ISO-TC309-Draft ISO 37000 - Governance of Organisations For Comment June 2020 - WFEO

© ISO 2020 – All rights reserved

ISO 37000:2020(E)
ISO TC 309/WG1

Secretariat: BSI

Guidance for the governance of organizations

37000 DIS
Warning for DIS
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.
1 © ISO 2020, Published in Switzerland

2 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized
3 otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the
4 internet or an intranet, without prior written permission. Permission can be requested from either ISO at the
5 address below or ISO’s member body in the country of the requester.

6 ISO copyright office


7 Ch. de Blandonnet 8 • CP 401
8 CH-1214 Vernier, Geneva, Switzerland
9 Tel. + 41 22 749 01 11
10 Fax + 41 22 749 09 47
11 copyright@iso.org
12 www.iso.org

13



14 Contents
15 Foreword ... 4
16 Introduction ... 5
17 1 Scope ... 9
18 2 Normative references ... 9
19 3 Terms and definitions ... 9
20 3.1 Governance and organization ... 9
21 3.2 Principles and outcomes ... 10
22 3.3 Roles ... 12
23 4 Context of this standard ... 13
24 4.1 The need for guidance ... 13
25 4.2 The governance of organizations ... 13
26 4.2.1 Thread of governance ... 14
27 4.2.2 Governance and management ... 14
28 4.3 Governance and stakeholders ... 14
29 5 The governing body ... 15
30 Composition and structure ... 15
31 5.1 Competence ... 15
32 6 Framework ... 16
33 7 Principles of governance ... 17
34 7.1 Purpose ... 17
35 7.1.1 Principle ... 17
36 7.1.2 Rationale ... 18
37 7.1.3 Key aspects of practices ... 18
38 7.2 Value generation ... 20
39 7.2.1 Principle ... 20
40 7.2.2 Rationale ... 20
41 The governing body is accountable for assessing and taking appropriate action to
42 ensure that the organization’s value model continues to be viable, responding to
43 changes in the organizational context and operating conditions. ... 20
44 7.2.3 Key aspects of practices ... 21
45 7.3 Strategy ... 22
46 7.3.1 Principle ... 22
47 7.3.2 Rationale ... 22
48 7.3.3 Key aspects of practices ... 23
49 7.4 Oversight ... 25
50 7.4.1 Principle ... 25
51 7.4.2 Rationale ... 26
52 7.4.3 Key aspects of practices ... 26
53 7.5 Accountability ... 27
54 7.5.1 Principle ... 27
55 7.5.2 Rationale ... 27
56 7.5.3 Key aspects of practices ... 28
57 7.6 Stakeholder engagement ... 28
58 7.6.1 Principle ... 28
59 7.6.2 Rationale ... 29
60 7.6.3 Key aspects of practices ... 29
61 7.7 Leadership ... 30
62 7.7.1 Principle ... 30
63 7.7.2 Rationale ... 30
64 7.7.3 Key aspects of practices ... 30
65 7.7.4 Dilemma examples ... 32
66 7.8 Data and decisions ... 32
67 7.8.1 Principle ... 32
68 7.8.2 Rationale ... 32
69 7.8.3 Key aspects of practices ... 33
70 7.8.4 Dilemma examples ... 34
71 7.8.5 Dilemma reconciliation ... 34
72 7.9 Risk governance ... 35
73 7.9.1 Principle ... 35
74 7.9.2 Rationale ... 35
75 7.9.3 Key aspects of practices ... 36
76 7.9.4 Dilemma examples ... 37
77 7.10 Exercising social responsibility ... 37
78 7.10.1 Principle ... 37
79 7.10.2 Rationale ... 37
80 7.10.3 Key aspects of practices ... 38
81 7.11 Organizational viability and success over time ... 38
82 7.11.1 Principle ... 38
83 7.11.2 Rationale ... 38
84 7.11.3 Key aspects of practices ... 39
85 Annex A (informative) Governance Tools and Resources ... 41
86 A.1 Sustainability Practices ... 41
87 Bibliography ... 42
88

89



90 Foreword

91 ISO (the International Organization for Standardization) is a worldwide federation of national standards
92 bodies (ISO member bodies). The work of preparing International Standards is normally carried out
93 through ISO technical committees. Each member body interested in a subject for which a technical
94 committee has been established has the right to be represented on that committee. International
95 organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO
96 collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
97 electrotechnical standardization.

98 The procedures used to develop this document and those intended for its further maintenance are
99 described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
100 different types of ISO documents should be noted. This document was drafted in accordance with the
101 editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

102 Attention is drawn to the possibility that some of the elements of this document may be the subject of
103 patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any
104 patent rights identified during the development of the document will be in the Introduction and/or on
105 the ISO list of patent declarations received (see www.iso.org/patents).

106 Any trade name used in this document is information given for the convenience of users and does not
107 constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions
108 related to conformity assessment, as well as information about ISO’s adherence to the World Trade
109 Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL:
110 www.iso.org/iso/foreword.html.

111 The committee responsible for this document is Technical Committee ISO/TC 309 Governance of
112 Organizations.

113



114 Introduction

115 The growth in volume and range of international guidance suggests that private, public and non-profit
116 sectors globally are showing an increasing interest in the good governance of organizations.

117 Good governance of organizations means that decision making within the organization is based on norms,
118 practices, behaviours, organizational ethos, culture, structures and processes that create and maintain an
119 organization with a clear purpose that delivers long-term value consistent with the expectations of its
120 stakeholders. The implementation of good governance in an organization includes a framework of
121 mechanisms, processes and structures that are appropriate for its internal and external context.

122 This guidance is directed at governing bodies but may also be useful to those who support them in
123 discharging their duties, such as:

124 — those who govern organizations;
125 — managers and staff;
126 — governance practitioners;
127 — other interested stakeholders.

128 Organizations that apply this guidance will be better equipped to understand the competing expectations
129 of their stakeholders, and to apply the required creative entrepreneurship, culture, principles,
130 performance and accountability that are necessary to deliver the objectives of the organization according
131 to its purpose and values.

132 Governing bodies hold management to account and ensure that the culture, norms and practices in the
133 organization align with its purpose. This guidance sets out principles which will assist governing bodies
134 in discharging their duties effectively and efficiently, enhancing trust, inclusion, accountability,
135 responsiveness and equity. Governing bodies that apply this guidance can achieve effective performance,
136 responsible stewardship and ethical behaviour.

137 As the organization becomes more important to its stakeholders, the need for good governance and the
138 expectation for transparency and accountability increases.

139 In applying this standard, stakeholders across countries and sectors can have increased confidence that
140 governing bodies are making decisions that are responsible, accountable, fair and transparent, made with
141 probity, and informed by:

142 — credible information and reliable data;
143 — stakeholders’ expectations;
144 — ethical and societal expectations;
145 — compliance obligations;
146 — open and honest reporting;
147 — natural environment limitations and impacts.

148 Sound decision-making increases the confidence of stakeholders in the organization, in terms of how it
149 conducts its business, including the way in which decisions are made, and the way it produces intended
150 outcomes.

151 The benefits of good governance can apply to

152 — the organization itself,
153 — owner stakeholders, and
154 — other stakeholders.

155 Examples of these benefits are listed in Table 1.



156 NOTE Where the benefits accrue largely to owner and/or other stakeholders as well as to the organization in
157 significant ways, they are listed under benefits to the organization. Benefits that accrue to one group frequently
158 interconnect with the benefits of other groups.
159
160 Table 1 — Examples of the benefits of good governance

Beneficiary: Organizations

- Accurate and effective decision-making as a result of holistic consideration of the organization and the context within which it operates. This is of benefit to the organization given the increasing complexity and rapidly changing business, economic, regulatory, political and technical contexts.
- Improved organizational resilience in the face of negative leadership risks (for example, faltering leadership due to ineffective succession planning and personal liability impacts), and increased ability to realize operational efficiencies as a result of ethical behaviour by the organization's leadership and effective delegation of authority and responsibilities.
- Increased speed of organizational decision-making and action as a result of clarity of leadership responsibilities and clear understanding of delegated authority.
- Improved organizational ability to remain resilient when negatively impacted (for example, by fraud, non-compliance and environmental or utility impacts) and increased ability to improve competitive advantage (for example, through automation and artificial intelligence) through the recognition and realization of opportunities as a result of improved governing body oversight of risk management and internal controls.
- Increased owner stakeholder value generation as a result of improved alignment of organizational activities with the agreed organizational purpose and strategy and effective oversight of organizational performance.
- Increased access to, and reduced cost of, capital as a result of increased investor certainty in the effective governing body oversight of matters impacting the organization's sustainability and holistic decision making in this regard.
- Improved organizational value generation over the long term for its stakeholders due to positive impacts on the local and international social, economic and environmental contexts in which the organization operates, as a result of governing body consideration of social and environmental responsibility and contribution to the UN Sustainable Development Goals.
- Lower staff costs due to an increasingly attractive environment for skilled staff, who are motivated not only by financial benefits but also by intangible organizational benefits such as fairness, transparency and organizational attractiveness, as a result of effective and ethical leadership by the governing body.
- Effective and ethical leadership by an organization's governing body is demonstrated, amongst other ways, in the organization's transparency with stakeholders and perceived good corporate citizenship. This contributes to increased organizational reputation, public image, public confidence and goodwill, all of which are part of the organization's intangible assets.
- Increased viability of start-up initiatives as a result of increased investor confidence in the organization's ability to remain resilient and true to the stated organizational purpose due to increased leadership skill and attentive oversight, and increased continued organizational viability as a result of attention by the governing body to the organization's sustainability.
- Increased certainty of continued compliance with laws, regulations and good practices, as perceived by the organization's stakeholders and society, as a result of effective oversight by the governing body of the organization's compliance management, leading to improved certainty of owner stakeholder investments and involvement in the organization.

Beneficiary: Owner stakeholders

- Improved shareholder relations and consequently investment certainty as a result of reduced minority-majority shareholder conflicts, executive-shareholder conflicts and conflict between the shareholders and other stakeholders, due to effective shareholder engagement, limitations of executive authority, suitably transparent decision making and reporting, and protection of both small and large investors by the governing body.
- Increased owner stakeholder trust in the organization due to effective delegation and limitation of authority, and oversight of the exercise of this authority by the governing body.
- Effective and ethical governance by the governing body includes suitable transparency in its decision making and key operational indicators, and consistency of terminology and application through the adoption of reporting frameworks and standards; this supports owner stakeholders in their ability to hold the governing body and its members accountable and to benchmark the organization's results against other similar organizations, allowing better management of their investment and consequently adding value.
- Increased transparency and access to information, demonstration of accountability, and commitment to effective investor engagement by the governing body lead to increased investor confidence in the governing body's ability to direct the organization to use the invested assets appropriately.

