How to Optimize Performance Using the Governance Maturity Model
Baselining your organization’s level of maturity could unlock key tools and strategies for managing organizational performance.
Effective leadership requires decisiveness in the face of uncertainty, resourcefulness in times of duress and purpose when opportunity arises. Structured organizational governance provides the support leaders need to confidently rise to the challenge and take advantage of new opportunities.
Governance is the system of oversight and support of organizational activities — the framework for how decisions are made. Governance instills order and transparency to roles and processes, bringing clarity to decision-making and predictability to performance. Structured governance builds trust between the organization and stakeholders — including employees, customers, shareholders, vendors, partners, lenders and government agencies — by strengthening transparency, accountability and equity.
Intentional governance does not happen by chance. It is built through charters and bylaws, strategy, key performance indicators (KPIs), documentation and risk management. Leaders who understand how to assess and improve their governance have the keys to manage overall organizational performance.
A Deeper Dive into Governance
Governance is the combination of processes and structures implemented by the board of directors or executive management to inform, direct, manage and monitor activities of the organization to achieve strategic goals.
Every organization has a governance structure, whether implied or explicit, based on the natural formation of the organization. The level of intentionality behind that structure — the maturity — influences how organizations deploy their people, processes, technology and capital.
Structured governance helps organizations transform instinctive management and workflows into intentional action. When a governance framework is in place, organizations are positioned to:
- Strengthen transparency and accountability to the benefit of stakeholders
- Empower employees by providing a level of influence associated with their position and clarity of authority and process
- Codify “institutional knowledge” and best practices into documented and repeatable processes and support structures
- Steer decision-making and manage risk during times of change, uncertainty and disruption
- Signal to investors and other sources of capital that guardrails are in place to protect their investments
- Create boundaries between the board and executive leadership and define roles and responsibilities across positions and functions
These factors align to improve organizational performance and mitigate against disruption. When everyone understands what is expected of them, they are better equipped to move in the same direction.
Governance is not culture. Organizational culture is a blend of undercurrent and explicit expectations. Governance is a set of intentional actions to appropriately govern your organization. Governance is what you deploy; your culture is how you deploy it.
The Six Attributes of Organizational Governance
Based on guidance from the National Association of Corporate Directors (NACD) and criteria established by the COSO 2013 Internal Control–Integrated Framework, Weaver has developed an organizational governance model covering the following six attributes:
- Board roles and oversight: How the board and its subcommittees provide appropriate guidance for the organization
- Strategies, policies and procedures: How an organization defines, executes and monitors its strategic plan, policies and procedures
- Structure and accountability: How an organization manages talent recruitment and development, succession planning, compensation and evaluations
- Communication and reporting: How an organization collects and disseminates information to stakeholders
- Assessment and risk management: How an organization assesses, manages and monitors performance, risk and compliance
- Ethical values: How an organization defines, communicates and enforces its ethics policies
Each attribute can be measured against a 1-5 scale to determine organizational maturity. The stages of maturity are defined as:
- Initial – Informal and undefined. At this stage, organizations rely more on natural workflow and personal relationships than on a formalized structure. Processes tend to be ad hoc and roles are not well defined. The organization lacks the formal capabilities for repeating successes or sharing best practices across the enterprise. Policies, procedures and charters have not been established. Communication, accountability and risk management tend to be informal and siloed.
- Repeatable – Disciplined but intuitive. Organizations at this stage have defined committees or board subcommittees, have identified staff professional development needs, and understand responsibility and authority for leadership positions. Policies and procedures, performance metrics and goals, and basic reporting structures exist but are informal.
- Defined – Standard and consistent. At this stage, standard processes are in place and used to establish enterprise-wide consistency and objectives. Boards and committees have charters, a strategic plan and KPIs are defined, and real-time reporting is available. People understand their job responsibilities and have visibility to career pathways. Risk assessments are regularly performed and risk measures are linked to performance goals.
