Why you do what you do AND who’s responsible for doing it.
More important than the actual process to complete a task is the purpose behind why it is done at all. The driving force for any process must be backed up by a doctrine of some sort or the purpose of any process may get questioned and your systems break down. The policy is the ‘law of gravity’ so to speak for your systems. Policies govern the actions required for smooth operations and keep all responsible parties reading from the same sheet of music.
An example of a policy within an organization could be the I.T. offices’ requirement for updating login passwords every X number of days. Most should be painfully familiar with that policy and the common additional requirements of special characters, numbers, and upper/lower case lettering.
When an organization makes a decision to do something there is an impact. Sometimes that impact affects other parts of the organization. Other times the impact is felt by the customer. A policy is an explanation behind the impact regardless of who it affects. When an action is taking in an organization, it should always result from a business decision. That business decision could be anything but some examples are: to reduce cost, increase security posture, save time/resources, or most importantly — streamline day-to-day operations.
No matter what the business decision is, there will almost always be someone affected by the impact that disagrees with the supporting policy. That is why it is important to have buy-in from the majority of stakeholders. Adherence to policy regardless of the repercussions is hard to enforce when the majority oppose the impact.
Policy, like processes, can change or evolve over time. A policy is seldom set in stone. Even some of the most rigid human resources policies have evolved with changes in work culture over the years. The policy governing the work that is done inside your organization should be no different. The importance of policy to make sure everyone, affected by and conducting a process, achieves the same outcome. Consistency is extremely critical. While the process to an end-state may allow some flexibility on the steps to complete, policy dictates that the result be the same every time. That result is what becomes relied upon by all stakeholders.