Governance of organizations — Governance maturity model — Guidance

This document gives guidance on evaluating the establishment of governance conditions and on the application of governance principles with consideration for the ISO 37000 key aspects of practice. It sets out the concept of governance maturity and its measurement and provides a governance maturity measurement framework, associated governance maturity scale and a governance maturity model. This document is applicable to all types and sizes of organizations no matter their location.

Gouvernance des organismes — Modèle de maturité de la gouvernance — Recommandations (French title)

Upravljanje organizacij - Model zrelosti upravljanja - Napotki (Slovenian title)

General Information

Status: Published
Publication Date: 02-Nov-2023
Current Stage: 6060 - International Standard published
Start Date: 03-Nov-2023
Due Date: 09-Jul-2024
Completion Date: 03-Nov-2023

Available editions:
— Standard ISO 37004:2023, English language, 28 pages
— Standard ISO 37004:2023 - Governance of organizations — Governance maturity model — Guidance (released 3 November 2023), English language, 22 pages
— Standard ISO 37004:2023 - Gouvernance des organismes — Modèle de maturité de la gouvernance — Recommandations (released 3 November 2023), French language, 24 pages

Standards Content (Sample)


SLOVENIAN STANDARD
1 December 2023
Upravljanje organizacij - Model zrelosti upravljanja - Napotki
Governance of organizations - Governance maturity model - Guidance
Gouvernance des organismes — Modèle de maturité de la gouvernance — Recommandations
This Slovenian standard is identical to: ISO 37004:2023
ICS:
03.100.02 Governance and ethics
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

INTERNATIONAL ISO
STANDARD 37004
First edition
2023-11
Governance of organizations —
Governance maturity model —
Guidance
Gouvernance des organismes — Modèle de maturité de la
gouvernance — Recommandations
Reference number
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents (page)
Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
3.1 Governance and organization  1
3.2 Governance maturity  1
4 Governance maturity aspects  2
4.1 General  2
4.2 Governance behaviour  3
4.3 Governance effectiveness  3
4.4 Governance efficiency  4
4.4.1 General  4
4.4.2 Governance frameworks  5
4.4.3 Governance strategies  5
4.4.4 Governance policies  6
4.4.5 Organizational performance results  6
4.4.6 Governance charters  6
4.4.7 Management reports  6
4.4.8 Governance component reviews  7
5 Governance maturity measurement framework  7
5.1 General  7
5.2 Measurement principles  8
5.3 Measurement activities  8
5.3.1 Commitment  8
5.3.2 Design  8
5.3.3 Implement  9
5.3.4 Oversee  10
5.3.5 Action  10
5.4 Measurement scale  10
5.4.1 General  10
5.4.2 Governance behaviour scale  11
5.4.3 Governance effectiveness scale  11
5.4.4 Governance efficiency scale  12
5.4.5 Governance maturity scale  13
5.5 Measurement aggregation  14
6 Governance maturity model  15
6.1 General  15
6.2 Governance maturity dimensions  16
6.2.1 Governance conditions  16
6.2.2 Governance principles  16
6.3 Governance maturity calculation  17
6.3.1 Maturity model content  17
6.3.2 Evaluation judgements  17
6.3.3 Aggregation of results  17
6.4 Governance maturity improvement  18
6.4.1 Determining governance appropriateness  18
6.4.2 Setting improvement targets  19
6.4.3 Implementing improvement initiatives  19
6.5 Governance maturity evaluation  20
6.6 Governance maturity reporting  21
Bibliography  22
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use
of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed
patent rights in respect thereof. As of the date of publication of this document, ISO had not received
notice of (a) patent(s) which may be required to implement this document. However, implementers are
cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents. ISO shall not be held responsible for identifying any or all
such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The need for effective governance of all sizes and types of organizations is of increasing importance.
This is evidenced by society’s growing demands for organizations to demonstrate effective stewardship
of the resources which they use and impact, beyond merely financial returns. Society and organizational
stakeholders are demanding not only that governance failures be avoided, but that good governance
outcomes are demonstrated. These expectations necessitate the existence of a standard against which
an organization’s governance can be measured and decisions can be made. This document provides an
approach for organizations, and their stakeholders, to evaluate, compare and improve their governance
over time such that the organization can achieve good governance outcomes.
In 2021, ISO adopted the first internationally agreed standard for the governance of organizations,
ISO 37000, which set out governance conditions, governance principles and key aspects of practice, and
governance outcomes for the governance of organizations. At that time, there was no internationally
agreed approach by which to measure the governance of an organization in terms of ISO 37000. In the
absence of such an approach to measurement, the identification of areas for improvement, the consistent
assessment of an organization’s governance maturity and an informed comparison with others were
problematic. Governance maturity, in this context, reflects, for example, the degree of organizational
responsiveness, agility and resilience in addressing changing operational conditions, while maintaining
alignment with the organizational purpose and organizational values.
Figure 1 depicts the governance maturity aspects outlined in this document and which should
be considered when evaluating governance maturity. These are the governance behaviour by the
governing body when governing the organization, in accordance with ISO 37000, and the effectiveness
and efficiency with which the governing body applies the ISO 37000 governance principles.
Figure 1 — Governance maturity aspects — Summary
This document provides a globally applicable means to measure the maturity of the governance of an
organization and describes an internationally agreed maturity measurement framework and maturity
model for the governance of organizations. It sets out guidance on measuring an organization’s
governance maturity, based on the ISO 37000 governance conditions and governance principles, and
applies to all types and sizes of organizations no matter their location. It provides a standardized
approach to determine the maturity level of the organization's governance conditions and of the
organization's application of the ISO 37000 governance principles, and provides examples of
governance activities at each level.
Governance practices necessarily vary between organizations and should be selected and implemented
according to the organization’s specific and unique circumstances. These variations are due to factors
including how long the organization has been in existence, the organizational context, the number
of personnel the organization employs, the types of resources the organization uses, and laws and
regulations applicable to the organization. This document is, therefore, not intended to assess the
implementation of governance practices, nor the effectiveness of these governance practices. This
document provides a basis for the evaluation of the application of the guidance provided by ISO 37000.
Figure 2 provides an overview of the governance maturity model outlined in this document.
Figure 2 — Governance maturity model — Summary
When applying this document’s governance maturity model to an organization, the results can be used
to measure and evaluate the level at which the ISO 37000 governance guidance has been applied, in a
consistent and standardized way.
Evaluations, by or on behalf of an organization, can:
— facilitate self-assessment;
— provide a basis for improvement;
— assist with addressing governance risks;
— be used as input for reports to stakeholders;
— provide a benchmark for comparison with others.
Reports of governance maturity evaluation results can assist:
— organizations to prioritize governance improvement activities;
— governing bodies to demonstrate accountability to their organizations;
— key stakeholders to hold an organization’s governing body responsible for the continual improvement
of the governance of the organization.
Results can therefore be used, for example, by an organization’s:
— governing body to demonstrate the continual improvement of their governance of the organization;
— internal stakeholders, such as personnel, to enhance their confidence that the governance of their