Beneficiary: Other stakeholders

- Good governance includes actions by the governing body to direct the organization to present suitably transparent, clear and consumable reports and disclosures to its stakeholders, allowing regulators and society to evaluate the organization's positive and negative impacts on the social, natural environmental and economic context within which it operates, affording stakeholders the opportunity to hold organizations to account, highlighting inappropriate practices and, with action, reducing harm to the public, the economy and the natural environment.
- Effective stakeholder engagement and relationship building is a cornerstone of good governance and provides the organization with the ability to understand stakeholder requirements of the organization and to co-create services and products of worth to stakeholders, increasing stakeholder value.
- Improved resilience of organizations of critical importance to societal functioning as a result of good governance practices by their governing bodies leads to increased institutional resilience at national, regional and organizational levels, which benefits all stakeholders.
161

162 The governance of organizations is a system performed in the context of enabling principles in order to
163 achieve the organizational purpose, governance outcomes and the generation of value for the
164 organization and its stakeholders. This system operates in a context of externalities which are to be taken
165 into consideration.

166



167 Figure 1 illustrates the framework for governance of organizations and consists of the principles and
168 outcomes outlined in this document. These components might already exist in full or in part within the
169 organization. However, they might need to be adapted or improved so that the governance of the
170 organization is efficient, effective and consistent.

171

[Figure 1 — Governance framework overview: diagram of the framework showing Purpose, Strategy, Oversight, Accountability and Value Generation, with colours distinguishing Governance Outcomes, Enabling Governance Principles and Foundational Governance Principles.]

173 Figure 1 — Governance framework overview



174 Guidance for the governance of organizations
175 1 Scope
176 This document gives guidelines for the governance of organizations. It provides key principles, relevant
177 practices and a framework to guide governing bodies on how to meet their responsibilities so that
178 organizations can fulfil their purpose. It is applicable to all organizations, regardless of type, size,
179 location, structure or purpose.

180 2 Normative references


181 There are no normative references in this document.

182 3 Terms and definitions


183 For the purposes of this document, the following terms and definitions apply.

184 ISO and IEC maintain terminological databases for use in standardization at the following addresses:

185 — IEC Electropedia: available at http://www.electropedia.org/
186 — ISO Online browsing platform: available at https://www.iso.org/obp
187
188 3.1 Governance and organization

189 3.1.1
190 governance of organizations
191 system by which an organization (3.1.3) is directed, overseen and held accountable for achieving its
192 defined purpose
193
194 Note 1 to entry: This is a human-based system.
195
196 3.1.2
197 governance framework
198 strategies, policies, decision-making structures and accountabilities through which the organization’s
199 governance arrangements operate
200
201 [SOURCE: ISO/IEC TR 38502:2017, 3.1]
202
203 3.1.3
204 organization
205 person or group of people that has its own functions with responsibilities, authorities and relationships
206 to achieve its objectives
207 Note 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm,
208 enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or
209 not, public or private.

210 [SOURCE: ISO/IEC Directives Part 1:2019, Annex L 3.1]


211
212 3.1.4
213 organizational entity
214 organization (3.1.3) that has a distinct and independent existence
215
216 Note 1 to entry: In some cases, an organizational entity could be a legal entity.
217



218 3.1.5
219 governing documents
220 authoritative and unique set or collection of documents that establishes the organization’s existence
221 and accountability (3.2.2)
222
223 Note 1 to entry: Documents vary depending on the type and location of the organization, and could include a deed of
224 incorporation, articles of association and a charter.
225
226 [SOURCE: BS 13500, amended]
227
228 3.1.6
229 dynamic system
230 group of interrelated yet changing entities that rely on each other to exist
231
232 3.1.7
233 risk appetite
234 amount and type of risk that an organization (3.1.3) is willing to pursue or retain
235
236 [SOURCE: ISO Guide 73 - Risk management - Vocabulary]
237
238
239 3.1.8
240 due diligence
241 process through which organizations (3.1.3) proactively identify, assess, prevent, mitigate and account
242 for how they address the actual and potential adverse impacts as an integral part of decision-making
243 and risk management
244
245 [SOURCE: ISO 20400:2017, 3.3, amended]
246
247
248
249 3.2 Principles and outcomes

250
251 3.2.1
252 principle
253 fundamental truth, proposition or assumption that serves as the foundation for a set of beliefs or
254 behaviours or for a chain of reasoning
255
256 [SOURCE: BS 13500:2013, 2.14, amended]
257
258 3.2.2
259 accountability
260 obligation to another for the fulfilment of a responsibility
261

262 3.2.3
263 commons
264 shared resources that are available to everyone and limited in quantity
265
266
267 3.2.4
268 compliance
269 meeting all the organization’s compliance obligations (3.2.5)
270
271 [SOURCE: ISO 19600:2014, 3.17]



272
273
274 3.2.5
275 compliance obligation
276 requirements that an organization (3.1.3) mandatorily has to comply with as well as those that an
277 organization (3.1.3) voluntarily chooses to comply with
278
279 [SOURCE: ISO 19600:2014, 3.16]
280
281 3.2.6
282 ethical behaviour
283 behaviour that is in accordance with accepted principles (3.2.1) of right or good conduct in the context
284 of a particular situation, and consistent with international norms of behaviour
285
286 [SOURCE: ISO 26000:2010, 2.7]
287
288 3.2.7
289 organizational policy
290 position set by the governing body (3.3.3) providing intentions and guidance related to the purpose and
291 strategic direction of the organization (3.1.3)
292
293 3.2.8
294 organizational purpose
295 organization’s reason to exist which guides its performance objectives and provides clear context for
296 daily decision making by relevant stakeholders (3.3.1)
297
298 3.2.9
299 organizational values
300 beliefs about socially or personally desirable outcomes or actions defined by the organization as good
301 and important to be explicitly or implicitly shared and applied by the organization (3.1.3)
302
303 3.2.10
304 social responsibility
305 responsibility of an organization (3.1.3) for the impacts of its decisions and activities on society and the
306 environment, through transparent and ethical behaviour that:
307
308 — contributes to sustainable development (3.2.13), including the health and the welfare of society;
309 — takes into account the expectations of stakeholders (3.3.1);
310 — is in compliance (3.2.4) with applicable law and consistent with international norms of
311 behaviour; and
312 — is integrated throughout the organization (3.1.3) and practised in its relationships.
313
314 Note 1 to entry: Activities include products, services and processes.
315
316 Note 2 to entry: Relationships refer to an organization’s activities within its sphere of influence.
317
318 [SOURCE: ISO 26000:2010, 2.18]
319
320 3.2.11
321 stakeholder engagement
322 activity undertaken to create opportunities for dialogue between an organization (3.1.3) and one or
323 more of its stakeholders (3.3.1), with the aim of providing an informed basis for the organization’s
324 decisions
325
326 [SOURCE: ISO 26000:2010, 2.21]
327
328
329 3.2.12
330 sustainability
331 state of the global system, including environmental, social and economic aspects, in which the needs of
332 the present are met without compromising the ability of future generations to meet their own needs
333
334 Note 1 to entry: The environmental, social and economic aspects interact, are interdependent and are often
335 referred to as the three dimensions of sustainability.
336
337 Note 2 to entry: Sustainability is the goal of sustainable development (3.2.13).
338
339 [SOURCE: ISO Guide 82:2014, 3.1]
340
341 3.2.13
342 sustainable development
343 development that meets the needs of the present without compromising the ability of future
344 generations to meet their own needs
345
346 Note 1 to entry: Sustainable development is about integrating the goals of a high quality of life, health
347 and prosperity with social justice and maintaining the earth’s capacity to support life in all its diversity.
348 These social, economic and environmental goals are interdependent and mutually reinforcing.
349 Sustainable development can be treated as a way of expressing the broader expectations of society as a
350 whole.
351
352 [SOURCE: ISO 26000:2010, 2.23]
353
354
355 3.3 Roles

356 3.3.1
357 stakeholder
358 person or organization (3.1.3) that can affect, be affected by, or perceive itself to be affected by a
359 decision or activity
360
361 Note 1 to entry: Depending on the nature of the organization, stakeholders can include owner
362 stakeholders (3.3.2) and other stakeholders, such as customers, regulators, suppliers and employees.
363
364 [SOURCE: ISO/IEC Directives Part 1:2019, Annex L 3.2 amended]
365
366 3.3.2
367 owner stakeholders
368 owners, shareholders or members of the organization (3.1.3) who, through formal decisions, are
369 entitled to decision-making powers exceeding those of the governing body (3.3.3)
370
371 Note 1 to entry: Depending on the nature of the organization, members could include those members of associations with
372 voting rights.
373
374 3.3.3
375 governing body
376 person or group of people who have ultimate accountability (3.2.2) for the whole organization (3.1.3)
377
378 Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.
379 Note 2 to entry: A governing body can include, but is not limited to, a board of directors, supervisory board or
380 trustees.

381 Note 3 to entry: Where the term governing body is used throughout this document, the term governing group (3.3.4)
382 will be applicable when the organization (3.1.3) is not an organizational entity (3.1.4).
383 [SOURCE: ISO/IEC 38500:2015, 2.9 amended]
384
385 3.3.4
386 governing group
387 person or group of people who govern an organization (3.1.3)
388
389 Note 1 to entry: In some cases, the governing group can include executive managers or persons who have a top
390 management role, while keeping management and governance roles separate.

391 Note 2 to entry: In some cases, the governing group can include a person or group of people representing an
392 organizational entity.

393 Note 3 to entry: Where an organization spans multiple organizational entities, it is governed by a governing group.
394 Additionally, where an organization exists wholly within an organizational entity (e.g. a subsidiary company or
395 department) it has a governing group that is responsible for maintaining the organizational entity’s thread of
396 governance within that organization.
397
398 3.3.5
399 executive manager
400 person who has authority delegated from the governing body (3.3.3) for implementation of strategies
401 and policies to fulfil the purpose of the organization (3.1.3)
402
403 Note 1 to entry: Executive managers can include roles which report to the governing body or the head of the
404 organization or have overall accountability for a major reporting function, for example Chief Executive Officers
405 (CEOs), Heads of Government Organizations, Chief Financial Officers (CFOs), Chief Operating Officers (COOs),
406 Chief Information Officers (CIOs), and similar roles.
407
408 Note 2 to entry: In management standards, executive managers can be referred to as top management.
409
410 [SOURCE: ISO/IEC 38500:2015, 2.7]

411 4 Context of this standard

412 4.1 The need for guidance

413 Society, policymakers and other stakeholders are seeking, and increasingly expect, “good
414 governance” and “good citizenship” from the organizations that affect their lives. This creates the need
415 for a common understanding of what constitutes good governance of organizations across all
416 jurisdictions, and therefore for a global, consensus-based approach.

417 This document on governance defines key principles and recommends best practices that guide the
418 governing body to meet its responsibilities so that the organization can fulfil its purpose. This guidance
419 is for the members of the governing body, those they oversee and those to whom the governing body is
420 accountable.

421 4.2 The governance of organizations

422 Governance of organizations is the system by which an organization is directed, overseen and held
423 accountable for achieving its defined purpose.

