Every CPO has written or inherited a procurement policy. It lives on the intranet. It was reviewed by legal. It covers approval thresholds, preferred suppliers, ethical sourcing principles, and compliance requirements. And in most organizations, it is systematically ignored by the people who actually make purchasing decisions.

This is not a policy problem. It is a process problem. The policy defines what should happen. The process determines what actually happens. Until organizations stop treating policies as documents and start embedding them as workflows, the gap between the two will continue to produce maverick spend, compliance failures, and CPOs who wonder why nobody follows the rules they spent months writing.

66.5%: Indirect spend managed through formal process in non-world-class orgs (Hackett Group)
95%+: Process compliance in world-class organizations (Hackett Group)
39%: Orgs that do not consider policy compliance in performance reviews (KPMG)

The PDF problem: why documents do not change behavior

A procurement policy is published as a document. It contains rules — approvals above $10,000 go to the procurement director, purchases above $50,000 require three competitive bids, certain categories must use preferred suppliers. These rules are reasonable. They are also unenforceable through a document.

KPMG's global procurement surveys have documented this gap repeatedly. The firm found that in many organizations, procurement policies are "established but not fully embedded in the purchase-to-pay process, nor is non-compliance generally reported or managed." In other words, the policy exists, but nobody checks whether it is followed, and there are no consequences when it is not.

PwC's Global Digital Procurement Survey, now in its fifth edition with over 1,000 respondents, found that transparency and compliance are among the primary drivers of digital procurement investment — not cost savings. Organizations are investing in source-to-pay suites specifically because manual policy enforcement at the document level does not work.


Policy versus process: the structural difference

Policy as document
A PDF on the intranet listing rules: approval thresholds, preferred suppliers, ethical standards, compliance requirements. Relies on employees reading, remembering, and following rules without system enforcement.
Result: 20-40% maverick spend; rules bypassed under time pressure

Process as system
Embedded workflows in P2P systems that enforce rules at the point of purchase: approval routing based on spend thresholds, catalog-only purchasing for specified categories, automated contract compliance checks.
Result: 95%+ compliance; policy enforced by system, not memory

The data from the Hackett Group confirms the magnitude of this gap. Non-world-class organizations manage only 66.5% of their indirect spend through formal procurement processes. The remaining third escapes the framework entirely. World-class organizations, which embed policy enforcement into automated P2P workflows, capture over 95% of indirect spend through their process.


Why complexity kills compliance

Order.co's research on procurement policy failures identifies a pattern that aligns with practitioner experience: most policies fail not because they are poorly written, but because they are too complex to follow under time pressure. An employee who needs to buy a $500 software subscription for a project launching next week is not going to navigate a six-step approval process with three sign-offs — they will use a personal credit card and expense it later.

That $500 transaction is then invisible to the procurement system. It does not appear in the PO register. It does not get counted against the supplier consolidation target. It does not trigger contract compliance checks. It becomes part of the non-PO spend that systematically understates an organization's true procurement footprint.

Brex's analysis of procurement compliance reinforces this: overly strict or complicated policies push employees to circumvent official channels, particularly for urgent or small-value needs. The irony is that the strictest policies often produce the lowest compliance rates because they make the legitimate path impractical.

"A policy that requires three approvals for a $1,000 purchase is not a compliance tool. It is an incentive to expense it personally and bypass procurement entirely."

The behavioral layer: awareness, incentives, and culture

The Hackett Group's research on procurement training reveals a telling gap: 100% of high-performing organizations provide online training on buying processes and policies, compared to only 33% of average performers. This suggests that non-compliance is frequently a knowledge problem, not a defiance problem. Employees do not bypass policy because they disagree with it — they bypass it because they do not know what it says or how to follow it.

KPMG's compliance survey found that approximately 39% of organizations do not consider adherence to compliance policies in performance or compensation decisions. When compliance is not measured, not reported, and not rewarded, it becomes optional. Employees rationally prioritize speed and convenience over rules that have no consequence when broken.

Veridion's analysis of maverick spend statistics cites research where 67% of high-performing companies identify the leading cause of maverick spend as employees' lack of understanding or disregard for procurement policy. The same data shows that 78% of compliance leaders believe the most common rationalization for rogue purchases is that they are "too small to matter."


What good looks like: policy embedded in process

An organization that has bridged the policy-to-process gap operates differently. The policy still exists as a document, but it is supported by a P2P system that enforces its rules automatically:

PwC's survey data confirms that source-to-pay suites are now "the norm" for 94% of purchasing departments, driven primarily by the need for transparency and compliance. The technology to embed policy into process exists. The gap is in deployment — many organizations have the systems but have not configured them to enforce the rules they wrote.


What this means in practice

Three actions for procurement leaders who want their policy to produce actual compliance, not dust:


Frequently asked questions

What's the difference between procurement policy and process?

Procurement policy defines the rules, principles, and standards that govern purchasing decisions — what is required, who can approve, ethical standards. Procurement process defines the specific steps and workflows to execute those policies — how to create a requisition, route approvals, generate POs, and process invoices.

Why do procurement policies fail?

The most common reasons are: policies not embedded in P2P workflows, excessive complexity that makes compliance impractical, poor communication and training, lack of compliance monitoring, and misaligned incentives where policy adherence is not measured or rewarded.

How much maverick spend is normal?

The Hackett Group reports that non-world-class organizations manage only 66.5% of indirect spend through formal procurement processes, implying maverick spend of 30% or more. World-class organizations achieve 95%+ process compliance through embedded controls and automation.

What's the first step to fix policy compliance?

Audit your current P2P systems to identify where policy enforcement is manual (or absent). Every policy rule that requires human judgment to enforce will be bypassed under time pressure. Automate enforcement at the point of purchase before revising the policy document.