Governance

Governance is the management structure that defines how your organisation makes decisions, allocates responsibilities and ensures control. In a compliance context, governance is the foundation that makes it possible to comply with legislation, manage risks and document that you act responsibly.

    What is governance?

    Governance is about management and control. It is the structures, processes and rules that determine how your organisation is led, who makes which decisions, and how you ensure those decisions are sound.

    In a compliance context, governance is the framework that makes it possible to work systematically with legislation, regulation and internal standards. Without governance, you risk compliance work becoming ad hoc, with important decisions being taken without sufficient basis.

    Good governance requires three things: clear roles and allocation of responsibilities, well-defined decision-making processes, and adequate control and monitoring. It sounds simple, but in practice it is one of the greatest challenges for many organisations.

    Governance is closely linked to your compliance framework. The framework defines what you must comply with, whilst governance defines how you organise yourselves to do so.

    Governance, Risk and Compliance (GRC)

    GRC is an integrated approach that brings governance, risk management and compliance together in one coherent structure. The idea is to avoid silos where each department works in isolation on their part of the puzzle.

    Governance sets the direction and defines who is responsible for what. Risk management identifies and assesses threats that could prevent the organisation from achieving its objectives. Compliance ensures the organisation meets the requirements it is subject to.

    When the three disciplines work together, you get a more complete picture. A risk assessment informs governance decisions, and the governance structure ensures compliance requirements are taken seriously at management level.

    Compliance management is the practical tool that binds GRC together in day-to-day operations.

    Governance in legislation

    Several regulations impose direct requirements on governance:

    GDPR requires accountability. You must be able to demonstrate that you comply with the regulation. This presupposes clear roles, documented processes and a DPO if your organisation is obliged to appoint one.

    NIS2 sets explicit requirements for management to approve and oversee cyber security measures. Management can be held personally liable, and the directive requires them to participate in relevant training.

    DORA requires the management body of financial undertakings to take active responsibility for ICT risk management, including approval of policies and oversight of implementation.

    ISO 27001 requires management commitment and a clear information security policy approved by top management. Management review is a formal requirement in the standard.

    Governance in practice

    Effective governance starts with defining roles. Who owns the compliance programme? Who reports to management? Who has decision-making authority to accept risks?

    Set up a compliance committee or governance board with representatives from relevant functions: legal, IT, security, HR and the business. The committee should meet regularly and have a clear mandate from management.

    Document your policies and procedures and ensure they are approved by the right people. A policy not approved by management has no authority.

    Use internal audit to verify that the governance structure is working. The audit should be independent of the functions it assesses and report directly to management or the board.

    Ensure security awareness throughout the organisation. Governance is not only a management issue. All employees must understand their role and responsibilities.

    Frequently Asked Questions about Governance

    What is the difference between governance and compliance?

    Governance is the overarching management structure defining how the organisation is led and controlled. Compliance is a part of governance and specifically concerns adherence to legislation and regulation. Good governance creates the conditions for effective compliance.

    What does GRC mean?

    GRC stands for Governance, Risk and Compliance. It is an integrated approach where management structures, risk management and compliance work are brought together in one coherent framework, so the organisation avoids silos and duplication of effort.

    Who is responsible for governance?

    The board and senior management bear overall responsibility for governance. They set the direction, approve policies and ensure that adequate control and monitoring are in place.

    Does GDPR require a governance structure?

    GDPR does not explicitly require a governance structure, but the regulation's requirements for accountability, documentation and organisational measures presuppose in practice that you have clear management structures for data protection.