424 At its foundation this includes:

425 — setting the purpose, mission, vision, organizational ethos, organizational values, and culture to
426 give the organization direction;

427 — steering the strategy and balancing resources appropriately to achieve that purpose;
428 — exercising oversight of the organization’s performance, ensuring compliance and viability;
429 — engaging with and accounting to stakeholders.

430 4.2.1 Thread of governance

431 Governance is performed throughout the organization by various groups, including

432 — the governing body,
433 — owner stakeholders,
434 — management, and
435 — other internal functions of the organization.

436 The governing body is accountable for an effective governance framework across the organization. The
437 governance framework should enable and empower all internal and external governance groups involved
438 in making decisions that affect the organization.

439 Responsibility associated with decision making is a critical element of good governance. The framework
440 should therefore ensure that the decision-making levels match the responsibility and authority granted.
441 To this end, the scope and impact of possible decisions should be defined and aligned with the levels of
442 responsibility. This empowers staff to act appropriately and makes the whole organization more resilient
443 and agile. Decision-makers should be competent and adequately resourced to make the decisions for
444 which they are responsible. Controls should be implemented to ensure that governance systems are
445 adequate for the tasks they are to achieve.

446 4.2.2 Governance and management

447 “Governance” and “management” are distinct, necessary, and complementary within organizations. They
448 interact and influence one another, and it is the responsibility of the governing body to ensure that
449 throughout the engagement between them, the defined outcomes and value for the organization and its
450 stakeholders are achieved or improved.

451 Governance involves setting and being accountable for the purpose and parameters for the organization,
452 whereas management is about fulfilling the associated objectives within those parameters. This
453 distinction is important because it provides focus for each system and clarifies the responsibilities and
454 interfaces between the two. For example, if managers see the need to change organizational parameters
455 (such as culture or purpose) they should propose such a change to the governing body rather than
456 implement such a change themselves. Similarly, if the governing body sees a need for operational
457 changes, it should examine such a need from the perspective of organizational strategy. Management is
458 responsible for the establishment and operation of a system of internal controls. The role of the governing
459 body is to ensure it has independent assurance on the effectiveness of those internal controls and holds
460 management accountable.

461 Governance and management roles are sometimes unavoidably combined in the same person. Having an
462 executive manager as a member of the governing body is acceptable, as long as it is clear when this person
463 is functioning in their governing role and when they are functioning in their management role.

464 This document complements management standards by defining and guiding the role and functioning of
465 organizational governance.

466 4.3 Governance and stakeholders

467 The aim of governance, and the duty of the governing body, is to create the conditions for, and to enable,
468 the organization to be successful over time. The pursuit of value of one kind or another is at the centre of
469 the definition of “success” for all organizations. Value is therefore of primary importance for the
470 governance of organizations. This value is defined through engagement with stakeholders.

471 The governing body should ensure that the organization treats owner stakeholders fairly in its
472 achievement of defined outcomes for the organization and its stakeholders.

473 5 The governing body

474 5.1 Composition and structure

475 The governing body is the person or group of people who are ultimately accountable for the whole
476 organization.

477 The composition and structure of the governing body will vary between organizations. The governing
478 body is a distinct role accountable to the organization’s stakeholders and consequently, held responsible
479 for the organization, its actions, decisions and behaviour. In order to ensure that the governing body, as
480 a collective, is suitably equipped for the matters at hand, appointments to the governing body should
481 consider

482 — competence (knowledge and understanding, skills, and experience),
483 — diversity,
484 — independence of thought,
485 — capacity, and
486 — integrity.

487 Every governing body member should continuously improve their knowledge regarding the
488 organization’s activities, legal requirements, and more broadly, the organization’s contexts. This
489 improving capability together with regular reviews of organizational practices should ensure a
490 continually improving governance environment.

491 Depending on the size of the organization, governing bodies may constitute committees to help them fulfil
492 their obligations. These committees may be statutory requirements, or may provide the governing body
493 with additional capacity, skills, independence, diversity and/or stakeholder representation. Should a
494 governing body make use of supporting committees, it is important to note that although the governing
495 body may delegate authority and responsibilities, it may never abdicate its accountability for the whole
496 organization.

497 At all times, the governing body acts as a collective, performing many interrelated activities in order to
498 exercise its authority and fulfil its accountability. Members of the governing body should act with probity
499 and in the best interests of the organization. They should:

500 — act ethically and with integrity within the power and authority afforded to them;
501 — promote organizational viability and success over time;
502 — exercise independent judgement;
503 — exercise reasonable care, skill and diligence;
504 — ensure that they have all the necessary information at hand when making a decision, and keep
505 themselves informed of the organization and its context;
506 — declare and appropriately manage conflicts of interest;
507 — promote a unified governing body, supporting governing body decisions outside of governing
508 body meetings, and ensure that dissenting positions are accurately recorded;
509 — ensure that when benefits from third parties are offered, these are managed in a compliant
510 manner;
511 — act in compliance with applicable laws, rules, and organizational policies.

512 5.2 Competence

513 The governing body should:

514 a) ensure it has the right combination of knowledge, skills and experience to understand the
515 operations of the organization and the markets in which it operates;
516 b) develop and competently use appropriate criteria for measurement that will indicate progress
517 towards the achievement of the organization’s objectives and strategic alignment of the
518 organization;
519
520 NOTE Criteria for external performance results can also include comparative measures with
521 other, similar, partner or competitive organizations.

522 c) assess its own competence, including by drawing on the support of experienced and
523 independent professionals, with respect to the adequacy of its effectiveness, efficiency,
524 composition and member succession plans;
525
526 NOTE Such self-assessment could include the application of a maturity model as a means of
527 indicating progress towards a desired level of competence.

528 d) set an expectation of the appropriate quality and quantity of measurements and timeliness of
529 delivery.

530 6 Framework
531 Figure 2 depicts an overview of the governance framework.

532

[Figure 2 is a diagram: Purpose (Principle 1) sits at the centre, surrounded by Value Generation (Principle 2),
Strategy (Principle 3), Oversight (Principle 4) and Accountability (Principle 5). The colours in the figure
distinguish governance outcomes, enabling governance principles and foundational governance principles.]

533

534 Figure 2 — Governance framework overview

535

536 The governance outcomes that can be achieved through the understanding and application of this
537 document are:

538 a) Effective performance. The organization is true to its purpose, performs as required, realizes
539 value for stakeholders and remains in compliance with its policies and stakeholder expectations;
540 b) Responsible stewardship. The organization makes use of resources in a responsible manner,
541 effectively balancing negative and positive impacts, considering its global context and ensuring
542 its long-term sustainability;
543 c) Ethical behaviour. The organization demonstrates: accountability, through accurate and timely
544 reporting on its performance and stewardship of resources; fairness in its treatment of and
545 engagement with stakeholders; integrity and transparency in fulfilling its obligations and
546 commitments; and competence and probity in the manner in which it makes decisions.

547 The pursuit of purpose is at the centre of all organizations and is therefore the primary intent of, and of
548 primary importance for, the governance of organizations. It is important that purpose is pursued in an
549 ethical, effective and responsible manner, in line with stakeholder expectations. This is “good
550 governance” according to this standard.

551 This standard comprises 11 principles of governance as stated in 7.1 to 7.11. Of these 11, five principles
552 act as a foundation, offering an iterative-learning process:

553 1. Purpose
554 2. Value Generation
555 3. Strategy
556 4. Oversight
557 5. Accountability

558 Further to these are “enabling governance principles”, which expand the guidance to cover the additional
559 responsibilities that the governing bodies of modern organizations need to fulfil in order to meet the increasing
560 expectations of stakeholders. These enabling principles should be applied when applying the foundational
561 principles.

562 6. Stakeholder engagement
563 7. Leadership
564 8. Data and decisions
565 9. Risk governance
566 10. Social responsibility, and
567 11. Sustainability

568 The interaction between these principles, the processes that connect them and other topics such as
569 management interaction, governance tools and reviews are covered in this document.

570 7 Principles of governance

571 7.1 Purpose

572 7.1.1 Principle

573 The governing body should ensure that the organizational purpose expresses the organization’s intentions with
574 respect to its stakeholders, society, the commons and the natural environment. Furthermore, it should
575 ensure that the organizational values and culture are aligned with and deliver the organizational purpose.

576 This first principle is also the central point of all the other principles in this guidance standard. All other
577 principles are to be read in the context of the application of this principle.

578 7.1.2 Rationale

579 A clearly articulated organizational purpose is necessary to ensure that all organizational activities are
580 aligned with the organization’s reason for existence.

581 A clearly articulated organizational purpose with aligned organizational activities:

582 — Creates certainty for the organization’s stakeholders on the organization’s intentions and
583 behaviours in relation to them;
584 — Provides stakeholders with an understanding of the organization’s identity;
585 — Creates a point of reference for efficient and agile decision making;
586 — Provides a framework within which plans are created and executed in a focused manner, avoiding
587 unnecessary distractions;
588 — Puts organizational values into practice, providing the foundation for the organization’s culture;
589 — Provides the governing body with a basis on which to define the value that the organization is
590 trying to create for its stakeholders and the manner for doing so;
591 — Provides a basis on which stakeholders can assess the organization’s outcomes and the
592 achievement of stated objectives.

593 7.1.3 Key aspects of practices

594 Organizational purpose statements are generally driven by legal and/or tax requirements. However, they
595 should also express the organization’s intentions with respect to the organization’s context, namely, the
596 organization's approach with respect to

597 — stakeholders,
598 — society,
599 — commons, and
600 — the natural environment.

601 The governing body should determine and communicate the organizational purpose and values and
602 ensure they are embedded throughout the organization.

603 7.1.3.1 Determine the organizational purpose

604 An organizational purpose reflects the core value the organization brings to others and aligns to its core
605 identity. In determining the organizational purpose, the governing body should ensure that the following
606 have been taken into account:

607 a) Existing documentation relating to the purpose and scope of activities of the organization, such
608 as governing documents or other artefacts;
609 b) Views from a wide sample of stakeholders and relevant data sources to identify and understand
610 the historic, current and aspirational core identity of the organization;
611 c) Those stakeholder group(s) the organization is primarily seeking to serve;
612 d) Evidence of the important problems that are, or will be, faced, including global threats that
613 evolve over time (e.g. climate change);
614 e) The range of plausible solutions to these problems and the balance between the solutions and
615 the associated anticipated risks, including those to the commons, social interests and the natural
616 environment.
617
618 The governing body should ensure that the essence of the organizational purpose is written down in a
619 summary statement. The organizational purpose should be available to all stakeholders and, for organizations
620 with legal founding documents, the purpose should be reflected in them.

621 Purpose statements may require further interpretation once the governing body has determined the
622 organization’s strategic and value generation objectives, to ensure that the organizational purpose and
623 its consequences are understandable.

624 7.1.3.2 Determine organizational values

625 The governing body should:

626 — Engage with all relevant stakeholders to determine and promote an explicit set of organizational
627 values;
628 — Be clear about the expected ethical behaviour that expresses its organizational values through
629 for example, a code of conduct and/or code of ethics.