- Managed – Predictable, monitored and measured. Managed organizations employ sophisticated tools and strategies for controlling organizational development. Processes and outcomes are predictable. KPIs are aligned with the strategic plan and are actively monitored. Formal guidelines for board, internal and external communications are established, and scenario planning is in place to manage risks.
- Optimizing – Continuous improvement. Processes and procedures are established such that the organization can focus on continual improvement. Process improvement strategies are identified, evaluated and deployed. The organization’s ability to rapidly respond to changes and opportunities is enhanced by accelerating and sharing knowledge. An empowered workforce is aligned with business values and objectives.
The maturity model is a stacked model based on incremental improvements. Each level builds on the one prior by defining expectations and processes at an increasingly granular level. In other words, the requirements of a level must be met before an organization can achieve the next stage. Maturity is driven by a variety of factors, including organizational structure, age, priorities, industry (organizations in heavily regulated industries will typically have more mature processes to ensure compliance), market dominance, size and stakeholder expectations.
Maturity manifests across the six attributes of organizational governance, as shown in the table below. Each attribute is described in more detail following the table.
Attribute #1: Board Roles and Oversight
Are board roles explicitly defined through charters and committees? How consistently and effectively does the board provide oversight to the organization?
The board of directors is charged with setting strategic direction, overseeing execution and ensuring accountability. The structure of the board, its level of involvement in an organization, alignment with management, and effectiveness as a governing body are largely driven by the organization’s maturity level.
This attribute manifests across the maturity model in the following ways:
- Initial
  - A board is in place but does not have defined charters, bylaws or committees
  - Objectives have not been defined for the organization
- Repeatable
  - A board charter and bylaws exist and committees are defined
  - The board has communicated objectives and requirements for the organization
- Defined
  - The board and its committees have established charters that align with the organization’s mission and objectives
  - Committee work is aligned with an annual calendar; key functions and responsibilities are scheduled and deployed
- Managed
  - The board and its committees are functioning at the defined state
  - The board is building the foundation for a strong risk governance culture
- Optimizing
  - The board and its committees are committed to continuously improving the organization’s capabilities
Attribute #2: Strategies, Policies and Procedures
Are the strategy, goals, objectives, policies and procedures for supporting the organization’s mission clearly defined? What are the key performance indicators (KPIs) to monitor achievement of the mission? Is the strategy communicated, documented and aligned?
Defined strategies, policies and procedures are key to delivering predictable and repeatable outcomes. In immature organizations, strategy may not be clearly aligned with the organization’s stated direction, and policies and procedures may be undefined or loosely owned by business functions, units or even individuals. As organizations mature, they have the tools and means in place to set organizational strategy and to codify, align and monitor their policies and procedures. The board should set direction through policy making while management implements the policy through procedures to achieve outcomes.
This attribute manifests across the maturity model in the following ways:
- Initial
  - A strategic plan and vision are understood but goals and objectives are not necessarily defined or documented
  - Performance metrics for measuring success with achieving the strategic plan are not yet established
  - Policies and procedures exist, but they are not documented; often, they are dependent on the institutional knowledge of staff
- Repeatable
  - Objectives and goals for the organization are determined by the board and generally known by the staff
  - Executive management works through the appropriate structure to execute operations
  - Key performance measures have been established
  - Informal policies and procedures support the organization’s strategic direction
- Defined
  - A strategic plan has been developed and is aligned with specified objectives
  - Key performance measures are defined
  - Board policies set direction, which management implements through procedures to achieve outcomes
  - Policies and procedures are refined, documented and communicated
- Managed
  - The strategic plan and goals are agreed upon
  - Meaningful KPIs that align with the goals and objectives are in place and monitored
  - Goals, objectives and policies are aligned to the strategic plan and communicated to the organization
  - Policies and procedures are reviewed, revised and communicated throughout the organization on a defined schedule
  - Policies and procedures are aligned and govern business processes
- Optimizing
  - The board and its committees are committed to continuous improvement for the organization
  - The strategic plan and goals are defined, documented, communicated and redefined annually
  - Performance measures and KPIs for goals and objectives are mapped to expected outcomes, regularly measured, monitored and reported to management
  - Management provides staff opportunities for input at regular intervals regarding the strategic plan, goals and objectives
  - Policies are continuously evaluated on an enterprise-wide basis to achieve the desired risk/reward balance
Attribute #3: Structure and Accountability
How effective is the structure of the organization for achieving objectives and managing programs; hiring, training and developing staff; evaluating performance; and engaging in succession planning? Are board and management responsibilities clearly differentiated? Are roles and responsibilities defined with adequate staffing?