organization is appropriate, effective and defensible;
— external stakeholders, such as investors and regulators, for decision-making purposes.
INTERNATIONAL STANDARD ISO 37004:2023(E)
Governance of organizations — Governance maturity
model — Guidance
1 Scope
This document gives guidance on evaluating the establishment of governance conditions and on the
application of governance principles with consideration for the ISO 37000 key aspects of practice. It
sets out the concept of governance maturity and its measurement and provides a governance maturity
measurement framework, associated governance maturity scale and a governance maturity model.
This document is applicable to all types and sizes of organizations no matter their location.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 37000, Governance of organizations — Guidance
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37000 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Governance and organization
3.1.1
likelihood
chance of something happening
[SOURCE: ISO 31000:2018, 3.7, modified — Notes 1 and 2 to entry deleted.]
3.1.2
governance charter
governance component which records a delegation agreement
Note 1 to entry: Governance charters are given many different names depending on their purpose, including
committee terms of reference, job descriptions and role contracts.
3.2 Governance maturity
3.2.1
governance maturity model
means of and scale for evaluating and assessing the current state of governance maturity
[SOURCE: ISO/TR 13054:2012, 2.5, modified — “governance” added to the term and in the definition.]
3.2.2
governance measurement framework
schema for use in characterizing the application of a governance principle
[SOURCE: ISO/IEC 33001:2015, 3.4.7, modified — “governance” replaced “process” in the term. “the
application of a governance principle” replaced “process quality characteristic of an implemented
process”.]
3.2.3
governance behaviour
behaviour when governing an organization
3.2.4
practice
activity that, when consistently performed, contributes to achieving a specific process purpose or a
specific process attribute
[SOURCE: ISO/IEC 33001:2015, 3.3.6, modified — “generic” deleted from the term, “achieving a specific
process purpose or a specific process attribute” replaced “the achievement of a specified process
attribute”.]
3.2.5
governance component review
examination of a governance component to ensure that the governance component continues to fulfil
its purpose
3.2.6
procedure
specified way to carry out an activity or a process
Note 1 to entry: Procedures can be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5]
4 Governance maturity aspects
4.1 General
The purpose of evaluating governance maturity is to determine the level of certainty stakeholders can
have in the ability of the governing body to govern the organization such that the organization achieves
the intended governance outcomes. These governance outcomes are defined in ISO 37000 as:
— effective performance;
— responsible stewardship;
— ethical behaviour.
Governance maturity, in this document, involves an organization’s governing body establishing
appropriate governance conditions, adopting governance principles as well as applying governance
principles in practice. The governance maturity aspects are written in terms of the application of
the ISO 37000 governance principles based on the use of the defined key aspects of practice. These
governance maturity aspects are equally applicable to the establishment of appropriate governance
conditions based on the use of the guidance provided in ISO 37000.
The way in which a governing body applies a governance principle comprises the following
governance maturity aspects:
— the governing body’s governance behaviour;
— the effectiveness of those governance practices that the governing body uses to apply the governance
principle;
— the efficiency of these practices.
Figure 3 depicts those governance maturity aspects for consideration when evaluating governance
maturity, namely the governance behaviour by the governing body when governing the organization, in
accordance with ISO 37000, and the effectiveness and efficiency with which the governing body applies
the ISO 37000 governance principles.
Figure 3 — Governance maturity aspects — Overview
4.2 Governance behaviour
Governance behaviour describes the approach used to apply a governance principle. ISO 37000, for
example, guides that governing bodies should lead the organization ethically and effectively and ensure
such leadership throughout the organization. Governance behaviour is therefore subjective; however,
certain features are evident when the governing body governs the organization as guided
by ISO 37000:
a) Adoption: the governing body commits to the adoption of ISO 37000.
b) Understanding: the governing body understands the importance of ISO 37000 for the organization.
c) Application: the governing body applies ISO 37000 and describes its experiences when applying it.
d) Analysis: the governing body compares its application of ISO 37000 with applicable leading
practices and explains the outcomes it intends to achieve from this application.
e) Evaluation: the governing body evaluates its application of ISO 37000.
f) Improvement: the governing body explains the planning and implementation of corrective actions
and improvements.
4.3 Governance effectiveness
Governance effectiveness refers to the governing body’s ability to achieve the objectives of the
ISO 37000 governance principles by selecting and implementing appropriate governance practices.
For every governance principle, ISO 37000 describes:
— the statement of the governance principle;
— the reason or objective for the governance principle (rationale);
— key aspects of governance practices to apply the governance principle to achieve the governance
principle’s objective (key aspects of practice).
Governing bodies can refer to ISO 37000 when deciding on how to appropriately apply the governance
principles, and achieve the objectives of the governance principles, such that their particular
organization can achieve the intended governance outcomes.
Administrative procedures can support governing body activities, such as the recording of meetings.
These procedures should not be confused with governance activities which are the focus of governance
maturity evaluations.
4.4 Governance efficiency
4.4.1 General
Governance efficiency considers the organization and functioning of the implemented governance
practices. This considers how governance practices are:
— made explicit;
— delegated;
— consistently applied;
— continually improved.
Governance components make governance practices explicit. Governance components formalize the
governing body’s application of governance principles and clarify the governing body’s governance
intentions for the organization. They are formal organizational records of a governing body’s
governance of the organization.
The governance components referred to, directly or indirectly, in ISO 37000, include the following:
a) governance frameworks (see 4.4.2);
b) governance strategies (see 4.4.3);
c) governance policies (see 4.4.4);
d) organizational performance results (see 4.4.5);
e) governance charters (see 4.4.6);
f) management reports (see 4.4.7);
g) governance component reviews (see 4.4.8).
NOTE Governance components can be hierarchical in nature. The use of supporting governance components
can guide the governance of a specific:
— governance principle, e.g. the governance of risk;
— subject matter, e.g. the governance of IT (see ISO/IEC 38500);
— organizational construct, e.g. to clarify the governance of a group of organizations.
Supporting governance components should directly refer to and align with the overall, or primary,
organizational governance component as they clarify a specific matter within this context.
4.4.2 Governance frameworks
A documented organizational governance framework provides clarity on the way in which the
organization’s governance arrangements operate across the whole organization. An organizational
governance framework also provides clarity on the way in which the organization is, or is to be,
governed.
The organizational governance framework should be overarching and refer to how the organizational
strategy, governance policies, governance structures (including roles and committees) and
accountabilities (the assigned and agreed authorities and responsibilities) are to align and operate.
Table 1 identifies organizational governance framework description areas.
Table 1 — Governance framework — Contents
Intent: The reason for the framework and the objective(s) and outcomes the framework is intended to achieve.

