Policy vs Procedure in Compliance Programs: What’s the Difference?

THE COMPLIANCE HIERARCHY MODEL

The relationship between policies and procedures follows a clear hierarchy:

Level 1: Policy (Strategic)

  • Establishes an organization’s standards and expectations.
  • Answers the “what” and the “why” of the compliance requirement.
  • Broadly applies throughout the organization.
  • Generally changes infrequently (i.e., annually or upon a change in regulation).
  • Example: “Code of Conduct Policy”.

Level 2: Procedure (Tactical)

  • Explains how the policy will be implemented.
  • Answers the “how” and the “who” of the process/compliance implementation.
  • Specific to departmental, or process-based operations.
  • Will be updated regularly due to evolving workflows.
  • Example: “Procedure for Reporting Code of Conduct Violation”.

Level 3: Execution (Operational)

  • Execution of day-to-day activities based upon procedure.
  • Creates audit trail/documentation.
  • Demonstrates compliance in practice.
  • Example: An employee reports a violation via the designated reporting channel.

DETAILED DEFINITIONS WITH EXAMPLES

What is a Policy?

Policies are written statements that define what an organization wants its employees to do (the “what”) and the standard to which it wants them to do it (the “how”). Policies serve as the foundation for employee decision-making and behavior.

Characteristics of Effective Policies:

  • Broad applicability: Must apply to all departments within an organization, or at least to all employees within an organization.
  • Strategic focus: Policies should address organizational values, standards, and risk management.
  • Relative stability: A policy is revised annually or when regulations change, not as day-to-day workflows shift.

Policy Example: Anti-Corruption Policy

“All employees and third-party representatives are prohibited from giving anything of value to public officials or private individuals in order to receive an unfair competitive advantage for a business opportunity. Employees and third-party representatives who violate this policy may be terminated and prosecuted.”

This policy answers: What is prohibited? (Giving something of value in exchange for an unfair advantage) Why? (Because it could result in termination of employment and/or criminal charges and also because of potential loss of reputation.) Who is responsible? (All employees and third parties).

What is a Procedure?

A procedure is a detailed, step-by-step set of instructions for implementing a policy. Procedures translate policies into actionable processes and create accountability.

Characteristics of Effective Procedures:

  • Specific: Detail exact steps, responsibilities, and timelines.
  • Tactical: Focus on “how to” execute the policy.
  • Flexible: Update regularly as workflows evolve.
  • Measurable: Include checkpoints and verification steps.
  • Documented: Create audit trails and evidence of compliance.

Procedure Example: Anti-Corruption Reporting Procedure

  1. Employee identification – Employee recognizes that there is a possible act of bribery/corrupt activity with another employee.
  2. Employee documentation – Employee documents the suspected bribery/corruption activity (date of the suspected bribery/corruption; names of the employees involved; dollar amount; reasons why this was done).
  3. Employee reporting – Employee sends the documentation to the Compliance officer via the Compliance hotline or compliance email as soon as possible, but no later than 48 hours after the bribery/corruption occurred.
  4. Compliance officer investigation – The Compliance officer conducts an investigation of the alleged bribery/corruption activity within 5 business days of receiving the report.
  5. Compliance officer documentation – Upon conclusion of the investigation, the Compliance officer records the results of the investigation in the compliance database.
  6. Compliance officer escalation – If the Compliance officer’s investigation substantiates the allegations of bribery/corrupt activity, the Compliance officer immediately reports these issues to the General Counsel and to senior management/executive leadership.
  7. Compliance officer resolution – Once all corrective action has been completed, the Compliance officer will document the outcome of the investigation and any disciplinary action against the employees who engaged in bribery/corrupt activity.


This procedure answers: How do we report violations? Who handles the report? What happens next? How is it documented?

COMPARISON TABLE: POLICIES VS PROCEDURES

| Aspect | Policy | Procedure |
| --- | --- | --- |
| Purpose | Sets organizational standards and expectations | Explains how to implement policies |
| Scope | Broad; applies across the organization | Specific; applies to particular processes |
| Focus | Strategic (“what” and “why”) | Tactical (“how” and “who”) |
| Frequency of change | Infrequent (annual or regulatory-driven) | Frequent (as workflows evolve) |
| Audience | All employees and stakeholders | Specific roles or departments |
| Enforcement | Violations have consequences | Compliance creates audit trails |
| Regulatory view | Demonstrates commitment to compliance | Demonstrates effective implementation |


WHY BOTH POLICIES AND PROCEDURES ARE ESSENTIAL

The Regulatory Perspective

Regulatory agencies and auditors evaluate compliance programs using a two-part test:

Part 1: Do policies exist? Regulators ask: “Has the organization established clear rules and standards?” A strong policy demonstrates organizational commitment to compliance.

