NEWSLETTER

Is it a policy, process or procedure?

Steve Macmillan

Policies, processes, and procedures are distinct yet interconnected components of organisational governance. Due to a number of factors, confusion often arises over what constitutes a policy, a process and a procedure.

Policies set the overarching principles and guidelines that shape decision-making and actions within an organisation, as well as providing a framework for consistency and alignment with organisational goals and values.

Processes define the series of steps or actions required to achieve a specific outcome or execute a task.

Procedures, on the other hand, detail the specific methods, tools, and rules to be followed at each step of a process.

The confusion stems from their interdependence and the tendency to overlap in practical application. For example, policies may reference processes and procedures, and vice versa, blurring the lines between them. Moreover, organisations may use the terms interchangeably or fail to clearly articulate the distinctions, leading to misunderstandings among employees and stakeholders.

Clear communication and documentation are crucial to mitigating this confusion. Organisations must define each element distinctly, ensuring that policies remain broad and strategic while processes and procedures remain detailed and operational. By doing so, they can enhance clarity, compliance, and effectiveness in their governance structures.

Here are some tips to ensure your policies are written in a way that avoids including process information and maintains clarity and effectiveness:

Define scope and intent: Start each policy with a clear statement of its scope and intent, essentially what the policy aims to achieve without diving into specific actions or steps.

Think about principles and guidelines: Policies should articulate principles, values, and high-level guidelines rather than specific procedures. A policy should answer the questions of "what" and "why" rather than "how."

No detailed instructions: Don’t include any step-by-step instructions or specific methods in a policy. That type of detail belongs in a procedure.

Language: Use language that is broad and flexible, allowing for interpretation and adaptation to different contexts within the organisation.

Involve stakeholders: Involving stakeholders, such as policy owners, subject matter experts, and affected parties, in the policy development process will ensure that you draft a comprehensive and accurate representation of the intended scope.

Provide training and guidance: Offer training and guidance to employees so they develop a clear understanding of policies versus processes and procedures. Clarify roles and responsibilities in interpreting and implementing policy directives.

The table below illustrates the differences between a backup policy document and a backup process document.

In summary, the backup process document focuses on operational details and technical procedures, while the backup policy document emphasises strategic principles, guidelines, and compliance requirements.

The process document is targeted at IT operations and technical staff, whereas the policy document applies broadly to all employees and stakeholders.

The process document has detailed, step-by-step instructions, whereas the policy document provides high-level statements and guidelines.

Lastly, the process document guides implementation and daily operations, while the policy document sets the framework and standards for backup management across the organisation.