Structures: Those governance structures (roles and committees) to whom/which the governing body is delegating and the role of each structure (function) in the achievement of the framework's objective(s).

Mandate and commitment: The high-level mandates (authorities) provided to these structures and the commitments (responsibilities) to be, or as, agreed.

Design: Providing an overview of:
— Context: the context within which the framework is to operate, including relevant stakeholders.
— Policy: those governance policies used to achieve the framework's objective(s).
— Accountability: assigned, agreed, overseen and, where necessary, assured delegations.
— Scope: the extent of the organization and/or the extent of the subject matter to which the framework is to apply (e.g. specific jurisdictions or boundaries).
— Integration: the manner in which the framework is to integrate with other governance areas and/or activities.
— Resourcing: resources which support the effective implementation of the framework, including, in summary, the manner in which these resources are to be assigned and overseen as well as other associated information as appropriate.
— Communication: those roles accountable for the communication and engagement activities associated with the effective understanding and application of the framework, including the applicable stakeholder groupings where necessary.

Implementation: The roles accountable for the implementation and continued operation of the framework.

Monitoring, review and improvement: The manner, roles and responsibilities associated with the:
— monitoring and oversight of the operating of the framework;
— review of the framework's continued applicability for the organization;
— assessment of the framework's operations and applicability and continual improvement thereof.
4.4.3 Governance strategies
ISO 37000:2021, 6.3.2 describes strategy as “the pattern of evolving intentions that provide
direction for harmonizing and focusing effort to fulfil the organizational purpose, associated value
generation objectives and related strategic outcomes”. Although strategies vary across organizations,
ISO 37000:2021, 6.3.2 notes that at its core, “the organizational strategy reflects the governing body’s
intentions regarding the organization’s achievement of the strategic outcomes within its changing
context”.
Within the context of the organizational strategy, the governing body can also establish secondary
governance strategies. In such cases, these governance strategies should support the achievement of
the organization’s overall strategic outcomes and also meet the objectives of the associated governance
practice.
4.4.4 Governance policies
ISO 37000 describes the use of governance policies as a key aspect of practice (ISO 37000:2021, 6.3).
Governing bodies should formally express their intentions and directions for the organization they
are governing in governance policies and “ensure that those to whom they delegate are empowered to
create management policies, which are consistent with the governance policies”.
Governing bodies should use principles to express their “intentions and directions” (as defined in
ISO 37000:2021, 3.2.9) and ensure that these principles are applied by their organizations. ISO 37000
guides that governing bodies should do this by overseeing the organization’s performance, using the
organization’s reports, for example, and obtaining associated assurance.
Governance policies should describe the governing body’s intentions and directions, including:
— the rationale for the policies and the outcomes the policies are trying to achieve;
— the principles which the organization is to apply as management practices;
— those governance structures (roles and committees) that the governing body will be holding
accountable for the application of these principles;
— the manner in which the governing body will oversee the application of the policies.
Governance policies should consider the context of the organizational governance framework and
organizational strategy, and secondary governance frameworks and governance strategies as
applicable.
4.4.5 Organizational performance results
Organizational performance results provide the governing body with quantitative information about
the performance of the organization’s activities (e.g. reports and records). Organizational performance
results should provide the governing body with the ability to oversee the organization’s management
practices developed in response to the governing body’s governance policies.
4.4.6 Governance charters
Governance charters formalize delegations and form a basis on which the performance of these
delegations can be assessed and continually improved. Governance charters should describe in detail
the delegations indicated in the applicable governance policies, and accurately reflect the organizational
governance framework and organizational strategy. They should also reflect applicable secondary
governance frameworks and governance strategies.
4.4.7 Management reports
In a governance context, management reports are provided by the organization to the governing
body for the governing body to oversee the organization’s performance. The organization provides
these reports on the basis of the governing body’s direction (contained in governance policies) and
delegations (governance charters).
Management reports should be timely and accurate and can include expert insights and opinions of
those preparing the reports. Management reports are more qualitative in content and should be
presented to the governing body together with applicable organizational performance registers.
Management reports provided to the governing body can include:
— insights, highlights, expert opinions, trends, predictive forecasts, comparative analysis and priority
areas for improvement;
— information which can link back to detailed operational or transactional source data if required.
4.4.8 Governance component reviews
Governance components should be regularly reviewed to ensure that they remain current and applicable
and continue to reflect the changing context within which the organization operates. Improvements to
the governing body’s governance components should be planned, prioritized and implemented on this
basis. Governing bodies should ensure that they are aware of the implications, to the organization, of
changes to governance components and respond to these implications accordingly.
5 Governance maturity measurement framework
5.1 General
The governance maturity measurement framework is intended for evaluating the maturity with
which the governance principles, as defined in ISO 37000, have been applied, with consideration for the
ISO 37000 key aspects of practice. This evaluation makes use of the governance maturity aspects
described in this document (see Clause 4).
The governance maturity measurement framework provides a structured approach with which to
provide clarity of the evaluation purpose, consistency of evaluation results and repeatability of the
evaluation activities. The measurement of an organization’s governance maturity includes the activities
to:
a) commit: establish governing body commitment for the evaluation;
b) design: determine and plan, for example, the evaluation scope, time frames and objectives;
c) implement: conduct the evaluation;
d) oversee: monitor the progress of the evaluation and act where necessary;
e) action: review the results, plan improvements and report on the evaluation.
Figure 4 depicts these governance maturity measurement activities.
Figure 4 — Governance maturity measurement activities
5.2 Measurement principles
When measuring governance maturity, measurement principles should be applied and include the
following:
a) Integration: Governance maturity measurement should consider that governance can be exercised
throughout the organization by governing groups and that results can differ depending on the
scope of the evaluation.
b) Intent: Governance maturity measurement should record the rationales provided for the
governance maturity aspects.
c) Completeness: Governance maturity measurement should be structured and comprehensive to
contribute to consistent and comparable results.
d) Inclusivity: Governance maturity measurement should include appropriate and timely involvement
of stakeholders, as appropriate or as required by applicable regulations, such that their knowledge,
views and perceptions can be considered.
e) Dynamic: Governance maturity measurement should consider that governance activities are not
static and necessarily evolve to meet the organization’s changing governance requirements.
f) Information: Governance maturity measurement should use timely, clear, and available historical
and current information, as well as future expectations.
g) Human and cultural factors: Governance maturity measurement considerations should include
human behaviour and culture as they influence measurements.
h) Uncertainty: Governance maturity measurement should consider the level of certainty associated
with measurements.
i) Continual improvement: Governance maturity measurement should form the basis on which
governance is continually improved such that it is and remains appropriate for the organization.
5.3 Measurement activities
5.3.1 Commitment
The governing body should, as an act of accountability to the organization, demonstrate commitment to
the measurement of the maturity of the organization’s governance. The governing body should:
— ensure that evaluations are regularly conducted;
— delegate the necessary authorities and responsibilities;
— ensure that the intent, scope and objectives for the evaluation are defined;
— ensure that the level of evidence to meet the objectives is clarified;
— ensure that the necessary resources are allocated;
— ensure that the results of the measurement form the basis of improvement initiatives;
— oversee reporting on the results of evaluations and improvement initiatives.
5.3.2 Design
The evaluation intent, scope and objectives should guide the evaluation design including:
— the identification of applicable organizational entities and structures;
— the identification of relevant stakeholders and their roles, expectations, and the quality of the
relationship between the organization and the stakeholders;
— the use of representatives;
— the protection of personal data according to compliance obligations;
— the expected duration, deadlines and reporting requirements;
— the influencing human factors and their assessed level of influence;
— the use of technology.
The evaluation design should provide clarity regarding the evaluators, e.g. whether the evaluation is to
be:
— self-evaluated;
— facilitated by one or more individuals;
— conducted by personnel employed by the organization;
— conducted by an independent, external service provider.
Other considerations include:
— the use of independent assurance providers;
— anonymous responses;
— workshopped, consensus-based group evaluations or individual responses;
— regulatory requirements, including those addressing differences of opinions.
5.3.3 Implement
The implementation of the evaluation should be managed by those to whom the governing body has
effectively delegated. Implementation activities should be performed within the parameters provided
by the governing body and the governance maturity measurement principles (see 5.2). Evaluations
should be informed through access to all relevant personnel and necessary evidence in accordance with
the evaluation design.
Implementation activities include:
— developing and agreeing a schedule of activities and deadlines, i.e. a plan;
— developing and agreeing an associated resource plan as necessary;
— preparing and managing dependencies;
— entering into agreements as necessary;
— coordinating with relevant organizational entities and stakeholders or their representatives;
— communicating and engaging with participants;
— installing technologies as required;
— sourcing, gathering and converting information as necessary;
— verifying inputs as necessary;
— monitoring the implementation activities;
— reporting on progress as required.
5.3.4 Oversee
The governing body should oversee evaluations to ensure that they:
a) fulfil their intended purpose;
b) are conducted according to the determined scope;
c) achieve the stated objectives;
d) apply the measurement principles (see 5.2).
The governing body should:
— require those to whom they have delegated to provide timely and accurate reports;
— ensure that incidents and issues are addressed, e.g. resource constraints, non-responses and bias;
— take corrective action as necessary;
— assure itself of the accuracy of reports it receives.
5.3.5 Action
On receipt of governance maturity evaluation results, the governing body should:
a) compare the results of the evaluation with past evaluations, as applicable;
b) assess prior and current governance improvement programmes in the context of the results;
c) determine the appropriateness of the results for the organization;
d) identify and prioritize areas for improvement;
e) assess the prioritized areas to determine the details of their implementation;
f) report on the results, including, for example:
1) the evaluation approach, intent and scope;
2) the evaluation results and comparisons with past evaluations;
3) the assessed appropriateness and associated rationales;
4) the results of past improvement initiatives, including challenges in achieving the desired
maturity level;
5) future areas of focus for improvements;
g) take appropriate action based on the results of the maturity assessment and prioritizations.
5.4 Measurement scale
5.4.1 General
Governance maturity is assessed across three governance maturity aspects: governance behaviour,
governance effectiveness and governance efficiency. Each of these governance maturity aspects is
measured on a six-point scale (0 to 5), from “undefined” at the bottom of the scale to “optimizing” at
the top. The scale is used to reflect increasing levels of governance maturity.
Table 2 provides each level of the governance maturity measurement scale.
Table 2 — Governance maturity measurement scale with descriptions
Level 0 (Undefined): No evidence can be found of commitment to or application of the principle.
Level 1 (Limited): Where evidence is available, it is limited to that of performing the minimum necessary to achieve the intent of the principle.
Level 2 (Emerging): Evidence is available and managed.
Level 3 (Formalized): Evidence is available, managed, and aggregated to form a cohesive system in which emergent behaviours can be observed.
Level 4 (Measured): Evidence is available, managed, aggregated, and it is measured or assessed.
Level 5 (Optimizing): Evidence is available, managed, aggregated, measured or assessed, and it is optimized for continual improvement.
5.4.2 Governance behaviour scale
...