630 Having established the organizational values, the governing body should ensure that these values are an
631 active part of decision making. The governing body should use these organizational values to determine
632 the manner in which value is generated by the organization.

633 The governing body remains responsible for ensuring that the organizational values are monitored and
634 reviewed, and should assess whether the values remain aligned to and support the organizational
635 purpose. The effectiveness of the organizational values will be evident in the culture of the organization.

636 7.1.3.3 Communicate the organizational purpose and organizational values and their centrality

637 For the organizational purpose and organizational values to be a reference point for decision-making and
638 the basis for the organization’s culture throughout the organization, the governing body should ensure
639 that a communication plan is created and effectively implemented. This plan should, at a minimum, result
640 in all stakeholders being:

641 — Aware of the organizational purpose and organizational values;
642 — Convinced of the centrality of these to the organization.

643 7.1.3.4 Embed the organizational purpose and organizational values

644 The governing body should lead the organization in fulfilling the organizational purpose and living the
645 organizational values. To achieve this, it should specifically ensure that the following are aligned with the
646 purpose:

647 — Strategies formulated with management or by management;
648 — Performance indicators;
649 — Incentive structures;
650 — The organizational culture.

651

The governing body manifests the organizational purpose by:

a) Establishing how the organization generates value over time (Value generation);
b) Directing the organization and steering its strategy (Strategy);
c) Overseeing the organization to ensure that it achieves its objectives within the parameters
set by the governing body (Oversight);
d) Demonstrating its accountability to the organization’s stakeholders (Accountability).

These are supported by:

1. Engaging stakeholders appropriately (Stakeholder engagement);
2. Leading ethically and effectively (Leadership);
3. Recognizing data as a valuable resource for decision making by the organization and
others (Data and decisions);
4. Determining the organization’s overall approach to governing risk (Risk governance);
5. Making transparent decisions that are aligned with societal expectations (Exercising
social responsibility);
6. Ensuring that the organization is viable and sustainable over time (Organization viability
and success over time).

By doing so the organization will credibly demonstrate

— Effective performance,
— Responsible stewardship, and
— Ethical behaviour in accordance with its organizational values.

652

653 7.2 Value generation

654 7.2.1 Principle

655 The governing body should determine the organization’s overarching value model which defines, creates,
656 delivers and sustains value over time.

657 7.2.2 Rationale

658 The focus for all organizations should be to fulfil their purpose by creating appropriate value over time.
659 To achieve this, organizations need to generate value, which represents something of worth to their
660 stakeholders. It can take different forms for the stakeholders of the organization and includes the impacts
661 on society and the natural environment. How an organization generates value is set out in its
662 organizational value model.

663 The governing body determines an organizational value model to ensure the materialization of the
664 organizational purpose, to fulfil its strategy, and to continue to attract and secure the resources needed to do
665 so. The governing body has a stewardship function, which requires it not only to create but also to
666 protect value. Where value is destroyed or at risk, the governing body is accountable to its stakeholders
667 for justifying its actions and indicating, where appropriate, how it will redress or reinstate that value.

668 The governing body is accountable for assessing and taking appropriate action to ensure that the
669 organization’s value model continues to be viable in response to changes in the organizational context
670 and operating conditions.

671 7.2.3 Key aspects of practices

672 The governing body ensures that the overarching organizational value model is determined and
673 communicated, and that the input, outputs and outcomes of this model are identified and measured.

674 The process for developing an organizational value model is depicted in Figure 3.

[Figure 3 is not reproduced here; the process it depicts is described in 7.2.3.1 (Define) to 7.2.3.4 (Sustain).]

676 Figure 3 — Organizational value model development process

677 7.2.3.1 Define

678 The governing body defines the organization’s value generation objectives such that they fulfil the
679 organizational purpose. To do this, the governing body consults a range of internal and external sources,
680 including

681 — owner(s) and other stakeholders,
682 — research organizations,
683 — advisory and consulting organizations, and
684 — non-governmental organizations.

685 The governing body ensures that the organization’s stakeholders are identified and their rights and
686 expectations are defined within the context of the organization’s purpose and organizational values. The
687 governing body ensures that value generation objectives are defined for each identified stakeholder.

688 7.2.3.2 Create

689 The governing body determines the organizational parameters and ensures that the strategy:

690 — Balances the achievement of the value generation objectives against potential impacts;
691 — Defines how resources should be allocated to meet the value generation objectives;
692 — Ensures an integrated approach to sustainable value creation.

693 7.2.3.3 Deliver

694 a) The governing body:

695 — demonstrates the organizational values by actively leading ethically and effectively and
696 ensuring ethical behaviours throughout the organization;
697 — delegates responsibilities and authority to executive management for the
698 implementation of the strategy and consistently and coherently influences decision-
699 making across all stakeholder engagements, and in its use of resources to maximize
700 value.
701 b) The governing body ensures that:

702 — value generation objectives are realized as planned within the organization’s defined
703 parameters;
704 — executive management accounts to the governing body for the delivery of the value
705 generation objectives and the governing body guides and directs executive management
706 as necessary;
707 — information about the organization’s performance is based on an integrated view of the
708 organization, including the achievement of value generation objectives;
709 — the impact of changing contexts on the value generation objectives are monitored and
710 appropriate responses are taken;
711 — assurance is obtained on the realization of the value generation objectives.

712 7.2.3.4 Sustain

713 The governing body ensures that:

714 a) The derived value is recognized and translated into performance metrics, and these results
715 are evaluated against the defined value generation objectives;
716 b) Value is retained and delivered as required, such that:
717 — A balance is determined between retaining the derived value within the organization, to
718 secure the organization’s long-term sustainability and its commitment to sustainability and
719 social responsibility, and distributing this value to stakeholders according to the
720 defined value generation objectives;
721 — The governing body’s accountability is demonstrated by retaining and distributing value
722 in a transparent manner, and by reporting on and accounting for the associated processes,
723 decisions and results.

724 The achievement of organizational value from this model requires an integrated approach to value
725 generation. This “integrated thinking” includes the:

726 1) identification of all resources involved in the model;
727 2) measurement and tracking of the organization’s use of and impact on these resources;
728 3) reporting on the extent of the organization’s impact on these resources and the impact of
729 the resources on one another.
730 This overall approach aims to enhance the governing body’s ability to oversee the materialization of the
731 organizational purpose.

732 7.3 Strategy

733 7.3.1 Principle

734 The governing body is accountable for the organization’s strategy. The governing body should direct the
735 organization in accordance with its value generation model and dynamically steer the strategy.

736 7.3.2 Rationale

737 Strategy is the pattern of evolving intentions that provides direction for harmonizing and focusing effort
738 to realize the purpose and objectives of the organization.

739 The nature of strategies ranges widely, including emergent and deliberate, formal and informal. Effective
740 strategy provides a primary motivation for the organization and functions as a framework for decision
741 making to enable different components of the organization to align. Strategy is brought about through
742 and reflected in the general deployment of finite organizational resources.

743 By directly and indirectly balancing financial resources as well as time, human resources, attention and
744 rewards, the governing body dynamically steers the organization so as to establish and maintain an
745 appropriate balance between value generation under present conditions and innovation to generate
746 value in the future.

747 Innovation allows the organization to adapt to and shape its future context, which is an important
748 component of strategy. While service and product innovation is primarily a management-level
749 responsibility, governing bodies should ensure that opportunities for innovation are systematically
750 created. Governing bodies should also innovate at the organizational and policy level.

751 7.3.3 Key aspects of practices

752 The governing body should direct the organization by providing an understanding of its intentions,
753 expectations and the operating parameters derived from the organization’s value generation model. This
754 direction should ensure that the most appropriate strategy is determined for the organization to deliver
755 the value generation objectives.

756 The governing body should continuously govern the strategy. This includes steering the strategy by
757 balancing resources to achieve its goals and protect its future by investing in innovation.

758 7.3.3.1 Direct the organization

759 The governing body should provide the organization with an understanding of its intentions and
760 expectations. It should also clearly define the operating parameters under which the organization’s value
761 is to be generated. This guidance should be determined within the organization’s operational context and
762 the expectations of the organization’s stakeholders. Such guidance should address matters such as the
763 organizational purpose, its commitment to continual improvement, and the manner in which the
764 governing body and the organization’s governing processes operate.

765 The governing body should:

766 a) Ensure that its governance framework is underpinned by reliable governing documents;
767 b) Translate the organization’s purpose and organizational values into clearly established and
768 regularly reviewed expectations that direct itself and those to whom it delegates;
769 c) State its expectations in governance policies, that include, for example, a code of conduct and/or
770 code of ethics, which are regularly reviewed and updated as necessary, to ensure that they remain
771 aligned with the organization’s governing documents and its changing context;
772 d) Define, understand and communicate how the organization intends to realize value for the
773 organization and its stakeholders by articulating the value model and strategy;
774 e) Ensure that its governance policies set appropriate expectations and parameters for all aspects
775 of organizational performance;
776 f) Design and implement an adequate internal control system, including an effective compliance
777 management system and an effective risk management system;
778 g) Ensure that its governance policies clarify the roles of all involved in governing the organization
779 in terms of their authority, accountabilities, performance and reporting requirements.

780 The responsibility for developing and approving policies should be clear. Policies should be developed
781 and/or approved by the governing body and not be open to change without the governing body’s
782 agreement. Managers should be empowered to create management policies consistent with
783 organizational policies and provide proposals for changes to organizational policy.

784 The governing body should ensure that principles of effective delegation are upheld. Delegates should
785 not be held accountable for things over which they have no authority or for expectations that have not
786 been stated. Accountable people can delegate their authority and thereby give responsibilities to others
787 in order to get things done. However, it should be clear that those who delegate remain accountable for
788 their delegate’s use of that authority.

789 NOTE The governing body may choose to delegate to others many of the tasks involved in implementing
790 governance, but it still remains accountable for those tasks. The only aspect of governance that cannot be delegated
791 by the governing body is its ultimate accountability to the organization’s stakeholders. This accountability is for
792 delivering value over time in a manner that meets the expectations of the stakeholders.

793 The governing body should direct but not manage. Instead it should ensure the clarity of roles and
794 responsibilities of all involved in the strategy process. The governing body should ensure that its
795 governance policies apply to the whole organization and cover topics such as:

796 h) the operating framework of the governing body;
797 i) purpose and results that the organization seeks to achieve;
798 j) the parameters within which results are to be achieved (e.g. organizational values and acceptable
799 levels of risk);
800 k) mechanisms of delegation and reporting.

