Demystifying Corporate Governance With ISO 37000 | Interview with George Kesteven
Dejan Kosutic: Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity, governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today, my guest is George Kesteven, and he's the CEO at Frontex, from Australia, and he's one of the leading experts for corporate governance management systems.
Dejan Kosutic: Now he has over forty years of experience in management consulting, and he has clients almost all over the world: in Australia, North and Central America, and Europe. And he's focused on knowledge management and documentation that supports the governance activities of his clients. So in today's podcast, you'll learn what governance is, why it is important, and how to use it for various ISO standards. And, especially, we will focus on the standard ISO 37000, which is basically a standard around governance. So welcome to the show, George.
George Kesteven: Thank you, pleasure to be here.
Dejan Kosutic: Great to have you here. So George, why did you actually choose to focus on governance as one of your main, let's say, activities in consulting?
George Kesteven: Okay, my work has been based on the observation that in most organisations the documentation is awful. As a result of that, the governance and compliance activities are at risk, they're challenged, because governance and compliance rely on good definitions of what the organisation is trying to achieve and what it does to meet its governance objectives.
George Kesteven: And in practice that turns out to be a fuzzy mess that typically... Yeah, unfortunately yes. Most organisations, their documentation is, as one of my clients described it, a fetid swamp of dead documents. And this puts the organisation at risk, and it puts the directors and officers personally at risk. Increasingly there's personal liability for directors, and they are expected to oversee what the organisation does. They're expected to be able to substantiate that the organisation is meeting its obligations.
George Kesteven: And with lousy knowledge management, a lot of organisations, they don't even know what those obligations are, let alone what the organisation has in place to meet those obligations.
Dejan Kosutic: Okay, and if I understood well, with, let's say, better governance and with better documentation, the companies will, let's say, handle whatever processes they have. Is this the point here?
George Kesteven: There are several points, but yes, that clearly is a key one. There's also the very obvious point that compliance failures can be catastrophic for an organisation. You will have heard, I'm sure, that the safety consultants have a mantra: if you think safety is expensive, just try having an accident. It is very much the same with governance and compliance, that if you fail to meet a compliance objective, a compliance requirement, it can be catastrophic for your organisation. And in practice doing it well is less effort than doing it badly.
Dejan Kosutic: To kind of continue on this topic, I noticed that you mentioned in your LinkedIn profile this corporate governance management system. So can you explain what this actually is?
George Kesteven: Okay, our core proposition is that trying to manage corporate knowledge, that is the policies, procedures and everything else that you ought to be writing down about how your organisation is functioning, trying to manage that body of knowledge as a collection of separate documents, which is the way essentially everybody does it, is doomed to failure. It just cannot work in a live organisation. There is too much going on and no individual manager is in a position to maintain that body of knowledge as a whole. So what we're calling Corporate Governance Management Systems is a methodology for managing that body of knowledge as a single integrated body of knowledge.
George Kesteven: In place of documents you have in effect a database of pages, but the idea is that you have everything in one place and you are mapping your obligations and your compliance requirements to the things that are actually going on in the organisation to meet those requirements.
Dejan Kosutic: Okay, now you mentioned that this is a body of knowledge. Now typically people think of a body of knowledge as, let's say, knowledge bases and similar, whereas they think of policies and procedures as basically internal rules, not really a body of knowledge. So why do you actually consider these internal rules as a body of knowledge?
George Kesteven: Because it's the accumulated wisdom of the organisation, that all of the things that you've got in your policies and procedures are the outcome of management thinking and management decisions. That the organisation will have an objective: we need to be safe, we need to be sustainable, we need to meet quality objectives and so on. And for each one of those objectives, the organisation has, people have had to sit down and think about it: how are we going to do it? And they build their knowledge of that, they record it in the form of policy and procedure statements, and they have to communicate it to people. None of your policies, procedures, things like that mean anything unless you can actually show that that information has made it to the people that need it.
George Kesteven: So what we refer to as knowledge means that collective know-how, knowing how the organisation is intended to function, and protecting that know-how as people move on, people leave, new people come in, the systems change and so on. And that should be a continuing aggregation of wisdom, not a depreciating library of documents that go out of date.
Dejan Kosutic: This is certainly an interesting approach to documentation and we'll come to this later, but let me first ask you: how is this governance, let's say management system, related to ISO 37000? And what is ISO 37000 in the first place?
George Kesteven: Okay, ISO 37000 is a set of guidelines, it's not a certification standard, that is written, directed at governing bodies, boards of directors, to provide a top-level view of what it means to say that an organisation is well governed. It sets out a set of principles that the organisation should meet. There are two categories: they are the things the organisation ought to have in place so that it is capable of meeting its objectives, and then things it ought to have in place to show that it actually does meet its objectives.
