The term "organisation" describes structure, whereas the term "policy", albeit mandatory, describes intention, and the term "control" typically defines how to achieve a business objective, manage a risk and/or ensure a process is followed.
A process, however, is a collection of activities and procedures for doing something, e.g., taking one or more inputs and transforming these into one or more defined outputs. So, processes describe actual behaviour.
With this in mind, processes should be mapped (codified) to policies and controls accordingly. This not only makes the relationships more visible but also opens them, and the manner in which such policies and controls are executed, to audit and measurement.
Without such mapping we are likely to end up with a plethora of disconnected policies and controls, and actual behaviour (processes) will simply grow organically on the shop floor. In this case, a policy that is not followed is of little use, and an ineffective control is not a control at all. This therefore begs the question of whether the composition of such policies and controls is just a wasted effort.