801 7.3.3.2 Monitor and adjust the strategic balance of the organization

802 The governing body should actively engage with the affairs of and understand the material changes in the
803 organization’s operations and its external context. In monitoring the organization’s context, it should:

804 a) identify stakeholders and material matters;
805 b) ensure understanding of organizational purpose and objectives (dialogue between the governing
806 body and the organization’s stakeholders is based on a mutual understanding of purpose and
807 objectives);
808 c) engage relevant stakeholders when establishing the organizational and governance policies;
809 d) understand the external and internal contexts within which its decisions are made, in order to
810 ensure that its expectations are appropriate;
811 e) monitor the external contexts to ensure current, emerging and future risks and opportunities are
812 well managed and exploited for value generation.

813 The governing body should regulate the strategic balance of the organization directly and indirectly
814 through organizational culture and the deployment of financial resources.

815 7.3.3.3 Innovate for future viability

816 The governing body itself, as well as management and operations, should have an integrated
817 understanding of the process by which the organization generates value and the foresight to understand
818 the changing context within which it is operating.

819 7.3.3.4 Continuously steer the organization’s strategy

820 The governing body should establish clarity about its role in strategy. The governing body should
821 continuously steer strategy so that:

822 a) the organization responds to or shapes identified trends within the organizational context;
823 b) strategies and approaches are co-created with management;
824 c) management’s proposed plans and approaches are reviewed, assessed, and approved;
825 d) additional or alternative actions that may be required are identified and agreed with management
826 based on systematic monitoring of strategy execution;
827 e) strategic actions are identified based on a systematic follow-up on organizational performance
828 through a system for timely and regular performance monitoring and reporting on both “hard”
829 and “soft” dimensions both from within and outside the organization;
830 f) strategic decisions are informed by credible information and data.

831 When steering the strategy, the governing body should consider:

832 g) the organization’s context;

833 h) stakeholder expectations;
834 i) timeframe and resource requirements;
835 j) the resultant impacts of the plans and the anticipated value realization;
836 k) risks and organizational resilience.

837 In directing the organization the governing body may face a dilemma between achieving specific value
838 generation objectives, and remaining agile in the face of changing circumstances and risks to the
839 organization’s achievement of its purpose. Rather than focusing on any one strategic objective to the
840 detriment of others, the governing body should steer the strategy to enable short- and medium-term
841 agility within a clear higher-level direction.

842 7.3.3.5 Strategically balance the organization

843 The governing body strategically balances the organization, directly and indirectly, through:

844 a) organizational ethos – the guiding belief system that is part of organizational culture and which
845 it should purposefully and responsibly develop;
846 b) governance policies;
847 c) succession planning – including the selection of the executive manager and other critical roles,
848 emergency succession arrangements, and its involvement in the selection of the senior
849 management team so as to assure future human resource adequacy;
850 d) governing body renewal – based on a formal, rigorous and transparent assessment of the
851 governing body which:
852 - reviews the competencies and time commitment that the governing body has to address
853 current and future needs of the organization; and
854 - identifies and closes any current gaps, and recommends ways for closing future gaps to
855 owner stakeholders;
856 e) governing body evaluations and development – of its own competencies, composition,
857 diversity, and effectiveness of working together and the competencies of its members through
858 regular reviews and formal, rigorous, and transparent evaluation of itself, committees, individual
859 members and those that support its work directly;
860 f) executive manager and senior management team performance – monitoring, evaluating and
861 developing individual and team performance, including organizational value driven behaviours
862 pertaining to sustainability and social responsibility dimensions, among others;
863 g) targets and key performance indicators (KPIs) – for responsible performance and
864 remuneration for itself and the executive manager. Also, ensuring that executive management
865 sets targets and KPIs for the rest of the organization that are consistent with the long-term
866 objectives, financial soundness, social responsibility and sustainability commitments made, and
867 measures performance against them;
868 h) decisions reserved for the governing body – these include those that shape the organization as
869 a whole, such as mergers and acquisitions, or those involving financial decisions and risks above
870 a pre-determined level, among others;
871 i) compensation and incentives – policies and outcomes that are fair, responsible, transparent
872 and that promote the achievement of strategic objectives and outcomes in the short, medium, and
873 long term, consistent with achieving the organizational KPIs.

874 7.4 Oversight

875 7.4.1 Principle

876 The governing body should oversee the organization’s performance and application of policies to ensure
877 that it remains within governance parameters, including laws, rules and voluntary obligations.
878

879 7.4.2 Rationale

880 To be accountable in the pursuit of organizational and governance policies, the governing body should
881 have effective oversight of the organization. In order to deliver this, it requires the following controls:

882 a) governing body competence – the governing body should have the appropriate organizational
883 values, knowledge, skills and experience consistent with the organization’s strategy, processes,
884 its activities or operations;
885 b) organizational capability – the governing body should assess the organizational capability,
886 including structures, resources, and knowledge, in order to be able to understand, steer and
887 report on organizational progress toward strategic objectives;
888 c) assurance processes – the governing body should determine processes to provide assurance
889 that the governing body and the organization achieve the intended outcomes and the
890 organization’s compliance obligations.

891 7.4.3 Key aspects of practices

892 7.4.3.1 Ensure organizational capability

893 The governing body should:

894 a) achieve compliance through a compliance management system;
895 b) ensure that the organization has adequate capabilities to operate at the desired level and align to
896 strategic balance requirements;
897 c) establish and adequately resource systems of internal control, compliance management and risk
898 management to ensure that the organization stays within its risk appetite and appropriately
899 protects the organization’s assets, and stakeholder rights and interests;
900 d) ensure that contractual and other relationships established with third parties are consistent with
901 organizational values and risk appetite;
902 e) through appropriate assurance processes (see 7.4.3.2), appraise applicable measurement criteria
903 and results against the governing body’s expectations. Such criteria can include
904 — managerial performance,
905 — financial levels (e.g. cashflow, profit and loss, balance sheet),
906 — ratios and trends (e.g. financial, and efficiency),
907 — project management (e.g. being able to adhere to organizational objectives),
908 — culture, including local norms,
909 — stakeholder perception, both formal and informal,
910 — human capital, including people development and staffing programmes to support
911 strategy,
912 — compliance management, and
913 — risk management processes and performance.
914

915 7.4.3.2 Ensure appropriate assurance provision

916 The governing body should ensure that appropriate internal control and assurance processes are in place
917 to satisfy its requirements for effective oversight and accountability to stakeholders. It should review the
918 effectiveness of the system and ensure that there is adequate internal and external assurance, such as an
919 internal audit function operating in conformance with internationally accepted standards to support the
920 governing body in its oversight role.

921 The governing body can demonstrate its commitment and communicate appropriately and clearly
922 throughout the organization about effectiveness of assurance systems and the review and improvement
923 of these systems and processes.

924 The governing body should ensure that there is an appropriate process to monitor, receive, assess and –
925 where necessary – respond to or act on relevant information. This could include overseeing remediation
926 of non-compliance, investigation of possible opportunities for improvement at all levels and ongoing
927 efforts to improve the assurance systems themselves.

928 Additionally, the governing body should have the right combination of knowledge, skills and experience
929 to be able to combine written reports and behavioural indicators to detect emerging patterns, trends,
930 risks and opportunities.

931 Assurance processes can include a wide range of approaches including the use of the following resources
932 to inform the governing body:

933 a) reports and proposals from managers;
934 b) direct inspection by the governing body, or via their delegates, such as audit committees;
935 c) internal controls, compliance management and risk management systems (e.g. audits) that report
936 directly to the governing body;
937 d) external auditors reporting to stakeholders and the governing body;
938 e) informal feedback mechanisms within the organization;
939 f) direct or indirect relevant information received from internal and external stakeholders.

940 NOTE Channels for information can include whistleblowing processes and formal employee and customer
941 feedback mechanisms.

942 7.5 Accountability

943 7.5.1 Principle

944 The governing body should demonstrate its accountability for the organization and fulfil its duties in a
945 manner which increases trust and transparency.

946 7.5.2 Rationale

947 The governing body is and remains collectively accountable for the organization as a whole and may
948 delegate responsibility and commensurate authority.

949 Although responsibilities and the accountability for responsibilities may be delegated by the governing
950 body and cascaded throughout the organization, the governing body remains accountable for the actions
951 and inactions of the organization as a whole to the organization’s stakeholders.

952 Accountability requires an understanding of responsibilities through engagement with a broad range of
953 stakeholders and answering for whether responsibilities have been met and in what way they have been
954 met, or not. It also requires a remedy when responsibilities have not been met.

955 Responsibility can derive from sources including

956 a) law or regulations,
957 b) ethical or moral conventions, and
958 c) recognized standard practices.
959
960 Accountability derives from the authority given to the governing body. Authority and therefore
961 responsibility for delivering the purpose of an organization is conferred to a governing body by
962 stakeholders who grant the authority, endow resources to pursue that purpose and give boundaries of
963 acceptable actions when fulfilling that purpose.

964 The authority can be conferred by stakeholders

965 — directly (e.g. by owner stakeholders), or
966 — indirectly (e.g. by society via the law or by social licence).

967 Stakeholder groups confer some aspects of authority for an organization. The governing body is
968 accountable for how it has interpreted that authority, whether or not it has achieved the
969 associated results, the process by which this has been achieved and its intended and unintended
970 consequences, and whether it reflects appropriate and efficient use of the resources endowed.

971 It is likely that stakeholders will not all have the same views of acceptable actions and the governing body
972 decides how to balance these different perspectives in a transparent way.

973 7.5.3 Key aspects of practices

974 The governing body should delegate responsibility and commensurate authority whilst retaining
975 accountability for the organization.

976 The governing body should address the elements of accountability. Action could include:

977 — ensuring the guidance of the governing body is communicated to and interpreted by management
978 with sufficient clarity. Reasonable and adequate interpretation should be regularly monitored;
979 — formulating, maintaining and developing relationships with external stakeholders and internal
980 stakeholders to whom delegation occurs and the organization is dependent upon. The governing
981 body communicates with and is responsive to stakeholders regarding its decisions, actions,
982 inactions, performance, outcomes, and, where relevant, mutual goals. In holding itself fully
983 accountable, the governing body seeks to engage stakeholders in identifying, understanding and
984 responding to material topics and concerns, which in turn influences strategy and organizational
985 and governance policies, to build value;
986 — ensuring the governing body is action, process and outcomes oriented;
987 — disclosing relevant organizational policies, actions, processes, performance and outcomes to
988 stakeholders;
989 — disclosing the organization’s ownership structure;
990 — demonstrating transparency and integrity when reporting to stakeholders, including:
991 o ensuring that the organization’s reports enable stakeholders to make informed
992 assessments of the organization's current and enduring performance prospects;
993 o considering alternative communication mechanisms and media to appropriately meet
994 stakeholder expectations;
995 o providing clear guidance to managers, considering the application of appropriate
996 frameworks and/or standards;
997 o ensuring that compliance obligations are met and that assurance is provided over the
998 integrity of the information used for decision-making and reporting;
999 o reporting on the organization’s performance in an integrated manner considering
1000 financial and non-financial information, its impact on the resources it uses, and its
1001 impact on the context within which it operates;
1002 — formalizing procedures to periodically measure the performance of the governing body itself
1003 against its set objectives and targets and articulating the consequence of not fulfilling its
1004 obligations.