Dejan Kosutic: Okay. Can you give me some examples of what the principles are, the main principles in the standard?
George Kesteven: Okay, the governing body should be competent to meet its obligations. I mean that is one of them. It should be sufficiently equipped to meet its obligations. It should have systems in place to make sure that stakeholder concerns are taken into account in its decision making. That it should be able to show that its decision making is based on data, that the managers who have governance responsibilities need to be able to distinguish between their governance activities and their management activities.
George Kesteven: That the delegation from the governing body to personnel within the organisation needs to be well defined. These are all really fairly obvious things. The point of the standard is just that it spells them out in a consistent way. It's also important to note that the standard itself says that not every organisation needs to achieve optimum performance on every one of these. You need to consider to what extent they are actually relevant to what your organisation is doing.
Dejan Kosutic: Typically, which kind of organisations do you find the most suitable to actually implement these principles, these guidelines? So is it larger organisations, I don't know, public organisations, governments, or private, small ones?
George Kesteven: Well, the standard is useful for any organisation that has a board of directors. Even a system that we set up fairly recently was for quite a small not-for-profit organisation. And for them it is useful just as a discussion point: are we as a group doing everything we ought to be doing to make sure that this organisation is behaving properly, that it is sustainable, that it will continue to work well even when members of the Board of Governors move on and so on. In their case they don't need to go very much further than that, but the larger and more complex the organisation, the more value there is in working through each of these elements in detail, at least some local detail. In part because it identifies gaps in the management system as well.
Dejan Kosutic: Okay, do you maybe know if, let's say, there is this Fortune 500, let's say in the US, are most of these companies actually implementing these principles?
George Kesteven: They will all be implementing at least some of these principles. I mean, every organisation where the Board of Directors is thinking about its own activities will in fact be doing some of these. The idea of ISO 37000 is just to establish consistency as to how they do it and a consistent terminology. ISO 37000 is coupled with ISO 37004, which is simply a way of measuring the extent to which an organisation complies with 37000, and I think the long-term objective is that organisations will start to report the extent of their governance maturity using these two. I'm not aware of anyone much doing it yet, but I think it will come.
Dejan Kosutic: It's interesting, actually there is this ISO 27004 which is also about measurement objectives and measurement of security management, right? So it's interesting, actually the numbering is also following here. Are there any other standards related to 37000 that are important?
George Kesteven: Well, there are any number of standards that are relevant, sort of, for the next level down. Okay, 37000 is very much the top level, it's saying that if you're the Board of Governors, here's how you view your governance system as a whole.
George Kesteven: And then for each of those elements you may choose to use some of the more detailed...
Dejan Kosutic: Because you mentioned this 37004, is there 37005 or something like this?
George Kesteven: Not that I'm aware of, no.
Dejan Kosutic: Okay. Just to clarify here, there is also this standard 37001 which is anti-bribery, it's, from what I understood, not related to, at least not directly related to 37000.
George Kesteven: Well, it's not directly related, but in 37000, one of the principles is that you have to ensure that your organisation's behaviour is ethical. Okay? Now the organisation might well decide that to implement that, to meet that requirement, it will choose to comply with 37001 as part of what it does to ensure ethical...
Dejan Kosutic: Okay, okay. Yeah, this numbering is a little bit confusing because it's usually the... Yeah, the same, I agree. Unfortunately, but okay. Okay, so how can actually consultants, or I would say... and actually before I go into this, another question: you mentioned that there is a distinction between governance and management, right? So can you please explain this?
Dejan Kosutic: What then is governance and how is this different from management?
George Kesteven: Okay, what the standard has in mind there, I think (I wasn't party to the writing of it), is that supposing the organisation says we're going to comply with such and such a standard, the organisation's managers are responsible for the day-to-day activity of the organisation, but separately they may be required to step back and report to the board on instances of compliance failure, of policy failure, it's that kind of distinction. I mean, I would say in 37000 at a high level you are expecting people to be reporting to the board on your compliance, your governance activities. Now that's not directly related to your management activities.
Dejan Kosutic: Okay, because you know very often this term governance is not only seen as something that is related to the board, but also something that is related to, well, management in some cases. For example, there is this IT governance concept. Right? There is a standard called 38500, I think, which speaks about IT governance. And it's basically really about IT processes on this lower, I would say managerial, level.
George Kesteven: This is very much the case and indeed this was part of what led to the development of our methodology and our governance management system, as a way to pull together these various elements. You're absolutely right, the word governance is thrown around a lot with quite a few very different meanings. Part of the problem, and indeed this is what we are aiming to address as consultants, is that when you talk about board-level activities, the guidelines all say that the directors have to oversee what's going on, exercise oversight, all of that kind of thing. What is very difficult for them at present in most organisations is knowing what they can actually look at. Back to my original point about lousy documentation. And a great deal of what is going on within organisations also falls under the heading of governance, as you just mentioned, with IT, a heap in financial services as well, and all the know-your-customer regulations and the anti-money-laundering stuff and so on.
