ISO/DIS 37014:2026(en)
ISO TC 309
Secretariat: BSI
Date: 2026-01-19
Governance maturity model — Controlled groups of organizational entities — Guidance
© ISO 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
3.4 Group governance components 11
4 Governance maturity aspects for controlled groups 12
4.3 Governance effectiveness 13
4.3.2 Governance conditions 13
4.3.3 Governance principles and key aspects of practice 14
4.4.2 Group governance framework 17
4.4.3 Group governance strategy 17
4.4.4 Group governance policies 18
4.4.5 Group performance results 18
4.4.6 Group governance charters 18
4.4.8 Governance component reviews 18
5 Governance maturity measurement framework 19
5.5 Measurement aggregation 20
6 Governance maturity model 20
6.2 Governance maturity dimensions 20
6.3 Governance maturity calculation 20
6.4 Governance maturity improvement 21
6.5 Governance maturity evaluation 21
Annex A (informative) Governance maturity evaluation worked example 22
A.2.3.1 Defining the scope clearly 24
A.2.3.2 Determining the evaluation objectives 25
A.2.3.3 Selecting evidence sources 25
A.2.3.4 Ensuring inclusivity and integration 25
A.2.4.1 Evidence collection 25
A.2.4.2 Interviews and engagement 25
A.2.4.3 Application of the maturity scale 26
A.2.4.4 Integration of results 26
A.2.6.1 Review and interpret the evaluation results 27
A.2.6.2 Determine the appropriateness of the maturity levels 27
A.2.6.3 Identify and prioritize governance improvement areas 28
A.2.6.4 Communicate the results to the controlled entities 28
A.2.6.5 Ensure implementation and follow-through 29
A.2.7 Summary of the measurement activities 29
A.3.2 Governance Condition: Group governance framework 30
A.3.2.1 Governance behaviour 30
A.3.2.2 Governance effectiveness 31
A.3.2.3 Governance efficiency 31
A.3.2.4 Maturity scoring table 31
A.3.3 Governance Principle: Purpose 32
A.3.3.1 Governance behaviour 32
A.3.3.2 Governance effectiveness 32
A.3.3.3 Governance efficiency 32
A.3.3.4 Maturity scoring table 32
A.3.4 Governance Principle: Oversight 33
A.3.4.1 Governance behaviour 33
A.3.4.2 Governance effectiveness 33
A.3.4.3 Governance efficiency 33
A.3.4.4 Maturity scoring table 34
A.4 Aggregation of the results 34
A.4.2 Aggregation per governance dimension 34
A.4.3 Aggregating the overall ABC Group governance maturity 36
A.4.4 Interpreting the aggregated score 37
A.4.4.1 Understanding the meaning of the aggregated score 37
A.4.4.2 Why the aggregated score matter 37
A.4.4.3 Interpreting the score for appropriateness 37
A.4.4 Understanding the implications of the results 38
A.5 Determining appropriateness and setting improvement targets 39
A.5.2 Determining appropriateness 39
A.5.3 Identifying governance maturity gaps 40
A.5.4 Setting governance maturity priorities 40
A.5.5 Establishing improvement targets 41
A.5.6 Ensuring continuous improvement 41
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309 Governance of Organizations.
This is the first edition.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Groups of organizations, such as corporate groups, business networks, and multinational structures, play an increasingly vital role in international trade and the global economy. These groups connect economies, drive innovation, create employment, and help stabilize markets, making them essential contributors to global economic development. Their ability to operate across multiple countries and industries enhances economic resilience and enables progress on a global scale.
Participation in a group offers numerous benefits to individual organizations. It can strengthen strategic positioning, improve operational efficiency, and enhance long-term sustainability. These advantages include access to shared expertise and best practices, expanded networks and collaborative opportunities, reduced costs through shared services, and enhanced market intelligence. Group arrangements also foster innovation, improve organizational credibility, amplify influence on regulatory and policy matters, and offer collective risk management mechanisms. Additionally, engagement in a group can contribute to employee development and boost morale by connecting staff to a wider professional community.
However, these advantages can be offset by significant challenges. Participating organizations may experience reduced autonomy, diluted brand identity, coordination difficulties, or conflict over resource allocation. Dependency on the group can also create vulnerabilities, especially if key participating organizations withdraw or experience instability. Legal, regulatory, and cultural differences between participating organizations can cause friction, while the actions of a single participating organization can impact the reputation and performance of the entire group. In some cases, group dynamics may discourage innovation, and shared financial obligations can strain stronger participants when others falter.
These complexities highlight the critical importance of effective governance across groups of organizations. Good group governance ensures clarity in roles and responsibilities, promotes accountability, facilitates ethical conduct, and enables participating organizations to navigate both the opportunities and risks inherent in group participation. It helps align diverse interests, builds trust, and supports informed decision-making, thereby unlocking the full value of collaboration while mitigating potential downsides.
While individual organizations can follow internationally agreed standards such as ISO 37000, Governance of Organizations — Guidance, to structure their governance practices, and use ISO 37004, Governance of organizations — Governance Maturity Model — Guidance, to assess their governance maturity, there is currently no global standard for the governance of groups of organizations. A group functions as a whole and can be characterized by different governance practices when compared with that of each individual organization participating in the group. Therefore, the levels of governance maturity can also differ. The lack of guidance on internationally accepted governance maturity for groups hampers the achievement of the intended governance outcomes (effective performance, ethical behaviour and responsible stewardship) for both the group and the individual organizations participating in the group. Without clear guidance, organizations can struggle to identify governance gaps, enhance group performance, and fully realize the benefits of collaboration. Similarly, in the absence of such guidance, stakeholders can also struggle to apply a basis on which to assess whether a group is being appropriately governed.
There are many different types of organizational groups, typically defined by the nature of participation and the relationships between the member organizations. In certain contexts, participation is voluntary; this can be true in industry associations, professional networks, alliances, and collaborative research initiatives. In these arrangements, organizations choose to join based on shared interests, goals, or values, without any formal control or ownership structures. Other groups may be more formalized, such as franchise networks, strategic partnerships, joint ventures, or consortiums, where participation is governed by contractual agreements. At the most structured end of the spectrum are groups formed through ownership or control, such as corporate groups with holding companies and subsidiaries, and operating companies, where participation is based on legal and/or financial obligations.
In highly structured groups of organizations, the main stakeholder, called the controlling member stakeholder (referred to as the controller in this document) , has the legal obligation or defined right to make decisions that affect several separate organizations within the group. In cases where more than one main stakeholder exists, these are collectively referred to as the controlling member stakeholder. Even though each organization is an independent organizational entity with its own legal identity, the controller’s influence can limit the ability of each entity’s governing body to make autonomous decisions. As a result, these governing bodies may struggle to act solely in the best interest of their own organization and instead feel pressure to follow the direction set by the controller, even if it may not align with their organization’s specific needs or purpose.
This type of arrangement is known as a controlled group of organizational entities (referred to as a controlled group in this document). Entities within a controlled group (referred to in this document as controlled entities), are independently existing but are under the control of the same controlling member stakeholder. This controller not only has legal authority over the controlled entities but also determines the controlled group’s collective reason for existing, referred to as the group purpose. Figure 2 depicts an example of this type of a group of organizations, where organization A is the controller and organizations B, C and D are controlled entities and collectively they comprise a controlled group.
Figure 1 — An example of a controlled group of organizational entities
Each controlled entity contributes to achieving the group purpose, while remaining responsible for its own purpose, performance and operations. However, the controller’s influence can heavily shape how each controlled entity functions, makes decisions, and aligns its priorities. This dynamic introduces a complex governance challenge, as the governing bodies of the individual controlled entities must balance their accountability to their own organization with the demands of the controller and the broader interests of the group. While controlled groups can generate significant benefits, they also carry risks. Reduced autonomy may lead to compliance issues, blurred accountability, governance gaps, or decisions that favour the controlled group or controller at the expense of individual organizational resilience and stakeholder interests.
To address this particular issue, this document provides a globally applicable approach to assessing and improving governance maturity for such controlled groups. This document builds on the guidance provided in ISO 37000 and ISO 37004, offering a structured approach to evaluate the implementation of good governance across controlled groups. It enables governing bodies to assess their own organization’s participation in the controlled group and understand their role in collective value creation, while upholding their autonomy and accountability. It also provides stakeholders, current or prospective, with a reliable means to gauge the governance maturity of a controlled group and identify opportunities for improvement.
Although this document is intended to provide guidance for controlled groups, the guidance is applicable regardless of the type, size and nature of activities of the organizations in the group (controlled entities), and whether they operate in the public, private or not-for-profit sectors. The intended uses of this guidance include serving as a tool for continuous improvement rather than punitive enforcement, acting as a lever for strategic alignment rather than a constraint on autonomy, and supporting dialogue between the controller and controlled entities rather than functioning as a mechanism of control. Ultimately, good governance in controlled groups is essential to unlocking shared value, supporting sustainable development, and ensuring that both the controlled entities and the controlled group as a whole have a positive and lasting impact on the economy, society and the natural environment.
Governance maturity model – Guidance for organizations
1.0 Scope
This document is designed to help controlled groups of organizational entities (3.1.6) assess and strengthen their governance maturity, drawing on the principles and guidance of ISO 37000 and ISO 37004. This applicability remains consistent across all controlled entities, irrespective of sector, scale or operational context.
This document is applicable to a particular type of group of organizational entities, namely controlled groups of organizational entities (controlled group), regardless of the type, size and nature of activity of the organizations in the group (controlled entities), and whether they operate in the public, private or not-for-profit sectors.
2.0 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 37000, Governance of organizations — Guidance
ISO 37004, Governance of organizations — Governance maturity model — Guidance
3.0 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37000 and ISO 37004 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Groups of organizations
3.1.1
organization
person or group of people that has its own functions with responsibilities (3.3.3), authorities and relationships to achieve its objectives
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
[SOURCE: ISO 37000, 3.1.3]
3.1.2
organizational entity
organization (3.1.1) that has a distinct and independent existence
Note 1 to entry: In some cases, an organizational entity can be a legal entity.
[SOURCE: ISO 37000, 3.1.4]
3.1.3
controlled entity
organizational entity (3.1.2), with a controlling member stakeholder (3.2.3)
3.1.4
group of organizations
assembly of two or more organizations (3.1.1) with collective objectives
3.1.5
group of organizational entities
assembly of two or more organizational entities (3.1.2) with a group purpose (3.4.6)
3.1.6
controlled group of organizational entities
group of organizational entities (3.1.5), with a common controlling member stakeholder (3.2.3) where the controlling member stakeholder has determined the group purpose (3.4.6)
Note 1 to entry: In this document, the controlled groups of organizational entities are referred to as controlled groups.
3.1.1 Governance roles
3.2.1
stakeholder
person or organization (3.1.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity
Note 1 to entry: Depending on the nature of the organization, stakeholders can include member stakeholders (3.2.2) and other stakeholders, including customers, regulators, suppliers and employees.
