White Paper
An Integrated
Governance Model
August 2023
Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au
1 In this context the term “board” is used to describe the group or individual accountable for the overall performance of the
organisation. In the corporate sector this is generally a Board of Directors, in other contexts it might be an individual such as a head of
function, a commander or a principal officer.
Governance differs from management. Governance establishes goals, direction, limitations and accountability
frameworks; management is the allocation of resources and the supervision of day-to-day operations.
A practical model
An organisation is established for a purpose and operates within its external context. The governance processes must
recognise these factors. It can attempt to influence them, but it cannot control them. The owners of an organisation
may change an organisation’s purpose and this may involve a conversation with the board; the political and regulatory
environment may change around an organisation, but the organisation can attempt to influence this by various forms of
lobbying.
Exhibit 1 shows a skeleton model for governance of an organisation. It is intended to be scalable – that is it can be
applied to any organisation of any size.
[Exhibit 1: skeleton governance model. Labels recoverable from the figure: Purpose of Organisation; Governance; (External) Context.]
Culture
The culture of an organisation is an emergent property of the members of that organisation. It consists of the shared
perceptions about what is correct, what is prioritised and what is likely to be rewarded. In an organisation, individual
behaviour is affected by the way in which actions are rewarded or punished.
People learn what is acceptable behaviour by observing the behaviours of others in the organisation. The board can
build organisational culture by setting expectations and holding individuals to account for their behaviour.
Aspects include
› The values of the organisation. These are the principles and beliefs that define the way in which the organisation will
behave both internally and towards its stakeholders and customers. This aspect has been considered important for
some time and appears in COSO Internal Control (2013) as
Management sets an ethical climate that fosters honesty and integrity through their actions, code of conduct,
whistleblower policy, etc.
Governance principles apply at every level of responsibility in every organisation. Managers are accountable to their
superiors and govern their areas of responsibility. The scope that they may have for independent action will depend on
the organisation and the level of the manager within it. As ISO 37000 says:
The degree of separation of duties between the governing body and managers varies according to organizational
needs and circumstances. In certain circumstances…an individual can be required to fulfil both governance and
management responsibilities.
At the highest levels of the organisation, there is more governance than management; at the lower levels there is
increasing management and corresponding decrease in governance.
Risk Management
What is risk?
The frameworks for management of risk have evolved over time and, while they use many of the same words, they have
different philosophical approaches.
The table below (columns: Level; Concept; Level of risk; Explanation; Used in; Controls) summarises the three approaches.

Level 1
› Concept: Risk as hazard
› Level of risk: Conceivable damage (exposure)
› Used in: Safety
› Controls: Physical and mechanical

Level 2 (Systems)
› Concept: Risk as a potential event
› Level of risk: Consequences of the event and the likelihood of experiencing them
› Explanation: Introduces the concept of likelihood. Also the concept of systems.
› Used in: AS/NZS 4360:1995; COSO ERM (2004); COSO ERM (2017). Used in most of the commercial literature coming out of the USA.
› Controls: Process-based hard controls to prevent/detect/correct adverse events. Some thought is given to soft controls (behavioural measures).

Level 3 (Humanist)
› Concept: Risk as an effect
› Level of risk: Consequence of effect and likelihood of experiencing the consequence
› Explanation: Expands the concept of uncertainty to go beyond potential events.
› Used in: ISO 31000; most Australian Government official guidance.
› Controls: Human factors are prominent in the approach. Controls must be designed with a conscious understanding of human behaviour.
Risk Management Principles and Framework
Risk management is a management activity. An important aspect of AS ISO 31000:2018 Risk management –
Guidelines is its emphasis on human factors. The standard, while not including issues of culture within the framework,
recognises that human behaviour and culture significantly influence all aspects of risk management at each level and
stage. This emphasis on culture is an emerging issue in organisational management.
ISO 31000 describes a risk management framework as containing five components (Exhibit 3). Most of these
components are internal to the risk management activity. The framework as suggested in ISO 31000 is based on the
Plan->Do->Check->Act cycle of quality management and touches on the governance framework in the Leadership,
Integration and Design components.
An important part of leadership in establishing sound risk management is determining the amount and type of risk
that may or may not be taken. This is often called the organisation’s risk appetite.
The Integration component includes consideration of organisation structures, strategy, leadership, objectives
and operations. Design should consider: organisational context (including external pressures and obligations);
organisational roles, authorities, responsibilities and accountabilities; the allocation of resources; and
communication and consultation processes.
Risk management in the integrated model
Risk management maps on to the integrated model as shown in Exhibit 4. Nearly every aspect of the risk
management activity overlaps the governance model.
[Exhibit 4: risk management mapped on to the integrated model. Labels recoverable from the figure: Purpose of Organisation; Governance; (External) Context.]
Compliance is the process of making sure an organisation and its members fulfil the organisation’s obligations.
Obligations may be mandated or assumed voluntarily but they are usually driven by external pressures. They are
effectively a subset of the objectives of the organisation. Individual managers are accountable for their performance
in relation to obligations.
Exhibit 5 shows the essentials of a compliance management process: obligations arising from decisions
of the governing body as well as from external constraints; and a process designed to meet the obligations.
[Exhibit 5: essentials of a compliance management process, after ISO 37301:2021 Compliance management
systems – Requirements with guidance for use. Labels recoverable from the figure: Objectives; Organisational Values; External constraints.]
Compliance management maps on to the integrated model as shown in Exhibit 6. Every aspect of the compliance
management activity is also part of the risk management activity.
in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself
that the governance system is appropriately designed and operating as intended.
(Paragraph 6.4.3.3)
In this context, assurance may be defined (consistent with the meaning in standard English) as “a positive declaration
intended to give confidence”.
It might also, consistent with the concept espoused by Deming (1982), be a process designed to achieve and to confirm
the achievement of particular objectives.
This assurance, when the board is not in a position to directly validate the processes, is obtained by reports produced by
independent review functions.
Assurance is therefore obtained by receiving reports and by direct enquiry across multiple, independent sources of
information.
This is represented in the integrated model by four components across two governance activities as illustrated in Exhibit
[Exhibit: assurance in the integrated model. Labels recoverable from the figure: Governing Body; Accountability, reporting; Purpose of Organisation; Governance; (External) Context.]
Summary
This paper has introduced a five-factor model of governance that is compatible with common standards that address
governance, risk management, compliance and assurance. These standards overlap in their scope and application and
yet are expected to operate as an integrated whole.