INTERNATIONAL STANDARD ISO 37004
First edition
2023-11
Governance of organizations — Governance maturity model — Guidance
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Governance and organization
3.2 Governance maturity
4 Governance maturity aspects
4.1 General
4.2 Governance behaviour
4.3 Governance effectiveness
4.4 Governance efficiency
4.4.1 General
4.4.2 Governance frameworks
4.4.3 Governance strategies
4.4.4 Governance policies
4.4.5 Organizational performance results
4.4.6 Governance charters
4.4.7 Management reports
4.4.8 Governance component reviews
5 Governance maturity measurement framework
5.1 General
5.2 Measurement principles
5.3 Measurement activities
5.3.1 Commitment
5.3.2 Design
5.3.3 Implement
5.3.4 Oversee
5.3.5 Action
5.4 Measurement scale
5.4.1 General
5.4.2 Governance behaviour scale
5.4.3 Governance effectiveness scale
5.4.4 Governance efficiency scale
5.4.5 Governance maturity scale
5.5 Measurement aggregation
6 Governance maturity model
6.1 General
6.2 Governance maturity dimensions
6.2.1 Governance conditions
6.2.2 Governance principles
6.3 Governance maturity calculation
6.3.1 Maturity model content
6.3.2 Evaluation judgements
6.3.3 Aggregation of results
6.4 Governance maturity improvement
6.4.1 Determining governance appropriateness
6.4.2 Setting improvement targets
6.4.3 Implementing improvement initiatives
6.5 Governance maturity evaluation
6.6 Governance maturity reporting
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use
of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed
patent rights in respect thereof. As of the date of publication of this document, ISO had not received
notice of (a) patent(s) which may be required to implement this document. However, implementers are
cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents. ISO shall not be held responsible for identifying any or all
such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The need for effective governance of all sizes and types of organizations is of increasing importance.
This is evidenced by society’s growing demands for organizations to demonstrate effective stewardship
of the resources which they use and impact, beyond merely financial returns. Society and organizational
stakeholders are demanding not only that governance failures be avoided, but that good governance
outcomes are demonstrated. These expectations necessitate the existence of a standard against which
an organization’s governance can be measured and decisions can be made. This document provides an
approach for organizations, and their stakeholders, to evaluate, compare and improve their governance
over time such that the organization can achieve good governance outcomes.
In 2021, ISO adopted the first internationally agreed standard for the governance of organizations,
ISO 37000, which set out governance conditions, governance principles and key aspects of practice, and
governance outcomes for the governance of organizations. At that time, there was no internationally
agreed approach by which to measure the governance of an organization in terms of ISO 37000. In the
absence of such an approach to measurement, the identification of areas for improvement, the consistent
assessment of an organization’s governance maturity and an informed comparison with others were
problematic. Governance maturity, in this context, reflects, for example, the degree of organizational
responsiveness, agility and resilience in addressing changing operational conditions, while maintaining
alignment with the organizational purpose and organizational values.
Figure 1 depicts the governance maturity aspects outlined in this document and which should
be considered when evaluating governance maturity. These are the governance behaviour by the
governing body when governing the organization, in accordance with ISO 37000, and the effectiveness
and efficiency with which the governing body applies the ISO 37000 governance principles.
Figure 1 — Governance maturity aspects — Summary
This document provides a globally applicable means to measure the maturity of the governance of an
organization and describes an internationally agreed maturity measurement framework and maturity
model for the governance of organizations. It sets out guidance on measuring an organization’s
governance maturity, based on the ISO 37000 governance conditions and governance principles, and
applies to all types and sizes of organizations no matter their location. It provides a standardized
approach to determine the maturity level of the organization’s governance conditions and the
organization’s application of the ISO 37000 governance principles, as well as providing examples of
governance activities at each level.
Governance practices necessarily vary between organizations and should be selected and implemented
according to the organization’s specific and unique circumstances. These variations are due to factors
including how long the organization has been in existence, the organizational context, the number
of personnel the organization employs, the types of resources the organization uses, and laws and
regulations applicable to the organization. This document is, therefore, not intended to assess the
implementation of governance practices, nor the effectiveness of these governance practices. This
document provides a basis for the evaluation of the application of the guidance provided by ISO 37000.
Figure 2 provides an overview of the governance maturity model outlined in this document.
Figure 2 — Governance maturity model — Summary
When applying this document’s governance maturity model to an organization, the results can be used
to measure and evaluate the level at which the ISO 37000 governance guidance has been applied, in a
consistent and standardized way.
Evaluations, by or on behalf of an organization, can:
— facilitate self-assessment;
— provide a basis for improvement;
— assist with addressing governance risks;
— be used as input for reports to stakeholders;
— provide a benchmark for comparison with others.
Reports of governance maturity evaluation results can assist:
— organizations to prioritize governance improvement activities;
— governing bodies to demonstrate accountability to their organizations;
— key stakeholders to hold an organization’s governing body responsible for the continual improvement
of the governance of the organization.
Results can therefore be used, for example, by an organization’s:
— governing body to demonstrate the continual improvement of their governance of the organization;
— internal stakeholders, such as personnel, to enhance their confidence that the governance of their
organization is appropriate, effective and defensible;
— external stakeholders, such as investors and regulators, for decision-making purposes.
INTERNATIONAL STANDARD ISO 37004:2023(E)
Governance of organizations — Governance maturity
model — Guidance
1 Scope
This document gives guidance on evaluating the establishment of governance conditions and on the
application of governance principles with consideration for the ISO 37000 key aspects of practice. It
sets out the concept of governance maturity and its measurement and provides a governance maturity
measurement framework, associated governance maturity scale and a governance maturity model.
This document is applicable to all types and sizes of organizations no matter their location.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 37000, Governance of organizations — Guidance
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37000 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Governance and organization
3.1.1
likelihood
chance of something happening
[SOURCE: ISO 31000:2018, 3.7, modified — Notes 1 and 2 to entry deleted.]
3.1.2
governance charter
governance component which records a delegation agreement
Note 1 to entry: Governance charters are given many different names depending on their purpose, including
committee terms of reference, job descriptions and role contracts.
3.2 Governance maturity
3.2.1
governance maturity model
means of and scale for evaluating and assessing the current state of governance maturity
[SOURCE: ISO/TR 13054:2012, 2.5, modified — “governance” added to the term and in the definition.]
3.2.2
governance measurement framework
schema for use in characterizing the application of a governance principle
[SOURCE: ISO/IEC 33001:2015, 3.4.7, modified — “governance” replaced “process” in the term. “the
application of a governance principle” replaced “process quality characteristic of an implemented
process”.]
3.2.3
governance behaviour
behaviour when governing an organization
3.2.4
practice
activity that, when consistently performed, contributes to achieving a specific process purpose or a
specific process attribute
[SOURCE: ISO/IEC 33001:2015, 3.3.6, modified — “generic” deleted from the term, “achieving a specific
process purpose or a specific process attribute” replaced “the achievement of a specified process
attribute”.]
3.2.5
governance component review
examination of a governance component to ensure that the governance component continues to fulfil
its purpose
3.2.6
procedure
specified way to carry out an activity or a process
Note 1 to entry: Procedures can be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5]
4 Governance maturity aspects
4.1 General
The purpose of evaluating governance maturity is to determine the level of certainty stakeholders can
have in the ability of the governing body to govern the organization such that the organization achieves
the intended governance outcomes. These governance outcomes are defined in ISO 37000 as:
— effective performance;
— responsible stewardship;