Note 2 to entry: In ISO management system standards, a stakeholder can be referred to as an “interested party”.
[SOURCE: ISO 37000, 3.3.1]
3.2.2
member stakeholder
stakeholder (3.2.1) who has a legal obligation or defined right to make decisions in relation to the governing body (3.2.4) and to whom the governing body is to account
Note 1 to entry: These rights or obligations are often recorded in the organization’s (3.1.1) constituting documents (3.3.5), laws and/or regulations.
Note 2 to entry: These decisions can include, for example, the determination of the composition of the governing body or the parameters within which the governing body is to make decisions.
Note 3 to entry: Governing bodies account to these stakeholders for the organization’s outcomes as well as the governing body’s performance.
Note 4 to entry: Member stakeholders are often referred to, and can include, shareholders and members of an organization.
[SOURCE: ISO 37000, 3.3.2]
3.2.3
controlling member stakeholder
member stakeholder (3.2.2) who has ultimate control in relation to the governing body (3.2.4)
Note 1 to entry: In this document, a controlling member stakeholder is referred to as a controller.
3.2.4
governing body
person or group of people who have ultimate accountability (3.3.2) for the whole organization (3.1.1)
Note 1 to entry: Every organizational entity (3.1.2) has one governing body, whether or not it is explicitly established.
Note 2 to entry: A governing body can be explicitly established in a number of formats including, but not limited to, a board of directors, supervisory board, sole director, joint and several directors, or trustees.
Note 3 to entry: ISO management system standards make reference to the term “top management” to describe a role that, depending on the standard and organizational context, reports to, and is held accountable by, the governing body.
[SOURCE: ISO 37000, 3.3.4, modified — reference to “governing group” deleted from note 1 to avoid confusion.]
3.1.2 Governance concepts
3.3.1
principle
fundamental truth, proposition or assumption that serves as foundation for a set of beliefs or behaviours or for a chain of reasoning
[SOURCE: ISO 37000, 3.2.1]
3.3.2
accountability
obligation to another for the fulfilment of a responsibility (3.3.3)
Note 1 to entry: The obligation includes the duty to inform and to explain the manner in which the responsibility was fulfilled.
Note 2 to entry: The non-fulfilment of a responsibility has consequences that can be enforced on the accountable party.
[SOURCE: ISO 37000, 3.2.2]
3.3.3
responsibility
obligation to act and take decisions to achieve required outcomes
[SOURCE: ISO 37000, 3.2.3]
3.3.4
delegation
assignment of authority and responsibility (3.3.3) from one that holds them to another
[SOURCE: ISO 37000, 3.2.4]
3.3.5
constituting documents
authoritative and unique set or collection of documents that establishes the organization’s (3.1.1) existence and accountability (3.3.2) as amended from time to time
Note 1 to entry: Documents vary depending on the type and location of the organization, and can include a deed of incorporation, articles of association or charter.
[SOURCE: ISO 37000, 3.1.5]
3.1.3 Group governance components
3.4.1
organizational governance framework
strategies, governance policies (3.4.3), decision-making structures and accountabilities (3.3.2) through which the organization’s (3.1.1) governance arrangements operate
[SOURCE: ISO 37000, 3.1.2]
3.4.2
group governance framework
strategies, group governance policies (3.4.4), decision-making structures and accountabilities (3.3.2) within which a group of organizational entities’ (3.1.5) organizational governance frameworks (3.4.1) operate
3.4.3
governance policy
intentions and direction of an organization (3.1.1), as formally expressed by its governing body (3.2.4)
[SOURCE: ISO 37000, 3.2.9]
3.4.4
group governance policy
a formal expression of the intentions and direction of a group of organizational entities (3.1.5)
3.4.5
organizational purpose
organization’s (3.1.1) meaningful reason to exist
Note 1 to entry: The organizational purpose is the ultimate value the organization intends to generate for specified stakeholders (3.2.1).
Note 2 to entry: The organizational purpose guides the performance objectives and provides clear context for daily decision-making by relevant stakeholders.
[SOURCE: ISO 37000, 3.2.10]
3.4.6
group purpose
group of organizational entities’ (3.1.5) meaningful reason to exist
Note 1 to entry: The group purpose is the value the group intends to generate for specified stakeholders (3.2.1) who may vary over time.
Note 2 to entry: The group purpose provides clear context for decision-making by the governing bodies (3.2.4) of the organizational entities (3.1.2) participating in the group of organizational entities (3.1.5).
4.0 Governance maturity aspects for controlled groups
4.1 General
The purpose of evaluating the governance maturity of controlled groups is so that stakeholders can assess how confident they can be in the governance of each controlled entity. Specifically, it examines whether each governing body can govern their controlled entity such that the entity can achieve the intended governance outcomes. It also provides a means by which stakeholders can assess how confident they can be in the controlled group’s ability to achieve its group purpose.
NOTE: The controller as well as each controlled entity in the controlled group should assess their individual entity’s governance maturity using the guidance provided in ISO 37004.
This document provides guidance on assessing several key aspects of group governance, including the establishment of appropriate governance conditions for the group, the adoption and practical application of suitable group governance principles, and the efficient communication of governance directives. The aim of group governance is to create a governance environment that allows each controlled entity to be appropriately governed while enabling the controlled group to achieve its group purpose.
The governance maturity aspects outlined in ISO 37004 are applied to assess the controlled group’s governance environment. These aspects focus on three key areas:
— How the governing body of the controller and the governing bodies of the controlled entities (together called the controlled group governing bodies) behave and make decisions.
— How effectively these governing bodies apply governance conditions, principles, and practices.
— How efficiently governance directives are communicated throughout the entire controlled group.
4.1.1 Governance behaviour
Governance behaviour describes the approach used to apply the governance conditions, principles and key aspects of practice described in ISO 37000 (collectively referred to as governance actions). Similar to individual organizations, controlled groups also exhibit common governance maturity features in their application of governance actions. These features can be observed in the behaviour of both the governing body of the controller and the governing bodies of the controlled entities (together referred to as the controlled group governing bodies).
These features include:
a) Adoption — the controlled group governing bodies demonstrate commitment to the adoption of the governance actions for the controlled group;
b) Understanding — the controlled group governing bodies show an understanding of the importance of the governance actions for the controlled group;
c) Application — the controlled group governing bodies direct the governance actions to achieve the group purpose and can describe their experiences when doing so;
d) Analysis — the controlled group governing bodies compare results of the governance actions with peer groups and can explain the outcomes they intend to achieve from the governance actions for the controlled group;
e) Evaluation — the controlled group governing bodies evaluate stakeholder perceptions of the governance actions;
f) Improvement —the controlled group governing bodies can explain how they plan and implement corrections and improvements to continually enhance their governance actions to achieve the group purpose.
4.1.2 Governance effectiveness
4.1.3 General
Governance effectiveness is a combination of quantitative and qualitative measures which refer to the ability for the controlled group to achieve the intended governance outcomes by applying the governance principles provided in ISO 37000 and selecting and implementing appropriate governance practices for the controlled group. For clarity, the ISO 37000 conditions and principles have been phrased for controlled groups. Governing bodies should refer to ISO 37000 when applying this guidance.
4.1.4 Governance conditions
Governance should be exercised throughout the controlled group and the controlled entities, and an integrated group governance framework should enable the controlled group to coordinate these governance activities such that the controlled group realizes the group purpose and the controller and controlled entities realize the intended governance outcomes: effective performance, responsible stewardship and ethical behaviour.
Governance and delegation
The controlled group governing bodies can delegate outside of their entities, for example to group governance structures, such as shared governance committees, but still remain accountable for what they have delegated and always remain responsible for their controlled entity as a whole. When delegating, each governing body should ensure that its delegation (and the acceptance of delegation) is specifically justified, explained and is formalized together with the appropriate assurance processes, and limits of decision-making authority should also be applied in response to assessed risk. Each governing body should hold to account those to whom it has delegated and ensure accountability is practised. This includes periodic reporting and the presentation of outputs, outcomes, and the processes used to achieve them, supported by evidence that actions taken were reasonable and appropriate.
Governance and management
To achieve a group purpose, controlled groups can realize benefits not only from aligning governance actions and activities, through for example, aligned direction setting and guidance, but can also realize benefits from aligned management practices. Governance actions and activities are aligned using a group governance framework. Within the context of the group governance framework, management practices and activities can be aligned using a group management framework (sometimes called a group policy framework). For example, a group management framework can:
— Enable consistent identification, assessment, and treatment of risks across the group, reducing exposure to unmanaged or duplicated risks.
— Facilitate shared services, joint procurement, and coordinated planning, leading to cost savings and reduced duplication of effort.
— Support improved compliance with common legal, regulatory, and ethical standards, helping ensure the controlled group collectively meets its obligations.
— Provide a structured way to share innovations and updates across the group, improving responsiveness and collaboration.
— Encourage a culture of evaluation and learning by embedding mechanisms for monitoring, feedback, and policy refinement.
While a group management framework can offer valuable benefits, its application requires careful consideration. The management of each controlled entity should be responsible for the implementation of a group management framework, while the governing body should delegate and provide ongoing oversight to ensure that the group management framework remains effective and appropriate for the entity.
When considering the adoption of a group management framework, the controller should also consider several key factors. These include the compliance obligations of each controlled entity, whether the resource requirements of the framework are appropriate for all entities, the potential impact on innovation and flexibility (for example resulting in cumbersome procedures), and the risk of creating confusion around roles and accountabilities.
Governance and sustainability
As outlined in ISO 37000, the purpose of governance — and the responsibility of the governing body — is to establish the conditions that enable the organization to perform over time, fulfil its organizational purpose, and deliver intended value. This responsibility equally applies to the controlled group governing bodies. In addition, these governing bodies should take into account the long-term sustainability of the controlled group as a whole, to ensure that their organizational entity can continue to benefit from being part of the group.
Governance and stakeholders
ISO 37000 provides guidance on stakeholder engagement, fair treatment, and consideration of broader societal and environmental impacts in governance. In furtherance of the intent of ISO 37014, a controller should apply these principles by ensuring fair treatment of all controlled entities, for example when defining the group purpose, through meaningful engagement with the controlled entities and other relevant stakeholders.
Governing body composition, structure and competence
ISO 37000 provides guidance on the appointment of governing bodies and their committees, as well as on the need for their continual improvement. It emphasizes that these processes, and the outcomes of any related assessments, should be transparent and communicated to relevant stakeholders. In furtherance of the intent of ISO 37014, in controlled groups, the controller holds ultimate authority over the governing body of a controlled entity and, in some cases, may even reserve certain decision-making powers. It is therefore essential that controllers follow the ISO 37000 guidance by ensuring that controlled entity governing body appointment processes are transparent and that the results of governance assessments are shared with relevant stakeholders, including the controlled entities themselves.
Additionally, in controlled groups, the controller should ensure that the governing bodies of controlled entities are composed with the appropriate competence (relevant knowledge, skills, and experience), diversity and inclusion, independence of thought and action, capacity, probity, commitment, and stakeholder representation necessary for their purpose. This ensures alignment with ISO 37000 while recognizing the unique accountability of the controller in shaping and sustaining effective governance across the group.
4.1.5 Governance principles and key aspects of practice
General
ISO 37000 provides governance principles and key aspects of practice which are not exhaustive. In furtherance of the intent of ISO 37014, controlled groups should consider these governance principles and key aspects of practice.
When determining which practices to apply, the governing bodies of the controlled group should assess the relevance of the key aspects of practice outlined in ISO 37000 including, the unique and evolving nature of the controlled group and its context, such as the group purpose, group values, compliance obligations, relevant and controlled entity stakeholder expectations, and the group governance framework.
When the governing bodies apply the guidance of ISO 37000 to the controlled group, it should enable the controlled group to achieve the associated governance outcomes, including:
a) Effective performance:
— The controlled group stays aligned with its defined group purpose;
— It operates efficiently and delivers on the intended objectives;
— It creates value as intended;
— It maintains alignment with group governance policies and relevant stakeholder expectations.
b) Responsible stewardship:
— The controlled group uses shared and individual resources responsibly;
— It manages its collective and individual impacts effectively;
— It considers its role within the broader global context;
— It contributes positively to sustainable development;
— It builds trust and confidence among the communities and stakeholders it serves, both locally and globally.
c) Ethical behaviour:
— The controlled group demonstrates conduct consistent with ethical standards and international norms by fostering a culture of ethics across all controlled entities;
— It promotes accountability through transparent and timely reporting on performance and resource use;
— It treats stakeholders fairly and engages with them meaningfully (including controlled entity stakeholders);
— It acts with integrity and transparency in fulfilling its obligations and commitments;
— It makes decisions competently, ethically, and with due diligence.
These governance outcomes reflect the collective responsibility of the governing body of the controller and the governing bodies of each controlled entity to ensure that the controlled group as a whole operates effectively, responsibly, and ethically.
Group purpose
The governing body of the controller should ensure that the controlled group’s reason for existence is clearly defined as a group purpose. This group purpose should define the controlled group’s intentions towards the natural environment, society and its stakeholders.
It is the controller’s responsibility to ensure that each controlled entity’s purpose is aligned with the overarching group purpose. The controller should also ensure that a set of group values is clearly defined and that each controlled entity establishes its own organizational values that are consistent with, and support, the group values. The governing body of each controlled entity, in turn, should ensure that the entity’s purpose aligns with the group purpose and that its organizational values are aligned with the group values.
Value generation
The governing body of the controller should define the controlled group’s value generation objectives such that they fulfil the group purpose in accordance with the group values and the natural environment, social, and economic contexts within which the controlled group operates.
Strategy
The governing body of the controller should direct and engage with the group governance strategy, in accordance with the controlled group’s value generation model, to fulfil the group purpose.
When developing the group governance strategy, the controller should actively engage the controlled entities in the process. It should also ensure that clear group governance policies are adopted, outlining the controller’s intentions and direction for the controlled group, which should include the following:
a) The governance approach chosen by the controller, for example,
— A risk-based governance approach which focuses on strategic risks that could impact the controlled group’s ability to achieve its objectives;
— A compliance- or rules-based approach which centres on strict adherence to legal, regulatory, and the controller’s requirements;
— A values-based governance model which is rooted in ethical principles, culture, and group values which guide decision-making and behaviours;
— A combination approach which integrates elements of risk-based, compliance-based, and values-based governance to create a balanced and adaptable governance approach.
b) The decision-making approach adopted by the controller, including aspects such as:
— The extent of stakeholder engagement between the controller and the controlled entities;
— Whether decisions for the controlled group are made in an autocratic or collaborative manner;
— Whether decision-making follows a centralized or decentralized model.
c) The processes for determining the group governance strategy, value generation model, and desired strategic outcomes.
d) The establishment and use of group governance committees and roles by the controlled entities.
e) The responsibilities associated with group governance activities, including performance and reporting expectations, as well as guidance on how these responsibilities should be fulfilled.
f) The use of a group management framework to support operational alignment and efficiency, including the use of voluntary codes and standards, and associated governance responsibilities.
g) The principles guiding group governance, which should include information about:
— Respect for each controlled entity’s autonomy and recognition of its governing body’s accountability for the controlled entity, including:
— How each controlled entity’s autonomy should be respected and accountability of that controlled entity’s governing body for the controlled entity should be recognized;
— How each controlled entity’s stakeholders should be fairly treated and the expectations of relevant stakeholders, in particular member and reference stakeholders, should be considered;
— Minimum governance standards expected of controlled entities in respect of the group values;
— Transparency in reporting of alignment with the group governance framework;
— Responsibilities of controlled entities to contribute to the group strategy;
— Processes for adapting group governance policies and practices, and for deviations.
Oversight
The governing body of the controller should oversee the controlled group’s performance to ensure that the performance meets its intentions for, and expectations of, the controlled group, and the controlled group’s ethical behaviour and compliance obligations.
Accountability
The governing body of the controller should demonstrate its responsibility for the controlled group as a whole and hold to account those to whom it has delegated.
Stakeholder engagement
The governing body of the controller should ensure that the controlled group’s stakeholders, including the controlled entities, are appropriately engaged and their expectations considered.
Leadership
The governing body of the controller should lead the controlled group ethically and effectively and ensure such leadership throughout the controlled group.
Data and decisions
The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. The governing bodies of the controller and the controlled entities should at all times act in accordance with their entity's compliance obligations.
Risk governance
The governing body of the controller should ensure that it considers the effect of uncertainty on the group purpose and associated strategic outcomes.
Social responsibility
The governing body of the controller should ensure that decisions across the controlled group are transparent and aligned with broader societal expectations.
Viability and performance over time
The governing body of the controller should ensure that the controlled group remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs.
4.2 Governance efficiency
4.2.1 General
Governance efficiency considers the functioning of the implemented group governance practices across the controlled group. Group governance components formalize and clarify the controller’s governance intentions for the controlled group.
The group governance components can include the following:
a) group governance framework (see 4.4.2);
b) group governance strategies (see 4.4.3);
c) group governance policies (see 4.4.4);
d) group performance results (see 4.4.5);
e) group governance charters (see 4.4.6);
f) group reports (see 4.4.7);
g) governance component reviews (see 4.4.8).
4.2.2 Group governance framework
In line with the organizational governance frameworks described in ISO 37000 and ISO 37004, a group governance framework sets out how a controlled group is, or should be, governed. A well-defined group governance framework should help to ensure that all controlled entities within the group work together effectively while maintaining appropriate levels of autonomy and accountability. It should provide a clear structure for how governance arrangements function across the entire group and support consistency, accountability, and alignment.
The group governance framework offers clarity in several key areas, including:
— Group boundary: Identifying which controlled entities and other organizations (also referred to as controlled entities for ease of reference in this standard) are part of the controlled group and the nature of their participation, for example, whether this is by a shared controlling member stakeholder or by formal agreement.
— Group governance parameters: Describing the governance-related provisions within the constituting documents of controlled entities, as well as relevant compliance obligations, that influence how the controlled group is governed.
— Accountability: Clarifying how each controlled entity’s governing body remains accountable for its own governance responsibilities, even as it operates within the controlled group.
— Governance alignment, by:
— Describing how the group governance framework aligns with the organizational governance frameworks of each controlled entity,
— Describing how the group governance strategy aligns with each controlled entity's organizational strategy and strategic objectives,
— Clarifying how group governance policies are aligned with the governance policies of the controlled entities,
— Outlining how group governance committees and roles are coordinated with those of each controlled entity.
— Group engagement, by:
— Explaining how the controlled entities interact and engage in operational matters, including the mechanisms used to share information,
— Describing how the controlled group’s governing bodies engage with one another, monitor group-level governance issues, and communicate on governance-related topics.
4.2.3 Group governance strategy
In line with an organization’s strategy as described in ISO 37000 and ISO 37004, a group governance strategy is the pattern of evolving intentions that provide direction for harmonizing and focusing effort to fulfil the group purpose, associated value generation objectives and related strategic outcomes for the group.
4.2.4 Group governance policies
Controllers can use group governance policies to clearly express their intentions and strategic direction for the controlled group. These policies should define the roles and structures responsible for implementing those intentions. When developing group governance policies, controllers should consider the group governance framework and the group governance strategy.
The governing bodies of the controlled entities should ensure that those to whom they have delegated are empowered to develop management policies that align with both the group governance policies and their own organizational governance policies. Importantly, even when a governing body delegates responsibilities outlined in group governance policies, it remains accountable for those delegations and for the overall governance of its controlled entity.
4.2.5 Group performance results
Group performance results should be reported by the delegated roles and/or committees designated in the group governance policies to the delegating governing bodies. These results should enable the governing bodies to effectively oversee these delegations.
4.2.6 Group governance charters
In line with an organization’s governance charters, as described in ISO 37004, if the governing body of a controlled entity delegates responsibilities to a committee or role outside its own organization, such as one serving the controlled group (group governance committees or roles), this delegation should be clearly documented in a group governance charter. This includes any roles or committees defined in group governance policies.
Group governance charters should clearly outline the delegation of responsibilities and authority from one organization to another, for example, from a controlled entity to the controller or to another controlled entity. It should also define the limits of delegated decision-making authority, based on the level of assessed risk.
4.2.7 Group reports
In a controlled group governance context, a group report is submitted by a delegated role or committee to each governing body that delegated to that role or committee. These reports enable the governing bodies to oversee how their delegations are being carried out. The content of the group reports is guided by the direction set out in the group governance policies and the specific delegations outlined in the group governance charters.
Group reports should be timely, accurate, material, complete, understandable, responsive, and balanced, and can include expert insights or opinions from those preparing them. They should be accompanied by relevant performance registers to provide a clear and comprehensive view of progress and outcomes.
4.2.8 Governance component reviews
Governance components used to govern a controlled group should be regularly reviewed to ensure that they remain current and applicable and continue to reflect the changing contexts within which the controlled entities and the controller operate. Improvements to the governance components should be planned, prioritized and implemented on this basis. Controlled group governing bodies should remain informed about how changes to group governance components can impact their individual entities and take appropriate action in response.
5.0 Governance maturity measurement framework
5.1 General
The governing maturity measurement framework measures the maturity of an organization’s governance activities using the governance maturity aspects as described in ISO 37004. This approach applies equally to measuring the maturity of the governance activities of controlled groups, using the governance maturity aspects as described in Clause 4 of this standard.