1005 7.6 Stakeholder engagement

1006 7.6.1 Principle

1007 The governing body should ensure that the organization’s stakeholders are appropriately engaged.

1008 7.6.2 Rationale

1009 Demonstrating sound and mutually beneficial stakeholder relationships based on ethical and effective
1010 stakeholder engagement behaviours and practices, helps organizations create value over time.

1011 Organizations have a variety of stakeholders, each with distinct types and levels of involvement, and with
1012 diverse and sometimes conflicting interests and concerns. Consequently, organizations have a range of
1013 relationships with their stakeholders.

1014 Stakeholders, and in particular non-owner stakeholders, can have strong relationships with the
1015 organization that need additional consideration beyond the legal, regulatory, or contractual
1016 accountability required in the case of owner stakeholders. There are a number of reasons for this,
1017 including:

1018 — Asymmetric relationship. Their individual ability to affect – or be affected by – the organization
1019 is often limited in the short term. An individual stakeholder relationship may not have a
1020 significant impact on an organization, but a number of relationships taken together may;
1021 — Cumulative effects. Over time and collectively, society, the environment and the economy could
1022 have a fundamental effect on the organization or organizations – and vice versa. For example,
1023 pollution caused by the organization could adversely impact the environment over time – and
1024 rising sea levels could adversely affect the organization;
1025 — Legitimacy. The legitimacy of the organization to pursue its purpose and to operate in society,
1026 its environment and the economy is partly derived from non-owner stakeholders.

1027 In order to ensure that the organization’s stakeholder relationships are effective and the value for the
1028 organization is maximized over time, stakeholders need to be identified and their expectations
1029 understood. The scope of stakeholder engagement may not, for example, extend to all those who merely
1030 have knowledge of or views about the organization.

1031 Identification and classification of stakeholders is varied and organization dependent. For example,
1032 distinctions may be made on the basis of whether the governing body is governing on behalf of
1033 stakeholders or merely taking their interests into consideration when governing.

1034 Owner stakeholders should be involved in holding the governing body accountable for the whole
1035 organization. It is expected that these stakeholders are aware of their powers and exercise them in a
1036 responsible manner, taking account of the governing body’s need to reflect the best interests of all the
1037 organization’s owner stakeholders and ensure the fair and proper treatment of all stakeholders. The role
1038 of other stakeholders, in this case, would be to uphold their fair and proper rights and obligations, and to
1039 ensure that the organization is held accountable for these.

1040 The governing body remains accountable for ensuring the organization’s stakeholder relations are based
1041 on ethical and effective engagement behaviours and practices. The governing body provides leadership
1042 in this regard and delegates responsibilities and accountabilities to the organization. The governing body
1043 oversees that the associated behaviours and practices are ethical and effective and create value for the
1044 organization over time. The governing body demonstrates accountability through engagement with and
1045 disclosure to these stakeholders of the organization’s performance in this regard.

1046 7.6.3 Key aspects of practices

1047 The governing body should ensure that the organization’s stakeholders are identified, prioritized,
1048 appropriately engaged and consulted to understand their expectations and that effective engagement is
1049 maintained. In addition, the governing body should ensure that the organization has effective
1050 relationships with stakeholders and that stakeholders are engaged in measures to achieve the
1051 organization’s purpose and to mitigate or optimize the organization’s risks and opportunities. To be
1052 successful, the governing body should:

1053
1054 — maintain relationships with stakeholders;
1055 — ensure that stakeholder relationship goals are incorporated in strategy;
1056 — ensure the organizational culture is responsive to stakeholder views;
1057 — respect human and labour rights in all countries of operation;
1058 — create and maintain an open communication culture within the organization to help bridge the
1059 gap between diverse stakeholder groups and perspectives such as gender, age, belief systems or
1060 cognitive abilities;
1061 — report practices in a coherent way that relates to strategy so that the stakeholders can effectively
1062 assess organizational governance arrangements.

1063 7.7 Leadership

1064 7.7.1 Principle

1065 The governing body should lead the organization ethically and effectively.

1066 7.7.2 Rationale

1067 In an organization, values and cultural leadership must come from the top. While all levels of
1068 management and individuals contribute to this culture, what the governing body says, does and most
1069 importantly expects, is critical in setting the tone for the organization.

1070 Leadership is therefore a critical issue for a governing body. Its own behaviours provide the model for
1071 the organization’s behaviour. The principles it establishes concerning the way stakeholders should be
1072 treated and the way goals should be pursued, create standards and examples for others to follow.

1073 Leadership styles may differ but all involve the setting of positions which others follow. Since the
1074 governing body is accountable for the organization, including its behaviour, actions and changes, the
1075 governing body should set those positions it requires the organization to follow. These positions and
1076 parameters should be set mindfully and purposefully, considering the context within which the
1077 organization operates. Visible, responsible, and competent oversight ensures that the organization
1078 follows the set positions. In addition, clarity in communication and a mutual understanding of
1079 expectations is required.

1080 7.7.3 Key aspects of practices

1081 In order to lead ethically and effectively, the governing body should lead by example to create a positive
1082 culture, set the tone for others and engender trust and cooperation among the organization’s
1083 stakeholders. It can adopt practices such as those that follow in sub-clause 7.7.3.1 to sub-clause 7.7.3.3.

1084 Accountability through ethical and effective leadership is demonstrated when the governing body:

1085 — is aligned in its decision-making;
1086 — is behaving in a manner consistent with the defined organizational values;
1087 — ensures that the organization is, and is seen to be, following the direction set.

1088 7.7.3.1 Lead the organization

1089 In respect of governance, leadership impacts three areas:

1090 — the functioning of the governing body;
1091 — the performance of the organization as a whole;
1092 — the manner in which the organization impacts its stakeholders.

1093 7.7.3.2 Demonstrate effective leadership

1094 The governing body should demonstrate effective leadership across all areas:

1095 — within the governing body – the governing body should demonstrate the setting of a position and
1096 the collective following of this position (internal alignment);
1097 — within the organization – the organization should demonstrate the following of the positions set
1098 by the governing body;
1099 — within the organization’s external context – where the organization has set contextual positions,
1100 such as commitments to stakeholders, the organization should demonstrate the following of these
1101 positions as set.

1102 The outcomes, whether positive or negative, are determined by the positions which have been set.
1103 Leadership determines whether these positions are followed.

1104 7.7.3.3 Ensure ethical leadership

1105 The governing body should ensure ethical leadership across all areas:

1106 — within the governing body – individually, the members of the governing body should demonstrate
1107 that they are behaving in a manner consistent with the leadership values expected of governing
1108 body members; collectively, the manner in which the members decide the governing body should
1109 behave should be consistent with the leadership values expected of governing bodies;
1110 — within the organization – the governing body should ensure that the organization conducts itself
1111 in a manner consistent with its organizational values;
1112 — within the organization’s external context – the governing body should ensure that the
1113 organization demonstrates to its stakeholders that it is behaving in a manner consistent with its
1114 organizational values.

1115 Laws and rules provide the minimum set of organizational values against which behaviour will be
1116 assessed. Other organizational values are provided in collectively agreed documents such as codes of
1117 practice or standards of behaviour. The following are examples of the leadership values to which
1118 governing bodies and their members are held:

1119 — accountability;
1120 — probity;
1121 — transparency;
1122 — competence;
1123 — respectful of diversity.

1124 Not only do explicit organizational values provide a sound basis on which ethics can be evaluated,
1125 organizational values also:

1126 — provide the individuals of an organization with a collective sense of belonging;
1127 — assist in reconciling strategic dilemmas by creating organizational alignment through the
1128 integration of opposites;
1129 — contribute to the prevention of misconduct;
1130 — provide competitive differentiation for stakeholders by providing clarity against which the
1131 evaluators should be assessing the organization’s behaviour;
1132 — provide increased certainty, which creates reputational value as a consequence of ethical
1133 behaviour and as a consequence of the above point.

1134 For the governing body itself, the following ethical behaviours (practices) could be expected as a result
1135 of the application of the associated leadership values:

1136 Table 2 — Example organizational values and practices

Example organizational value: Probity
Example practices:
- Act in good faith and in the best interest of the organization;
- Disclose potential conflicts of interest at the earliest opportunity and manage such conflicts
appropriately;
- Act according to the intention of compliance obligations;
- Set the tone for the organization by behaving in the manner in which the organization and its
members are expected to behave.

Example organizational value: Competence
Example practices:
- Take steps to become appropriately informed of all aspects of the organization and the context
within which it operates (such as legal, environmental, economic, societal, technical, human
resources and so forth);
- Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about
particular matters for decision-making.

Example organizational value: Transparency
Example practices:
- Openness about decisions and activities that affect society, the economy and the environment, and
willingness to communicate these in a clear, accurate, timely, honest and complete manner.
1137

1138 7.7.4 Dilemma examples

1139 In exercising leadership, the governing body may face a dilemma since it should direct and limit some
1140 options for all personnel of the organization while at the same time also motivate and enable those that
1141 it leads to act to their fullest potential. Rather than emphasizing just one of these objectives to the
1142 detriment of another, the governing body should seek to resolve the dilemma by, for example, exercising
1143 leadership that serves the people they work with and thereby listening to and empowering the internal
1144 and external stakeholders it leads so that it is able to give better overall direction. Other dilemmas might
1145 come to light, for example, by the expectations of society for the health of the customer and the need the
1146 customer has, or how to address both short-term results for the owner stakeholders and long-term
1147 investments for the distant future.

1148 7.8 Data and decisions

1149 7.8.1 Principle

1150 The governing body should recognize data as a valuable resource for decision making by the organization
1151 and others.

1152 7.8.2 Rationale

1153 Due to a relatively recent increase in the power – and reduction of cost – of technology to gather, store
1154 and extract information from data, the value of data has risen significantly. This brings with it an
1155 organizational responsibility to appropriately deal with its strategic and operational potential.

1156 Data is the raw material from which information is derived. The information that is extracted from the
1157 data will vary based on many facets such as technology, subject, and organizational requirements. The
1158 potential information that could be derived from data may not be obvious, could be difficult to extract
1159 and may not be directly useful to the organization, but it could be very useful to other organizations or
1160 individuals.

