Company Policy: 8 Essential Policies Every Small Business Needs
What is a company policy and which ones does your small business need? 8 essential policies, how to write them, and how to deliver them.
Company Policy
8 essential policies every small business needs
My first employee dispute was about PTO. An employee took a Friday off, assumed it was paid, and was surprised when their paycheck was short. I assumed unpaid time off was the default since I had never said otherwise. We were both operating on assumptions because I had never written a PTO policy. It was a $200 problem that took three hours to resolve and damaged trust that took months to rebuild.
That was at 6 employees. By 12, I had a similar issue with every topic I had not documented: what counts as a sick day, whether personal devices can access company email, what happens if someone is consistently late. Each time, the answer was "we do not have a policy on that," followed by an awkward improvised decision that felt unfair to someone.
Company policies are not bureaucracy. They are answers to questions your employees will definitely ask, written down before the question creates a conflict. This guide covers what a company policy actually is, the 8 policies every small business needs, how to write them without a legal team, how to make sure employees actually read them, and the delivery-and-signature loop that turns a document into a defensible business practice. That loop (write the policy, deliver it during onboarding, collect an e-signature, store it in the employee's file, make it accessible in a portal) is exactly how FirstHR handles policy management for teams of 5 to 50.
What Is a Company Policy?
A company policy is a written document that defines a rule, standard, or expectation for how employees and the organization operate. It answers the question "what is our position on X?" where X is anything from time off to harassment to social media use.
The practical distinction between a policy you need and one you do not: if two reasonable people could interpret a situation differently and reach different conclusions, you need a policy. "Can I work from home on Fridays?" is a policy question. "Is theft allowed?" is not (that is already covered by law). Policies fill the gaps between common sense and the specific expectations of your company.
For the broader framework of how policies fit within HR operations, the complete HR guide covers the seven core HR functions, and policy management intersects with nearly all of them.
Why Company Policies Matter for Small Businesses
| Reason | Without Policies | With Policies |
|---|---|---|
| Consistency | Each situation handled differently based on founder's mood or memory | Same rules apply to everyone; decisions are predictable and defensible |
| Legal protection | No documentation that standards were communicated | Signed acknowledgments prove the employee was informed of expectations |
| Onboarding clarity | New hires guess the rules through trial and error | New hires read and sign policies on Day 1; expectations are explicit |
| Dispute resolution | Founder makes ad hoc decisions that feel arbitrary | Written policy provides the basis for fair, consistent resolution |
| Compliance | No evidence that federally or state-required standards are met | Documented policies with acknowledgments satisfy audit requirements |
For small businesses specifically, policies matter more per employee because there is no HR department to mediate disputes. When a conflict arises at a 15-person company, the founder resolves it. A written policy gives the founder a defensible basis for the decision ("our PTO policy states that requests require 5 business days notice") instead of an improvised judgment that may seem unfair. Research from the Work Institute shows that 20% of turnover happens within the first 45 days, and unclear expectations during onboarding (including policy gaps) is a consistent driver.
8 Essential Company Policies for Small Businesses
You do not need 40 policies at a 15-person company. You need 8 that cover the situations most likely to create conflict, legal exposure, or confusion. These 8 policies address the gaps where assumptions diverge and disputes emerge.
1. Equal Employment Opportunity (EEO)
States that the company does not discriminate based on race, color, religion, sex, national origin, age, disability, or genetic information. At 15+ employees, Title VII and ADA apply. Many states have lower thresholds. This policy is essential for every employer regardless of size because it establishes the standard and provides documentation if a discrimination claim arises. The compliance hub provides state-specific EEO requirements.
2. Anti-Harassment and Anti-Discrimination
Defines what constitutes harassment (including sexual harassment), how to report it, and how reports are investigated. Several states (California, New York, Illinois, Connecticut, Delaware, Maine) require written harassment policies and mandatory training at specific employee counts. Even without a state mandate, this policy protects the company legally by demonstrating that standards were communicated and a reporting process exists.
3. Attendance and PTO
Covers expected working hours, how PTO is earned and used, how to request time off, and what constitutes an unexcused absence. This is the single most common source of employee disputes at small businesses because expectations vary wildly without documentation. Include your PTO accrual rate, the request process, blackout periods (if any), and what happens to unused PTO at termination (varies by state). The onboarding plan guide covers how to introduce PTO policies during the first week.
4. At-Will Employment
Clarifies that employment is at-will: either party can end the relationship at any time, for any legal reason, with or without notice. This policy is essential in at-will states (49 of 50, Montana being the exception after probationary period) because it prevents implied contract claims. Include it in the offer letter, the employee handbook, and as a standalone signed acknowledgment.
5. Acceptable Use (Technology)
Defines how company devices, email, internet, and software should be used. Covers whether personal use is permitted, whether the company monitors activity, data security expectations, and what happens to access when someone leaves. This policy becomes critical the moment an employee uses a personal device for work or accesses company data from home. The IT offboarding checklist covers the access revocation side.