— ethical behaviour.
Governance maturity, in this document, involves an organization’s governing body establishing
appropriate governance conditions, adopting governance principles as well as applying governance
principles in practice. The governance maturity aspects are written in terms of the application of
the ISO 37000 governance principles based on the use of the defined key aspects of practice. These
governance maturity aspects are equally applicable to the establishment of appropriate governance
conditions based on the use of the guidance provided in ISO 37000.
The way in which a governing body applies a governance principle comprises the following
governance maturity aspects:
— the governing body’s governance behaviour;
— the effectiveness of those governance practices that the governing body uses to apply the governance
principle;
— the efficiency of these practices.
Figure 3 depicts those governance maturity aspects for consideration when evaluating governance
maturity, namely the governance behaviour by the governing body when governing the organization, in
accordance with ISO 37000, and the effectiveness and efficiency with which the governing body applies
the ISO 37000 governance principles.
Figure 3 — Governance maturity aspects — Overview
4.2 Governance behaviour
Governance behaviour describes the approach used to apply a governance principle. ISO 37000, for
example, guides that governing bodies should lead the organization ethically and effectively and ensure
such leadership throughout the organization. Governance behaviour is therefore subjective; however,
the following features are evident when the governing body governs the organization as guided
by ISO 37000:
a) Adoption: the governing body commits to the adoption of ISO 37000.
b) Understanding: the governing body understands the importance of ISO 37000 for the organization.
c) Application: the governing body applies ISO 37000 and describes its experiences when applying it.
d) Analysis: the governing body compares its application of ISO 37000 with applicable leading
practices and explains the outcomes it intends to achieve from this application.
e) Evaluation: the governing body evaluates its application of ISO 37000.
f) Improvement: the governing body explains the planning and implementation of corrective actions
and improvements.
4.3 Governance effectiveness
Governance effectiveness refers to the governing body’s ability to achieve the objectives of the
ISO 37000 governance principles by selecting and implementing appropriate governance practices.
For every governance principle, ISO 37000 describes:
— the statement of the governance principle;
— the reason or objective for the governance principle (rationale);
— key aspects of governance practices to apply the governance principle to achieve the governance
principle’s objective (key aspects of practice).
Governing bodies can refer to ISO 37000 when deciding on how to appropriately apply the governance
principles, and achieve the objectives of the governance principles, such that their particular
organization can achieve the intended governance outcomes.
Administrative procedures can support governing body activities, such as the recording of meetings.
These procedures should not be confused with governance activities which are the focus of governance
maturity evaluations.
4.4 Governance efficiency
4.4.1 General
Governance efficiency considers the organization and functioning of the implemented governance
practices. This considers how governance practices are:
— made explicit;
— delegated;
— consistently applied;
— continually improved.
Governance components make governance practices explicit. Governance components formalize the
governing body’s application of governance principles and clarify the governing body’s governance
intentions for the organization. They are formal organizational records of a governing body’s
governance of the organization.
The governance components referred to, directly or indirectly, in ISO 37000, include the following:
a) governance frameworks (see 4.4.2);
b) governance strategies (see 4.4.3);
c) governance policies (see 4.4.4);
d) organizational performance results (see 4.4.5);
e) governance charters (see 4.4.6);
f) management reports (see 4.4.7);
g) governance component reviews (see 4.4.8).
NOTE Governance components can be hierarchical in nature. The use of supporting governance components
can guide the governance of a specific:
— governance principle, e.g. the governance of risk;
— subject matter, e.g. the governance of IT (see ISO/IEC 38500);
— organizational construct, e.g. to clarify the governance of a group of organizations.
Supporting governance components should directly refer to and align with the overall, or primary,
organizational governance component as they clarify a specific matter within this context.
4.4.2 Governance frameworks
A documented organizational governance framework provides clarity on the way in which the
organization’s governance arrangements operate across the whole organization. An organizational
governance framework also provides clarity on the way in which the organization is, or is to be,
governed.
The organizational governance framework should be overarching and refer to how the organizational
strategy, governance policies, governance structures (including roles and committees) and
accountabilities (the assigned and agreed authorities and responsibilities) are to align and operate.
Table 1 identifies organizational governance framework description areas.
Table 1 — Governance framework — Contents
Intent: The reason for the framework and the objective(s) and outcomes the framework is intended to achieve.
Structures: Those governance structures (roles and committees) to whom/which the governing body is delegating and the role of each structure (function) in the achievement of the framework’s objective(s).
Mandate and commitment: The high-level mandates (authorities) provided to these structures and the commitments (responsibilities) to be, or as, agreed.
Design: Providing an overview of:
— Context: the context within which the framework is to operate, including relevant stakeholders.
— Policy: those governance policies used to achieve the framework’s objective(s).
— Accountability: assigned, agreed, overseen and, where necessary, assured delegations.
— Scope: the extent of the organization and/or the extent of the subject matter to which the framework is to apply (e.g. specific jurisdictions or boundaries).
— Integration: the manner in which the framework is to integrate with other governance areas and/or activities.
— Resourcing: resources which support the effective implementation of the framework, including, in summary, the manner in which these resources are to be assigned and overseen as well as other associated information as appropriate.
— Communication: those roles accountable for the communication and engagement activities associated with the effective understanding and application of the framework, including the applicable stakeholder groupings where necessary.
Implementation: The roles accountable for the implementation and continued operation of the framework.
Monitoring, review and improvement: The manner, roles and responsibilities associated with the:
— monitoring and oversight of the operating of the framework;
— review of the framework’s continued applicability for the organization;
— assessment of the framework’s operations and applicability and continual improvement thereof.
4.4.3 Governance strategies
ISO 37000:2021, 6.3.2 describes strategy as “the pattern of evolving intentions that provide
direction for harmonizing and focusing effort to fulfil the organizational purpose, associated value
generation objectives and related strategic outcomes”. Although strategies vary across organizations,
ISO 37000:2021, 6.3.2 notes that at its core, “the organizational strategy reflects the governing body’s
intentions regarding the organization’s achievement of the strategic outcomes within its changing
context”.
Within the context of the organizational strategy, the governing body can also establish secondary
governance strategies. In such cases, these governance strategies should support the achievement of
the organization’s overall strategic outcomes and also meet the objectives of the associated governance
practice.
4.4.4 Governance policies
ISO 37000 describes the use of governance policies as a key aspect of practice (ISO 37000:2021, 6.3).
Governing bodies should formally express their intentions and directions for the organization they
are governing in governance policies and “ensure that those to whom they delegate are empowered to
create management policies, which are consistent with the governance policies”.
Governing bodies should use principles to express their “intentions and directions” (as defined in
ISO 37000:2021, 3.2.9) and ensure that these principles are applied by their organizations. ISO 37000
guides that governing bodies should do this by overseeing the organization’s performance, using the
organization’s reports, for example, and obtaining associated assurance.
Governance policies should describe the governing body’s intentions and directions, including:
— the rationale for the policies and the outcomes the policies are trying to achieve;
— the principles which the organization is to apply as management practices;
— those governance structures (roles and committees) that the governing body will be holding
accountable for the application of these principles;
— the manner in which the governing body will oversee the application of the policies.
Governance policies should consider the context of the organizational governance framework and
