A policy is a high-level document describing an organisation's goal or posture, e.g. a security policy, whereas a procedure is an imperative, step-by-step process for achieving a specific outcome, e.g. how to harden a server.
Can be a little overcritical, both of employees and of self. I like to get this just right and don't always accept that someone has 'tried their best'; however, I am becoming more empathetic to officers' feelings and now try to give constructive criticism as well as demonstrating what is expected.
Politely explain that the policy to expire passwords is set at an organisation level. If I turn it off for you, it is turned off for everyone. Having passwords changed regularly is one of the requirements of ISO 27001, which states we must enforce regular password changes, ideally 90 days or less. Auditors would pick us up on this pretty much immediately. At the end of the day, it's your call as CEO, but I feel you should be aware of the consequences.