6. Health and Safety
Outlines workplace safety standards, hazard reporting, emergency procedures, and the company's commitment to OSHA compliance. All employers regardless of size must provide a safe workplace under the OSH Act. For office-based small businesses, this policy covers ergonomics, fire evacuation, first aid kit location, and incident reporting. For businesses with physical operations, it is more detailed and industry-specific.
7. Code of Conduct
Defines expected behavior, ethical standards, and professional conduct. Covers honesty, respect, confidentiality, conflicts of interest, and the consequences of violating the code. This policy sets the cultural baseline: "this is how we behave here." It is broader than specific operational policies and serves as the umbrella under which other policies sit. The team culture guide covers how the code of conduct connects to the broader cultural norms you are building.
8. Social Media
Addresses employee conduct on social media regarding the company, its products, its customers, and its employees. Important nuance: the NLRA protects employees' rights to discuss working conditions on social media, so this policy cannot prohibit all company-related posts. It can set guidelines for representing the company, sharing confidential information, and distinguishing personal opinions from official positions.
Which Policies at Which Company Size
| Headcount | Essential Policies | Add When Ready |
|---|---|---|
| 1-5 employees | At-will statement (in offer letter), anti-harassment (required in some states), basic code of conduct | Wait on formal policies until you reach 5-8 employees unless state law requires earlier |
| 5-15 employees | All 8 essential policies above. California requires harassment prevention at 5+. | Remote work policy if applicable, expense reimbursement, confidentiality/NDA |
| 15-25 employees | All essential + Title VII and ADA now apply. Review EEO policy with an attorney. | Drug and alcohol policy, performance management policy, progressive discipline |
| 25-50 employees | All above + formalized handbook with annual review cycle | Data privacy, AI usage, whistleblower, leave policies beyond PTO (bereavement, jury duty) |
| 50+ employees | FMLA now applies. ACA applies. Full policy manual with legal review. | COBRA administration, mandatory benefit disclosures, workplace violence prevention |
The employee count thresholds are not arbitrary. Federal and state laws activate at specific headcounts: 15 employees triggers Title VII and ADA, 20 triggers COBRA and ADEA, 50 triggers FMLA and ACA. Each threshold adds compliance obligations that your policies must address. The compliance onboarding guide covers the specific requirements at each stage, and the employee vs contractor guide covers the classification decisions that affect which policies apply to which workers.
How to Write a Company Policy
Keep each policy to one page. Two pages maximum. The longer the policy, the less likely employees are to read it. If a topic requires more than two pages, split it into a policy (the rule) and a separate procedure document (the detailed steps). The HR document management guide covers how to organize, version, and store your policies.
Making Sure Employees Actually Read Your Policies
A policy that sits in a Google Drive folder nobody opens does not protect your business. The policy only matters when employees have received it, read it, and signed an acknowledgment confirming they understood it. That acknowledgment is the document you produce when a dispute arises: "The employee was informed of this policy on their start date and signed an acknowledgment. Here is the signed copy."
| Step | What Happens | What It Protects |
|---|---|---|
| 1. Include in onboarding | New hires receive all policies as a required onboarding task on Day 1 or during preboarding | Ensures every employee receives policies from the start, not months later |
| 2. Collect e-signatures | Each employee signs an electronic acknowledgment for every policy | Creates a defensible record that the employee received and read the policy |
| 3. Store in employee file | Signed acknowledgments are stored in the employee's personnel record | Provides retrieval-ready documentation for audits, disputes, or legal proceedings |
| 4. Make accessible via portal | All current policies are available in an employee self-service portal | Employees can reference policies anytime without asking the founder |
| 5. Re-sign on updates | When a policy changes, re-distribute and collect new signatures | Ensures employees are always acknowledged on the current version |
This five-step loop (deliver, sign, store, access, re-sign) is the difference between policies that protect your business and policies that exist on paper but carry no legal weight. Organizations with strong onboarding see 82% better retention (Gallup), and delivering clear policies during onboarding is one of the simplest contributions to that outcome. The onboarding checklist includes policy delivery as a standard Day 1 task. The employee directory guide covers how the same employee profiles that store policy acknowledgments also serve as the company's internal contact system.
Updating Company Policies
Policies are not static documents. Laws change, your company grows, and new situations arise that existing policies do not cover. A structured update process prevents your policies from becoming outdated and legally insufficient.
| When to Update | What Triggers It | What to Do |
|---|---|---|
| Annual review | Calendar reminder (January is common) | Read every policy. Confirm it still reflects current law and practice. Update dates and version numbers. |
| Headcount threshold | Crossing 15, 20, or 50 employees | Review which federal and state laws now apply and update or add policies accordingly. |
| Law change | Federal or state employment law update | Update affected policies within 30 days. Re-distribute and collect new signatures. |
| Incident | A situation arises that no current policy covers | Draft a new policy addressing the gap. Do not retroactively apply it to the incident that prompted it. |
| State expansion | Hiring in a new state | Review that state's employment law requirements and add or modify policies as needed. |
When you update a policy, the update is meaningless until employees acknowledge the new version. Re-distribute the updated policy, collect new e-signatures, and store the new acknowledgments alongside the original versions. Version history matters: you need to know which version each employee signed and when. The employee self-service portal guide covers how to make current policies accessible so employees always reference the latest version.