organizational strategy, and secondary governance frameworks and governance strategies as
applicable.
4.4.5 Organizational performance results
Organizational performance results provide the governing body with quantitative information about
the performance of the organization’s activities (e.g. reports and records). Organizational performance
results should provide the governing body with the ability to oversee the organization’s management
practices developed in response to the governing body’s governance policies.
4.4.6 Governance charters
Governance charters formalize delegations and form a basis on which the performance of these
delegations can be assessed and continually improved. Governance charters should describe in detail
the delegations indicated in the applicable governance policies, and accurately reflect the organizational
governance framework and organizational strategy. They should also reflect applicable secondary
governance frameworks and governance strategies.
4.4.7 Management reports
In a governance context, management reports are provided by the organization to the governing
body for the governing body to oversee the organization’s performance. The organization provides
these reports on the basis of the governing body’s direction (contained in governance policies) and
delegations (governance charters).
Management reports should be timely and accurate and can include expert insights and opinions of
those preparing the reports. Management reports are more qualitative in content and should be
presented to the governing body together with applicable organizational performance registers.
Management reports provided to the governing body can include:
— insights, highlights, expert opinions, trends, predictive forecasts, comparative analysis and priority
areas for improvement;
— information which can link back to detailed operational or transactional source data if required.
4.4.8 Governance component reviews
Governance components should be regularly reviewed to ensure that they remain current and applicable
and continue to reflect the changing context within which the organization operates. Improvements to
the governing body’s governance components should be planned, prioritized and implemented on this
basis. Governing bodies should ensure that they are aware of the implications, to the organization, of
changes to governance components and respond to these implications accordingly.
5 Governance maturity measurement framework
5.1 General
The governance maturity measurement framework is intended for the evaluation of the maturity with
which the governance principles, as defined in ISO 37000, have been applied, with consideration for the
ISO 37000 key aspects of practice. This evaluation makes use of the governance maturity aspects
described in this document (see Clause 4).
The governance maturity measurement framework provides a structured approach with which to
provide clarity of the evaluation purpose, consistency of evaluation results and repeatability of the
evaluation activities. The measurement of an organization’s governance maturity includes the activities
to:
a) commit: establish governing body commitment for the evaluation;
b) design: determine and plan, for example, the evaluation scope, time frames and objectives;
c) implement: conduct the evaluation;
d) oversee: monitor the progress of the evaluation and act where necessary;
e) action: review the results, plan improvements and report on the evaluation.
Figure 4 depicts these governance maturity measurement activities.
Figure 4 — Governance maturity measurement activities
5.2 Measurement principles
When measuring governance maturity, measurement principles should be applied and include the
following:
a) Integration: Governance maturity measurement should consider that governance can be exercised
throughout the organization by governing groups and that results can differ depending on the
scope of the evaluation.
b) Intent: Governance maturity measurement should record the rationales provided for the
governance maturity aspects.
c) Completeness: Governance maturity measurement should be structured and comprehensive to
contribute to consistent and comparable results.
— the influencing human factors and their assessed level of influence;
— the use of technology.
The evaluation design should provide clarity regarding the evaluators, e.g. whether the evaluation is to
be:
— self-evaluated;
— facilitated by one or more individuals;
— conducted by personnel employed by the organization;
— conducted by an independent, external service provider.
Other considerations include:
— the use of independent assurance providers;
— anonymous responses;
— workshopped, consensus-based group evaluations or individual responses;
— regulatory requirements, including those addressing differences of opinions.
5.3.3 Implement
The implementation of the evaluation should be managed by those to whom the governing body has
effectively delegated. Implementation activities should be performed within the parameters provided
by the governing body and the governance maturity measurement principles (see 5.1). Evaluations
should be informed through access to all relevant personnel and necessary evidence in accordance with
the evaluation design.
Implementation activities include:
— developing and agreeing a schedule of activities and deadlines, i.e. a plan;
— developing and agreeing an associated resource plan as necessary;
— preparing and managing dependencies;
— entering into agreements as necessary;
— coordinating with relevant organizational entities and stakeholders or their representatives;
— communicating and engaging with participants;
— installing technologies as required;
— sourcing, gathering and converting information as necessary;
— verifying inputs as necessary;
— monitoring the implementation activities;
— reporting on progress as required.
5.3.4 Oversee
The governing body should oversee evaluations to ensure that:
a) they fulfil their intended purpose,
b) are conducted according to the determined scope,
c) achieve the stated objectives, and
d) apply the evaluation principles (see 5.1).
The governing body should:
— require those to whom they have delegated to provide timely and accurate reports;
— ensure that incidents and issues are addressed, e.g. resource constraints, non-responses and bias;
— take corrective action as necessary;
— assure itself of the accuracy of reports it receives.
5.3.5 Action
On receipt of governance maturity evaluation results, the governing body should:
a) compare the results of the evaluation with past evaluations, as applicable;
b) assess prior and current governance improvement programmes in the context of the results;
c) determine the appropriateness of the results for the organization;
d) identify and prioritize areas for improvement;
e) assess the prioritized areas to determine the details of their implementation;
f) report on the results, including, for example:
1) the evaluation approach, intent and scope;
2) the evaluation results and comparisons with past evaluations;
3) the assessed appropriateness and associated rationales;
4) the results of past improvement initiatives, including the challenges in achieving the desired
maturity level;
5) future areas of focus for improvements;
g) take appropriate action based on the results of the maturity assessment and prioritizations.
5.4 Measurement scale
5.4.1 General
Governance maturity is assessed across three governance maturity aspects: governance behaviour,
governance effectiveness and governance efficiency. Each of these governance maturity aspects is
measured on a six-point scale (0 to 5) with the bottom of the scale, “undefined”, through to the top end
of the scale, “optimizing”. The scale is used to reflect the increasing levels of governance maturity.
Table 2 provides each level of the governance maturity measurement scale.
Table 2 — Governance maturity measurement scale with descriptions
Level | Description
Level 0: Undefined | No evidence can be found of commitment to or application of the principle.
Level 1: Limited | Where evidence is available, it is limited to that of performing the minimum necessary to achieve the intent of the principle.
Level 2: Emerging | Evidence is available and managed.
Level 3: Formalized | Evidence is available, managed, and aggregated to form a cohesive system in which emergent behaviours can be observed.
Level 4: Measured | Evidence is available, managed, aggregated, and it is measured or assessed.
Level 5: Optimizing | Evidence is available, managed, aggregated, measured or assessed, and it is optimized for continual improvement.
5.4.2 Governance behaviour scale
Governance behaviour is subjective (see 4.2). Due to the subjective nature of the measure, an
understanding of the result of the measurement should be confirmed with the stakeholder concerned.
Table 3 provides a simplified description of governance attitude at each level of the governance maturity
measurement scale.
Table 3 — Governance behaviour maturity measurement scale with descriptions
Level | Description
Level 0: Undefined | There is no agreement or intention to adopt the principle.
Level 1: Limited | Adoption: There is an intention or commitment to adopt the principle but limited ability to explain why the principle is important for the organization.
Level 2: Emerging | Understanding: There is an adoption and clear description of the rationale of the principle for the organization but with limited understanding of how the principle is, or will be, applied in practice.
Application: There is an adoption, description of rationale and ability to explain how
th
...


