What Gets Measured Gets Managed.

Peter Drucker


Defining rules and practices to establish risk management, compliance and governance in your organisation.

Why you need a governance framework

A governance framework is a structured, written set of rules that outlines how an organisation is governed, managed and controlled. It is an important step towards effective governance and gives both managers and employees clear direction when fulfilling their functions.

A governance framework should cover everything from the overall direction set by the board of directors or top management down to the actual controls executed by employees, while giving clear references to the laws, standards, contracts and regulations it is aligned with.

This makes the framework tangible both at a high level and at an operational level, while ensuring full accountability.

How we help you

We help many of our clients create their policies, procedures, instructions, internal standards and controls. Together, these constitute their governance framework and give them the means to be accountable, and to document and demonstrate that they are in control and compliant.

We can help you define the right governance framework for your specific company, and once it is ready, we can help you implement, monitor and maintain it in the organisation.

Whether you are creating a new framework or improving an existing one, we can help you cover the following fields:

  • Corporate governance
  • Risk management
  • Data and information governance
  • Compliance
  • IT governance
  • Quality assurance
  • Business continuity management
  • Incident management
  • Project governance
  • Supplier management
  • Negotiation management
  • Conflict management


Before we start writing, we complete an assessment of what you actually need and what you already have in place. This takes the form of an interview in which we examine your immediate needs, identify the most relevant legislation you need to comply with, and discuss how you account for your controls today.

On the basis of this assessment we create a plan for the project, including scope, tasks, estimates and priorities.

We normally build frameworks in a pyramid structure, starting with policies outlining the overall direction, then adding procedures and the controls they contain.

The result is a framework consisting of:

  • Clear direction (the policy level)
  • What you do, when you do it and who is responsible (the procedure level)
  • How you monitor and account for it (the control level)

We then walk through each of these documents with their respective owners, word by word, discussing and addressing any issue we find and amending the policy, procedure or control accordingly.

This leaves out what we refer to as the instruction level, which documents in more detail how you complete selected operations. This is intentional: we see the instruction level as something you may want to create later for specific, complex operations.

Instructions are typically rather detailed documents that guide the reader step by step (often with screenshots) through the task at hand. They are great for delegation, for complex work, and wherever many people need to follow exactly the same steps.

Leaving instructions out, however, lets you have a framework ready within a rather short timeframe, possibly just a few months even if there is a lot to write.

This matters: in our experience, a year-long project to create instruction-level documents makes the whole undertaking far too big for the organisation to take on.

We are strong supporters of standards: we know standards, we use standards, we even create our own. But we always deliver a fully customised framework adapted specifically to the individual organisation.


We don’t believe in one size fits all, but neither do we believe that you should invent everything from scratch, especially if it is not part of your core business.

We focus our effort on what makes you special and on how best to account for it. The rest is mostly straightforward assistance getting you up to standard, or as close to it as you want.

Some of the standards we work with include:

  • COSO ERM – Enterprise Risk Management
  • ISO 31000 – Risk Management
  • COBIT – Governance of IT
  • ISO 27001, ISO 27002 – Information Security Management
  • ISO 27005 – Information Security Risk Management
  • APQC Process Classification Framework
  • PCI DSS – Payment Card Industry Data Security Standard
  • ITIL – IT management and operations practices
  • ISO 22301 – Business Continuity Management
  • ISO 29100 – Privacy Framework

For a few companies, and typically only in a few specific areas, the game is not about getting up to standard but about setting the standard, becoming a forerunner and taking the lead.

If that is what you need, we build accountability on the front line, so to speak, making it both concrete and tangible and giving you a strong position when presenting to your peers, customers, auditors or authorities.

When the framework is done and handed over to the respective owners, you will need to follow up closely to ensure the procedures and controls are actually being implemented in the organisation. We sometimes help clients with this, but either way, the focus should be on control execution: a control that is written down but not executed, or executed without any evidence of it, is of little value to an auditor.

If or where instruction-level documents are needed, we recommend that you focus on the controls and their execution first, and then write the instructions on the basis of what you actually do.

The results of using the right framework

With the right framework in your organisation, you will have a clear structure supporting decision making, governance, management and control. In other words, you establish the right level of control throughout your company and across your suppliers or sourcing partners.

This includes your ability to account for your controls, whether to authorities, to auditors, or, in the case of an IPO or a due diligence, to a team of lawyers.

Accountability matters a great deal from our perspective: we often see how much difference it makes, when explaining your level of control, to be able to document exactly how each control is structured and exactly why it can be trusted.