The measurement of a controlled group’s governance maturity includes the activities to:
a) Commit: establish commitment for the evaluation by the controlled group’s governing bodies;
b) Design: determine and plan, for example, the evaluation scope, time frames and objectives, within the context of the controlled group’s requirements;
c) Implement: conduct the evaluation ensuring effective stakeholder engagement with the controlled group’s governing bodies;
d) Oversee: the controller should monitor the progress of the evaluation and the controlled group governing bodies should act where necessary;
e) Action: the controller should review the evaluation results, share them with the governing bodies of the controlled group, plan and agree necessary improvements, and ensure that the controlled group’s governing bodies report on the evaluation outcomes.
5.1.1 Measurement principles
When measuring the governance maturity of a controlled group, the ISO 37004 measurement principles should be applied and include the following:
a) Integration: measurement should take into account that governance across the controlled group, as exercised by the governing bodies of the controller and each controlled entity, can result in differences which should be integrated.
b) Intent: measurement should record rationales for the answers provided.
c) Completeness: measurement should be structured and comprehensive to contribute to consistent and comparable results.
d) Inclusivity: measurement should include appropriate and timely involvement of the governing bodies of the controlled group, and other relevant stakeholders as appropriate or as required by applicable regulations, such that their knowledge, views and perceptions can be considered.
e) Dynamic: measurement should take into account that governance activities are not static and necessarily evolve to meet the controlled group’s changing governance requirements as well as those of the controller and the controlled entities.
f) Information: measurement should use timely, clear, and available historical and current information, as well as future expectations.
g) Human and cultural factors: measurement considerations should include human behaviour and culture as they influence measurements.
h) Uncertainty: the level of certainty associated with measurements should be considered.
i) Continual improvement: measurement should form the basis on which the governance of the controlled group is continually improved.
5.1.2 Measurement activities
The controller’s governing body should be guided by ISO 37004, and should:
a) Commit: demonstrate commitment to the measurement of the maturity of the controlled group’s governance;
b) Design: use the evaluation intent, scope and objectives to guide the evaluation design;
c) Implement: effectively delegate to others to manage the evaluation;
d) Oversee: provide oversight of the evaluation;
e) Action: on receipt of evaluation results, compare the results with past evaluations, as applicable; assess prior and current governance improvement programmes in the context of the results; determine the appropriateness of the results for the controlled group; identify and prioritize areas for improvement; and assess the prioritized improvement areas to determine the details of their implementation.
The governing bodies of the controlled group should report on the results.
5.1.3 Measurement scale
The governance maturity measurement framework outlined in ISO 37004 should guide the evaluation of the maturity of the governance of the controlled group.
5.1.4 Measurement aggregation
Governance maturity is evaluated for the governance conditions and the governance principles across the three governance maturity aspects (governance behaviour, governance effectiveness and governance efficiency).
Results are aggregated for:
a) Governance maturity aspects,
b) Governance conditions,
c) Governance principles,
d) Overall governance of the controlled group, that is, the aggregation of the aggregated results for the (a) governance maturity aspects, (b) governance conditions and (c) governance principles.
6.0 Governance maturity model
6.1 General
A governance maturity evaluation of a controlled group takes into account the group's governance conditions and principles, using the maturity measurement scale defined in the governance maturity measurement framework.
After the evaluation, the controller’s governing body should establish improvement targets where needed. These targets should be appropriate for the controlled group, taking into account both the positive and negative impacts on the controller and each controlled entity.
The controller should share the results of the governance evaluation with the governing bodies of the controlled entities. In turn, these governing bodies should communicate the results within their respective entities and to other relevant stakeholders. This communication should highlight the success of past governance improvement initiatives and outline future improvement priorities.
6.1.1 Governance maturity dimensions
The governance dimensions to be considered in the evaluation include the controlled group’s governance conditions (see 4.3.2) and governance principles (see 4.3.3).
6.1.2 Governance maturity calculation
The ISO 37004 governance maturity measurement scale is applied incrementally to demonstrate increasing governance maturity of the controlled group.
Using the ISO 37004 framework, a result represents the evaluated level of achievement for a specific governance maturity aspect within a governance dimension, averaged across the controlled group. This average is calculated using the arithmetic mean of individual evaluations, with decimal values rounded down.
Final results are obtained by aggregating scores across governance maturity aspects and dimensions, as well as a combined aggregation of both. This process yields an overall governance maturity level for the controlled group.
Weights, or other differentiation criteria, can be used where a controlled group includes controlled entities with very different characteristics. In controlled groups, entities can vary significantly, for example, in terms of industry, size, complexity, risk exposure, geographic context, or strategic importance. Treating all entities as if they had equal influence or equal expectations can, in such cases, distort the overall picture of group governance maturity.
These weights can be based on quantitative factors (for example, revenue contribution, number of employees, asset base) or qualitative criteria (for example, strategic relevance, regulatory intensity, stakeholder sensitivity, environmental or social impact). If weights, or other differentiation criteria, are used, it is important that the controller is transparent about how the weights are determined, apply them consistently, and periodically re-evaluate them to ensure they remain appropriate and do not undermine the credibility of the result.
6.1.3 Governance maturity improvement
A final consideration is the appropriateness of the governance maturity level for the controlled group. Higher maturity levels—across all three governance maturity aspects—do not necessarily imply greater certainty in achieving the group’s intended benefits and governance outcomes. Moreover, the investment required to reach higher levels of maturity may not be suitable for every controlled entity and could negatively affect the resource stewardship of one or more entities. Therefore, the chosen level of governance maturity should be appropriate for both the controller and the controlled entities and should be aligned with the governance needs of the entire controlled group.
The factors used to determine the appropriateness of governance are diverse and include the specific contexts of the controlled group, the controller, and the controlled entities. These factors should be identified through consultation with the controller, the controlled entities, and, where appropriate, relevant stakeholders.
The governing body of the controller should not simply aim for the highest levels of governance maturity; it should aim for the level of governance maturity most appropriate for the controlled group. This is a key consideration which, if not applied, can result in inappropriate use of resources, or reduced group responsiveness.
Governance improvement targets should be set for both the short and long term. These targets should be set on the basis of the gap between the evaluated maturity level and that determined as being appropriate for the controlled group.
6.1.4 Governance maturity evaluation
When applying the guidance provided in this clause, the users should:
a) Establish the controlled group boundary, and governance conditions and governance principles (governance dimensions), which will comprise the scope of the evaluation (see 6.2).
b) Evaluate the level of governance maturity for each governance dimension, against the governance aspects, and aggregate these results if necessary (see 6.3).
c) Determine the level of governance maturity, for each governance dimension and governance aspect, which is appropriate for the organization, set improvement targets where necessary (see 6.4).
Annex A provides a governance maturity evaluation worked example.
(informative)
Governance maturity evaluation worked example- Scenario overview
- ABC Group
- Scenario overview
ABC Group is a fictional cross-sector controlled group comprising four distinct organizational entities operating in different industries, regulatory environments and risk contexts. The controller, the ABC Group Board, establishes the group purpose, governance framework and group-wide governance policies that shape the expectations and operating boundaries for each entity. While each controlled entity retains its own governing body, all entities operate within the group governance framework and contribute to achieving the group purpose.
- ABC Logistics
ABC Logistics is a transport and distribution company operating in a dynamic, high-volume commercial environment. Its business model is characterised by tight margins, fast operational cycles and highly variable stakeholder expectations. The entity faces operational and supply-chain risks, requiring responsive oversight, strong coordination practices, and disciplined application of group governance directives. However, ABC Logistics also operates with relatively lean structures, which can lead to uneven governance adoption and inconsistent integration of group-level governance components.
- ABC Energy
ABC Energy functions within a heavily regulated sector and operates complex, capital-intensive assets. Its governing body shows strong alignment with the group purpose and consistently integrates the group governance framework into decision-making. Given the entity’s exposure to safety, environmental and regulatory risks, ABC Energy tends to demonstrate more mature governance behaviour. It has established oversight practices and tends to apply group policies confidently, reflecting a governance environment where formalisation and proactive risk management are essential.
- ABC Foods
ABC Foods operates in manufacturing and consumer markets, where product quality, supply chain integrity and stakeholder trust are critical. Its governance practices generally reflect stable structures and disciplined oversight, particularly in relation to risk management and compliance. The entity faces both regulatory and reputational risks, which influence its governing body to adopt a more proactive stance on oversight. Its operating environment requires consistent alignment with group expectations, though local market dynamics may occasionally create tension between group-wide governance requirements and local operational priorities.
- ABC Digital
ABC Digital functions in a technology-driven environment with heightened exposure to data protection, cybersecurity and innovation-related risks. It tends to operate with more agile governance practices that evolve quickly in response to technological change. While the entity keeps its governance components relatively up to date, differences in pace and culture compared to more traditional sectors in the group can result in variations in how group-level governance structures, templates and review cycles are adopted. Its operating circumstances demand both flexibility and increased attention to oversight of digital risk.
The ABC Group Board, the controller, has decided to evaluate the group’s governance maturity aligned with ISO 37014. Each entity operates under different regulatory, cultural and operational circumstances, yet all are governed within the boundaries of a single group governance framework and are expected to contribute to the achievement of a shared group purpose. These differences and interdependencies make ABC Group an instructive scenario for exploring the governance maturity of a controlled group.
By way of example, the evaluation aims to determine the governance maturity of the controlled group in relation to three governance dimensions aligned with ISO 37000 guidance:
a) Governance Condition: Organizational governance framework.
b) Governance Principle: Purpose.
c) Governance Principle: Oversight.
Together, these dimensions reflect the foundational elements needed to achieve the governance outcomes described in ISO 37000 (effective performance, ethical behaviour and responsible stewardship) across a controlled group.
- Measurement activities
- General
- Measurement activities
ISO 37014 guides that the governance maturity of a controlled group be measured using the governance maturity measurement framework set out in ISO 37004, adapted for the unique characteristics of controlled groups. Clause 5 of ISO 37014 establishes that the controller’s governing body should follow the same structured, evidence-based approach used for evaluating the governance maturity of individual organizations but expanded to reflect the interaction between the controller and the controlled entities, as well as the functioning of the controlled group as a whole.
The measurement activities ensure that the evaluation is systematic, comprehensive, comparable and suitable for continual improvement, in line with the measurement principles contained in ISO 37004 and adopted by ISO 37014. These activities are designed to ensure that the evaluation not only measures the maturity of governance practices but also supports better governance across the controlled group by clarifying expectations, highlighting areas of inconsistency, and identifying opportunities for improvement.
