The comparative schematics below illustrate the ways in which two related governance tools operate to achieve efficient and effective outcomes for organisations governed by a board of directors.
Policies and procedures are usually created to set controls over an organisation’s activities and behaviour. While they are usually two parts of the one process, there are some distinctions which can be drawn between them.
Policies focus on principles which set boundaries (hence ‘guardrails‘) around the approaches that should be taken to strategy implementation and operations. They therefore offer one of the board’s key risk management tools. Policy boundaries may relate to such matters as limits on delegated powers assigned to officers and nominees of the board, investment mandates within which investment managers must ensure the organisation’s assets are held, or to standards of behaviour required of elected officers, staff, and volunteers, among a broad range of matters worthy of policy control.
Notably, the setting of boundaries allows some degree of ‘freedom’, or flexibility, for those expected to adhere to policies, to take action within the defined limits. Where policies incorporate a set of principles, this helps inform judgments about how to respond in various circumstances for which no procedure has been defined.
Procedures on the other hand, define steps in business processes, protocols, and workflows that should be adhered to in order to achieve consistency, meet specified standards, meet scope requirements, and ensure compliance. They therefore offer less flexibility, and so keep people ‘on track’ to perform certain functions in specified ways (hence “guiderails“).
Directors not only have responsibility for developing policies and procedures within their system of controls, but must also monitor activities, using data analysis, reports, and other measures to evaluate the performance and conformance of the organisation. Failing to do so could result in the entity going ‘off the rails‘.