Governance is a concept that often causes confusion, as it’s used in a wide range of contexts. But what does it actually mean?
In a business context, governance refers to how an organisation is led, managed and controlled. It concerns how decisions are made, who holds responsibility, and how that responsibility is allocated and exercised.
It’s essential to be clear about who is responsible for which tasks and how that responsibility is put into action.
Example: The NIS2 Directive places the responsibility for approving and overseeing security measures with the organisation’s top management. However, in practice, others in the organisation carry out risk assessments and propose measures. Good governance ensures clarity in roles, accountability and reporting lines.
Mature organisations rely on clear policies to guide decision-making and ensure alignment between strategy and everyday operations.
Example: ISO 27001 requires an information security policy approved by top management. This policy sets the framework for daily decision-making – for example in the IT department – and ensures alignment with the organisation’s overall objectives.
Governance is also about openness and accountability. An organisation must be able to demonstrate its decisions and actions to regulators, customers and stakeholders.
Example: Article 5 of the GDPR requires not only that organisations process personal data lawfully – but also that they can demonstrate it. In other words, they must be able to document their compliance, for example to the data protection authority.
Governance can become a tick-box exercise if organisations don’t follow up. Effective governance means actively monitoring whether rules and policies are being followed.
Example: ISO 27002 (Annex A) outlines 93 controls, such as access management and separation of duties. A solid governance framework ensures these controls are implemented – and that they work in practice.
Put simply: Good governance means saying what you do, doing what you say – and documenting it.
Once your governance is structured and formalised, it’s often referred to as a governance model. You can read more about that in this article, where we share concrete examples from data protection and information security.
Governance is used across many domains. Here are some of the most common: