

Governance Capability Assessment


To implement Enterprise Governance, the executive management and, where one exists, the supervisory board should follow scenarios to evaluate, direct and monitor business operations in alignment with the adopted governance objectives. In this sense, “Enterprise Governance” is driven by the organization’s specific business goals and the governance objectives that enable them, rather than by generic “checklists” derived from a control or regulatory framework. When the Governance Capability Assessment concept based on the ISO/IEC 15504 standard (SPICE) is applied, the evaluation of compliance focuses on how the capability profiles of the implemented core business and governance processes align with the governance objectives customized for the Enterprise Goals. This customization takes three dimensions into account:

  • the business operation (processes and activities) under scope,
  • the applicable governance practices from recognized reference models and
  • the capability level targets.


 Figure: Dimensions of Governance Capability Assessment


By using the Governance Capability concept when customizing governance objectives, management is able to present management assertions that are aligned with both business-specific and generic (e.g. regulatory) requirements. These assertions link business activities to governance practices within the applied capability assessment model, supporting both the implementation of the Enterprise Governance Framework and its internal and external evaluation.

The term “Governance Capability Assessment” is used in the context of Governance, Risk Management and Internal Control processes and builds on several different concepts:

  • Corporate Governance Principles and Codes (OECD, etc.)
  • Recognized Control Frameworks and Reference Models (like COSO, COBIT, Enterprise SPICE, etc.)
  • Risk Tolerance and Risk Appetite (as defined in COSO ERM)
  • Performance Measurement (as defined in COBIT)
  • Process Capability Assessment (ISO/IEC 15504-2:2003)
  • Evaluating Process-related Risk (ISO/IEC 15504-4:2004)
  • Quantitative Performance Measurement (ISO/IEC TR 15504-7:2008)

Internal and external audit standards (such as those of the IIA and the ISAs) recommend a system-based evaluation of existing internal controls against internationally recognized control frameworks such as COSO (Internal Control - Integrated Framework) and COBIT (Control Objectives for Information and related Technology). The contents of these frameworks, as well as other models such as Enterprise SPICE, can be used to set up Process Reference Models that comply with the requirements of ISO/IEC 15504-2.


The processes selected from the COSO, COBIT and Enterprise SPICE reference models, combined with the process attributes defined in ISO/IEC 15504-2, provide a common basis for performing governance capability assessments for Enterprise Governance and for reporting the results on a common rating scale. ISO/IEC 15504 (SPICE) offers not only a transparent method for assessing the performance of the relevant governance processes, but also tools for assessing the related risk areas based on the gaps between the target and the assessed capability profiles.

However, traditional compliance-driven approaches face a major problem: there is no evidence that compliance (with any model) really drives business success. On the contrary, all of the large companies that failed in recent decades had been “equipped with” long lists of compliance and excellence records for many years. The key problem is that managing compliance issues focuses only on lower-level outcomes, such as activity goals, without considering the overall success factors. Enterprise Governance should focus on the wider internal and external contexts of risk, defined as the effect of uncertainty on enterprise objectives, as referred to by the ISO 31000 Risk Management standard [9]. Quantitative Performance Measurement covering the overall governance structure is needed to establish useful risk criteria that support management decisions at all organizational and operational levels.

Most of the metrics applied in Quantitative Performance Measurement, such as those related to the “Usefulness” and “Efficiency” generic attributes, are typically not interpretable in terms of the ISO/IEC 15504 process capability levels. These metrics are applicable in the business context of the processes, where they provide a tool for defining and/or adapting economically meaningful base practices as process performance (level 1) indicators. There is no point in establishing such metrics for the generic practices of the higher capability level Process Attributes; however, it is more than reasonable to highlight the generic attribute metrics of those business or governance practices that are identified as enablers of higher capability level practices for all processes within the scope of the process assessment model. The base practices adapted from control frameworks or reference models as performance (level 1) indicators of a governance process can be used to determine risk appetite at the operational and organizational levels.












