ITIL 4 Managing Professional Certification Course: Direct, Plan and Improve (DPI) - Policies, Controls and Guidelines

1. Policies, Controls and Guidelines

1.1 Policies

Key message: policies are formally documented statements of management expectations and intentions in relation to a specific area or task. Policies are used to direct actions and decisions, and adherence to policy is mandatory. Effective policies should:

  • Be clear, but concise
  • Be simple and practical
  • Anticipate questions
  • Educate and communicate
  • Build in flexibility
  • Define the consequences of non-compliance
  • Build in measurement and compliance validation
  • Promote transparency
  • Provide for feedback

1.2 Controls

Key message: controls are means of managing a risk, ensuring that a business objective is achieved, or ensuring that a process is followed. Key points about effective controls:

  • Some controls are policies; other controls ensure compliance with policies
  • Controls should be sufficient to achieve the required result without introducing consequences that are unacceptable to the organization. Common controls are measurement and reporting
  • When possible, build controls into the technology so that people comply with less effort (for example, enforcing a required setting in the platform rather than asking people to remember it)
  • Excessive controls may cause people to circumvent the control or work inefficiently, or may have negative business impacts

1.3 Guidelines

Key message: guidelines are recommended practices that allow some discretion or leeway in their interpretation, implementation, or use. Key points about effective guidelines:

  • Guidelines are not requirements; they are recommendations that guide people making decisions or performing activities
  • They must be seen as helpful
  • They must be easy to access, understand, and follow
  • Guidelines are needed for tasks that:
    • Are performed by many people, but could be confusing without assistance
    • Used to be done differently, where quick adoption of a new method is needed
    • Are performed infrequently, but where too much variation creates challenges
    • Could be easier, faster, or more successful if expertise is shared

1.4 Compliance

Compliance is strongly tied to governance:

  • Internal/external stakeholders will ensure the organization is compliant with rules/regulations
  • The legal/regulatory environment will influence the compliance mechanisms

Internal or external audits provide evidence of compliance.

2. Decision-making authority

Governance decisions are made at the highest levels of the organization:

  • But it makes no sense for all decisions to be made at the same level
  • If all decisions require the involvement of leadership, they will be slow

Decision‐making authority should be delegated as far as possible

  • While still ensuring that required outcomes are consistently produced
  • This helps to ensure people are respected, motivated, and valued

Everyone must understand their own scope of control

  • And make decisions within that scope
  • If the scope is too narrow, decision making will be pushed too high
  • If the scope is too broad, risks may be created

2.1 Match the level of risk

Decisions with little risk can be made at low levels:

  • Place decision-making authority as close as possible to the people doing the work
  • Mitigate the remaining risk with training, automation, policies, and guidelines

Decisions with significant risk should be made at higher levels, with a mechanism that provides more structure and review.
