← Back to blog

Governance policy vs procedure difference: a 2026 NFP guide

June 25, 2026
Governance policy vs procedure difference: a 2026 NFP guide

TL;DR:

  • Governance policies define an organization's standards and are approved by the board, signaling accountability to regulators and funders. Procedures specify operational steps for staff to implement policies, and separation between them prevents confusion and reduces audit risks. Regular review and clear ownership of both documents ensure compliance and organizational clarity.

A governance policy is a formal statement of organisational intent, approved by the board, that defines what your organisation stands for and why certain standards exist. A procedure is the step-by-step instruction that tells staff how to carry out that intent in daily operations. Confusing the two is one of the most common governance mistakes in Australian non-profits, and it creates real compliance risk. The governance policy vs procedure difference matters because regulators, including the ACNC Governance Standards and NDIS Practice Standards, assess both separately. Getting this distinction right is the foundation of any credible governance framework.

What are governance policies and why do they matter?

Governance policies define the "what" and "why" of organisational standards. They set the boundaries within which your organisation operates, and they signal to funders, regulators, and the community that your board takes accountability seriously.

Hands completing governance procedure checklist

The board or senior leadership approves policies. That approval process is not a formality. It signals that the organisation's highest decision-making body has considered the risk, the values, and the regulatory context. Under the ACNC Governance Standards, charities must demonstrate that their board actively governs the organisation, and a well-maintained policy suite is direct evidence of that.

Governance policies also carry weight in funding relationships. A community services NFP that cannot produce a current conflict of interest policy or a financial delegation policy during a funding review faces serious credibility questions. Policies are not just internal documents. They are public-facing signals of organisational maturity.

Consider what happens without them. Non-compliance incidents cost more on average than when policies are followed. That cost includes regulatory penalties, reputational damage, and the staff time consumed by reactive crisis management.

Key characteristics of a governance policy:

  • Approved by the board or equivalent governing body
  • Written in plain language, stating intent and scope
  • Linked to relevant legislation or standards (for example, the NDIS Practice Standards or Aged Care Quality Standards (Strengthened))
  • Reviewed on a defined cycle, typically every one to three years
  • Accessible to all staff and relevant stakeholders

Pro Tip: If your policy document contains numbered steps or role-specific instructions, you have likely blended a procedure into it. Separate them.

How do governance procedures work in practice?

Procedures specify the "how", "when", and "who" for carrying out a policy. They are operational documents, owned at the department or team level, and they change more frequently than policies because they reflect the realities of day-to-day work.

A useful way to see this in practice: a child safe organisation might hold a Child Safety Policy approved by the board. That policy states the organisation's commitment to child safety and its obligations under the National Principles for Child Safe Organisations. The accompanying procedure then details exactly how a staff member reports a concern, who they contact, what form they complete, and within what timeframe. The policy sets the standard. The procedure makes it executable.

Procedures are also the primary evidence in audits and regulatory reviews. Auditors expect policies with board approval and clear governance structure, alongside procedures that demonstrate operational effectiveness with defined roles and measurable outcomes. A policy alone does not satisfy an auditor. They want to see the procedure working.

How to structure a governance procedure effectively:

  1. State the purpose and link it explicitly to the parent policy
  2. Define the scope, including which staff or roles the procedure applies to
  3. List each step in sequence, with the responsible role named at each step
  4. Include timeframes, forms, or systems referenced in the process
  5. Note the review date and the procedure owner

Procedures sit below policies in the governance hierarchy. They can be updated by a department manager without a board resolution, which gives your organisation the agility to respond quickly to operational changes or regulatory updates.

Policy vs procedure: key differences compared

Policies define "what" and "why", establishing the strategic guardrails. Procedures dictate "how", enabling tactical execution. Keeping them separate is not just good practice. It is what auditors and regulators expect to see.

DimensionPolicyProcedure
PurposeStates intent and organisational standardsDescribes step-by-step actions to implement the policy
Approval authorityBoard or governing bodyDepartment manager or process owner
LanguagePrinciple-based, high-levelSpecific, instructional, role-based
Frequency of changeInfrequent, formal review cycleUpdated routinely as operations evolve
Audit functionDemonstrates governance commitmentDemonstrates operational compliance

The compliance hierarchy is clear: policy sets the rule, procedure operationalises it. Policy without procedure is a statement of intent with no mechanism for delivery. Procedure without policy is an unanchored task with no governance rationale. Both gaps create audit findings.

Infographic comparing governance policy and procedure

Combining policies and procedures into a single document confuses staff and complicates audit processes. Separation aids clarity and organisational agility. When a regulator asks for your Complaints Policy, they do not want to receive a 12-page document that blends board-level intent with step-by-step staff instructions. That approach signals governance immaturity, not thoroughness.

