By Marcus Allen
Director, Thamer James Ltd
Management Consultants
ISO 37000 has generated increasing interest amongst Boards, senior leaders and governance professionals seeking to strengthen organisational oversight and long-term sustainability.
Unlike many ISO standards, however, ISO 37000 presents a unique challenge.
It is not a management system standard.
It is not designed for certification.
It does not contain a set of auditable requirements.
Instead, ISO 37000 provides guidance on the governance of organisations through a series of principles designed to help governing bodies improve performance, accountability, stewardship and organisational success.
From participating in governance discussions and governance-related reviews, one observation becomes immediately apparent:
The most difficult part of an ISO 37000 review is rarely identifying governance structures.
The challenge is determining how effectively those structures operate in practice.
Many organisations can demonstrate:
→ Board Terms of Reference
→ Committee Structures
→ Delegated Authorities
→ Corporate Policies
→ Risk Registers
→ Strategic Plans
→ Performance Reporting
These are all important governance components.
However, ISO 37000 encourages organisations to look beyond structures and examine governance effectiveness.
That is where many practical challenges begin.
Governance Is Often Difficult to Measure
One of the first challenges during any governance review is that governance is inherently less tangible than many management disciplines.
For example, an organisation can easily demonstrate whether a business continuity plan exists.
It can demonstrate whether a health and safety inspection has been completed.
It can demonstrate whether a supplier has been approved.
Governance is different.
Questions often become more subjective:
→ Are leaders making effective decisions?
→ Is accountability genuinely understood?
→ Does the Board receive sufficient information?
→ Are stakeholder interests properly balanced?
→ Does organisational culture support good governance?
These questions are often far more difficult to assess than procedural compliance.
The discussion quickly moves beyond documentation and into organisational behaviour.
Governance and Management Are Frequently Blurred
Another common challenge is distinguishing governance from management.
Many organisations struggle to clearly define where governance responsibilities end and management responsibilities begin.
Board members may become heavily involved in operational decision-making.
Senior managers may assume responsibilities that properly belong within governance structures.
As a result, accountability can become confused.
ISO 37000 places considerable emphasis on the distinction between governance and management because both functions are essential but serve different purposes.
Governance provides direction and oversight.
Management delivers operational execution.
A governance review often reveals areas where these boundaries have become unclear over time.
Culture Cannot Be Reviewed Through Documents Alone
Perhaps the most difficult area within ISO 37000 reviews is organisational culture.
Many governance failures stem not from missing policies but from behaviours.
An organisation may possess excellent governance documentation whilst simultaneously operating within a culture that discourages challenge, suppresses escalation or tolerates poor decision-making.
Culture influences:
→ Risk reporting
→ Leadership behaviour
→ Accountability
→ Transparency
→ Ethical conduct
→ Stakeholder engagement
The challenge is that culture cannot simply be measured through policy reviews.
Understanding culture requires discussions, interviews, observation and leadership engagement.
This often represents one of the most valuable aspects of an ISO 37000 review.
Stakeholder Expectations Are Increasing
Historically, governance reviews focused heavily on regulatory compliance and financial oversight.
Today's environment is very different.
Stakeholders increasingly expect organisations to demonstrate:
→ Ethical leadership
→ Sustainability
→ Transparency
→ Responsible decision-making
→ Social responsibility
→ Organisational resilience
→ Long-term value creation
ISO 37000 reflects these broader expectations.
Consequently, governance reviews now extend beyond traditional compliance topics.
Many organisations discover that stakeholder expectations have evolved faster than their governance frameworks.
Governance and Resilience Are Becoming Interconnected
Another practical challenge involves operational resilience.
Historically, governance and resilience were often treated as separate disciplines.
Governance focused on oversight.
Resilience focused on operational recovery.
Increasingly, these areas overlap.
Boards are now expected to understand:
→ Critical organisational services
→ Operational dependencies
→ Third-party risks
→ Crisis decision-making
→ Recovery capabilities
→ Long-term organisational sustainability
This requires governance reviews to consider how leadership structures support resilience under pressure.
A governance framework that functions only during stable conditions may not provide sufficient assurance when disruption occurs.
Board Information Quality
A recurring challenge observed across many organisations concerns the quality of information provided to governing bodies.
Boards typically receive significant volumes of data.
The issue is often not the quantity of information but its usefulness.
Governance reviews frequently examine:
→ Whether information supports decision-making
→ Whether key risks are visible
→ Whether performance reporting is meaningful
→ Whether emerging issues are identified early
→ Whether strategic risks receive sufficient attention
Poor governance decisions are often linked to incomplete, delayed or poorly presented information.
Effective governance requires effective insight.
Governance Maturity Varies Significantly
One lesson consistently reinforced through governance reviews is that governance maturity varies enormously between organisations.
Two organisations may possess very similar governance structures on paper.
However, their governance effectiveness can differ significantly.
The difference usually lies in leadership behaviours, accountability, culture, decision-making quality and organisational learning.
This is why ISO 37000 encourages organisations to focus on outcomes rather than merely structures.
The objective is not simply to create governance frameworks.
The objective is to create governance that works.
Moving Beyond Compliance
Perhaps the greatest practical challenge associated with ISO 37000 is helping organisations move beyond a compliance mindset.
Many leaders naturally seek checklists.
They want definitive requirements.
They want measurable controls.
ISO 37000 deliberately avoids this approach.
Instead, it encourages organisations to reflect on how governance contributes to sustainable success.
This requires deeper discussion and often greater organisational honesty.
It means examining not only what governance structures exist, but whether they genuinely support effective leadership, accountability and decision-making.
Conclusion
ISO 37000 offers organisations a valuable opportunity to examine governance from a broader and more strategic perspective.
The challenge is that governance effectiveness cannot be determined solely through policies, committee structures or organisational charts.
The most successful governance reviews explore how governance operates in practice.
They examine behaviours as well as structures.
They assess culture as well as compliance.
They consider resilience as well as accountability.
Most importantly, they focus on whether governance helps the organisation achieve its purpose and navigate uncertainty successfully.
Because ultimately, good governance is not demonstrated by the quality of documentation.
It is demonstrated by the quality of decisions made when organisations face challenge, complexity and change.
Marcus Allen
Director | Thamer James Ltd
Management Consultants
Master's Degree in Management Learning and Change – University of Bristol
Diploma in Governance, Risk and Compliance (GRC) – International Compliance Association (ICA)
Member, BSI G/01 Governance Committee