INTERNATIONAL STANDARD ISO 37004
First edition
2023-11
Governance of organizations — Governance maturity model — Guidance
Reference number
COPYRIGHT PROTECTED DOCUMENT
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève
Tel.: +41 22 749 01 11
E-mail: copyright@iso.org
Web: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Governance and organization
3.2 Governance maturity
4 Governance maturity aspects
4.1 General
4.2 Governance behaviour
4.3 Governance effectiveness
4.4 Governance efficiency
4.4.1 General
4.4.2 Governance frameworks
4.4.3 Governance strategies
4.4.4 Governance policies
4.4.5 Organizational performance results
4.4.6 Governance charters
4.4.7 Management reports
4.4.8 Governance component reviews
5 Governance maturity measurement framework
5.1 General
5.2 Measurement principles
5.3 Measurement activities
5.3.1 Commitment
5.3.2 Design
5.3.3 Implement
5.3.4 Oversee
5.3.5 Action
5.4 Measurement scale
5.4.1 General
5.4.2 Governance behaviour scale
5.4.3 Governance effectiveness scale
5.4.4 Governance efficiency scale
5.4.5 Governance maturity scale
5.5 Aggregation of measurements
6 Governance maturity model
6.1 General
6.2 Governance maturity dimensions
6.2.1 Governance conditions
6.2.2 Governance principles
6.3 Calculating governance maturity
6.3.1 Maturity model content
6.3.2 Evaluation judgements
6.3.3 Aggregation of results
6.4 Improving governance maturity
6.4.1 Determining the appropriateness of governance
6.4.2 Setting improvement objectives
6.4.3 Implementing improvement initiatives
6.5 Governance maturity evaluation
6.6 Governance maturity reporting
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of one or more patents. ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO had not received notice that one or more patents may be required to implement it. However, implementers of this document are cautioned that more recent information may be available in the patent database at www.iso.org/brevets. ISO shall not be held responsible for identifying any or all such patent rights or for not having given notice of their existence.
Any trade names mentioned in this document are given as information for the convenience of users and do not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, or for information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following link: www.iso.org/iso/fr/avant-propos.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/fr/members.html.
Introduction
The need for effective governance of organizations of all sizes and types is of growing importance. Society increasingly expects organizations to demonstrate effective stewardship of the resources they use and have an impact on, beyond mere financial returns. Society and organizations' stakeholders demand not only the avoidance of poor governance practices but also the demonstration of good governance outcomes. These expectations call for a standard against which an organization's governance can be measured and decisions can be made. This document provides an approach that allows organizations and their stakeholders to evaluate, compare and improve their governance over time so that the organization can achieve good governance outcomes.
In 2021, ISO adopted the first internationally recognized standard on the governance of organizations, ISO 37000, which defines governance conditions, governance principles and key aspects of practice, as well as governance outcomes for organizations. At that time there was no internationally recognized approach for measuring an organization's governance against ISO 37000. In the absence of such a measurement approach, identifying areas for improvement, consistently assessing an organization's governance maturity and making informed comparisons with other organizations were problematic. Governance maturity, in this context, reflects, for example, the degree of responsiveness, agility and resilience of the organization in the face of changing operating conditions while maintaining alignment with the organization's purpose and values.
Figure 1 shows the governance maturity aspects described in this document that should be considered when evaluating maturity. These aspects are the behaviour of the governing body when governing the organization in accordance with ISO 37000, and the effectiveness and efficiency with which the governing body applies the ISO 37000 governance principles.
Figure 1 — Governance maturity aspects — Summary
This document provides a globally applicable means of measuring an organization's governance maturity and describes an internationally recognized maturity measurement framework and governance maturity model for organizations. It gives guidance on measuring an organization's governance maturity based on the ISO 37000 governance conditions and principles, and applies to organizations of all types and sizes regardless of their location. It provides a standardized approach for determining the maturity level of the organization's governance conditions and of the organization's application of the ISO 37000 governance principles. It also provides examples of governance activities at each level.
Governance practices necessarily vary from one organization to another and should be selected and implemented according to the specific and unique circumstances of the organization. These variations are due to factors such as the age of the organization, its context, the number of people it employs, the types of resources it uses and the laws and regulations that apply to it. This document is therefore not intended to assess the implementation of governance practices, nor the effectiveness of those practices. This document provides a basis for evaluating the application of the guidance given in ISO 37000.
Figure 2 gives an overview of the governance maturity model described in this document.
Figure 2 — Governance maturity model — Summary
By applying the governance maturity model of this document to an organization, the results can be used to measure and evaluate, in a consistent and standardized manner, the extent to which the ISO 37000 governance guidance has been applied.
Evaluations, conducted by or on behalf of an organization, can:
— facilitate self-evaluation;
— provide a basis for improvement;
— help address governance-related risks;
— be used as input to reporting to stakeholders;
— provide a reference point for comparison with others.
Reports on the results of a governance maturity evaluation can help:
— organizations to prioritize governance improvement activities;
— governing bodies to demonstrate their accountability to their organizations;
— key stakeholders to hold an organization's governing body responsible for the continual improvement of the organization's governance.
The results can therefore be used, for example, by:
— an organization's governing body to demonstrate the continual improvement of the organization's governance;
— internal stakeholders, such as personnel, to strengthen their confidence that the organization's governance is appropriate, effective and defensible;
— external stakeholders, such as investors and regulators, for decision-making purposes.
INTERNATIONAL STANDARD ISO 37004:2023(F)
Governance of organizations — Governance maturity model — Guidance
1 Scope
This document gives guidance on evaluating the establishment of governance conditions and the application of governance principles, with consideration for the ISO 37000 key aspects of practice. It sets out the concept of governance maturity and its measurement, and provides a governance maturity measurement framework, an associated governance maturity scale and a governance maturity model.
This document is applicable to organizations of all types and sizes, regardless of their location.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 37000, Governance of organizations — Guidance
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37000 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Governance and organization
3.1.1
likelihood
chance of something happening
[SOURCE: ISO 31000:2018, 3.7, modified — Notes 1 and 2 to entry have been deleted.]
3.1.2
governance charter
governance component that records a delegation agreement
Note 1 to entry: Governance charters go by many different names depending on their purpose, including committee mandates, job descriptions and role contracts.
3.2 Governance maturity
3.2.1
governance maturity model
means and scale for evaluating and assessing the current state of governance maturity
[SOURCE: ISO/TR 13054:2012, 2.5, modified — "governance" added to the term and to the definition.]
3.2.2
governance measurement framework
scheme used to characterize the application of a governance principle
[SOURCE: ISO/IEC 33001:2015, 3.4.7, modified — "governance" replaces "process" in the term; "the application of a governance principle" replaces "the quality of a process characteristic of an implemented process".]
3.2.3
governance behaviour
behaviour when governing an organization
3.2.4
practice
activity that, when performed consistently, contributes to the achievement of a specific process objective or attribute
[SOURCE: ISO/IEC 33001:2015, 3.3.6, modified — "generic" removed from the term; "the achievement of a specific process objective or attribute" replaces "the achievement of a specified process attribute".]
3.2.5
governance component review
examination of a governance component to ensure that it continues to fulfil its function
3.2.6
procedure
specified way to carry out an activity or a process
Note 1 to entry: Procedures can be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5]
4 Governance maturity aspects
4.1 General
The purpose of evaluating governance maturity is to determine the level of certainty that stakeholders can have in the ability of the governing body to govern the organization such that it achieves the expected governance outcomes. These governance outcomes are defined in ISO 37000 as:
— effective performance;
— responsible stewardship;
— ethical behaviour.
Governance maturity, in this document, implies that an organization's governing body establishes the appropriate governance conditions, adopts governance principles and applies them in practice. The governance maturity aspects are written in terms of the application of the ISO 37000 governance principles based on the use of the defined key aspects of practice. These governance maturity aspects also apply to the establishment of the appropriate governance conditions based on the use of the guidance given in ISO 37000.
The way in which a governing body applies a governance principle is structured around the following governance maturity aspects:
— the governing body's governance behaviour;
— the effectiveness of the governance practices that the governing body uses to apply the governance principle;
— the efficiency of those practices.
Figure 3 describes the governance maturity aspects to be considered when evaluating governance maturity, namely the behaviour of the governing body when governing the organization in accordance with ISO 37000, and the effectiveness and efficiency with which the governing body applies the ISO 37000 governance principles.
Figure 3 — Governance maturity aspects — Overview
4.2 Governance behaviour
Governance behaviour describes the approach used to apply a governance principle. ISO 37000, for example, states that governing bodies should govern the organization ethically and effectively and that they should provide this leadership throughout the organization. Governance behaviour is therefore subjective; however, the following characteristics are evident when the governing body governs the organization in accordance with ISO 37000:
a) adoption: the governing body commits to adopting ISO 37000;
b) understanding: the governing body understands the importance of ISO 37000 for the organization;
c) application: the governing body applies ISO 37000 and describes its experience of applying it;
d) analysis: the governing body compares its application of ISO 37000 with the applicable prevailing practices and explains the results it intends to obtain from that application;
e) evaluation: the governing body evaluates its application of ISO 37000;
f) improvement: the governing body explains the planning and implementation of corrective actions and improvements.
4.3 Governance effectiveness
Governance effectiveness refers to the ability of the governing body to achieve the objectives of the ISO 37000 governance principles by selecting and implementing appropriate governance practices.
For each governance principle, ISO 37000 describes:
— the statement of the governance principle;
— the reason for, or objective of, the governance principle (rationale);
— the key aspects of governance practice by which the governance principle is applied in order to achieve its objective (key aspects of practice).
Governing bodies can refer to ISO 37000 to decide how to apply the governance principles correctly and achieve the objectives of those principles, so that their organization can achieve the expected governance outcomes.
Administrative procedures, such as recording meetings, can support the activities of the governing body. These procedures should not be confused with the governance activities that are the subject of governance maturity evaluations.
4.4 Governance efficiency
4.4.1 General
Governance efficiency concerns the organization and operation of the governance practices that are implemented. It is a matter of how governance practices are:
— made explicit;
— delegated;
— applied consistently;
— continually improved.
