
How to write (or rewrite) a DOA policy that is readable, enforceable, and aligned with the way work actually happens - including governance, exceptions, and ownership.
If you need a primer on what delegation of authority covers and why it drifts, start with Delegation of Authority (DOA) 101.
Definition: A delegation of authority policy is the governing document that establishes the principles, scope, ownership, and rules by which an organization assigns, manages, and enforces decision rights and approval limits — serving as the constitutional foundation for all downstream authority artifacts including matrices, delegations, and workflow rules.
Most DOA policies fail for a simple reason: they read like they were written for auditors, not operators. A good DOA policy does satisfy audit requirements — but it does it by making day-to-day authority obvious. A 2025 EY/Society for Corporate Governance study found that roughly 90 percent of companies maintain a DOA policy. The problem is rarely "we don't have a policy" — it's that the policy was written once, lives in a shared drive, and doesn't connect to how people actually make decisions.
A policy that works in practice addresses eight areas. These aren't sections you write once — they're commitments to how the organization operates:

| Policy Section | Purpose | Key Content |
|---|---|---|
| Purpose and scope | Establishes what the policy covers and who it applies to | Business units, entities, geographies, decision domains in scope |
| Governance principles | Sets the philosophy: centralized vs. distributed, risk appetite | How authority is structured (by role, function, entity); escalation philosophy |
| Authority matrix reference | Points to the operational rules | Where the matrix lives, how it's maintained, how to interpret it |
| Delegation and sub-delegation rules | Governs how authority is granted and transferred | Who can delegate, limits on sub-delegation, time-bound vs. permanent |
| Exception and escalation process | Provides a path for edge cases | How to request exceptions, who approves, documentation requirements |
| Roles and responsibilities | Assigns ownership at every level | Policy owner, matrix owner, process owners, system owners, individual delegates |
| Review and maintenance cadence | Keeps the policy current | Event-based triggers, quarterly reviews, annual refresh cycle |
| Compliance and consequences | Establishes accountability | What constitutes a violation, investigation process, consequences |

Most DOA policies are written in legal-governance language because that's who drafted them. The people who actually need to use the policy — managers making approval decisions under time pressure — need clarity, not nuance. McKinsey's research found that 72 percent of senior executives believe bad decisions are as common as good ones. Much of this stems from governance frameworks that are technically correct but practically unusable.
The policy should tell people exactly where to find the authority rules and how to read them. If the matrix lives in a spreadsheet on someone's drive, adoption will be low regardless of how well the policy is written.
Every organization has acting roles, interim coverage, and vacation backup scenarios. If the policy is silent on these, people default to informal arrangements — email approvals, verbal agreements, "just this once" shortcuts — that never expire and create audit exposure.
Our recommendation: Define time-bound delegation as a first-class concept in the policy, not an exception to it. Every temporary grant should have an automatic expiry date and a documented handback process. This single change eliminates one of the most common audit findings we see.
"Annual review" is necessary but insufficient. Effective policies define a mixed cadence: event-based updates triggered by role changes, re-orgs, or new entities; monthly or quarterly reconciliation of key authority mismatches; and an annual full policy and threshold review aligned with budget and planning cycles.
West Monroe's 2026 Speed Wins research found that 44 percent of executives cite bureaucratic processes as the top cause of slow decisions. A good cadence balances governance rigor with operational speed — reviewing often enough to catch drift, but not so often that the review itself becomes the bottleneck.
A policy without consequences is guidance. Define upfront what constitutes a violation, how it's investigated, what happens (counseling, escalation, disciplinary action), and who owns the process. This isn't about punishment — it's about making clear that authority governance matters.
Aptly helps connect the policy to reality: centralized authority matrices, tracked delegation issuance, time-bound coverage with automatic expiry, and audit-ready version history. The policy sets the rules; Aptly makes them operational.
Next step: If your policy is in good shape but your change management process isn't, read Authority Change Management Playbook.
Most effective policies are 10–20 pages, plus appendices for the authority matrix and delegation templates. Shorter policies tend to leave too many gaps for interpretation; longer ones become inaccessible. The goal is a document that a manager can read in 30 minutes and use the same day.
Typically the board or a board committee approves the policy framework, while the CFO or General Counsel owns the operational content. Day-to-day matrix updates should not require board approval — that level of governance overhead makes the system unresponsive to organizational changes.
The policy framework itself should be reviewed annually. The operational components (matrix thresholds, delegation rules) should update on a mixed cadence: event-driven for role changes and re-orgs, quarterly for reconciliation, and annually for full recalibration aligned with budget cycles.
The policy establishes governance principles, ownership, scope, and the rules for how authority is managed. The matrix is the operational artifact that maps specific decision types, thresholds, and conditions to approver roles. The policy governs the matrix; the matrix operationalizes the policy.