George Kesteven: We in practice try to just stay away from the word governance in a sense, for exactly this reason.
Dejan Kosutic: Okay. But can we then conclude that, let's say, corporate governance is something that is related to the boards of companies, whereas governance can be used also in terms of, let's say, management on a more day-to-day level?
George Kesteven: Yeah, that's a great distinction. Unfortunately, you run into complications even with that, that corporate governance in some circles is taken to mean: is the company going to rip off its shareholders? Is this sovereign risk? You know, all that kind of stuff also gets called corporate governance.
Dejan Kosutic: Now let's get into a more practical, let's say, thing. So most of, let's say, our audience is really dealing with, you know, various frameworks, standards like 27001, NIS 2, DORA, ISO 9001, SOC 2 and similar. So how can ISO 37000 help consultants or professionals dealing with these other standards? How can it help them?
George Kesteven: Okay. Its value is when you take a step back and say: is this organisation actually doing all the things it should be doing? If you're focused on any one of those individual standards that you just mentioned, then ISO 37000 doesn't help you, it's the other way around. If you say, okay, here's an organisation, what is it currently doing? Can anyone put hand on heart and say this organisation is aware of its obligations and is doing everything it should to meet them?
George Kesteven: But the first question is, is it aware of its obligations? Now those may be regulatory obligations or they may be management system standards that the organisation ought to be dealing with for commercial reasons, for social-licence-to-operate reasons and so on. And ISO 37000 is just a starting point for looking at the organisation, saying: is it actually doing everything it should be doing? Is the board in a position to be governing this organisation at all? If you're a consultant working within the organisation, you never see the board members and you're focused on one specific area, then I would say ISO 37000 isn't really going to help you.
Dejan Kosutic: But okay, as you were saying, if 37000 is not useful for, for example, ISO 27001, if I understood well, it's the other way around, then how is it useful for consultants? I mean, how is ISO 37000 useful for consultants?
George Kesteven: Okay. There is quite a demand from boards who want assistance in formulating their roles and responsibilities, right at the top level. It is not uncommon, particularly if you get into smaller organisations and not-for-profits, where the directors don't come with a history of corporate management. And those kinds of boards quite often are looking for consultants to help them formulate a big picture of what they as a group should be doing and what they should be looking at when they look at their organisation to establish that the organisation is behaving as it should. Okay, very much the picture.
Dejan Kosutic: Yeah, it makes sense. So from what I see, this ISO 37000 and this governance in general, it could be kind of a, let's say, an upsell for consultants that are already working with companies. Right? If they're already implementing, I don't know, DORA or NIS 2 or SOC 2, if they're already, I would say, on good terms with the senior management, they can actually offer this as a second project where they can actually help them with this general-level governance thing, right?
George Kesteven: Yeah, I agree entirely that it is a common failing in organisations that they don't even have a register of their compliance requirements. But if you are in there as a consultant providing services in relation to one particular requirement, you can at some point step back and say, okay, well this is one of a list, show me the rest of the list, and they will say, well we don't know what should be on it, and you then say, well let's work our way through ISO 37000 and think about it.
Dejan Kosutic: Okay, now let's go back to lousy documentation. From my experience, companies typically do not look at this documentation as a body of knowledge or, let's say, best practices. They simply see it as something that needs to be done. And in most cases, something that they don't do very willingly, right? They're usually seeing this as overhead.
Dejan Kosutic: So can you explain a little bit this concept, actually, of how to turn this thinking around, that actually that documentation is basically your best knowledge, your best practices, and that this is something good for a company?
George Kesteven: Right, well just to step back a little: when I'm talking about lousy documentation, a metric that we have found, if you take an organisation that has been running for more than five years or so, and you get their current collection of documents, and actually work through it (you'll be the first person in history that's ever looked at them all), we find that on average 65% of the pages are obsolete or duplicated or irrelevant. Which means that the amount of work the organisation is doing to audit, for induction and training, onboarding, all of that is burdened with all of these extra dead documents, and it's also an enormous value. I was with a client just a week ago and we just did a quick tally of how many dead documents they have in their system, and made an estimate of how much management time went into creating those. And it means they're sitting there, currently, on our estimate, with $7,500,000 worth of dead documents. So the concept that we have approached is to say, okay, we're not focused on documents but on what's in the documents, and this is really what we mean by knowledge.
