A policy is a high level document/statement that is required by all MS standards such as ISO 9001, ISO 14001, and OHSAS 18001 etc. It is the top level document of the MS that needs to be prepared and approved by top management to define its overall intentions and directions with regard to Quality or Environment or Health & Safety etc. In all case it needs to:
- be appropriate to the organisation (i.e. not just a copy of someone else’s policy or downloaded at random from the internet
- include a commitment to comply with requirements (customer/legislation/standards/MS) and continual improvement (not continuous [1]
)
- be reviewed and update (at appropriate intervals as determined by top management)
- be communicated to all persons within the organisation and appropriate persons working for on behalf of the organisation (contractors/sub-contractors/suppliers/agents etc.)
In other words top management (the most senior people) should develop and write the policy (not just ask the management representative to find them/write a suitable form of text that they rubber stamp as approved). It should outline what the business is actually trying to achieve (in terms of Quality, Environment, Health & Safety etc.) and confirm its commitment to do so. It should not just be a sales/marketing device or document to meet one of the MS requirements. In practice many policy documents we see simply echo the requirements of the standards (as we have done above) and could have been written for ‘any company’ (just substitute your ‘own company’ name).
The policy needs to be reviewed and updated as the business/market/customer/regulatory requirements change and such changes communicated to all relevant personnel within and, as appropriate, out with the organisation. In practice many of these statements do not change from year to year and are stuck up somewhere to show commitment, but are not read and almost nobody knows what they say (although they could go and read it during an audit if required). Sometimes the statement is moved and then staff do not even know where to read it.
A procedure is a specified way to carry out a process or an activity, that may be documented or not.
So a documented procedure, often called an SOP or Standard Operating Procedure is a low-level document that defines how to do something, the procedure may describe the whole process from beginning to end including all the relevant activities or may be broken down into individual activities.
Take purchasing for example, it comprises three distinct activities that of: selecting and approving suppliers, raising purchase orders and verifying goods upon receipt. This may all be done by one dedicated person in a small company and only require one procedure ‘Purchasing Procedure’ outlining how each of the activities are carried and defining the key control points and authority.
In a larger company there may be specific functions or departments allocated to each activity and a documented procedure for each activity (as suggested below) that define not only the controls within the individual departments, but also the interaction between the various functions and departments and individual responsibilities and authorities for making decision and taking action:
- ‘SQA – Supplier Quality Assurance Procedure’ that describes how to select, evaluate, monitor, approve (authority) and develop suppliers to the mutual benefit of both parties.
- ‘Purchasing Procedure’ that describes how to: select a supplier (approved or not – link to previous procedure 1.) for a particular order, raise the purchase order, monitor and expedite delivery of the order, confirm its receipt (link to following procedure 3.) and sanction payment (possible link to accounting procedures – finance system).
- ‘GI – Goods Inward Procedure’ that describes how to receive goods, who is authorised to sign for goods, (POD – Proof of Delivery) documentation (link to previous procedure 2.), verification activity (possible link to GI Inspection procedure).
The concept of non-documented procedures is often alien to a generation of personnel who have been brought up on the principle that if it is not documented it is not defined. But, think of driving a car, can we read a procedure while driving? NO, so changing lanes is based on the maxim of Mirror, Signal and Manoeuvre i.e. a defined lane-changing activity that every competent driver learns, memorizes and puts into practice on a continuous basis. In practice, many people Manoeuvre, look in their Mirror to see who they just carved up and then perhaps Signal to justify such action.
Conclusion
In summary, a policy statement is a high level document, expressed by top management, to define its overall intentions and direction with regard to the operation of the organisation.
A procedure is a low level definition of how to implement particular parts the operation of the organisation. They may be defined in writing (documented) or communicated orally.