Organizational success is dependent on an engaged and empowered staff. A defined and monitored approach to talent recruitment and development, compensation and incentives, and succession planning is crucial to instilling fairness and accountability while mitigating risk.
This attribute manifests across the maturity model in the following ways:
- Initial
  - The organizational structure exists informally based on functions
  - The organization has not yet designated a staff member or members to manage programs, evaluate performance and oversee specific risks
  - Policies are informal and do not emphasize internal control documentation
  - Data are used as necessary when system reporting is available
- Repeatable
  - Responsibilities and authorities are defined for specific individuals and roles
  - Delegation of authority is implemented through the organizational structure
  - Responsibilities for internal controls are established and role-specific
  - Performance measures are determined based on function or expected outcome
  - Internal controls are documented, including segregation of duties
  - Staff professional development needs are identified and documented
  - Data are available to assess whether internal controls are working as intended
- Defined
  - Board and management roles and responsibilities are clearly defined
  - Management establishes the direction for program outcomes
  - Roles and responsibilities are clearly defined with delegation of authority matching job responsibilities
  - Internal controls are documented and updated on a regular cycle, including training
  - KPIs are integrated into decision-making processes
  - Professional development and employee evaluation cycles are established with clearly defined performance measures for individual roles
  - Career ladders and succession planning are established
- Managed
  - A formal lines-of-defense framework for management, compliance and risk is implemented
  - Internal controls are certified by the control owners with certification provided to management
  - Professional development plans are aligned with performance evaluations, with a clear understanding of delegation of authority
  - Risk measures are linked to staff performance goals
  - Resource and capital allocation techniques are effectively deployed
  - Staffing levels are systematically determined
  - Working committees are created by management to address organization-wide issues
  - Reliance on technology is intentional and early warning systems are in place
- Optimizing
  - Organizational structure and delegation of authority are effective entity-wide
  - Procedures include preventative and detective internal controls that sufficiently reduce risk of error
  - Improvement initiatives are established and integrated with development and risk management plans
  - Internal control structure is highly automated
  - The performance evaluation process includes a year-end review and a 360 or peer review component
  - Training to reinforce procedures and controls is conducted annually
  - Succession planning is defined and implemented through middle management levels
Attribute #4: Communication and Reporting
What types of communication are used by the organization for board reporting, internal reporting, staff meetings, dashboards and public information?
Communication and reporting are essential to building trust, marshalling support for organizational direction, executing on organizational goals and satisfying regulatory requirements. This requires organizations to have policies and procedures in place for disseminating information to stakeholders as appropriate for the organization.