ISO 37014 describes five sequential measurement activities, which together form the governance maturity measurement process for controlled groups:
a) Commit: The controller and the governing bodies of the controlled entities formally commit to the governance maturity evaluation, establishing shared purpose, expectations and resourcing.
b) Design: The controller develops the evaluation scope, objectives and methodology. This includes identifying the governance conditions and principles to be assessed, determining evaluation methods, and planning engagement with controlled entities.
c) Implement: Evidence is collected, analysed and evaluated. Engagement with the governing bodies of controlled entities occurs at this stage, ensuring inclusivity, completeness and clarity.
d) Oversee: The controller monitors the progress of the evaluation, ensuring it is properly conducted, remains aligned with the agreed scope, and respects the roles, responsibilities and autonomy of the controlled entities.
e) Action: The controller reviews the evaluation results, determines the appropriateness of the maturity levels for the controlled group, sets improvement targets, communicates results to the controlled entities, and ensures that the governing bodies act on the findings.
Together, these activities operationalise the governance maturity measurement framework in a way that is consistent with ISO 37004 while addressing the specific governance characteristics of controlled groups under ISO 37014. This ensures that the evaluation is not only technically sound but also supportive of effective performance, responsible stewardship and ethical behaviour (governance outcomes) across the controlled group.
- Commit
The evaluation begins when the ABC Group Board, acting as the controller, formally commits to assessing the maturity of the group’s governance framework, the alignment of Purpose across the group, and the strength of Oversight practices. This commitment is not a procedural formality, it is essential to establishing a shared understanding across the controlled entities that the evaluation is strategic, improvement-oriented, and grounded in internationally recognised good practice.
For ABC, this commitment involves:
— Communicating to the governing bodies of all four controlled entities that the evaluation will assess how well the group’s governance arrangements help them fulfil their own responsibilities while contributing to the group purpose.
— Emphasising that the evaluation is not a top-down compliance exercise, but a means of strengthening governance across the entire controlled group.
— Confirming that the controller will provide the necessary support, resources, and clarity of roles, ensuring that governing bodies feel confident and included in the process.
This commitment stage is especially important for the ABC Group because the maturity of Purpose and Oversight varies across entities; without the controller signalling shared ownership of the evaluation, inconsistencies would likely deepen rather than improve.
The ABC Group Board formally commits to evaluating the governance maturity of the controlled group and communicates this to all controlled entity governing bodies.
- Design
Once commitment is established, the controller turns to designing the evaluation, using the ISO 37004 measurement principles of completeness, integration, inclusivity, information quality, and recognition of human and cultural factors, as they influence measurements, to structure the approach.
In the ABC Group context, this design phase focuses on tailoring the evaluation to the three selected governance dimensions:
a) Governance Condition: Organizational governance framework.
b) Governance Principle: Purpose.
c) Governance Principle: Oversight.
The design step is essential because the maturity of these areas depends on both group-level intentions and the way they are interpreted and implemented within each controlled entity. The design should ensure comparability, fairness, and meaningful aggregation across entities with different histories, cultures, and capabilities.
The design process for ABC Group involves:
— Defining the scope clearly (A.2.3.1).
— Determining the evaluation objectives (A.2.3.2).
— Selecting evidence sources (A.2.3.3).
— Ensuring inclusivity and integration (A.2.3.4).
- Defining the scope clearly
The controller specifies that the evaluation will examine:
a) Group governance framework: how governance is structured and coordinated across the controlled group.
b) Purpose (group and organizational): the clarity of the group purpose, the group purpose’s alignment with entity organizational purposes, and how group purpose influences strategy and behaviour.
c) Oversight (group and organizational): how the controller and controlled entities oversee performance, compliance, risk, ethics, and stewardship.
- Determining the evaluation objectives
The evaluation aims to:
— Understand how consistently the group governance framework is adopted and applied across controlled entities.
— Assess how deeply Purpose is embedded and used in decision-making.
— Determine whether Oversight practices provide the controller with reliable, comparable insight across the group.
- Selecting evidence sources
Evidence will be collected through:
— Group-level and entity-level charters, policies, delegations, and reporting frameworks.
— Board packs demonstrating how Purpose influences decisions.
— Oversight reports, risk dashboards, and assurance findings.
— Interviews with the governing bodies, and other relevant stakeholders, to assess behavioural maturity.
- Ensuring inclusivity and integration
Because governance maturity at ABC Group differs among entities, the design requires:
— Engaging each governing body early to explain expectations.
— Designing templates that allow for comparable evidence.
— Recognising contextual differences (for example, ABC Logistics’ more reactive oversight culture).
— Planning for integrated interpretation at group level.
The design step ensures the evaluation is not merely an audit of documents, but a holistic assessment of behaviour, effectiveness and efficiency across the controlled group.
- Implement
The Implement stage involves carrying out the evaluation according to the agreed design. For the ABC Group, this step is where evidence is gathered, interviews are conducted, and the maturity of the group governance framework, Purpose, and Oversight is assessed using the ISO 37004 scale.
This phase is critical because it transforms the conceptual design into a clear picture of governance maturity, revealing not only what exists on paper but what is practiced across the group. The Implement stage involves activities to:
— Collect evidence (A.2.4.1).
— Conduct interviews and engage stakeholders (A.2.4.2).
— Apply the maturity scale (A.2.4.3).
— Integrated the results (A.2.4.4).
- Evidence collection
Evaluators compile evidence such as:
— The group governance framework and entity-level governance frameworks.
— Group and entity board charters showing delegated responsibilities and authority.
— Group purpose statements and entity organizational purpose alignment documents.
— Oversight reports, assurance outputs, and escalation records.
This evidence is used to evaluate:
— Whether governance arrangements are implemented as intended.
— Whether they are functioning effectively.
— Whether they are efficiently supported by governance components such as policies, reports, and review processes, and whether these components collectively efficiently communicated to the relevant stakeholders as intended.
- Interviews and engagement
Interviews with governing bodies, and other relevant stakeholders, help determine behavioural maturity.
For example:
— The ABC Energy Board demonstrates strong understanding of, and commitment to, the group purpose.
— The ABC Logistics Board is less confident about applying the group governance framework, indicating uneven behavioural adoption.
These behavioural insights are essential because governance maturity cannot be assessed solely by examining documents.
- Application of the maturity scale
Evaluators assign maturity scores for each governance aspect (behaviour, effectiveness, efficiency), at a high-level, evaluators find that:
— For the group governance framework, the evaluation shows that while documentation is strong, practices differ between entities.
— For Purpose, the group-level intent is clear, but entity-level embedding varies.
— For Oversight, structures exist but reporting lacks consistency across entities.
All scoring decisions include documented rationales, reflecting the ISO 37004 principle of intent.
- Integration of results
Differences across controlled entities are integrated into a single controlled group result, which is a key requirement of ISO 37014, ensuring the outcome reflects the functioning of the controlled group as a whole.
- Oversee
Throughout the evaluation, the controller exercises oversight to ensure that the process remains credible, inclusive, and aligned with the agreed design. In the ABC Group, this includes:
— Monitoring progress against timelines,
— Ensuring evaluators have access to governing bodies and information.
— Addressing concerns raised by entities about autonomy or interpretation.
— Checking that evidence is complete, consistent, and fairly interpreted.
Oversight is crucial because it protects the integrity of the evaluation process. Since controlled entities operate within different regulatory and cultural contexts, misunderstandings or misalignments could undermine the evaluation if the controller does not actively manage the process.
For example:
— ABC Foods expresses concern that some group governance requirements might not align well with local regulatory expectations.
— The controller ensures these concerns are factored into the interpretation, respecting the ISO 37014 principle that the evaluation should account for uncertainty and contextual variation.
Oversight also ensures that evaluators apply the maturity scale consistently, maintaining comparability across governance dimensions and entities.
- Action
The Action stage is where the governance maturity evaluation begins to deliver value. In ISO 37014, this stage requires the controller to interpret the results, determine what levels of governance maturity are appropriate for the controlled group, communicate the findings, and ensure that governing bodies take corrective and improvement actions. It translates measurement into meaningful governance change, ensuring the evaluation strengthens both individual controlled entities and the controlled group as a whole.
For the ABC Group, the Action phase unfolds through several interlinked activities:
— Review and interpretation of the evaluation results (A.2.6.1).
— Determine the appropriateness of the maturity levels for the group and entities (A.2.6.2).
— Identify and prioritize governance improvement areas (A.2.6.3).
— Communicating the results to the controlled entities (A.2.6.4).
— Ensuring implementation and follow-through (A.2.6.5).
- Review and interpret the evaluation results
— Analyse the maturity scores for each governance dimension
The controller examines the results for the group governance framework, Purpose, and Oversight. This includes comparing behavioural maturity with the actual effectiveness of governance practices and the efficiency of governance components.
For example, ABC Group sees strong behavioural commitment to the group governance framework, but uneven application across entities.
— Identify patterns, strengths and weaknesses across the controlled group
The analysis highlights where governance is consistently mature and where gaps exist, such as:
— Purpose being well understood at group level but embedded inconsistently at entity level.
— Oversight structures being in place but reporting quality varying widely.
— Assess the credibility and completeness of information
The controller ensures that the results accurately reflect the context and that no governance dimension is over- or under-represented due to incomplete evidence or limited stakeholder input.
— Compare results with prior evaluations or expectations
If relevant data exist, the controller notes whether governance has improved, stagnated, or regressed. For ABC Group, earlier assessments showed similar patterns of unevenness, indicating the need for a more structured group-wide approach.
- Determine the appropriateness of the maturity levels
ISO 37014 emphasises that appropriateness is more important than striving for the maximum maturity level. The controller should consider whether the maturity levels achieved, and those targeted, are suitable for the controlled group’s context.
For ABC Group, this involves:
— Assessing whether higher maturity levels would require disproportionate resources
Some controlled entities operate in lower-margin environments; requiring them to achieve level 4 or 5 maturity would strain their capacity and potentially undermine responsible stewardship. For example, the governing body of a controlled entity could allocate the entity’s resources to governance activities in a way that is inappropriate or inefficient, diverting them from uses that would better serve the entity’s best interests.
— Evaluating whether the maturity levels align with the group’s strategic risks and complexity
While the group governance framework could benefit from reaching level 4, Oversight might not require such maturity yet, given the group’s current risk exposure.
— Considering regulatory, stakeholder, and market expectations
In jurisdictions where ABC entities operate under lighter governance requirements, pushing for very high maturity levels might not be justified.
— Determining whether maturity gaps pose material risks
For example, gaps in Oversight effectiveness might expose the group to ethical or compliance risks, suggesting improvement is necessary even if a high maturity level is not required.
— Balancing entity autonomy and group cohesion
The controller ensures that targeted maturity levels do not compromise the governing bodies’ own responsibilities or limit their ability to govern effectively within their local context.
Based on these considerations, in summary, ABC Group concludes that:
— A maturity level of 3 (Formalized) is appropriate for all three evaluated dimensions at this stage.
— The current group-level result of 2.66 (rounded down to 2) indicates that further development is required to reach the appropriate level.
- Identify and prioritize governance improvement areas
The controller uses the results and appropriateness assessment to define priority actions that will strengthen governance across the group. These actions are selected because they directly address the gaps identified.
