Public-sector governance alignment for accountable digital services
Government agencies must comply with OMB Circular A-123, GAO Green Book internal controls, OMB M-24-10 AI safeguards, UK Orange Book risk management, the EU Interoperable Europe Act, and OECD digital government principles. This 3,200-word playbook delivers governance structures, data controls, and oversight cadences that keep programmes compliant and auditable.
Updated to reflect U.S. Federal Cybersecurity Performance Goals (2023 update), FedRAMP moderate baseline revision 5, and the Interoperable Europe Act implementation roadmap.
Coordinate with board oversight, ESG accountability, and third-party governance to manage cross-sector dependencies.
Executive summary
Public-sector governance frameworks emphasise risk management, internal control, transparency, and service delivery outcomes. OMB Circular A-123 (revised 2016) requires U.S. federal agencies to implement enterprise risk management (ERM) integrated with internal controls, and to report material weaknesses and corrective actions. The GAO Standards for Internal Control in the Federal Government (Green Book, 2014) provides the criteria for the design and operating effectiveness of controls across the five components: control environment, risk assessment, control activities, information and communication, and monitoring.
OMB Memorandum M-24-04, the FY2024 FISMA guidance (December 2023), directs agencies to modernise identity, credential, and access management, strengthen software supply chain practices, and continue zero trust implementation in line with the U.S. National Cybersecurity Strategy. OMB M-24-10 (March 2024) establishes minimum risk management practices for government use of artificial intelligence, including use case inventories, risk assessments, impact mitigation, and transparency.
Internationally, the UK Orange Book: Management of Risk (2023 edition) sets out principles for integrating risk management into public service delivery, while the EU Interoperable Europe Act (Regulation (EU) 2024/903, in force April 2024) mandates governance for cross-border digital public services, including interoperability assessments and cooperation structures.
This playbook enables agencies to integrate these frameworks into cohesive governance programmes. It covers source packs, organisational structures, risk management, data governance, technology enablement, oversight metrics, and implementation roadmaps.
Regulatory source packs
Create curated source packs for agency leadership, programme managers, and oversight bodies. Each pack should contain official guidance, policy memoranda, circulars, audit reports, and compliance checklists.
| Pack | Contents | Primary obligations | Update cadence |
|---|---|---|---|
| Internal controls and ERM | OMB Circular A-123, GAO Green Book, UK Orange Book, internal control checklists | Annual assurance statements, risk profile development, corrective action plans, control testing documentation. | Annual review with quarterly updates for corrective actions. |
| Cybersecurity and zero trust | OMB M-22-09, M-24-04 and M-22-18, NIST SP 800-53 and SP 800-218, CISA Cybersecurity Performance Goals, FedRAMP baselines | Zero trust implementation plans, identity governance, software supply chain security, FedRAMP package maintenance. | Quarterly, to align with cybersecurity reporting cycles. |
| AI governance | OMB M-24-10, NIST AI RMF, agency AI policies | AI use case inventories, risk assessments, impact mitigation plans, transparency artefacts. | Quarterly review with ad hoc updates for new AI deployments. |
| International interoperability | Interoperable Europe Act, OECD digital government principles, cooperation agreements | Interoperability assessments, governance board minutes, cooperation agreements, performance indicators. | Semi-annual, tied to cross-border project milestones. |
| Audit and oversight | Inspector General, GAO and national audit office reports, audit response procedures | Audit response tracking, remediation progress, reporting to oversight committees. | Quarterly, with updates after each audit. |
Maintain digital repositories for source packs with access controls, versioning, and change logs. Provide dashboards summarising upcoming compliance deadlines, open findings, and policy updates.
Governance structure and roles
Establish governance bodies aligned with public-sector accountability. Typical structures include:
- Executive governance board. Chaired by the agency head or deputy, overseeing risk, performance, and compliance. Reviews ERM profiles, AI inventories, cybersecurity posture, and programme outcomes.
- Risk and internal control committee. Coordinates implementation of OMB Circular A-123, monitors control testing, and oversees corrective actions.
- Cybersecurity and technology council. Oversees zero trust implementation, FedRAMP authorisations, software supply chain risk, and technology investments.
- Data and AI governance council. Manages data strategy, privacy, AI risk management, and interoperability requirements.
- Programme delivery boards. Monitor digital service transformation, customer experience metrics, and benefits realisation.
Define charters, membership, decision rights, quorum, and escalation paths. Align charters with regulatory obligations and legislative mandates. Document meetings, decisions, and actions with clear ownership and deadlines.
Develop role descriptions for key positions: Chief Financial Officer (CFO), Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Data Officer (CDO), Chief AI Officer (per OMB M-24-10), and programme managers. Outline responsibilities for compliance, risk management, assurance, and stakeholder engagement.
Integrate oversight from Inspectors General, audit committees, and legislative bodies. Establish formal processes for responding to audit findings, congressional inquiries, and public transparency requirements (e.g., Freedom of Information Act, open data mandates).
Risk management and internal controls
Implement ERM aligned with OMB Circular A-123 and GAO Green Book. Identify strategic, operational, compliance, financial, and reputational risks. Use risk taxonomy tailored to agency missions, covering cybersecurity, privacy, AI, procurement, programme delivery, and stakeholder trust.
Conduct risk assessments using quantitative and qualitative methods. Score risks based on likelihood, impact, velocity, and control effectiveness. Document risk responses (accept, avoid, reduce, share) and assign accountable owners. Update risk profiles at least quarterly and report to executive governance boards.
Design control activities across processes: budgeting, procurement, grants management, IT operations, and service delivery. Document control objectives, procedures, frequency, evidence, and responsible parties. Align with GAO Green Book and UK Orange Book principles such as proportionate control and risk appetite articulation.
Perform control testing using first-line self-assessments, second-line monitoring, and internal audit. Capture results in control repositories, track deficiencies, and develop corrective action plans. Report status to oversight committees and update assurance statements.
Integrate cybersecurity controls aligned with NIST SP 800-53, the CISA Cybersecurity Performance Goals, and sector-specific directives. Monitor compliance through vulnerability management, the Continuous Diagnostics and Mitigation (CDM) programme, and incident reporting systems.
Procurement governance and contract management
Public procurement must align with legal frameworks such as the U.S. Federal Acquisition Regulation (FAR), the EU Public Procurement Directives (2014/24/EU), and the UK Public Contracts Regulations 2015 (being superseded by the Procurement Act 2023). Establish procurement governance boards that oversee the planning, solicitation, evaluation, award, and contract management phases.
Implement acquisition planning templates capturing mission alignment, market research, risk assessments, cybersecurity requirements (e.g., FAR 52.204-21), sustainability criteria, and socioeconomic considerations. Document approval workflows and ensure compliance with small business goals and socio-economic programmes.
Require source selection plans with evaluation criteria, scoring methodologies, and conflict-of-interest disclosures. Maintain records of evaluations and debriefings to support transparency and protest defence. Track procurement timelines, protest outcomes, and performance metrics.
During contract administration, monitor performance through quality assurance surveillance plans (QASP), service level tracking, and deliverable acceptance procedures. Apply Earned Value Management (where applicable) and integrate contract data into governance dashboards.
For EU and UK contexts, incorporate social value and green public procurement requirements. Use the European Commission’s Buying Green! handbook and UK Cabinet Office social value guidance to define evaluation criteria. Document supplier commitments and monitor delivery through contract management systems.
AI and data governance
Implement AI governance per OMB M-24-10 and NIST AI RMF. Establish AI use case inventories with metadata: purpose, model type, data sources, impact level, responsible officials, and mitigation controls. Require pre-deployment risk assessments evaluating fairness, privacy, security, and human oversight.
Develop AI risk mitigation plans, including bias testing, explainability, monitoring, and incident response. Document results and update inventories. Provide transparency artefacts such as public reporting, notices, and evaluation summaries for use cases affecting rights or safety.
Integrate AI governance with data management. Implement data classification, lineage, and quality controls. Align with the Federal Data Strategy, Evidence Act, and EU data governance principles. Establish data stewardship roles, metadata catalogues, and access management policies.
Coordinate with privacy officers to ensure compliance with Privacy Act, GDPR (if applicable), and national data protection laws. Conduct privacy impact assessments and maintain consent/notice records.
Align interoperability efforts with the Interoperable Europe Act and OECD principles. Use common data models, APIs, and standards. Document interoperability assessments and governance board approvals.
Technology and service management
Adopt zero trust architectures per OMB M-22-09 and M-24-04. Implement identity governance, multi-factor authentication, microsegmentation, and continuous monitoring. Align with CISA’s Zero Trust Maturity Model 2.0 and document progress.
Ensure cloud services meet FedRAMP authorisation levels (Low, Moderate, High) and maintain continuous monitoring. Track Plan of Action and Milestones (POA&M) closure and vulnerability management metrics. Coordinate with third-party governance to manage cloud providers and SaaS vendors.
Use IT service management frameworks (ITIL 4) to manage incidents, changes, and service levels. Document service catalogues, SLAs, and performance metrics. Integrate service management with resilience planning (COOP, continuity of operations) and testing.
Implement software supply chain controls, referencing NIST SP 800-218 (Secure Software Development Framework) and the software producer attestation requirements of OMB M-22-18 (as updated by M-23-16). Maintain software bills of materials (SBOMs), cross-reference them against vulnerability data, and track remediation to closure.
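As an added example (not part of the original playbook), the following Python script shows the SBOM-to-vulnerability cross-reference that the tracking process above depends on: it parses a minimal CycloneDX JSON SBOM, normalises package URLs (purls), matches each component's version against a vulnerability feed, and reports components whose version cannot be determined so they are not silently treated as clean. The SBOM, the feed, and the vulnerability identifiers are all constructed for illustration, and the function names are this example's own.

```python
"""Cross-reference a CycloneDX SBOM against a vulnerability feed.

Added example for this playbook; the SBOM, the feed and the identifiers
in it are constructed for illustration, not real inventory data.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 document trimmed to the fields this script reads.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "logging-core", "version": "2.14.1",
         "purl": "pkg:maven/org.example.logging/logging-core@2.14.1"},
        {"type": "library", "name": "httpclient", "version": "2.31.0",
         "purl": "pkg:pypi/httpclient@2.31.0"},
        # No version anywhere: the scanner must report it, not assume it is clean.
        {"type": "library", "name": "utils", "purl": "pkg:npm/utils"},
    ],
})

# Constructed feed keyed by version-less purl. Real feeds (NVD, OSV, vendor
# advisories) carry version ranges; exact-version lists keep the example short.
SAMPLE_FEED = {
    "pkg:maven/org.example.logging/logging-core": [
        {"id": "EXAMPLE-2021-0001", "severity": "critical",
         "affected": ["2.14.0", "2.14.1"], "fixed_in": "2.17.1"},
    ],
    "pkg:pypi/httpclient": [
        {"id": "EXAMPLE-2023-0002", "severity": "medium",
         "affected": ["2.30.0"], "fixed_in": "2.31.0"},
    ],
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    severity: str
    fixed_in: str


def split_purl(purl):
    """Return (purl without version/qualifiers/subpath, version or None)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    if "@" in core:
        base, version = core.rsplit("@", 1)
        return base, version
    return core, None


def load_components(sbom_json):
    """Parse the SBOM and reject anything that is not CycloneDX."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def scan_sbom(sbom_json, feed):
    """Return (findings sorted by severity, names of components that could not be matched)."""
    findings, unresolved = [], []
    for comp in load_components(sbom_json):
        purl = comp.get("purl")
        if not purl:
            unresolved.append(comp.get("name", "<unnamed>"))
            continue
        base, version = split_purl(purl)
        version = version or comp.get("version")  # fall back to the version field
        if not version:
            unresolved.append(comp.get("name", base))
            continue
        for vuln in feed.get(base, []):
            if version in vuln["affected"]:
                findings.append(Finding(comp.get("name", base), version,
                                        vuln["id"], vuln["severity"], vuln["fixed_in"]))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 99))
    return findings, unresolved


def remediation_summary(findings):
    """Count open findings per severity for a governance dashboard."""
    summary = {}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


if __name__ == "__main__":
    found, unknown = scan_sbom(SAMPLE_SBOM, SAMPLE_FEED)
    for f in found:
        print(f"{f.severity.upper():8} {f.component} {f.version}: {f.vuln_id} "
              f"(fix: upgrade to {f.fixed_in})")
    for name in unknown:
        print(f"UNRESOLVED {name}: no version recorded in SBOM, manual review required")
    print("summary:", remediation_summary(found))
```

The unresolved list is the part that matters for assurance: an SBOM entry without a version yields no match in any feed, and a scanner that only reports matches would report such a component as clean. Treating it as an open item forces the supplier to deliver a complete SBOM before the component is accepted.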
Leverage digital platforms to deliver citizen services with accessibility, usability, and multilingual support. Follow U.S. 21st Century Integrated Digital Experience Act and EU Web Accessibility Directive requirements. Track user satisfaction, completion rates, and error metrics.
Grants management governance
Agencies administering grants must comply with the U.S. Uniform Guidance (2 CFR 200), EU Cohesion Policy regulations, or national grant frameworks. Establish grants governance boards overseeing programme design, risk assessments, application review, award decisions, and post-award monitoring.
Develop risk-based monitoring plans classifying recipients by financial stability, programmatic complexity, and prior performance. Assign monitoring activities such as desk reviews, site visits, and performance audits. Document risk assessments and monitoring results to support Single Audit Act compliance and EU audit requirements.
Implement grant agreements with clear performance indicators, reporting schedules, and data requirements. Use digital grants management systems to track applications, disbursements, and outcomes. Integrate systems with financial management platforms to ensure accurate reporting.
Provide technical assistance and capacity-building resources for recipients, particularly smaller organisations and local governments. Track training participation, compliance support provided, and impact on performance metrics.
Performance management and transparency
Align performance reporting with OMB Circular A-11, Government Performance and Results Act, and national equivalents. Define strategic objectives, performance indicators, and targets. Integrate risk information into performance reviews to link outcomes with governance actions.
Use dashboards to monitor key metrics: programme delivery milestones, budget execution, customer experience (e.g., CX maturity assessments), cybersecurity posture, AI risk mitigation, and sustainability outcomes. Publish performance data on open data portals where required.
Enhance transparency by publishing governance artefacts: risk profiles, AI inventories, privacy impact assessments, and audit responses. Ensure accessibility and compliance with records management policies.
Engage stakeholders—citizens, civil society, legislative bodies—through consultations, public reports, and feedback mechanisms. Document input and integrate into governance decisions.
Community engagement and accountability
Engage citizens and stakeholders using frameworks such as the U.S. Open Government National Action Plan, the UK Government Communication Service’s Engaging for Impact model, and OECD stakeholder participation guidelines. Develop engagement strategies covering consultation, co-design, and feedback mechanisms for digital services and policy initiatives.
Maintain public dashboards and open data portals with metrics on service performance, budget execution, and governance actions. Ensure accessibility and multilingual support. Provide context, explanatory notes, and channels for feedback.
Establish grievance mechanisms for service complaints, privacy concerns, and AI impacts. Track grievances, response times, resolutions, and systemic improvements. Report aggregated data to oversight bodies and include in transparency reports.
Collaborate with civil society organisations, academic institutions, and industry partners through advisory councils and partnerships. Document outcomes, commitments, and follow-up actions.
Assurance and oversight coordination
Coordinate assurance among internal audit, Inspectors General, external auditors, and oversight bodies. Develop an assurance map linking risk areas to assurance providers and coverage frequency. Ensure independence and avoid duplication.
Prepare annual assurance statements (OMB Circular A-123) summarising control effectiveness, material weaknesses, and corrective actions. Include updates on AI risk mitigation, cybersecurity, and interoperability. Provide statements to OMB, Congress, and national audit offices as required.
Track audit findings and recommendations in central systems. Assign owners, deadlines, and status. Report progress to governance boards and oversight committees. Document evidence of remediation for closure.
Conduct quality assurance over assurance activities, including internal audit peer reviews (IIA standards), Inspector General quality assessments, and third-party evaluations.
Workforce capability and ethics
Effective governance depends on skilled personnel. Develop workforce strategies aligned with the U.S. Office of Personnel Management’s Human Capital Framework, the UK Government Functional Standard for People, or EU competency models. Identify critical roles in risk management, cybersecurity, AI, procurement, and programme delivery, and assess competency gaps.
Implement training programmes covering OMB Circular A-123, GAO Green Book, zero trust, AI risk management, privacy, procurement ethics, and grants compliance. Track completion rates, learning outcomes, and certifications (e.g., Certified Government Auditing Professional, Certified Information Systems Security Professional).
Maintain ethics programmes consistent with Standards of Conduct, EU Staff Regulations, and national codes. Provide regular ethics training, conflict-of-interest disclosures, and advisory services. Document ethics inquiries and resolutions to demonstrate integrity.
Support workforce wellbeing and inclusion by aligning with diversity, equity, inclusion, and accessibility (DEIA) strategies, such as the U.S. Executive Order 14035 and UK Civil Service Diversity and Inclusion Strategy. Track workforce demographics, retention, and satisfaction metrics, and link initiatives to governance outcomes.
Key metrics and indicators
Develop metrics aligned with governance objectives:
- Control effectiveness. Percentage of controls tested and effective, number of material weaknesses, and corrective action timeliness.
- Risk management. Risk profile refresh frequency, high-risk mitigation progress, risk appetite breach count.
- Cybersecurity. Zero trust capability scores, patching cadence, FedRAMP POA&M closure rates, incident response performance.
- AI governance. Percentage of AI use cases inventoried, risk assessments completed, mitigation plans implemented, transparency artefacts published.
- Interoperability. Number of cross-border services compliant with Interoperable Europe governance, API uptime, data quality scores.
- Performance and CX. Customer satisfaction, digital service adoption, accessibility compliance, backlog of service requests.
- Audit remediation. Recommendation closure rates, elapsed time since issuance, repeat findings.
Visualise metrics through executive dashboards and publish summaries for public transparency, respecting security and privacy constraints.
Implementation roadmap
- Months 0–2: Perform a baseline assessment against OMB Circular A-123, the GAO Green Book, M-24-10, zero trust requirements, and interoperability mandates. Establish governance councils and assign roles.
- Months 3–5: Develop source packs, update policies, and implement risk registers. Launch the AI inventory and cybersecurity roadmap updates.
- Months 6–8: Deploy dashboards, data governance platforms, and automation tools. Conduct control testing and pilot assurance reviews.
- Months 9–12: Publish performance and transparency reports, complete AI risk mitigation plans, and update zero trust and interoperability milestones. Address audit findings.
- Months 12+: Embed continuous improvement, expand citizen engagement, and integrate sustainability reporting with ESG mandates.
Connected governance guides
- Board oversight. Public enterprises can align oversight structures with board oversight governance to maintain transparency with supervisory bodies.
- ESG accountability. Government sustainability programmes benefit from the ESG accountability playbook when reporting on emissions, procurement, and social outcomes.
- Third-party governance. Agencies should coordinate vendor oversight with third-party governance controls to manage contractors and cloud services.
Future outlook and continuous improvement
Monitor emerging policies such as the U.S. National AI Research Resource roadmap, UK Digital and Data Strategy, and EU GovTech initiatives. Update governance frameworks to incorporate new digital identity standards, privacy regulations, and resilience mandates. Conduct horizon scanning using regulatory trackers, think tank reports, and international forums.
Embed continuous improvement by performing annual maturity assessments across governance pillars—risk management, cybersecurity, AI, procurement, grants, and community engagement. Benchmark against peer agencies, share lessons learned through communities of practice, and adjust resource allocations to close capability gaps.
Evidence pack checklist
Compile evidence packs containing: governance charters, risk profiles, control documentation, AI inventories, privacy impact assessments, FedRAMP authorisation packages, interoperability assessments, audit reports, corrective action plans, and performance dashboards. Maintain version control and review cycles.
Use evidence packs to brief oversight bodies, respond to audits, and inform public transparency reports. Update packs after major policy changes or programme milestones and log approvals.