Businesses and organizations rely on internal and external policies and procedures to document the way they do certain things. But if not written carefully, they can actually add risk.
Many of these are compliance based. In other words, they set out how in practice the business will deal with various legal obligations. Depending on the nature and size of the business, they could deal with things like privacy, anti-spam, workplace safety, money laundering, and the list goes on.
Having these policies can help reduce legal risk, and help ensure that employees do the right thing.
Sometimes businesses create policies and procedures that impose obligations on themselves more onerous than needed to comply with the law. There are a number of reasons for doing that. Perhaps the business feels a moral obligation to do better on the environment, for example. Or perhaps there is a strong corporate culture around customer service that goes far beyond consumer protection laws.
But perhaps the business does not really understand the laws in the area and the actual obligations they impose.
No matter what the reason, the risk is that by creating a more onerous policy / procedure than necessary, the business can increase its legal obligations. Sort of like writing its own more onerous laws.
That increased obligation may become the standard or promise to which the business is judged by customers, by regulators, and by courts.
That’s fine if it is a conscious decision, but not if it is an unintended consequence of misunderstanding the laws they must comply with.