This attribute manifests across the maturity model in the following ways:
- Initial
  - Communication and reporting guidelines exist on an informal basis
  - Reporting systems are not common across functions or are inconsistently deployed
  - There is no consistent communications plan across functions and departments
- Repeatable
  - A basic reporting structure is in place and supported by systems used in operations
  - Board reporting occurs on a defined basis
  - Meeting minutes and agendas are retained
  - A communication plan is implemented
  - Board updates are consistently communicated to staff
  - Systems are leveraged to produce consistent and routine reports
  - Performance measures are determined and measured
- Defined
  - Organizational reporting is defined by policy and procedure
  - Robust management reports are deployed
  - External communication protocols are defined
  - Objectives and performance metrics are integrated into enterprise-wide systems
  - Staff training on reporting elements and requirements is provided at regular intervals
  - Systems are leveraged to track expected performance and produce reports
  - KPIs are integrated into decision-making processes
- Managed
  - Formal guidelines dictate consistent and timely communication to the board, staff and public
  - Reporting systems are accessible on demand, specific to individual roles
  - Reporting formats and KPIs are evaluated and updated on a regular basis
  - KPIs are evaluated periodically and refined as needed
- Optimizing
  - Entity-wide reporting needs are adequately serviced
  - The board and management periodically evaluate performance management and communication effectiveness
  - Reporting systems are accessible in near real time
  - KPIs are integrated into enterprise-wide systems, providing dashboard reporting and performance management, including corrective action plans
Attribute #5: Assessment and Risk Management
What processes are in place to monitor the organization’s progress for meeting stated objectives, performance metrics, risk management and compliance?
This attribute brings — or strengthens, depending on the maturity of your organization — discipline to monitoring and risk management functions. As organizations mature, they implement a more sophisticated process for setting and achieving goals and anticipating and mitigating risk. These processes are integrated throughout the organization to develop risk-based decision making and a risk-conscious culture.
This attribute manifests across the maturity model in the following ways:
- Initial
  - Goals, objectives and compliance are monitored on an informal basis
  - Risk management is fragmented and ad hoc
  - Individual risks are managed in silos
  - The organization behaves reactively to events
  - KPIs are not monitored
- Repeatable
  - Basic risk management policy structures and processes are in place, including annual risk assessments
  - High-level risk-management policies are defined
  - Performance goals are informally established
  - KPIs are informally monitored
  - Required data elements and tools for monitoring have been identified
- Defined
  - Risk-sensitive and risk-aware decision-making is taking place
  - A risk assessment is performed annually
  - A compliance program is established for individual programs or divisions
  - Control deficiencies drive improvement initiatives
  - Risk measures are linked to performance goals
- Managed
  - A formal board-approved risk management policy is in place
  - A compliance program is defined for the organization and has dedicated resources
  - Risk assessments are performed more than once a year
  - Staff are trained annually on risk measures and compliance
  - Improved quantification, time-tested models and data analytics are used to identify emerging risks and anticipate potential disruptive change
  - KPIs are regularly monitored
- Optimizing
  - Risk management policy is reviewed and updated annually
  - All elements of the risk management structure fully align with business environment changes
  - Risk management program results are reported regularly to the board and management
  - Risk assessments are performed continuously or on a defined rotating basis
  - Management uses risk management results for optimized decision making, forecasting and scenario planning analysis
  - Compliance is continuously monitored using integrated systems
  - Compliance and performance goals are continuously monitored and used to analyze risk trends associated with goals and objectives
Attribute #6: Ethical Values
Is an ethics policy in place? How are ethical standards communicated throughout the organization? Are ethics requirements enforced and followed by employees? How is compliance monitored?
Ethical values set the tone for an organization’s integrity, which in turn serves as a foundation for building relationships of trust with key stakeholders. This attribute serves as a guide for building structure around integrity, fairness and corporate responsibility.