For the ABC Group, these include:
— Standardising oversight reporting templates
This is intended to improve comparability, reliability, and timeliness of information from all controlled entities.
— Strengthening the embedding of Purpose
Developing group-wide tools to help entities integrate Purpose (group and organizational purpose) into decision-making, culture initiatives and strategic planning and introducing periodic assessments of how Purpose influences behaviour and outcomes.
— Formalising governance component review cycles
Ensuring that group governance policies, group-related charters, and the group governance framework are reviewed at least annually, or on significant change, documenting updates and communicating them across all entities, enhancing alignment of governance practices across entities, and providing guidelines or “minimum governance standards” to ensure entities interpret and implement group governance expectations consistently.
— Improving proactive oversight
Supporting entities with early risk detection tools and building capacity for forward-looking oversight practices rather than reactive reporting.
Each improvement reflects a direct response to gaps identified in the maturity assessment and is aligned with the continual improvement principle of ISO 37004.
- Communicate the results to the controlled entities
Once the controller synthesises the findings, the next step is transparent communication.
For ABC Group, this involves:
— Preparing a structured report
The report summarises maturity scores, rationales and improvement expectations. This ensures that the controlled entity governing bodies clearly understand their roles and responsibilities following the evaluation.
— Holding briefing sessions
The briefing sessions are held with each controlled entity’s governing body, and relevant stakeholders. The sessions explain what the scores mean, how they were derived, why certain improvements are required, and what the intended benefits are for both the entity and the group.
— Encouraging open dialogue
The open dialogue ensures that governing bodies, and relevant stakeholders, can ask questions, express concerns, and discuss how improvement expectations intersect with local realities.
— Reinforcing the collective nature of governance improvement
The evaluation results are presented as opportunities for shared learning and strengthening group cohesion, not as judgments or punitive assessments.
This communication step is fundamental for building trust and ensuring that the controlled entities embrace the outcomes of the evaluation.
- Ensure implementation and follow-through
Action is incomplete unless it results in real governance improvements. ISO 37014 guides the controller to ensure that the governing bodies implement agreed improvements and report on progress.
For the ABC Group, follow-through includes:
— Assigning responsibilities for each improvement action
The controller:
— Leads improvements related to group governance policies and reporting alignment, and the individual entities lead improvements related to embedding Purpose and proactive risk oversight.
— Ensures that strategic governance objectives are set and delegations are established such that responsibilities and authority are assigned for the achievement of these objectives, and appropriate resources are available.
— Oversees training and capacity building programmes to ensure that those responsible are able to fulfil their obligations.
— Setting timelines and milestones
Clear timeframes are established for implementing each improvement, enabling the controller to monitor progress effectively.
— Integrating improvement activities into existing governance cycles
The controller guides the controlled entities to ensure that governance framework updates become part of the annual board calendar, oversight reporting improvements are built into quarterly board cycles, and that group purpose and organizational purpose embedding activities are included in annual strategy reviews.
— Monitoring progress against improvement targets.
The controller receives structured status updates from entities, allowing it to assess progress and address barriers.
— Planning the next maturity evaluation.
Future evaluations are planned to measure whether improvements have been implemented effectively and whether the maturity levels have increased in line with the appropriate targets. Over time, these evaluations also take account of significant trends and emerging insights.
This final stage ensures that ABC Group’s governance maturity is continually improved, rather than evaluated merely in a one-off exercise.
- Summary of the measurement activities
Table 1 summarises, at a high level, the governance maturity measurement activities the ABC Group Board, as controller, takes to align with the guidance provided in ISO 37014.
Table 1 — Governance Maturity Measurement Framework — Example
Activity | High-level activity summary | ||
|---|---|---|---|
Commit |
| — | Controller commits to governance maturity evaluation |
— | Controlled entities acknowledge their role | ||
Design |
| — | Scope defined (1 condition and 2 principles) |
— | Methods selected | ||
— | Instruments aligned to ISO 37004 | ||
Implement |
| — | Evidence collected across the group |
— | Interviews conducted | ||
— | Behaviours assessed | ||
Oversee |
| — | Controller monitors progress |
— | Evaluators maintain independence | ||
— | Adjustments are made as needed | ||
Action |
| — | Controller reviews the results |
— | Determines appropriateness | ||
— | Sets improvement targets | ||
— | Communicates results | ||
- Implementation
- General
- Implementation
The Governance Maturity Measurement Framework’s Implement activity evaluates the controlled group’s governance conditions and governance principles using the ISO 37004 maturity aspects (governance behaviour, governance effectiveness, and governance efficiency). ISO 37014 guides that these evaluations should reflect how the controller and controlled entities collectively contribute to achieving the intended governance outcomes of effective performance, responsible stewardship, and ethical behaviour, as described in ISO 37000.
By applying ISO 37014 to the ABC Group, the evaluation examines not only whether governance practices exist, but whether they are understood, applied, functioning well, and efficiently supported by governance components such as policies, frameworks, charters, and reporting mechanisms.
- Governance Condition: Group governance framework
The ABC Group group governance framework establishes the structures, policies, roles, and reporting mechanisms that enable the controller and controlled entities to govern consistently while respecting each entity’s autonomy. The maturity of this framework is assessed in terms of how governing bodies behave when applying it, how effectively it achieves its intended outcomes, and how efficiently it is supported by governance components.
- Governance behaviour
ABC Group governing bodies demonstrate a strong commitment to applying the group governance framework, although behavioural maturity varies across entities.
— The ABC Group Board consistently references the framework in its discussions about delegations, oversight responsibilities, and performance expectations. This shows that the controller embraces its role in setting governance direction for the group.
— Entity governing bodies display different levels of understanding and confidence when applying the framework. For example, ABC Energy integrates the framework into its board agendas and committee charters, while ABC Logistics shows hesitation and inconsistent interpretation.
— Governing body members can explain why the framework matters for operating as a controlled group rather than as independent organizations. They recognise that shared governance structures support alignment, consistency, and collective performance.
— Some entities proactively evaluate how the framework affects stakeholder perceptions, while others only follow guidance reactively. This indicates partial movement toward the higher behavioural stages described in ISO 37004.
Overall behavioural maturity: A mature commitment exists at the controller level, with variation across controlled entities that reduces group-wide consistency.
- Governance effectiveness
Effectiveness reflects how well the framework achieves its intended purpose: enabling coordinated governance that supports the group purpose and governance outcomes.
— The framework establishes clear accountabilities for the controller and each entity, which helps ensure that roles are understood and governance boundaries are respected. This supports effective stewardship and reduces confusion between governance and management functions.
— Most entities have implemented the framework appropriately, reflecting alignment between group expectations and local governance practices. However, the consistency of application is uneven.
— Group-wide committees and reporting structures function well, providing the controller with visibility into entity performance, ethics, and compliance. This demonstrates effective oversight mechanisms.
— Gaps arise when entity boards fail to apply elements of the framework uniformly, such as inconsistent documentation of delegations or incomplete adoption of minimum governance standards. These gaps dilute the effectiveness of group-wide governance alignment.
— The framework supports the alignment of strategies and policies across the group but does not yet ensure that governance outcomes are achieved consistently at entity level.
Overall effectiveness: Formalized and functional, but with varying quality of application across entities that prevents fully consistent group-level governance.
- Governance efficiency
Efficiency assesses whether governance components supporting the framework are well-defined, consistently used, reviewed, and communicated across the controlled group.
— The framework and related governance components, charters, policies, delegations, reporting templates, exist for both group and entity levels, reflecting sound formalization.
— Entities use these components with differing levels of discipline. Some entities update their governance documents regularly, while others rely on outdated or informal practices.
— Review cycles for governance components are not systematically applied, leading to uneven quality and alignment. For example, ABC Digital updates its policies annually, whereas ABC Logistics has not reviewed its charters for two years.
— Reporting formats vary between entities, which reduces comparability and makes aggregation more resource-intensive for the controller.
— Communication of governance component updates is inconsistent, limiting the efficiency with which entities adopt improvements or incorporate changes.
Overall efficiency: Governance components are present and functional but lack harmonized review, communication, and standardization across the group.
- Maturity scoring table
Table 2 summarises the results of the evaluation the group governance framework governance condition for the ABC Group worked example.
Table 2 — Group Governance Framework evaluation results
Aspect | Score | Rationale | ||
|---|---|---|---|---|
Behaviour | 4 Measured |
| — | Controller and entities show commitment to applying the framework |
— | Behavioural differences remain across entities | |||
Effectiveness | 3 |
| — | Framework implemented across group |
— | Not yet systematically assessed for outcome achievement | |||
Efficiency | 3 |
| — | Governance components exist and function |
— | Review cycles and harmonization across entities incomplete | |||
- Governance Principle: Purpose
Purpose is central to ISO 37000 and ISO 37014. For ABC Group, the controller has defined a clear group purpose, and each controlled entity has aligned its own organizational purpose with it. Maturity is assessed based on how well governing bodies behave when applying Purpose, how effectively Purpose guides decisions, and how efficiently Purpose is embedded and supported.
- Governance behaviour
Governing bodies across ABC Group generally demonstrate commitment to Purpose, with varying depth of understanding.
— The ABC Group Board articulates Purpose confidently and links it to long-term strategy and stakeholder expectations. This aligns with ISO 37014’s behaviour guidance, where governing bodies show understanding and analysis of governance actions.
— Entity boards understand the requirement to align their own organizational purposes, and most can explain how their entity contributes to the group’s value creation and societal impact.
— Behavioural commitment varies: ABC Energy and ABC Foods actively reference Purpose when evaluating major decisions. ABC Logistics references Purpose only superficially, showing less consistent behavioural adoption.
— Some governing bodies have begun evaluating whether stakeholders perceive their behaviours as aligned with Purpose, demonstrating movement toward behavioural evaluation and improvement (higher maturity stages).
Overall behavioural maturity: Strong at group level, moderate and uneven across entities.
- Governance effectiveness
Effectiveness reflects whether Purpose meaningfully shapes decision-making and governance outcomes.
— Purpose is integrated into group strategy documents, influencing capital allocation, sustainability commitments, and risk appetite.
— Entities have developed organizational purpose statements aligned with the group purpose, providing coherence across the controlled group.
— Board papers increasingly reference Purpose, though not always consistently or substantively.
— Decision-making is influenced by Purpose in some entities, such as prioritising renewable investments in ABC Energy.
— There is no systematic process for assessing the impact of Purpose alignment, meaning the controller cannot yet determine how effectively Purpose drives behaviour across all entities.
Overall effectiveness: Formalized and partially embedded but lacking a structured feedback process.
- Governance efficiency
Efficiency assesses how well Purpose is supported by governance components, communication, and review systems.
— Purpose and values are formally documented and communicated, forming a clear reference point for all controlled entities.
— Embedding tools and processes are inconsistent across entities. Some have culture programmes and Purpose-aligned decision frameworks; others rely solely on statements.
