Organizational Governance consists of a collectively accepted system of organizational leadership and enablement mechanisms. It is bi-directionally scalable, but it becomes less meaningful as it gets smaller.

Taxonomic Nitpicking: Governance vs. governance

The concept of governance varies widely and depends on the structure, size, maturity and culture of a social group. It can range from a constitutional federal republic system of government to the overall leadership structure of an enterprise, or from organizational policy lifecycle management to project communication.

To set expectations appropriately, I will make a distinction between “Governance” and “governance”. Consider the following example: You meet two engineers. The first one has a doctorate in nuclear engineering from MIT and the second has a two-year applied pre-engineering degree from Yavapai College. The expectation of what the two engineers can contribute to a medicinal radioactive isotopes program is different.

As there are many forms of Governance (including oppressive and dictatorial), this article will take “good” to mean positive corporate traits such as the ability to operate sustainably in the long term, provide clear direction and leadership, cultivate diverse opinions, practice equitability, enable and encourage progress and innovation, foster transparency and accountability, and act with integrity. The term “Governance” is aligned with the overall leadership structure of an enterprise.

The other term, “governance”, is used in reference to an action, an activity lacking a deliberately and purposefully structured governing system. Alternatively, it is equated with leadership, management, or a process. This term is aligned with project communication.

Governance is How, not What

At its origin, Governance is the rule of an authority, or the “manner in which power is exercised” [2].

Governance is the entire system overseeing an organization, one that provides direction, forms a culture, and owns accountability for enabling an organization to operate and uphold integrity. It rests with an organizational governing body, which consists of a Board of Directors and Executive Management. A governing body is accountable and responsible for Governance institutionalization. It must provide a model for how missions, goals, and strategies are created, how integrity is fostered, how risks are managed, how culture is sustained, etc.

In addition to creating a model for “how”, a governing body is also accountable for enabling the “how” by establishing processes for operational and organizational leadership, talent and performance management, integrity and compliance assurance, management of risk, and the creation and enforcement of governing documents.

Risk Provides Governance Framework

The purpose of Governance is to achieve business objectives. To ensure sustainability and enable long-term development, an organization must understand the present and, more importantly, anticipate and prepare for the future. Thus, an organization must take risks. A risk-informed decision-making process will maximize an organization’s ability and preparedness to advantageously exploit risks.

In complex and dynamic environments, intuitive management of risk is limiting. A governing body should mitigate limitations by forming organizational structures that allow validation, objection, and cross-functional visibility. For example, creating oversight functions independent from operational management—such as risk management, compliance, and audit—will enable an organization to more objectively assess risks.

Compliance Enables Governance

The key determinant of successful governance is how well organizational objectives are followed. Compliance (in a broader meaning of the word beyond just “regulatory”) demonstrates that an organization is following objectives by assuring conformity to a system of rules and directions.

Compliance is not a given, and a governing body should not assume clarity, awareness, or execution of their objectives without proper investment in communication, education, alignment, accountability and enablement. It is the responsibility of a Governance system and a governing body to enable compliance within an organization.

When “Small” is Too Small for Governance

Research shows that 150 is about the maximum number of people that can sustain cohesion by interacting and engaging with each other without the need for formal structure [3]. Theoretically, a group of 150 people systematically grows and allows acquaintances to form. Such small organizations or teams do not require the formality of a Governance system and structure; they just require clear leadership and structured management.

An Example of Governance and governance

Earlier, I made the distinction between Governance and governance. The point at which “G” becomes “g” is fluid and subjective. Everyone would agree that governing the United States requires Governance, but what about when it comes to policy lifecycle management?

I spent most of my career in the field of information technology and security where policy lifecycle management is called Governance. In some organizations it was truly a governing mechanism, but in most it was a formality.

Policies are part of a Governance structure, not Governance itself. Policies communicate organizational objectives through processes, controls and behaviors. They are goals of a governing body, but they are (or must be) organizationally “tuned”. Policies require enablement mechanisms (e.g. training, communication, resources) and enforcement mechanisms (e.g. detracting consequences). The most important part of any policy management is a measurement of its effectiveness and efficiency—and a percentage of compliance is not it. If a policy is not achieving its goals, it should be changed or replaced.

For example, consider an information security policy. In today’s data-driven world, data protection is crucial. A governing body states the need for the protection of information. Because the policy has an impact on the entire organization, various stakeholders are heard. Subject matter experts (SMEs) provide their recommendations, business leaders share operations impact, technology teams share implementation complexities, legal and HR state boundaries, and compliance and risk management teams provide checks and balances. The outcome is an agreed-upon system of rules that is organizationally “tuned”. Once a policy is published, funds and resources are required for communication, education and implementation of policy requirements. After a policy is effective, it is enforced and measured. The results of these activities provide information on the effectiveness and efficiency of the policy, thus triggering changes and improvements. This created policy upholds organizational information security practices and behaviors and is part of Governance.

In many organizations, the creation of an “information security policy” is much different. A policy is written by a siloed team (or an individual), unceremoniously published and left mostly unattended until an auditor or a customer asks for it. Such a document is a mere formality and does not provide meaningful direction or a control to an organization. Essentially, it does not support the organization’s Governance.

Both the aforementioned policies are written documents, but one has an agreed-upon and accepted structure of decision-making, controls and enablement mechanisms that govern certain aspects of an organization, while the other does not.


Organizational Governance is critical to the effective leadership of large and complex enterprises. Its purpose is to direct and control an organization. To be effective, a Governance system must be risk-informed, and to be successful, it must ensure that objectives are being followed and monitored. While small organizations of about 150 or fewer people can be successfully led without a formal governance structure, this is not the case for most organizations. Without establishing an agreed-upon Governance system, a business cannot be confident in its success.


  1. OECD Principles of Corporate Governance. (2004) Retrieved from
  2. Governance The World Bank’s Experience. (1994) Retrieved from:
  3. Harari, Y.N. (2015). Sapiens: A Brief History of Humankind.