In organisational governance and management, businesses frequently use terms like policies, plans, procedures, processes, programmes, and practices. However, it’s easy to misunderstand their meanings and applications or use them interchangeably.

At ITLawCo, we believe in the importance of clarity. Understanding these distinctions is crucial for ensuring effective organisational management and compliance. This post breaks down each term.

Policies

Policies are formal, high-level statements that reflect the guiding principles or rules for an organisation. These documents influence and determine decisions and actions.

Purpose: To provide a framework for consistent decision-making and actions across the organisation. Policies ensure that the organisation adheres to legal requirements, ethical standards, and strategic objectives.

Example: A company’s data protection policy outlines the principles and rules for handling personal data to comply with privacy laws and regulations.

Plans

Plans are detailed proposals or strategies for achieving specific goals or objectives. They outline the steps and resources required to reach a desired outcome.

Purpose: To provide a roadmap for accomplishing tasks and achieving goals within a set timeframe. Plans help in coordinating activities and allocating resources effectively.

Example: A business continuity plan details the steps an organisation will take to continue operations during and after a disaster or disruption.

Procedures

Procedures are specific, detailed instructions on how to carry out particular tasks or activities. They outline the exact steps that must be followed to complete a task.

Purpose: To ensure consistency, accuracy, and compliance in the execution of tasks. Procedures help in minimising errors and enhancing efficiency.

Example: An incident response procedure provides step-by-step instructions for handling a security incident, including the detection and triage, containment, eradication, and recovery steps, who must be notified (internally, and externally where the law or a contract requires it), and what must be recorded so the incident can be reviewed afterwards.

Processes

Processes are a series of interconnected activities or tasks that convert inputs into outputs. They are broader than procedures and often encompass multiple procedures.

Purpose: To ensure that activities are carried out in a logical and efficient manner to achieve a specific outcome. Processes help in maintaining quality and consistency across the organisation.

Example: The procurement process includes a series of steps such as requisition, approval, vendor selection, purchase order creation, receipt of goods or services, and payment, each of which may be governed by its own procedure.

Programmes

Programmes are ongoing cycles of activities that implement a policy and achieve strategic objectives. They are composed of multiple projects and processes that are coordinated to achieve long-term goals.

Purpose: To ensure the continuous implementation and improvement of policies through structured, sustained efforts. Programmes help in aligning organisational activities with strategic objectives.

Example: The business continuity programme is an ongoing cycle of activities that implements the business continuity policy. These activities are carried out by following the business continuity management lifecycle.

Practices

Practices refer to the habitual or customary ways of performing tasks. They are established methods that are widely accepted within an organisation or industry.

Purpose: To maintain consistency and reliability in task execution. Practices often evolve from a combination of policies, procedures, and processes and represent the standard way of doing things.

Example: Regular code reviews in a software development team to ensure quality and adherence to coding standards.

Relevant standards and frameworks

The standards and frameworks below (ISO standards, together with widely adopted industry frameworks) provide structured requirements and guidelines that help organisations clearly define and implement policies, plans, procedures, processes, programmes, and practices.

  1. ISO 9001: Quality management systems | Guidelines for establishing and documenting processes, procedures, and practices for quality and continuous improvement.
  2. ISO/IEC 27001: Information security management systems | Requirements for establishing, implementing, maintaining, and continually improving an information security management system, including the policies, risk treatment plans, and procedures used to manage information security risks.
  3. ISO 22301: Business continuity management systems | Framework for developing plans and processes to ensure organisational resilience and response to disruptions.
  4. ISO 31000: Risk management | Guidelines for establishing policies and procedures to identify, assess, and manage risks.
  5. ITIL (Information Technology Infrastructure Library) | Best practices and guidelines for IT service management, including processes and procedures for efficient IT service delivery.
  6. CMMI (Capability Maturity Model Integration) | Process level improvement training and appraisal programme to enhance processes and practices across projects and organisations.
  7. COSO framework | Model for internal controls and risk management, guiding the development of policies and procedures to manage risk and achieve objectives.
  8. PRINCE2 (Projects IN Controlled Environments) | Project management methodology providing best practices and processes for effective project management, including planning and managing project processes.

How we help

At ITLawCo, we understand the importance of clearly distinguishing between policies, plans, procedures, processes, programmes, and practices. Each plays a vital role in the effective governance and management of an organisation. By defining and implementing these elements clearly, organisations can ensure consistency, compliance, and efficiency in their operations.

If you need assistance in developing or refining your organisation’s policies, plans, procedures, processes, programmes, or practices, our team at ITLawCo is here to help. Contact us today to learn more about our services and how we can support your business.