— Review of Purpose alignment occurs informally, rather than through structured assessments or reporting cycles.
— No group-wide indicators or metrics exist to evaluate how Purpose influences performance, culture, or stakeholder relationships.
Overall efficiency: Emerging, with strong documentation but limited systematic embedding.
- Maturity scoring table
Table 3 summarises the results of the evaluation the Purpose governance principle for the ABC Group worked example.
Table 3 — Governance Principle: Purpose evaluation results
Aspect | Score | Rationale | ||
|---|---|---|---|---|
Behaviour | 4 |
| — | Governing bodies understand and articulate purpose |
— | Stakeholder perception is not yet systematically measured | |||
Effectiveness | 3 |
| — | Purpose aligned and used in planning |
— | Effectiveness | |||
Efficiency | 2 |
| — | Purpose documented |
— | Embedding tools inconsistent across entities | |||
- Governance Principle: Oversight
Oversight ensures that performance, ethics, risk, and compliance are governed effectively and consistently across the controlled group.
- Governance behaviour
Behaviour reflects how governing bodies demonstrate their oversight responsibilities.
— The controller shows strong oversight behaviour, reviewing consolidated performance, risk, and compliance each quarter.
— Entity governing bodies take oversight seriously but differ in their proactiveness. ABC Foods anticipates risks and escalates early. ABC Logistics often responds only when prompted.
— Some boards use oversight insights to challenge management, while others simply acknowledge reports without deeper analysis.
— Behavioural variation highlights inconsistent governance cultures, which is typical of maturing controlled groups.
Overall behavioural maturity: Formalized but not yet consistently forward-looking across all entities.
- Governance effectiveness
Effectiveness indicates whether oversight structures achieve intended results.
— Oversight structures exist across the group, including risk committees, ethics oversight, and assurance mechanisms.
— Most entities provide oversight reports of reasonable quality, enabling the controller to identify issues and corrective measures.
— Inconsistency in reporting quality reduces group-level effectiveness, as the controller cannot always compare risks or performance accurately.
— Escalation mechanisms work, but reliance on reactive rather than proactive oversight limits the group’s ability to anticipate risks.
Overall effectiveness: Formalized with functioning mechanisms, but gaps reduce reliability and comparability.
- Governance efficiency
Efficiency concerns how governance components support Oversight in a streamlined and consistent manner.
— Oversight components such as templates, dashboards, and registers exist, but are not harmonised.
— Reporting cycles differ between entities, causing inefficiency when consolidating group-level oversight information.
— Assurance practices are not fully integrated, with some entities lacking consistent internal audit engagement.
— Review of oversight processes is ad hoc, reducing opportunities for systematic improvement.
Overall efficiency: Emerging, requiring standardisation and structured review cycles.
- Maturity scoring table
The Table 4 summarises the results of the evaluation the Oversight governance principle for the ABC Group worked example.
Table 4 — Governance Principle: Oversight evaluation results
Aspect | Score | Rationale |
|---|---|---|
Behaviour | 3 | Governing bodies apply oversight but vary in proactivity |
Effectiveness | 3 | Oversight mechanisms identify issues; entity variability limits consistency |
Efficiency | 2 | Oversight components exist but lack standardization and systematic review |
- Aggregation of the results
- General
- Aggregation of the results
ISO 37014 guides that governance maturity results for controlled groups be aggregated systematically, using the governance maturity measurement framework provided in ISO 37004. The purpose of aggregation is to convert individual evaluations, which are conducted across multiple governance aspects and multiple controlled entities, into clear, consolidated results that reflect the maturity of the controlled group as a whole.
Because controlled groups consist of several governing bodies, each with its own governance context, aggregation is essential to:
— Integrate differences across controlled entities into one coherent evaluation of the group.
— Provide a fair, balanced, and comparable result.
— Supply the controller with a group-level maturity score that informs governance improvement priorities.
— Ensure transparency and traceability, as guided by ISO 37004 measurement principles.
ISO 37014 guides that aggregation should occur at three levels:
— Per governance maturity aspect: Behaviour, Effectiveness, Efficiency.
— Per governance dimension: each governance condition and governance principle evaluated.
— Overall controlled group governance maturity: the aggregated score representing the group’s total maturity.
Aggregation uses the arithmetic mean, with all decimal values rounded down, ensuring consistency with ISO 37004’s measurement methodology. This rounding down avoids overstating maturity and maintains a conservative, reliability-focused approach to scoring.
- Aggregation per governance dimension
For each governance dimension evaluated (Governance condition: group governance framework, Governance principle: Purpose, and Governance principle: Oversight), the scores are aggregated across the three ISO 37004 maturity aspects (Governance behaviour, Governance effectiveness, and Governance efficiency). This ensures that no single aspect disproportionately influences the final result, that it reflects the reality that governance maturity depends on how actions are understood (behaviour), how well they work (effectiveness), and how well they are supported by governance components (efficiency), that it provides a clear basis for identifying which aspects need improvement for each governance dimension.
The controller:
— Collected the maturity aspect scores for each dimension.
— Calculated the arithmetic mean of the three governance aspect scores.
— Rounded down any decimal to the nearest whole number.
Recorded this as the aggregated maturity score for that governance dimension.
The controller chose not to apply weights, or other differentiation criteria, to reflect the group’s operational complexity, even though the group operates across multiple sectors, jurisdictions and risk environments. This decision was made because introducing such complexity in the first evaluation or initial application of ISO 37014 was considered likely to create unnecessary complexities.
The controller’s calculations for the group governance framework are shown in Table 5, the result of which is an aggregated maturity level for the governance condition (group governance framework), of 3.
Table 5 — Governance Condition: Group Governance Framework
Aspect | Score |
|---|---|
Behaviour | 4 |
Effectiveness | 3 |
Efficiency | 3 |
Sum of the Scores | (4+3+3) = 10 |
Number of Scores | 3 |
Calculation (Mean) | (4+3+3)/3=3,33 |
Rounded down | 3 |
The controller’s calculations for Purpose are shown in Table 6, the result of which is an aggregated maturity level for the governance principle (Purpose), of 3.
Table 6 — Governance Principle: Purpose
Aspect | Score |
|---|---|
Behaviour | 4 |
Effectiveness | 3 |
Efficiency | 2 |
Sum of the Scores | (4+3+2) = 9 |
Number of Scores | 3 |
Calculation (Mean) | (4+3+2)/3=3,00 |
Rounded down | 3 |
The controller’s calculations for Oversight are shown in Table 7, the result of which is an aggregated maturity level for the governance principle (Oversight), of 2.
Table 7 — Governance Principle: Oversight
Aspect | Score |
|---|---|
Behaviour | 3 |
Effectiveness | 3 |
Efficiency | 2 |
Sum of the Scores | (3+3+2) = 8 |
Number of Scores | 3 |
Calculation (Mean) | (3+3+2)/3=2,66 |
Rounded down | 2 |
- Aggregating the overall ABC Group governance maturity
Once each governance dimension has its aggregated score, ISO 37014 provides a final aggregation step to produce a single maturity level representing the controlled group. This score is essential because it provides a group-wide indicator of governance maturity, enables benchmarking against future evaluations, supports decision-making and prioritisation of governance improvements, and offers stakeholders a clear and transparent summary of maturity.
The controller:
— Takes the aggregated dimension scores.
— Calculates the arithmetic mean.
— Rounds down to the nearest whole number.
— Reports this as the overall controlled group governance maturity level.
The controller decided not to aggregate the results from first principles at the dimension and aspect levels. Instead, it chose to aggregate the already-aggregated scores, as this approach better supported the intended purpose of the evaluation — not reliance on a precise quantitative result, but rather fostering discussion and driving improvements in governance across the group.
The controller’s calculations for the ABC Group’s aggregated governance maturity are shown in Table 8, the result of which is an aggregated maturity level for ABC Group, of 2.
Table 8 — Governance Principle: Oversight
Dimension | Score |
|---|---|
Governance Framework | 3 |
Purpose | 3 |
Oversight | 2 |
Sum of the Scores | (3+3+2) = 8 |
Number of Scores | 3 |
Calculation (Mean) | (3+3+2)/3=2,66 |
Rounded down | 2 |
- Interpreting the aggregated score
Once the aggregated governance maturity level for the controlled group has been calculated, ISO 37014 guides the controller to interpret the results in light of the group’s governance needs, context and objectives.
The aggregated maturity level provides a starting point, not an endpoint. It indicates the current state of governance maturity, but not whether the maturity level is appropriate or sufficient for the controlled group’s circumstances.
- Understanding the meaning of the aggregated score
The ABC Group’s aggregated governance maturity level is 2, representing a position between Emerging and Formalized maturity on the ISO 37004 scale. Reflections at this level include:
— Foundational governance practices exist across the controlled group, but they are not yet consistently applied. This means that while governance structures, policies and processes are in place, their use varies between controlled entities.
— Behavioural maturity varies, with some entities demonstrating stronger understanding and application of the governance framework than others. Variability in behaviour among governing bodies is typical of an emerging governance environment within a controlled group.
— Effectiveness is uneven, indicating that governance practices achieve their intended purposes in some areas but not reliably across all entities. This limits the controller’s ability to rely on governance processes as a dependable mechanism for group-wide oversight.
— Efficiency of governance components remains underdeveloped, particularly for Oversight and Purpose embedding. Governance components such as reports, reviews, policies, and charters exist, but are not consistently harmonised or regularly reviewed.
Together, these factors explain why the aggregated maturity score reflects a system that is functioning but not yet aligned or fully developed across the controlled group.
- Why the aggregated score matter
The ABC Group Board felt that interpreting the aggregated maturity score was essential for several reasons:
— It provided a clear baseline for governance improvement
The ABC Group Board could identify how far the controlled group is from the maturity level that is appropriate for its context and can plan development activities accordingly.
— It highlighted the extent of inconsistency across controlled entities
A maturity level of 2 indicated notable variation in governance behaviours, practices, and efficiencies across entities, which could pose risks to achieving the group purpose.
— It signalled governance vulnerabilities that could affect value creation, compliance, and stakeholder trust
Emerging maturity implies that the group’s governance was not yet sufficiently robust to handle complex or changing circumstances in a coordinated way.
— It helped the controller assess whether governance outcomes were achievable
If governance maturity is too low, the controlled group could struggle to achieve ISO 37000’s intended governance outcomes of effective performance, ethical behaviour and responsible stewardship.
— It framed the level of governance investment required
A lower maturity score suggests that governance improvements could require investment in capacity-building, systems, reporting processes, or governance component reviews.
- Interpreting the score for appropriateness
ISO 37014 states that maturity levels should be evaluated against what is appropriate for the controlled group, not simply against the highest possible level.
When applying this requirement to the ABC Group:
— A maturity level of 2 is likely insufficient for the group’s operational complexity. The group spans multiple sectors, jurisdictions and risk environments. A more formalized governance maturity (level 3) would better support alignment and oversight.
