At a recent engagement, I encountered several departments that asked me to help write their departmental policy on a particular subject. When I inquired as to the governance process for changing existing company policy, they looked at me blankly and said no, I didn’t understand – they needed a new policy, just for their department. After a little probing into the governance of their company policy (this enterprise had a single policy covering everything), and some further discussion, we ultimately settled on writing a new procedure and developing accompanying forms and workflows. I ended up helping this department rewrite their documents into the appropriate format, and working with them to better understand the hierarchy.
This got me to reflecting on how many times in my career I’ve heard confusion about policies, standards, procedures, and guidelines. Reasonable people will differ in their definitions, but here’s how I understand them to work best.
Differences and Similarities
Policies: Policies state the operating principles of a company. They provide broad guidance to the enterprise on legal and regulatory requirements, employee conduct, information security, and financial integrity, and many other topics. A company may have a single policy covering all of these areas in broad terms, or they may have separate polices for each one. A well-written company policy will provide employees with the why the company operates as it does.
Company policies are written and approved by the Board of Directors and/or C-level executives. They are mandatory for all employees and contingent staff. While exceptions may be granted, there must be an exception process in place that requires sign-off by executive management.
There is strong governance around company policies, including a policy about how and why a policy is changed. Changing a policy requires sign-off by the same body that wrote and approved the original; that is, the Board of Directors and chief executives.
Standards: These provide the rules and controls that will help enforce the policy. They are what all employees must do to adhere to company policy. Companies will have multiple standards, but – hopefully – there will be only one for a particular topic. For example, the General Accepted Accounting Practices (GAAP) standard must be adhered to by publicly traded companies, according to the Securities and Exchange Commission. It provides tried and true methods for treating various financial processes, such as depreciation, that are accepted by external oversight entities.
Technical standards bodies develop consistent specifications for technology that depends on multiple manufacturers that must work together, such as telecommunications carriers, phone manufacturers, and application developers.
Standards may be company specific, and they apply to everyone in the company. Even though they may be internally developed, they are usually based on industry best practice, such as login and password standards.
Standards often deal with the safety of employees, or the security of the company’s physical and information assets. Following company standards is mandatory. Standards, like policies, must be governed by a central body of experts in the field, or adopted from existing, external standards bodies. That means they are written, changed, and deleted by senior management only after an approval process has been followed. Like a policy, process exemptions and exceptions to a standard require a robust exception process.
Procedures: Procedures are instructions – how things get done. Good procedures are multi-level and move from a broad, cross-functional view of the process down to the detailed steps. They may be isolated to a single department, and changed by that department alone. However, changes should be done only after a thorough analysis of the impact of the change is completed. There may be unintended consequences to an upstream supplier or downstream customer, even if they are not directly involved in the process.
While procedures are not necessarily governed by a central body, review and signoff by at least middle-management is recommended. Procedures are linked to the higher-level policies and standards, so changes shouldn’t be taken lightly.
All of these documents have requirements in common – standards of their own that increase the probability of their being followed consistently and correctly.
Writing in plain, clear language is essential. Use a style guide, such as the Associate Press or Chicago Manual of Style, to guide what it means to be clear. In today’s world, the fact that English is a living language is more accepted, and even grammarians concede that avoiding split infinitives is less important than saying what you mean in the simplest way possible.
The documents discussed above are a hierarchy, with standards supporting policy, and procedures supporting standards and policies. The links between and among them should be explicitly stated and changes to one require the examination and analysis to see if changes are needed in other, related documents.
The entire set of policies, standards, and procedures should be stored in an online repository that can be accessed by all employees. Although there may be confidential information in a small percentage of documents, these need to be referenced and linked to their parent and child documents in an index. That index is not useful if it is not searchable.
Other document types are needed to have a complete set of documented expectations. Operational metrics, general guidance, checklists, and job aids are a few examples of information that people need to produce quality deliverables in their areas. However, these are typically tailored to the circumstance and developed to suite the situation.
So, next time you’re asked to write a “departmental policy”, feel free to advise “There’s no such thing. Let’s talk about what you really need!”
BPMInstitute.org provides training courses online and in person for individuals and groups. View courses related to the material you are reading on this page.BPM 101Decision Management and Business Rules 101OpEx 101Agile Business Analysis 101Methodologies and Approaches for BPMView the Learning Path for more courses »