This attribute manifests across the maturity model in the following ways:
- Initial
  - Ethical values have not been defined by the board
  - Employees are unsure how to report suspicious activity
  - Defined and consistent criteria for addressing misconduct may not be in place
- Repeatable
  - No formal ethics policy is in place
  - Fraud prevention and detection efforts exist for areas of known exposure
  - Ethical values are informally communicated by management
  - Conflicts of interest are voluntarily reported
  - Systems for tracking reported violations are ad hoc
  - Misconduct is addressed on an ad hoc basis without defined and consistent criteria
- Defined
  - A formal ethics program is in place for the entire organization
  - A related party and conflicts of interest disclosure process is defined
  - A hotline exists for reporting suspicious activity or suspected fraud
  - Employee misconduct is reported and addressed according to defined criteria included in the formal ethics policy
- Managed
  - The ethics program is reviewed, revised and communicated throughout the organization on a defined schedule
  - Employees are required to acknowledge the ethics program and any revisions
  - Ethics considerations are incorporated into processes
  - Routine related party and conflicts of interest reporting are in place
  - Staff receive annual training on the fraud prevention and detection program
  - Ethics program violations are consistently addressed in accordance with the policy requirements and routinely reported to the board
  - Processes are updated as necessary based on information obtained from reported suspected fraud
- Optimizing
  - The ethics program is updated on an annual basis
  - Violations are formally tracked and monitored
  - Information gathered through tracking and monitoring of violations is continuously analyzed and incorporated into the program updates
  - Ethical considerations are incorporated into procedure updates throughout the organization
  - Recurring training and proactive monitoring are in place
How to Assess Your Maturity
As a leader, you can use the maturity model to benchmark your organization’s governance procedures against developed and proven criteria. Benchmarking allows you to strategically determine your current level of maturity (current state), where you want to be (goal state) and what you need to do to get there. With that information in hand, you can then begin building the structure you need to mature your organization.
At a minimum, a self-assessment should:
- Identify existing structures, roles and responsibilities
- Evaluate the design of existing processes and related procedures and controls
- Determine the improvements required to reach your goal state
- Prioritize and determine a timeline for executing identified improvements
Success is predicated on management buy-in, consensus on the goal state and priorities, transparency, communication and follow through. A fair and honest assessment may prompt difficult questions and tough conversations. Do not shy away from them. Instead, use that input as an opportunity to engage stakeholders in the effort by explaining how a more mature organization will benefit them.
We have provided a downloadable Governance Maturity Model Self-Assessment Tool that lists common attributes associated with each level of maturity for the six governance elements named above. Your organization can use this to help you understand where you are now and begin planning improvements.
Striking the Right Balance
There is no right or wrong level of maturity, provided your organization satisfies the regulatory standards for your industry. You do not need to achieve a “managed” or “optimizing” level of maturity across every attribute. Recognize that your attributes may manifest at different levels of maturity, which is both acceptable and to be expected.
Let’s compare an established, global, publicly traded manufacturer of medical devices to a young, regional, privately owned retailer. You should expect that the global manufacturer will operate at the “managed” or “optimizing” levels across most attributes simply because of its age, regulatory requirements, level of risk and expectations of shareholders.
By comparison, reaching a “defined” level of maturity may be enough for the small retail business to meet its goals. However, should the private retail operator enter new markets, expand its staff, establish franchises or eventually go public, it may need to advance at least some attributes of its governance to manage risk, support its growth strategy, and satisfy investors and stakeholders.
Governance is Flexible and Dynamic
As the retail store example demonstrates, governance is not a one-size-fits-all task. This is an essential concept to communicate throughout any governance initiatives you undertake. The environment in which you operate is dynamic; your governance framework can and should scale and adapt along with you.
Consider the amount of uncertainty and change that you have navigated in the past year, three years or even five years. Organizations are constantly beset by change — growth and expansion opportunities, regulatory changes, competitive pressure, market disruption, technological advancements, and changing consumer and employee expectations.
An effective governance framework should undergo periodic reassessments and recalibration to ensure it stays attuned to your operations. Ultimately, this is an asset to your organization. By ensuring your governance framework grows and changes along with your organization, you will maintain the guideposts your organization needs to stay focused on strategic objectives, ethical behavior and continual improvement.
Click here to access Weaver’s Governance Maturity Model Self-Assessment Tool and get started. If you would like assistance, contact us to discuss how Weaver can work with you to assess your organizational governance to improve management of your organizational performance.
©2022