Three elements form the backbone of a robust risk management framework, ensuring organisations can identify, assess and mitigate risks from third parties. These integral elements are policy, procedure and process.
To govern and operate effectively within third-party risk management, you need to be able to differentiate between these three concepts. But what are the differences between policy, procedure and process, and how do they combine to create a cohesive system of transparency and accountability for your overarching third-party management strategy?
Below we provide a breakdown of the three elements:
Policy: A policy is a high-level statement that outlines the organisation’s principles, values, rules, and expectations governing specific areas of operation.
Policies provide guidance on what should be done, why it’s important, and who is responsible. They set the framework for decision-making and behaviour within the organisation. Policies are typically broad in scope and apply across multiple functions or departments. Examples include a code of conduct policy, an information security policy, or a diversity and inclusion policy.
Procedure: Procedures are detailed, step-by-step instructions that outline the specific actions or activities to be taken to achieve a particular task or objective.
Procedures provide a clear and standardised approach to performing recurring tasks or processes within the organisation. They specify the sequence of actions, responsibilities, required resources, and expected outcomes. Procedures are more granular and operational than policies, focusing on the “how” of carrying out tasks. Examples include an employee onboarding procedure, a procurement procedure, or a customer complaint handling procedure.
Process: A process is a series of interrelated activities or steps that are performed to achieve a specific outcome or deliver a particular product or service.
Processes define the flow of work within an organisation, from initiation to completion, and encompass all the tasks, decisions, and resources involved in achieving the desired result. Processes may involve multiple functions or departments working together to achieve a common goal. They provide a holistic view of how work is done and are often depicted visually as flowcharts or diagrams. Examples include a sales process, a product development process, or a risk management process.
In summary, policies establish the overarching principles and rules guiding organisational behaviour, procedures outline the specific steps and actions required to carry out tasks, and processes define the overall flow of work within the organisation. Together, policies, procedures, and processes form the foundation for effective governance, operational efficiency, and compliance within an organisation.