Part 2: Are procedures in place? Regulators ask: “Has the organization implemented a clear plan to follow those rules?” Procedures demonstrate that policies are not just aspirational—they are operationalized.

The Liability Gap: Organizations with policies but no procedures face significant risk. In DOJ investigations, prosecutors ask: “What steps did you take to ensure employees actually followed your policies?” Without documented procedures, your answer is weak.

The Defensibility Principle

When regulators investigate compliance failures, they evaluate whether your organization had a “reasonable compliance program” [1]. The DOJ’s guidance on compliance program effectiveness specifically looks for:

  • Policies that set clear standards (the “what”).
  • Procedures that implement those standards (the “how”).
  • Training that explains both (the “why”).
  • Monitoring and audit (the “verification”).
  • Enforcement and discipline (the “consequences”).

Organizations that have only policies but no procedures fail this test. Conversely, organizations with procedures but no clear policies lack strategic direction.

COMMON MISTAKES IN POLICY/PROCEDURE DEVELOPMENT

Mistake 1: Confusing Policies and Procedures

The Problem: Organizations write documents that mix strategic guidance with tactical steps, creating confusion about what is a rule and what is a process.

The Fix: Separate strategic statements (policies) from step-by-step instructions (procedures). Use clear titles: “Policy: Anti-Corruption” vs. “Procedure: Reporting Suspected Violations.”

Mistake 2: Policies Without Procedures

The Problem: Organizations establish policies but fail to document how employees should actually comply. Result: inconsistent behavior and weak defensibility.

The Fix: For every policy, create at least one procedure that explains implementation. Map the relationship: Policy → Procedure → Training → Monitoring.

Mistake 3: Procedures Without Policies

The Problem: Organizations document detailed processes but lack a clear policy statement explaining why the process exists. Result: employees follow procedures mechanically without understanding the compliance objective.

The Fix: Begin procedure documentation with a policy reference. Example: “This procedure implements our Anti-Corruption Policy by establishing a clear reporting mechanism.”

Mistake 4: Outdated Procedures

The Problem: Procedures become obsolete as workflows change, but organizations continue referencing them. Result: employees ignore outdated procedures, creating compliance gaps.

The Fix: Establish a procedure review schedule (quarterly or semi-annually). Update procedures when workflows change. Version-control all documents.

Mistake 5: Lack of Enforcement

The Problem: Policies and procedures exist but are not enforced. Employees who violate them face no consequences.

The Fix: Establish clear consequences for policy violations [2]. Document all violations and corrective actions. Ensure leadership demonstrates commitment to enforcement.

IMPLEMENTATION CHECKLIST

Use this checklist to ensure your policies and procedures are defensible:

Policy Development

  • Policy clearly states its name and the reason for its creation.
  • Policy defines what a violation of this policy would be, i.e., what is expected of an employee regarding their behavior.
  • Policy defines the disciplinary measures that will be used if an employee violates the terms of this policy.
  • Policy is approved by Senior Management (i.e., CEO, Board, or Compliance Committee).
  • Policy is created in writing and dated.
  • Policy is communicated to all employees who are impacted by the terms of the policy.
  • Policy is reviewed at least annually [4] and updated as needed.

Procedure Development

  • Procedure has a clearly defined name and refers to the corresponding policy.
  • Procedure provides the step-by-step directions for completing the task.
  • Procedure indicates which party is responsible for the completion of each step and the timeline.
  • Procedure indicates where to record or verify that the step was completed.
  • Procedure generates documentation / audit trail for future reference.
  • Procedure is communicated to the appropriate staff members.
  • Procedure is tested and improved upon, as necessary, through employee feedback.

Integration & Training

  • All employees complete a course of study for both the policy and the procedure.
  • The materials used for training provide information about the “why” behind the policy and the “how” for the procedure.
  • The training includes role specific examples and/or scenarios.
  • Training completion is documented [3].
  • Training is refreshed annually, or whenever a policy or procedure changes.