1161 Because the primary use of data is to provide information for decision making (whether by humans or
1162 through automation), its value to the organization is multifaceted:

1163 — Decision making within the organization. Data is essential to the governing body, and
1164 throughout the organization, for making decisions. The governing body’s structures and practices
1165 should ensure that it receives the information necessary to govern. Additional structures and
1166 practices ensure that the governing body delegates its authority across the organization such that
1167 decisions are made based on trusted information and with the appropriate level of responsibility
1168 that such decisions require. In all the governing body does, it is required to make decisions. The
1169 continued viability and existence of the organization depends on the decisions made by the
1170 governing body. Governing bodies typically ensure that their decisions are made on the basis of
1171 informed alternative options or proven case studies;
1172 — Decision making outside the organization. Because data is used to make decisions, it is
1173 valuable as a resource that can be bought, sold or otherwise distributed. For most organizations,
1174 data is a strategic resource. This is not only because a lack of data would make it impossible for
1175 the organization to operate, but because the data is a key raw ingredient for its products. This can
1176 include product design and specifications, but also market and customer insights as well as supply
1177 chain and product usage information;
1178 — Appropriate data treatment. The increased value of data also brings a potential increase in risk.
1179 For example, technology now allows the use of personal data on an unprecedented scale which
1180 will add an operational obligation relating to privacy and other constraints if this data is collected
1181 and used by the organization. In assessing the appropriate level of security, it is necessary to
1182 assess the levels of risk associated with loss of data, incorrect dissemination and so on.

1183 7.8.3 Key aspects of practices

1184 The governing body should ensure that the organization identifies, manages, monitors and communicates
1185 the nature and extent of its use of data.

1186 The following practices relate to the three aspects of the use of data by the organization.

1187 7.8.3.1 Use appropriate data for decision making

1188 Different approaches to decision making may be used depending on the particular circumstances and
1189 matters at hand. The governing body uses data from many sources to make decisions for the organization.
1190 In order to make decisions of requisite quality, the governing body should ensure that its decision making
1191 is appropriately informed. It should:

1192 — exercise its right and responsibility to determine and receive the information it requires,
1193 including the appropriate data collection methods, preparation and timely delivery of
1194 information;
1195 — have diverse inputs into a rigorous, open and transparent decision-making process to better
1196 understand the results that could be achieved, options for achieving them and their implications;

1197 NOTE Such inputs could be derived from the diversity of the governing body’s composition, its field of
1198 knowledge, skills, experience, age, culture, race and gender.

1199 — maintain an appropriate balance between guiding discussions to a decision and ensuring that
1200 every member has the opportunity to express their independent assessment;
1201 — ensure there is commitment to support the collective decision, to clearly record it and to act on
1202 it;
1203 — consider its level of independence and the effect this level has on its decision making, including
1204 financial interests, position, associations, relationships, bias and alliances;
1205 — carefully address conflicts of interest when making decisions;
1206 — pay attention to the dynamics of the governing body, including, for example, undue reliance on
1207 any member for decision making.

1208 Decision making throughout the organization should be supported by the appropriate delegation of
1209 authority from the governing body. This delegation should be formalized together with the appropriate
1210 assurance processes. Limits of decision-making authority may be applied in response to assessed risk.
1211 Additionally:

1212 — authority should match the level of responsibility associated with the decisions being made;
1213 — information structures, including access to information, monitoring and potential mitigation of
1214 decisions should be sufficient to ensure compliance with organizational requirements.

1215 7.8.3.2 Recognize data as a strategic resource

1216 The recognition that data can be a strategic asset (or liability) means that the organization should:

1217 — understand its use and potential use by the organization and others (e.g. suppliers, customers,
1218 regulators and other stakeholders as well as competitors and those who misuse the data);
1219 — acknowledge the complexities and evolutionary nature of data and establish governance policies
1220 and direction that align with the organization’s needs and the degree of change;
1221 — ensure that the information requirements of the organization are sufficiently supported by its
1222 current and future technology capabilities.

1223 7.8.3.3 Ensure responsible data treatment

1224 New technology brings an increase in the volume and value of data and a responsibility for governing
1225 bodies to ensure that valuable opportunities are leveraged, while sensitive data is protected and secured.
1226 The governing body should:

1227 — have sufficient oversight associated with the use of data and its supporting technology to ensure
1228 it remains within its established risk appetite. Examples of how to achieve this may include:
1229 o the adoption of a system to ensure that the rights, obligations and constraints of datasets are
1230 understood and tracked, for example privacy and intellectual property right obligations;
1231 o the implementation of a risk-based Information Security Management System (ISMS);
1232 o adequate auditing and monitoring of technology systems to ensure the responsible use
1233 of technology and its compliance with the organization’s governance and management
1234 policies and other requirements;
1235 o an innovative process such that changes in technology can quickly be assessed and, if
1236 necessary and appropriate, organizational policy can be updated to leverage new
1237 opportunities;
1238 — remain accountable for the use of the technology;
1239 — consider human behaviour when applying technology – including safety, whether it is fit for
1240 purpose and is aligned with organizational purpose;
1241 — consider the wider organizational stakeholders in its use of technology – particularly as it relates
1242 to human capital.

1243 Tools to assist with data and decisions are included in the ISO/IEC 38505 series.

1244 7.8.4 Dilemma examples

1245 In governing data and decisions, governing bodies encounter numerous dilemmas. Some of the most
1246 damaging types of organizational risks are strategic in nature, for example, decisions regarding changes
1247 in direction, entering into new or previously unfamiliar areas of activity or responding to abnormal and
1248 adverse operational events. Modelling objectives and their associated decision requirements makes
1249 oversight less complex and more robust. Such modelling can strengthen immature governance processes,
1250 highlight interdependence of decision criteria, cognitive bias, groupthink, or unexpected scenarios.

1251 7.8.5 Dilemma reconciliation

1252 Many decisions involve the consideration of several dimensions. Many decisions that governing bodies
1253 face are dilemmas owing to the fact that the governing body needs to make decisions involving a wide
1254 range of different societal value systems.

1255 A process of reconciliation between seemingly opposed alternatives leads governing bodies, and other
1256 decision makers, to make more informed and robust decisions.

1257 An approach for governing bodies to reconcile dilemmas includes:

1258 — recognizing and identifying the dilemma;
1259 — understanding and articulating the opposing perspectives;
1260 — identifying the advantages and disadvantages of each;
1261 — reconciling the perspectives, considering how each position could support the other;
1262 — mapping an associated action plan.

1263 7.9 Risk governance

1264 7.9.1 Principle

1265 The governing body should ensure that the organization identifies, assesses, treats, monitors and
1266 communicates the nature and extent of the uncertainties the organization faces in the achievement of its
1267 strategic objectives.

1268 7.9.2 Rationale

1269 Value is achieved by taking on some amount of risk in the pursuit of objectives. The nature and extent of
1270 such risks should be made clear to stakeholders along with assurance that the organization will operate
1271 within the level of risk that is acceptable for the organization and take corrective action if necessary.

1272 7.9.2.1 Risk governance activities

1273 Risk governance activities include:

1274 — understanding the organizational purpose, objectives, and model for defining, creating, delivering
1275 and sustaining value;
1276 — determining the risk appetite;
1277 — determining the organization’s approach to compliance;
1278 — assurance of an effective risk oversight framework:
1279 o choices of risk treatment are consistent with governance policies;
1280 o emerging risks are identified, understood and managed, in real time;
1281 o risk impacting strategies are managed within agreed limits;
1282 o effective data analytics are employed to correctly understand risk aggregations and
1283 concentrations;
1284 o decision making behaviours are driven by risk prioritization and are consistent with
1285 organizational and governance policies;
1286 o effective risk reporting is fostered by management through the creation and
1287 maintenance of a positive risk culture;
1288 — employing internal systems and controls validating assurances that risks are effectively managed;
1289 — ensuring transparency with regard to risk disclosure to the organization’s stakeholders, as
1290 appropriate;
1291 — governing the organization in a way that supports the achievement of its strategic objectives
1292 through adopting a stakeholder-inclusive approach and integrating all the resources the
1293 organization relies upon.

1294 7.9.2.2 Risk integration

1295 The governing body should ensure that risk management is integrated into all organizational activities
1296 by seeking evidence that:

1297 — all components of the risk management framework have been customized and implemented;
1298 — the necessary resources are allocated to managing risk;
1299 — authority, responsibility and accountability for managing risk have been assigned.

1300 7.9.2.3 Stakeholders and the organizational context

1301 The governing body should ensure that the risk oversight framework reflects the external and internal
1302 environment in which the organization operates and the particular environments of the activities in
1303 which risk management processes are applied.

1304 When designing the framework for managing risk, the organization should examine and understand its
1305 external and internal context and the dilemmas resulting from their competing needs. It should also
1306 examine and understand short-, medium- and long-term trends, including sustainability and social
1307 responsibility trends, impacts and dependencies.

1308 Examining the organization’s external context may include, but is not limited to:

1309 — the social, cultural, political, legal, regulatory, financial, technological, economic and
1310 environmental factors, whether international, national, regional or local;
1311 — key drivers and trends affecting the objectives of the organization;
1312 — external stakeholders’ relationships, perceptions, societal values and expectations, changing
1313 demographics;
1314 — contractual relationships and commitments;
1315 — the complexity of networks and dependencies;
1316 — the organization’s compliance obligations.

1317 Examining the organization’s internal context may include, but is not limited to:

1318 — purpose, vision, mission and organizational values;
1319 — governance, organizational structure, roles and accountabilities;
1320 — strategy, objectives, and governance and management policies;
1321 — the organization’s culture and ethos;
1322 — standards, guidelines and models adopted by the organization;
1323 — capabilities, understood in terms of resources and knowledge (e.g. capital, time, people,
1324 intellectual property, processes, systems and technologies);
1325 — data, information systems and information flows;
1326 — relationships with internal stakeholders, taking into account their perceptions and personal
1327 values;
1328 — contractual relationships and commitments;
1329 — interdependencies and interconnections.

1330 7.9.3 Key aspects of practices

1331 The management of risk is crucial to the achievement of the organization’s objectives. Therefore, the
1332 governance of risk should be intentional, mindful and purposeful. The governing body should:

1333 — ensure that risk is adequately considered when setting the organizational policy;
1334 — understand the impact of leadership actions or inactions on decision-making behaviours across
1335 the organization;
1336 — ensure that the organization’s strategy and associated objectives are appropriately balanced;
1337 — facilitate decision-making by setting the risk appetite for the organization, and limiting the
1338 potential loss that the organization will tolerate;
1339 — govern risk in such a way as to ensure that the organization’s management of risk is integrated
1340 into all organizational activities, evaluating the necessity for:
1341 o the adoption of a formal risk management approach or framework for the organization;
1342 o the allocation of resources necessary for managing risk;
1343 o ensuring a culture that encourages the reporting of new risks, opportunities and near
1344 misses;
1345 — assume accountability for the organization’s continual sensing and responding to risk, and
1346 communicating the chosen approach with stakeholders as necessary;
1347 — engage responsibly, accurately and transparently about the organization’s positive and negative
1348 risk impacts on its stakeholders and the context within which it operates in the short, medium
1349 and long term and the decisions made in this regard;
1350 — ensure that the process for measuring risks is consistent throughout the organization, enabling
1351 effective comparison and prioritization for the allocation of resources for mitigation;
1352 — ensure it is adequately informed of new and emerging risk.

1353 Tools, definitions and interpretations to assist with risk governance are included in ISO/IEC 31000 and
1354 ISO/IEC 31010.