Governance components make governance practices explicit. Governance components formalize the governing body's application of the governance principles and clarify the governing body's intentions regarding the governance of the organization. They constitute the organization's official records of the governance of the organization by the governing body.
The governance components referred to, directly or indirectly, in ISO 37000 include the following:
a) governance frameworks (see 4.4.2);
b) governance strategies (see 4.4.3);
c) governance policies (see 4.4.4);
d) organizational performance results (see 4.4.5);
e) governance charters (see 4.4.6);
f) management reports (see 4.4.7);
g) governance component reviews (see 4.4.8).
NOTE Governance components can be hierarchical in nature. The use of supporting governance components can guide the governance of:
— a specific governance principle, e.g. risk governance;
— a specific subject, e.g. the governance of information technology (see ISO/IEC 38500);
— a specific organizational construct, e.g. to clarify the governance of a group of organizations.
Supporting governance components should refer directly to, and align with, the organization's overall, or main, governance component when they clarify a specific matter in that context.
4.4.2 Governance frameworks
A documented organizational governance framework clarifies how the organization's governance arrangements operate throughout the organization. An organizational governance framework also clarifies how the organization is, or is to be, governed.
The organizational governance framework should be overarching and refer to how the organization's strategy, governance policies, governance structures (including roles and committees) and accountabilities (assigned and agreed powers and responsibilities) are to align and operate.
Table 1 identifies the areas to be described in the organizational governance framework.
Table 1 — Governance framework — Content
Subject | Description
Intent | The reason for the framework and the objective(s) and outcomes that the framework is expected to achieve.
Structures | The governance structures (roles and committees) to which the governing body delegates its powers, and the role of each structure (function) in achieving the objective(s) of the framework.
Mandate and commitment | The high-level mandates (powers) entrusted to these structures and the commitments (responsibilities) to be agreed or as agreed.
Design | An overview of the following:
— context: the context in which the framework is to operate, including the relevant stakeholders;
— policy: the governance policies used to achieve the objective(s) of the framework;
— accountability: the delegations assigned, agreed, overseen and, where necessary, assured;
— scope: the extent of the organization and/or the extent of the subject to which the framework is to apply (e.g. specific jurisdictions or boundaries);
— integration: how the framework is to integrate with other governance areas and/or activities;
— resources: the resources that support the effective implementation of the framework, including, in summary, how these resources are to be allocated and overseen, and other associated information as applicable;
— communication: the roles accountable for the communication and engagement activities associated with the effective understanding and application of the framework, including the applicable stakeholder groups where necessary.
Implementation | The roles accountable for the implementation and ongoing operation of the framework.
Monitoring, review and improvement | The method, roles and responsibilities associated with:
— monitoring and overseeing the operation of the framework;
— reviewing the continued applicability of the framework to the organization;
— assessing the operation and applicability of the framework and its continual improvement.
4.4.3 Governance strategies
ISO 37000:2021, 6.3.2 describes strategy as "the pattern of evolving intentions that guide the alignment and focusing of effort to realize the organization's purpose, achieve the associated value-generation objectives and obtain the corresponding strategic outcomes". Although strategies vary from one organization to another, ISO 37000:2021, 6.3.2 notes that, fundamentally, "the organization's strategy reflects the governing body's intentions regarding the achievement of the organization's strategic outcomes in its evolving context".
Within the organization's strategy, the governing body can also establish subsidiary governance strategies. Where it does, these governance strategies should support the achievement of the organization's overall strategic outcomes and also meet the objectives of the associated governance practice.
4.4.4 Governance policies
ISO 37000 describes the use of governance policies as a key aspect of practice (ISO 37000:2021, 6.3). Governing bodies should formally express their intentions and direction for the organization they govern in governance policies and "ensure that those to whom they delegate authority are able to develop management policies consistent with the governance policies".
Governing bodies should use principles to formulate "their intentions and direction" (as defined in ISO 37000:2021, 3.2.9) and should ensure that these principles are applied by their organizations. According to ISO 37000, governing bodies should do this by overseeing the organization's performance, using the organization's reports, for example, and by obtaining the associated assurance.
Governance policies should describe the governing body's intentions and direction, including:
— the purpose of the policies and the outcomes they seek to achieve;
— the principles the organization is to apply as management practices;
— the governance structures (roles and committees) that the governing body will hold accountable for applying these principles;
— how the governing body will oversee the application of the policies.
Governance policies should take account of the context of the organization's governance framework and the organization's strategy, as well as the secondary governance frameworks and governance strategies, as applicable.
4.4.5 Organizational performance results
Organizational performance results provide the governing body with quantitative information on the performance of the organization's activities (for example, reports and records). Organizational performance results should enable the governing body to oversee the organization's management practices developed in response to the governing body's governance policies.
4.4.6 Governance charters
Governance charters formalize delegations and provide a basis on which the performance of those delegations can be assessed and continually improved. Governance charters should describe in detail the delegations set out in the applicable governance policies and should faithfully reflect the organization's governance framework and the organization's strategy. They should also reflect the applicable secondary governance frameworks and governance strategies.
4.4.7 Management reports
In the context of governance, management reports are provided by the organization to the governing body so that the latter can oversee the organization's performance. The organization provides these reports on the basis of the governing body's direction (contained in the governance policies) and delegations (governance charters).
Management reports should be prepared in a timely and accurate manner, and may include the views and opinions of the experts who prepare them. Management reports have a more qualitative content and should be presented to the governing body together with the applicable organizational performance records. Management reports presented to the governing body may include:
— insights, highlights, expert opinions, trends, forecasts, comparative analyses and priority areas for improvement;
— information that may refer to detailed operational or transactional source data, where necessary.
4.4.8 Reviews of governance components
Governance components should be reviewed regularly to ensure that they remain current and applicable and continue to reflect the evolving context in which the organization operates. Improvements to the governing body's governance components should be planned, prioritized and implemented on this basis. Governing bodies should be well aware of the consequences for the organization of changes made to governance components and should respond accordingly.
5 Governance maturity measurement framework
5.1 General
The governance maturity measurement framework is intended to evaluate the maturity with which the governance principles, as defined in ISO 37000, have been applied, taking into account the key aspects of practice described in ISO 37000. This evaluation uses the governance maturity aspects as described in this document (see Clause 4).
The governance maturity measurement framework provides a structured approach for ensuring clarity of the evaluation's objective, consistency of the evaluation results and repeatability of the evaluation activities. Measuring an organization's governance maturity comprises the following activities:
a) commitment: establishing the governing body's commitment to the evaluation;
b) design: determining and planning, for example, the scope, timeframes and objectives of the evaluation;
c) implementation: carrying out the evaluation;
d) oversight: monitoring the progress of the evaluation and acting where necessary;
e) action: examining the results, planning improvements and reporting on the evaluation.
Figure 4 describes these governance maturity measurement activities.
Figure 4 — Governance maturity measurement activities
5.2 Measurement principles
When evaluating governance maturity, measurement principles should be applied and should include the following:
a) integration: governance maturity measurement should take into account that governance can be exercised across the organization by management teams and that results can differ depending on the scope of the evaluation;
b) intent: as part of governance maturity measurement, the justifications provided for the different aspects of governance maturity should be recorded;
c) comprehensiveness: governance maturity measurement should be structured and comprehensive in order to contribute to consistent and comparable results;
d) inclusiveness: governance maturity measurement should include the appropriate and timely participation of stakeholders, as applicable or as required by applicable regulation, so that their knowledge, views and perceptions can be taken into account;
e) dynamic: governance maturity measurement should take into account that governance activities are not static and necessarily evolve to meet the organization's new governance requirements;
f) information: governance maturity measurement should be based on clear and timely available historical and current information, as well as on future expectations;
g) human and cultural factors: governance maturity measurement should take into account human behaviour and culture, as they influence the measurements;
h) uncertainty: governance maturity measurement should take into account the level of certainty associated with the measurements;
i) continual improvement: governance maturity measurement should form the basis for the continual improvement of governance, so that it is and remains appropriate to the organization.
5.3 Measurement activities
5.3.1 Commitment
The governing body, as part of its accountability to the organization, should commit to measuring the organization's governance maturity. The governing body should:
— ensure that evaluations are carried out regularly;
— delegate the necessary authority and responsibilities;
— ensure that the intent, scope and objectives of the evaluation are defined;
— ensure that the level of evidence needed to achieve the objectives is clarified;
— ensure that the necessary resources are allocated;
— ensure that the evaluation results serve as the basis for improvement initiatives;
— oversee reporting on the results of evaluations and of improvement initiatives.
5.3.2 Design
The intent, scope and objectives of the evaluation should guide the design of the evaluation, including:
— identification of the applicable organizational entities and structures;
— identification of the relevant stakeholders and their roles, their expectations and the quality of the relationship between the organization and the stakeholders;
— the use of representatives;
— protection of personal data in accordance with compliance obligations;
— the expected duration, timeframes and reporting requirements;
— the influencing human factors and their assessed level of influence;
— the use of technology.
The design of the evaluation should be clear about the evaluators, for example whether the evaluation is to be:
— self-assessed;
— conducted by one or more persons;
— carried out by staff employed by the organization;
— carried out by an external, independent service provider.
Other considerations include:
— the use of independent assurance providers;
— anonymous responses;
— consensus-based group evaluations in workshops, or individual responses;
— regulatory requirements, including those concerning differences of opinion.
5.3.3 Implementation
Implementation of the evaluation should be managed by those to whom the governing body has actually delegated authority. Implementation activities should be carried out within the parameters provided by the governing body and the governance maturity measurement principles (see 5.2). Evaluations should be completed by allowing access to all relevant personnel and to the necessary evidence, in accordance with the evaluation design.
Implementation activities include:
— the development and approval of a schedule of activities and deadlines, that is, a pla
...