Controlling and monitoring activities that attempt to ensure acceptable risk responses include:
Strategically, policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions. For example, an entity’s IT governance-related policy may require IT management to obtain signed Service Level Agreements (SLAs) for all deployed systems.
Directives serve or are intended to guide, govern, or influence actions or goals. Furthermore, directives should be considered orders or instructions. When activated, entity proxy directives can be interpreted as conveying fiduciary requirements to the assignee. Internal or external central authorities, as well as individuals, may issue directives. For example, an external aviation agency may direct aircraft operators to carefully inspect a particular airplane wing. Internally, directives are usually documented in memorandums and reflect matters requiring immediate attention. Directives should receive the same due diligence as policies and procedures.
Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359
Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.