1355 7.9.4 Dilemma examples

1356 In governing risk, governing bodies encounter numerous dilemmas. For example, although governing
1357 bodies should create approaches for assuring that unacceptable results do not take place, they should
1358 also lead and enable the organization to take purposeful risks to take advantage of the underlying
1359 opportunities. Both aspects are necessary to achieve and maintain viability of the organization.

1360 Rather than focusing on single dimensions, and thereby creating cultures in which one organizational
1361 value dominates others, governing bodies should resolve such dilemmas by finding complementarities
1362 between them. For example, in the dilemma involving consciously taking risks and ensuring safety, both
1363 aspects are desirable and necessary. In this case, the governing body should find reconciliation in the
1364 management strategies: governing bodies should identify the areas where the organization needs to be
1365 cautious so as to enable it to be overall sufficiently courageous.

1366 7.10 Exercising social responsibility

1367 7.10.1 Principle

1368 The governing body should ensure that decisions are transparent and aligned with broader societal
1369 expectations.

1370 7.10.2 Rationale

1371 For an organization to act in a socially responsible way means acting consistently and transparently in
1372 line with organizational values and stakeholder and societal expectations. By doing this an organization
1373 demonstrates ethical behaviour, helps maintain a balance between the health of social, economic and
1374 natural environmental systems, and proactively creates sustainable wellbeing.

1375 Compliance with the law is often not sufficient to demonstrate that the organization is acting responsibly,
1376 because laws often lag behind social expectations and usually set only minimum standards of behaviour.
1377 For an organization to act in a socially responsible way means operating within parameters of acceptable
1378 behaviour and not allowing actions that are legally or locally permissible, but not necessarily in line with
1379 what is expected of it by broader stakeholders and society. It also means being transparent to
1380 stakeholders about whether it is meeting societal expectations and how this is being achieved, or not.

1381 For example, if an organization has operations across a number of jurisdictions, the standard it sets
1382 should reflect a consistent approach across the organization rather than exploiting differences that exist
1383 in legal requirements and ethical norms. It must be transparent with stakeholders about the approach it
1384 is taking, providing necessary evidence to support its claims. Other considerations are current societal
1385 and stakeholder values and related expectations, as well as maintaining the needs of future generations.

1386 Core subjects and issues of responsible organizational behaviour include social and natural environmental
1387 issues.1

1389 Issues of particular concern to a governing body are where the organization benefits but where the price
1390 for that benefit is paid by another party. These are sometimes referred to as negative externalities or
1391 unpriced impacts and can be either financial or non-financial in nature.

1392 A socially responsible organization takes responsibility for its impacts on the society it is part of.
1393 However, society has diverse groups with diverse interests. These interests can be reconciled by an
1394 organizational purpose which combines the competing demands of the groups in society with the
1395 responsibility organizations have for society as a whole.

1396 7.10.3 Key aspects of practices

1397 The following practices relate to the role of the governing body in making sure the organization is acting
1398 socially responsibly:

1399 — ensure that the expectations of stakeholders are clearly understood. This includes continually
1400 involving stakeholders through an engagement process and highly developed approach to
1401 accountability as outlined in section 7.5;
1402 — identify and articulate issues and opportunities affecting stakeholder expectations as outlined in
1403 7.9;
1404 — ensure that the organizational purpose expresses the organization’s approach to stakeholders;
1405 — engage with all relevant stakeholders when determining and reviewing the organizational values
1406 and promote the organizational values to stakeholders;
1407 — engage with all relevant stakeholders when establishing and reviewing the organizational and
1408 governance policies;
1409 — steer the organization such that its decision making and activities are consistent with the
1410 organizational purpose, organizational values and the organizational and governance policies.
1411 This includes considering how stakeholders may report where a breach in behaviour is occurring
1412 (see ISO 37002);
1413 — measure performance against the objectives related to socially responsible behaviour;
1414 — transparently report to stakeholders the organization’s objectives relating to being socially
1415 responsible, how it is ensuring these objectives are being met and what performance is being
1416 achieved;
1417 — because individual actions influence social responsibility, it should be an integral part of
1418 organizational strategy with assigned responsibilities and objectives;
1419 — the organization should consider undertaking specific measures contributing to the wellbeing of
1420 its society. For example, philanthropy can have a positive impact on society but is not a substitute
1421 for stakeholder engagement or addressing adverse impacts of the organization’s activities.

1422 7.11 Organizational viability and success over time

1423 7.11.1 Principle

1424 The governing body should ensure that the organization remains viable without compromising the ability
1425 of current and future generations to meet their needs.

1426 7.11.2 Rationale

1427 The governing body has a primary responsibility to ensure that the organization can continue to achieve
1428 its purpose over time. This requires balancing the health of social, natural environmental and economic
1429 systems. This in turn requires understanding and being compatible with stakeholder expectations (see
1430 sections 7.6 and 7.10), actively contributing to, conserving and restoring these systems on which the
1431 organization's viability and success is dependent.

1 See ISO 26000, Guidance on Social Responsibility for more information.

1432 Impacts on the systems can be both positive and negative and can be a direct result of the organization’s
1433 actions or an unintended consequence of these actions. Areas of impact include climatic stability, a
1434 healthy level of biodiversity and social equality. Organizations should recognize opportunities to
1435 contribute to sustainable wellbeing through supporting the health of these systems as well as limiting
1436 negative impacts.

1437 Where an organization fails to understand and respond to the needs of the systems of which it is a part, it
1438 is unlikely that the organization's value model will continue to create value and therefore that the
1439 organization will remain viable.

1440 7.11.3 Key aspects of practices

1441 The governing body should:

1442 — Articulate the organization’s value generation model: take a systems-wide view of the
1443 manner in which the organization generates value over time;
1444 — Identify wider system relationships: understand the external system interactions that
1445 underpin the organization’s value generation model;
1446 — Govern for organizational viability over time: ensure that the organization protects and
1447 restores the systems on which its value generation model depends and adapts where required.

1448 7.11.3.1 Articulate an integrated view of the organization’s value generation model

1449 — identify the key resources (for example capitals such as human, social and relational, intellectual,
1450 the natural environment, financial and manufactured), structures, processes, relationships,
1451 information, decision making, reporting and other aspects of the organization that allow it to
1452 create sustained value for stakeholders;
1453 — articulate how these aspects inter-relate to create value over time.

1454 7.11.3.2 Identify wider system relationships

1455 — ensure that the key external systems that the organization depends on are identified, the inter-
1456 relations described, and the organization’s positive and negative impacts on them specified. Such
1457 systems include, for example, economic, social and natural environmental systems. These
1458 systems influence the various resources, or capitals, which the organization positively or
1459 negatively impacts, or on which the organization’s value generation model depends as well as
1460 other aspects of organizational functioning as detailed in 7.11.3.1.

1461 7.11.3.3 Govern for organizational viability over time

1462 — identify, articulate, and monitor the key positive and negative impacts on systems, resources
1463 and aspects of the organization that will result from governance decisions. This should result
1464 in clarity about the impact of decisions over time both for those aspects the organization is
1465 directly dependent on, but also those the organization is not dependent on but whose ability
1466 to be sustained will be undermined by the decisions. This clarity is unlikely to be achieved
1467 without a consultation process with stakeholders;
1468 — when accounting to stakeholders, include a description of:
1469 - the organization’s value generation model and how the key structures, processes,
1470 relationships, information, decision-making, reporting and other key aspects of the
1471 organization work to create value;
1472 - how decisions or external factors may affect key aspects of the organization;
1473 - how decisions or external factors may affect the organization’s value generation model;
1474 - how decisions affect the health of the wider natural environmental, social and economic
1475 systems.
1477 Some tools to assist with these sustainability practices are outlined in Annex A.

1478 7.11.3.4 Dilemma examples

1479 In seeking to ensure viability the governing body may face a number of dilemmas. For example, although
1480 it should direct the organization to adopt approaches that take into account both the primary and knock-
1481 on material impacts of external systems on its own viability, the governing body also needs to direct the
1482 organization to maintain the resilience of the external systems in which it operates. Reconciling inter-
1483 relations and dependencies between the organization’s value generation model and the systems affected
1484 by the model should identify areas that require stakeholder engagement and governing body oversight.

1485 When engaging stakeholders, governing bodies should not give exclusive priority to any one single
1486 stakeholder perspective (e.g. only current owner stakeholder returns, or only society’s perception) at the
1487 expense of other valid concerns. Instead, governing bodies should seek to resolve dilemmas, by, for
1488 example, taking a multi-stakeholder approach.

1489 Over time, the impacts and trade-offs between external and internal systems may change and stakeholder
1490 perspectives may change. These shifts will present new dilemmas for the governing body to consider. For
1491 example, as societal values shift to recognizing unsustainable human pressures on the natural
1492 environment, the governing body should re-evaluate the viability of its model against these expectations.

1496 Annex A
1497 (informative)
1498 Governance Tools and Resources

1499 A.1 Sustainability Practices

1500 Tools to assist with these practices include:

1501 — Adopting practices for corporate social responsibility including:
1502 o UN sustainability goals2;
1503 o UN Global Compact3;
1504 o ISO 14001:2015, Environmental Management Systems – Requirements with guidance for
1505 use;
1506 o ISO 26000:2010, Guidance on social responsibility.
1507 — In addition to required reporting, use a reporting framework that focuses on the long-term use
1508 and preservation of resources. These include:
1509 o International Integrated Reporting Framework4;
1510 o Global Reporting Initiative5;
1511 o Sustainability Accounting Standards Board6.
1512 — Impact measurement tools can be found at:
1513 o The World Business Council on Sustainable Development7.

2 https://www.un.org/sustainabledevelopment/sustainable-development-goals/
3 https://www.un.org/Depts/ptd/about-us/un-global-compact
4 http://integratedreporting.org/resource/international-ir-framework/
5 https://www.globalreporting.org/standards
6 https://www.sasb.org/
7 https://www.wbcsd.org/Programs/Redefining-Value/Business-Decision-Making/Assess-and-Manage-Performance

1514 Bibliography

1515 [1] ISO 14001:2015, Environmental Management Systems – Requirements with guidance for use

1516 [2] ISO 26000:2010, Guidance on social responsibility

1517 [3] ISO 37001:2016, Anti-bribery management systems – Requirements for use

1518 [4] ISO/IEC 31000:2018, Risk management – Guidelines

1519 [5] ISO/IEC 31010:2009, Risk management – Risk assessment techniques

1520 [6] ISO/IEC 38500:2015, Information technology – Governance of IT for the organization

1522 [7] ISO/IEC TR 38502:2017, Information technology – Governance of IT – Governance of data –
1523 Framework and model

1524 [8] ISO/IEC 38505-1:2017, Information technology – Governance of IT – Governance of data – Part 1:
1525 Application of ISO/IEC 38500 to the governance of data

1526 [9] ISO/IEC TR 38505-2:2017, Information technology – Governance of IT – Governance of data – Part
1527 1: Implications of ISO/IEC 38505-1 for data management

1528 [10] ISO 19600:2014, Compliance management systems – Guidelines