Monitoring & Audit

  • The organization monitors the adherence to the procedures.
  • Audit Trails indicate whether an employee followed the procedure.
  • Investigations are conducted into alleged violations of the policy or procedure and documented.
  • If corrective action is deemed necessary due to a violation, it is taken and documented.
  • Results from monitoring and auditing activities are provided to senior management and the board of directors.

Enforcement

  • Documented disciplinary actions are imposed on employees who violate the terms of the policy.
  • Disciplinary actions are enforced consistently.
  • The disciplinary actions taken are proportional to the severity of the offense.
  • Documentation of enforcement decisions is made and reviewed.

WHAT WE GET RIGHT – FREQUENTLY ASKED QUESTIONS

Q1: Can a procedure be a policy?

A: No. A procedure is too specific and tactical to be a policy; however, it can be based on a policy. There needs to be a linkage between the two, for example: Policy (Strategic) → Procedure (Tactical).

Q2: How often should I review my policies?

A: At least annually, when regulations change, or as part of your strategic planning cycle. Your procedures could be reviewed quarterly or semi-annually because your workflow is changing constantly.

Q3: If I have a procedure with no policy what are the risks?

A: You are taking on regulatory risk. When auditors and/or regulators see your process, they will ask, “Why is this process in place?” If you don’t have a policy outlining the compliance objectives for the process, you will not have strategic backing. Always connect your procedures to an underlying policy.

Q4: Do all employees need to know all procedures?

A: No. Employees only need to know the procedures associated with their job function. All employees should be aware of the applicable policies, but only the compliance team needs to know the specifics of the reporting procedure.

Q5: How do I enforce that my employees follow procedures?

A: Monitoring, Training, Enforcement. Checkpoints or verification steps should be included within your procedures so there is an audit trail created. You should perform regular audits to confirm compliance and any violations should be addressed through documented corrective actions.

Q6: What is the relationship between policies/procedures and compliance training [5]?

A: A good compliance program starts with effective policies and procedures. The “what,” (policy), and the “how” (procedure), are equally important to teach to employees. By completing this training, employees have confirmed they understand their compliance obligations.

Q7: How do we handle policy/procedure violations?

A: Establish a clear escalation and investigation process [6]. Each time there is a violation, it should be documented, the investigation documented and the actions taken as a result of the violation should also be documented. There must be consistent and fair consequences for violations of policies and procedures. Documentation is essential to protect against future regulatory claims.

Q8: Is it possible to create one single document that includes a policy and procedure together?

A: In general, yes. However, creating a single document with a policy and a procedure together may confuse employees. A policy may refer to a procedure; however, the distinction between a policy and procedure should always remain clear. Policies are strategic; procedures are tactical.

Q9: Who is responsible for approving your policies and procedures?

A: Policies should be approved at the highest level within your organization (Board of Directors, CEO, Compliance Committee). Depending upon the scope of the procedure, Department Heads or Compliance Personnel may approve procedures. It is essential to document the approval of all policies and procedures.

Q10: How will a regulator view your company’s policies and procedures during a review of your company?

A: A regulator will assess whether your company has created adequate standards (policies) and how your company enforces these standards (procedures). In addition to assessing whether your company has implemented adequate policies and procedures, a regulator will review your company’s documentation to ensure that policies were communicated to employees, that procedures were followed, and that when a violation occurred, corrective action was taken to resolve it. Documentation is critical to protecting your company from future regulatory claims.

CONCLUSION

Compliance policies and procedures form the foundation upon which an organization develops a viable compliance program. A compliance policy defines how an organization will operate (standards) and sets its strategic objectives; a compliance procedure outlines the specific actions needed to implement those policies in measurable terms.

Developing policies without procedures, or procedures without policies, creates gaps within the compliance process that increase the likelihood of an organization being exposed to regulatory risk. Developing policies and procedures on a systematic basis allows organizations to build compliance programs that not only work but can be defended against potential audit or investigative challenges.

The Compliance Hierarchy Model provides a clear framework: Policies set the “what” and “why,” procedures explain the “how,” and execution creates the audit trail. When all three components are aligned and documented, your organization demonstrates the kind of comprehensive compliance program that regulators expect.

Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.