Pro Tip: Label every document clearly as either "Policy" or "Procedure" in the title and document control header. This single habit prevents significant confusion during audits.

How should NFPs manage policy and procedure updates?

Governance documents go stale. Outdated policies create compliance failures and reputational damage, a risk known as "document rot." Regular review prevents it.

The update processes for policies and procedures differ significantly. Policy amendments require a formal approval process that can take weeks, involving board review, legal consideration, and sometimes stakeholder consultation. Procedure updates, by contrast, can be managed quickly at the department level, often within days. This difference in agility is one of the strongest practical reasons to keep them separate.

For Australian NFPs, a workable approach to document management includes:

  • Assigning a named owner to every policy and procedure
  • Setting a review date in the document control section, not just in a spreadsheet
  • Triggering an unscheduled review when legislation changes, for example, following updates to the Aged Care Act or NDIS Practice Standards
  • Requiring the board to formally note policy reviews in meeting minutes
  • Keeping a version history so auditors can see the document's evolution

Governance officers and compliance leads carry the day-to-day responsibility for this work. Boards carry ultimate accountability. The governance documentation essentials for NFPs make clear that document management is not an administrative task. It is a governance function.

Key takeaways

Governance policies and procedures are distinct documents that serve different functions, and treating them as interchangeable creates compliance risk that boards and executives cannot afford.

PointDetails
Policies set intentBoards approve policies to establish organisational standards and compliance obligations.
Procedures enable actionDepartment managers own procedures that translate policy intent into daily staff practice.
Separation reduces audit riskKeeping policies and procedures in separate documents prevents confusion and satisfies auditor expectations.
Update cycles differPolicy changes require board approval and weeks of process; procedure updates can happen in days.
Document rot is a real riskRegular, scheduled reviews of both documents prevent compliance failures and reputational damage.

What I have seen boards get wrong

After nearly three decades working across Australian human services, I have sat with a lot of boards who are genuinely committed to good governance. The gap I see most often is not a lack of intent. It is a structural confusion between policies and procedures that has built up over years.

The most common pattern: an organisation has a single document called "Complaints Policy and Procedure." It runs to 15 pages. The board approved it three years ago and has not touched it since. Meanwhile, the complaints team has been updating their internal process informally, with no document trail. When an NDIS audit arrives, the auditor finds a board-approved document that does not reflect current practice, and a current practice that has no board-approved policy behind it. Neither document is wrong on its own. The problem is the gap between them.

What I have found works is a simple separation rule applied across the entire document suite, combined with a governance calendar that brings policies to the board on a rolling schedule. It does not require expensive software or a complete rewrite. It requires discipline and a clear understanding of why boards need external compliance advice when these structures are being built or rebuilt.

The organisations I have seen handle audits with the least anxiety are not the ones with the most documents. They are the ones with the clearest separation, the most current review dates, and a board that can speak confidently to what their policies say and why.

What does your board's current policy review schedule look like, and who owns it?

— Rachel

Governance support for Australian NFPs

The Planning and Practice Hub works with non-profit boards, executives, and compliance officers across aged care, NDIS, child safe, and community services to build governance frameworks that hold up under scrutiny.

https://theplanningandpracticehub.com.au

Rachel Willis brings close to three decades of firsthand experience in Australian human services regulation. The Planning and Practice Hub's governance and compliance consulting covers policy development, procedure design, document management systems, and audit preparation. Whether your organisation is building its governance suite from scratch or addressing gaps identified in a recent review, the work is co-developed with your team, not handed over as a template. Connect with The Planning and Practice Hub to discuss what your governance documentation needs in 2026.

FAQ

What is the core difference between a policy and a procedure?

A policy states what an organisation will do and why, approved by the board. A procedure describes how staff carry out that policy in practice, step by step.

Who approves governance policies in a non-profit?

The board or governing body approves governance policies. Procedures are typically approved and maintained by department managers or process owners.

Why do auditors treat policies and procedures differently?

Auditors seek explicit linkages between policies and procedures to verify governance maturity. Policies demonstrate board-level commitment; procedures demonstrate operational effectiveness.

How often should NFPs review their governance policies?

Most governance frameworks recommend a review cycle of one to three years for policies, with unscheduled reviews triggered by legislative changes such as updates to the NDIS Practice Standards or Aged Care Quality Standards (Strengthened).

What happens if policies and procedures are combined in one document?

Combining them creates confusion for staff and complicates audit processes. Separate documents give each a clear purpose, owner, and approval pathway.