— A lower maturity level increases exposure to inconsistent oversight and fragmented governance practices. This could diminish the controller’s confidence in the effectiveness of entity-level decision making.
— Stakeholder expectations, particularly regulators, investors, and community stakeholders, require greater governance reliability. Purpose, Oversight, and Organizational Governance Framework maturity should align with relevant stakeholder perceptions of stability, transparency, and ethical conduct.
— Resource stewardship considerations discourage setting overly ambitious targets. While the group could theoretically pursue higher maturity levels, doing so could impose unnecessary burdens on smaller or less-resourced entities.
— The controller should balance aspiration with practicality. A maturity level of 3 (Formalized) provides a feasible, responsible target that supports governance strengthening without overwhelming the controlled entities.
- Understanding the implications of the results
The ABC Group Board felt that a score of 2 had practical implications for governance within the controlled group. These included:
— Oversight requires immediate attention
Since Oversight scored lowest (2), it is the dimension that contributes most to the lower aggregated maturity score.
— Governance alignment needs reinforcement
Variability in governance practices between entities should be reduced to support reliable group-level governance.
— Governance components should be harmonised and reviewed regularly
Efficiency weaknesses show that governance tools and structures need to be standardised across entities.
— Purpose embedding should be strengthened
Purpose behaviour and effectiveness are reasonable, but efficiency gaps limit the ability of Purpose to shape decision-making consistently.
— Entity autonomy and accountability should be respected while consolidating group governance expectations
Enhancing maturity requires careful balancing of group-level guidance and entity-level flexibility.
The ABC Group Board felt that the aggregated governance maturity level of 2 indicated that:
— The controlled group had basic governance capability.
— But governance practices are not yet reliable, consistent, or harmonised enough to support the group's ambitions.
— The ABC Group Board should take immediate action to guide improvements to reach the appropriate maturity level of 3.
- Determining appropriateness and setting improvement targets
- General
- Determining appropriateness and setting improvement targets
ISO 37014 emphasises that the purpose of a governance maturity evaluation is not simply to achieve the highest maturity score, but to determine the maturity level that is appropriate for the controlled group, taking into account its context, risks, resources, strategic objectives, and the needs of both the controller and controlled entities.
Controlled groups are complex systems; therefore, governance maturity improvements should be pursued strategically, responsibly, and proportionately, without undermining responsible stewardship or placing undue burden on controlled entities.
- Determining appropriateness
After calculating the aggregated governance maturity score of 2 (Emerging), the controller should decide whether this maturity level is appropriate for the ABC Group’s context. ISO 37014 guides the controller to consider several factors when determining appropriateness. In the ABC Group scenario, each factor should be assessed carefully:
— The complexity and scale of the controlled group
ABC Group operates in multiple sectors: energy, logistics, food manufacturing, and digital services. Different entities face different regulatory and operational conditions. These differences mean that governance maturity will naturally vary, but the group still requires a minimum level of harmonization to operate effectively.
— Resource availability across controlled entities
Some entities (e.g., ABC Energy) have strong governance functions and can easily adopt higher maturity practices. Others (e.g., ABC Logistics) operate with leaner structures and would face financial and administrative strain if required to adopt maturity level 4 or 5 practices prematurely. A maturity target should therefore balance ambition with realistic capacity.
— Risk exposure and strategic priorities
Entities such as ABC Digital manage data protection risks that could require higher oversight maturity. ABC Foods and ABC Logistics face operational and supply chain risks that require consistent governance but not the most sophisticated governance structures. This diversity suggests that a moderate maturity target is suitable at group level.
— Regulatory and stakeholder expectations
Some jurisdictions in which ABC Group operates have strong governance codes; others have minimal governance requirements. The group should set a maturity level that satisfies relevant stakeholder expectations without imposing disproportionate governance demands on subsidiaries not guided by strong governance codes or by higher stakeholder expectations.
— Governance outcomes desired by the controller
The controller wants to improve alignment, predictability, and reporting consistency. Achieving these goals requires moving beyond “Emerging” maturity but not necessarily reaching the highest maturity levels.
— Responsible stewardship and impact on controlled entities
Imposing excessively high governance expectations could divert resources away from operations, innovation, or local strategic initiatives. Governance should strengthen, not hinder, the resilience and performance of each controlled entity.
After applying these considerations, the controller determines that a governance maturity level of 3 (Formalized) is appropriate for the ABC Group.
This target represents:
— A realistic next step for the group.
— An achievable goal across all entities.
— A level that supports strategic alignment and oversight consistency.
— A maturity that balances ambition with responsible stewardship.
The current result of 2 therefore indicates that a maturity improvement programme is required.
- Identifying governance maturity gaps
ISO 37014 guides the controller to identify gaps between the evaluated maturity level, and the appropriate maturity level determined for the controlled group.
For ABC Group, the gaps can be summarised as follows:
— Governance Framework
Current maturity level: 3, Appropriate maturity level: 3.
Gap: No maturity gap, but opportunities remain to strengthen consistency and efficiency.
— Purpose
Current maturity level: 3, Appropriate maturity level: 3.
Gap: No maturity gap, but improvements needed in embedding and measurement.
— Oversight
Current maturity level: 2, Appropriate maturity level: 3.
Gap: One full maturity level, requiring targeted development.
The critical governance gap lies in Oversight, where behavioural, effectiveness, and efficiency differences across entities weaken the group’s ability to anticipate risks and ensure consistent stewardship.
- Setting governance maturity priorities
ISO 37014 guides the controller to prioritise improvements that address the most significant governance gaps, strengthen governance outcome achievement, consider resource usage and entity capabilities, and support sustainable and coordinated improvements across the controlled group.
For the ABC Group, the most important improvement priorities are:
— Strengthen oversight consistency and proactivity
Because Oversight is below the appropriate maturity level, improvements could include:
— Standardising risk, ethics, and performance reporting formats across entities.
— Introducing proactive oversight tools, such as early warning indicators and standardised risk heatmaps.
— Providing training to entity boards on proactive oversight behaviours.
— Embedding structured escalation procedures with clear accountability pathways.
— Improve efficiency of governance components
Although the governance framework scored 3, its efficiency sub-score indicates opportunities to strengthen the functioning of components. Improvements could include:
— Implementing annual reviews of governance charters, policies, and delegations, especially where significant changes are experienced.
— Ensuring all entities use updated and aligned governance documents.
— Creating a central repository for all governance components, accessible across the controlled group.
— Deepen purpose embedding and measure its impact
While Purpose scored 3 overall, improvement is still needed to achieve consistent maturity. Improvements could include:
— Developing group-wide Purpose-embedding tools (e.g., decision-making checklists or alignment templates).
— Establishing metrics for assessing Purpose impact (e.g., culture indicators, stakeholder trust measures).
— Encouraging entities to report on Purpose alignment during strategic discussions.
— Promote shared governance understanding across entities
To enhance behavioural maturity across all dimensions, improvements could include:
— Conducting governance workshops for governing bodies to strengthen shared understanding.
— Facilitating cross-entity learning through governance forums.
— Offering targeted support to entities with lagging governance maturity, such as ABC Logistics.
- Establishing improvement targets
ISO 37014 encourages the controller to set both short-term and long-term improvement goals that align with the appropriate maturity level and resource realities.
The ABC Group Board’s targets were as follows:
— Short-Term Targets (12–18 months)
— Introduce a standardised oversight reporting template across all entities.
— Implement a group-wide governance document review cycle.
— Provide training for entity governing bodies on proactive oversight behaviours.
— Develop Purpose-embedding tools for use in strategy and decision-making.
— Improve communication of governance component updates across the group.
— Long-Term Targets (24–36 months)
— Establish a group-wide governance dashboard integrating risk, ethics, performance, and sustainability indicators.
— Build integrated assurance mechanisms across entities to support consistent Oversight.
— Introduce annual maturity self-assessments for entities to support continuous improvement.
— Develop metrics and indicators for Purpose alignment and culture measurement.
— Strengthen alignment between entity organizational strategies and the group governance strategy.
- Ensuring continuous improvement
ISO 37014 emphasises that improvement actions should be implemented and monitored over time to ensure that the evaluation leads to real governance enhancement.
For the ABC Group Board, this could include:
— Incorporating improvement actions into board calendars and operating plans.
— Assigning clear responsibilities for each improvement area (e.g., Group Governance Office, entity company secretaries, committee chairs).
— Requiring quarterly updates from controlled entities on progress.
— Conducting a follow-up governance maturity evaluation within 24–36 months.
— Using insights to refine the group governance framework and strategies.
This approach ensures that governance maturity development is not a discrete activity, but an ongoing governance practice embedded into the functioning of the controlled group.
- Conclusion
This worked example illustrates how the ISO 37014 guidance can be applied in practice to assess and improve the governance maturity of a controlled group of organizational entities. Using the ABC Group scenario, the evaluation demonstrated the importance of following the structured, evidence-based measurement approach. Through the sequential activities of Commit, Design, Implement, Oversee, and Action, the controller was able to conduct a comprehensive assessment that reflected both the governance environment of each controlled entity and the functioning of the controlled group as a whole.
The evaluation results highlight that the calculated maturity level is not the most important outcome. While the aggregated governance maturity score of 2 provides a useful indication of the present level of maturity, ISO 37014 emphasises that this figure is only a starting point. Appropriateness, not numerical maximisation, is the correct lens through which maturity should be interpreted. The ABC Group Board, acting as the controller, appropriately determined that a higher maturity level of 3 (Formalized) is suitable for the group’s context, risk profile, governance needs and resource realities. This alignment with the guidance in Clause 6.4 reinforces a core principle of ISO 37014: governance maturity should be fit for purpose, proportionate, and reflective of the controlled group’s circumstances, not merely the product of arithmetic calculation.
Perhaps the most significant insight from the worked example is that the true value of a governance maturity evaluation lies in the discussions and improvements it enables. The process supported richer dialogue between the controller and the controlled entities, built a shared understanding of governance expectations, and revealed areas of variability that could impact the controlled group’s ability to achieve its group purpose. These insights directly informed improvement priorities, such as strengthening oversight consistency, harmonising governance components, and deepening Purpose embedding, which will support more reliable, transparent, and aligned governance practices across the group.
Ultimately, the evaluation illustrates that governance maturity is a dynamic, developmental journey rather than a fixed classification. ISO 37014 positions governance maturity measurement as a mechanism for continuous improvement, collaboration, and stewardship. The ABC Group example shows how applying the standard can help a controlled group not only understand where it stands today, but decide where it ought to be, and take meaningful steps toward achieving that level of maturity. Through this approach, the controlled group strengthens its capacity to realise its group purpose and uphold the governance outcomes of effective performance, ethical behaviour, and responsible stewardship, benefiting both the controller and the controlled entities.
