft account. Adding them as guests to SharePoint sites has been problematic because they have to go through an authentication process (this has created a barrier - too much support was needed).

If you have any suggestions I'd love to hear them! Thanks

Have you had a look at a tool to help you manage external users? Take a look at This is a great tool for this purpose. That way you have all the benefits of keeping your policies and procedures in SharePoint.