I've seen variations on this crop up a few times in practice tests. The answers vary:
- Policy, because that will include any applicable regulations.
- Regulations, you have to follow the law even when it's in conflict with your policy.
What answer would you give if this came up in an exam, if "it depends" isn't one of the options?
I use this to help me keep track of the hierarchy: https://www.complianceforge.com/word-crimes/policy-vs-standard-vs-control-vs-procedure
Just add 'Regulations' to the bottom of the pyramid as being the most important (or bare minimum depending on how you look at it). Also, depending on the type of policy, it doesn't have to reference a regulation to justify its existence.