For the specific compliance requirements that trigger policy updates, SHRM recommends tracking headcount-based legal thresholds as part of routine HR operations. The HR processes guide covers how policy management fits within the broader set of HR processes every small business runs.
Common Company Policy Mistakes
| Mistake | Why It Happens | The Fix |
|---|---|---|
| No written policies at all | Seems unnecessary at 5-10 employees | Write the 8 essential policies when you reach 5-8 employees. One afternoon prevents years of disputes. |
| Copying enterprise policy manuals | Found a 50-page template online and adopted it wholesale | Write policies for your actual company. A 12-person business needs 8 policies, not 40. |
| Policies exist but nobody has signed them | Delivered verbally or shared as 'optional reading' | Collect an e-signature for every policy from every employee. No signature = no legal protection. |
| Policies are inaccessible after onboarding | Shared once during orientation, then never referenced again | Store in a self-service portal where employees can access them anytime. |
| Never updating policies | Set-it-and-forget-it mentality | Review annually. Update when laws change or headcount thresholds are crossed. |
| Overly complex language | Written by or for lawyers, not employees | Write at a 7th-grade reading level. If employees do not understand it, the policy does not work. |
| Inconsistent enforcement | Policy exists but founder ignores it for some employees | Enforce every policy consistently. Selective enforcement creates legal liability and destroys trust. |
The most damaging mistake is inconsistent enforcement. If your attendance policy says unexcused absences result in a written warning, but you only enforce it for some employees, you have created evidence of discriminatory treatment. Every policy you write must be enforced the same way for everyone. If a policy is too strict to enforce consistently, rewrite it to a standard you can actually maintain. The small business HR guide covers how to build the management discipline that makes consistent enforcement sustainable. The performance review guide covers how to address policy violations constructively during formal reviews.
Frequently Asked Questions
What is a company policy?
A company policy is a documented set of guidelines that defines expected behavior, procedures, or standards for employees and the organization. Policies cover topics like attendance, harassment, technology use, PTO, and workplace safety. They establish consistent rules that apply to everyone, protect the company legally, and set clear expectations for employees from Day 1.
What company policies are required by law?
Federal law does not mandate a specific list of written policies for all employers, but several regulations effectively require them. OSHA requires safety policies. EEO laws require non-discrimination policies at 15+ employees. FMLA requires leave policies at 50+ employees. Many states mandate additional policies: California requires harassment prevention policies at 5+ employees, and several states require paid sick leave policies. Check your state requirements through your state labor department.
How many policies does a small business need?
A small business with 5-50 employees needs 7-10 essential policies: equal employment opportunity, anti-harassment, attendance and PTO, at-will employment, acceptable technology use, health and safety, code of conduct, and social media. You can add data privacy, remote work, and expense reimbursement as your business grows. More than 15 policies at a company under 30 employees is usually overkill and reduces the chance that employees actually read them.
What is the difference between a policy and a procedure?
A policy states what the company expects or requires. A procedure explains how to fulfill that expectation. For example, the PTO policy says employees earn 15 days per year. The PTO procedure says to submit a request through the employee portal at least 5 business days in advance. Policies set the rule. Procedures explain the steps to follow the rule. Small businesses often combine both in one document for simplicity.
How do you write a company policy?
Follow five steps: define the purpose (what problem does this policy solve), state the scope (who does it apply to), write the policy statement (the actual rule, in plain language), describe the procedure (how to comply), and define consequences (what happens if violated). Keep it under one page. Use simple language. Have an employment attorney review any policy that involves legal compliance. Share the policy during onboarding and collect a signed acknowledgment.
How do you make sure employees read company policies?
Three practices: deliver policies during onboarding as a required task (not optional reading), collect signed acknowledgments for every policy (electronic signatures count), and make policies accessible in a self-service portal so employees can reference them anytime. The signed acknowledgment is the critical step: it creates documentation that the employee received and read the policy, which protects the company if a dispute arises.
How often should company policies be updated?
Review all policies annually, even if no changes are needed. Update immediately when laws change (state or federal), when your company crosses legal thresholds (15, 20, 50 employees), or when an incident reveals a gap in existing policies. When you update a policy, re-distribute it to all employees and collect new signed acknowledgments. Track version history so you know which version each employee signed.
Do I need a lawyer to write company policies?
You do not need a lawyer to draft every policy, but you should have an employment attorney review policies that involve legal compliance: anti-harassment, anti-discrimination, at-will employment, FMLA leave, and any state-specific requirements. For operational policies like PTO, attendance, technology use, and social media, you can write them yourself using established templates and have them reviewed during your next legal consultation.