Governance pillar

Governance Fundamentals

A board-ready primer that links corporate governance duties with technology, sustainability, and risk programs so executives can evidence oversight.

Aligned with ISO 37000 guidance, OECD Principles of Corporate Governance, ISSB/TCFD climate disclosures, and EU CSRD/ESRS reporting expectations.

Board oversight and structure

Define clear oversight so strategy, risk, and compliance stay synchronized across committees and management.

Controls

  • Clarify committee charters (audit, risk, technology, sustainability) with decision rights, escalation paths, and cadence.
  • Maintain forward agendas that align quarterly with strategy, capital allocation, cybersecurity posture, and emerging regulation.
  • Provide director education on cyber, AI, and climate topics; log attendance and outcomes.
  • Track delegations of authority and management policies so financial, operational, and data decisions have documented thresholds.

Metrics

  • Agenda coverage: percent of required oversight topics (risk appetite, talent, technology, ESG) covered per year.
  • Action closure: time to close board or committee actions and follow-up items.
  • Education completion: director training completion and refresh cycles on critical topics.
  • Delegation adherence: exceptions to approval matrices and aging of unresolved deviations.

Regulatory hooks

Audit committee responsibilities stem from SOX and exchange listing standards. Cyber oversight expectations are reinforced by SEC cybersecurity disclosure rules. EU CSRD requires governance disclosures on board skills and oversight of sustainability topics.

Risk, internal control, and assurance

Integrate enterprise risk management with internal control and assurance functions.

Controls

  • Operate a risk appetite statement with key risk indicators (KRIs) covering cyber, resilience, conduct, and third parties.
  • Align ERM and internal audit plans so testing covers top risks and regulatory focus areas; maintain a single issue register.
  • Apply the Three Lines Model consistently: the first line owns controls, the second line challenges and monitors, and the third line provides independent assurance.
  • Implement issue governance with root cause analysis, remediation owners, due dates, and periodic validation.

Metrics

  • Risk appetite adherence: KRIs within tolerance and count of breaches with documented responses.
  • Audit alignment: coverage of top risks in audit plan; percentage of audits delivered on schedule.
  • Issue lifecycle: closure timeliness, reopened issues, and remediation effectiveness rates.
  • Independence indicators: proportion of audit engagements free from management override or scope reductions.

Regulatory hooks

The Institute of Internal Auditors' Three Lines Model, ISO 31000 risk guidance, and COSO ERM underpin risk and assurance expectations. Financial services also align to Basel operational risk principles and EBA internal governance guidelines.

ESG and sustainability reporting

Treat sustainability data like financial data: controlled sources, audit trails, and clear narrative ownership.

Controls

  • Create a data dictionary for greenhouse gas (GHG), diversity, and supply-chain metrics with calculation logic and system sources.
  • Apply internal controls over sustainability reporting (ICSR) mirroring SOX disciplines: access, change management, reconciliations, and review checkpoints.
  • Coordinate scenario analysis and transition plans aligned to TCFD/ISSB climate standards; document assumptions.
  • Establish assurance readiness with evidence packages for limited or reasonable assurance over ESRS metrics.

Metrics

  • Data lineage completeness: percentage of reported metrics with source-to-report traceability and control owners.
  • Assurance findings: count and severity of external assurance or internal review issues on ESG data.
  • Scenario coverage: number of climate scenarios tested and frequency of updates.
  • Supply-chain scope: share of spend covered by supplier GHG or human-rights questionnaires.

Regulatory hooks

EU CSRD/ESRS mandates extensive governance and sustainability disclosures with assurance. ISSB IFRS S1/S2 and TCFD guide climate risk reporting. U.S. public companies should align with SEC climate disclosure expectations.

Technology and data governance

Govern technology with the same rigor as finance: decision rights, architecture standards, and accountable data controls.

Controls

  • Maintain architecture standards and waiver processes covering cloud landing zones, encryption, identity, and logging.
  • Operate data governance councils that steward data quality, privacy, retention, and AI usage policies.
  • Integrate product and policy reviews so legal, security, and privacy sign-offs are captured before launch.
  • Align technology investment with strategy via business cases, value tracking, and decommissioning criteria.

Metrics

  • Standard adherence: percentage of solutions compliant with reference architectures and security baselines.
  • Data quality: critical data elements with defined owners, data quality scores, and issue remediation cycle time.
  • Product review throughput: average approval time and number of late-stage escalations.
  • Portfolio health: spend versus value delivered, and retirement of redundant tools or systems.

Regulatory hooks

Technology governance evidence supports SOX ITGCs, ISO/IEC 27001, the NIST CSF 2.0 Govern function, and supervisory expectations in DORA and APRA CPS 230 for operational risk and resilience.