George Kesteven: Okay, so here's a piece of information, it's a policy statement or it's a procedure or whatever it is. For that piece of information, who is accountable for what it says, which also in practice means who has authority to change it and issue a new one? How does it relate to other pieces of information in the system? So if it's a procedure, it belongs on someone's position description; if it implements a policy, or more than one policy, then there has to be a link between that policy and this piece of information. For which employees is it required knowledge, that is, is it something they need to know before they can even start work, like the code of conduct or, in industrial situations, anything to do with safety, that sort of stuff. And then who are the people that need access to it, they don't need to know it but they may need to look for it, okay?
George Kesteven: And that means they also need to be told when it changes. Now all of that, that's what we mean by the knowledge management, and in this day and age all of that can in fact be automated. So the idea is that managers, if they're designing a procedure or writing a policy or whatever they do, they shouldn't be spending any time at all on documents. They should be thinking about: how do we do this better?
Dejan Kosutic: That's... okay. And you're saying that the managers should not be spending time on writing documents?
George Kesteven: Should be... Okay, managers should be designing better procedures, or writing policies. They shouldn't be bogged down in the detail of creating documents; they're creating content and everything else should happen behind the scenes. To give you the sort of thing that... Sorry, you're about to ask?
Dejan Kosutic: No, no, if you can give me an example here just for me to understand better this distinction between...
George Kesteven: Okay. Supposing you've got a bit of your organisation and there's a procedure that isn't working properly, bad things are happening. So currently, typically what happens is you get the team together, you sit down in a room, you decide what changes you're going to make, and you go out and you implement those changes, and then sometime, some months later, you'll get around to updating the document. The way we do it, we have the team together in the room, we put the procedure up on screen because everything we do is online, and we make the change there and then on screen, saying this is what our new procedure is going to be, and we say, yeah, okay, do it. And the documentation is updated at that point. There's no delay and no one has done anything with documents at all.
George Kesteven: There are no documents in our system.
Dejan Kosutic: So you're saying that the managers should update the documents basically on the go without any formal approvals, or what?
George Kesteven: No. Okay, now two things. First, they're not updating documents at all, they're updating procedures. These are just pages in our system. The approval is, well, obviously you have a structure as to who can approve what, and I mean the example I just gave assumed that the person with approval authority is in the room. If they're not in the room then they ought to be.
George Kesteven: But if they're not, then you forward the proposal to the person who can approve it.
Dejan Kosutic: Okay, are you saying that procedures are not documents? Because I use the word documents, and by documents I mean policies, procedures, plans, these kinds of things.
George Kesteven: Okay, this is the conceptual change that I'm trying to get across here. The way we do it, we have a system of individual pages, we have no documents.
George Kesteven: And so if you have a procedure, it is a page in a system. It is in that sense a document, in that it's words on a screen, but we're not mucking around with Word documents or PDFs or anything like that.
Dejan Kosutic: So you're saying that technically it's much easier to change the text of a particular policy or procedure because you don't have to really create a new document in Word or something like this.
George Kesteven: Yeah, absolutely. Partly it's easier for that reason. It's also easier because with the information compartmentalised and broken down into very small units, you can just go and change this procedure. So you know, we're changing the order of the steps, things like that. And it is just a single page, not 20 pages of stuff that needs to be edited.
Dejan Kosutic: Now going back to the concept of knowledge and documents. So, typically, people think of knowledge as something that is rather unstructured and something that provides, let's say, guidance, not so much something that is mandatory. Right? Whereas policies and procedures are something that is very structured and it's mandatory. So how do you kind of reconcile these two concepts and...
George Kesteven: Okay, I don't have any problem with the concept of structured knowledge. That for us, we've got the organisation as a whole and its Board of Governors' intentions for how that organisation should function, and that body of knowledge is then quite clearly structured. We normally take an approach of first just defining what the organisation is, which in anything other than a small business is often surprisingly challenging. Then what are its governance objectives? And then below that, what policies do we have in place to support those governance objectives, what procedures do we have in place.
George Kesteven: So we set up a structure of knowledge in which each of these elements has a defined place. Perhaps the word knowledge is causing an issue here, but yeah, we certainly have not had any pushback to date on this aspect.
Dejan Kosutic: Very good. So basically let's go back to the topic of 37000. So if a consultant wants to kind of move into this area, what would you suggest, where to start with ISO 37000?
George Kesteven: Okay, the starting point might be the Board of Directors wanting guidance on the organisation as a whole, as we talked about, or it might be, if the consultant is already in the organisation dealing with a specific area, that the next step for them is to take a broader view of the organisation and look at the 18 elements of 37000 and perhaps create a report saying: okay, the organisation... I mean, the first maturity rating in 37004 is: is the organisation aware of this principle at all? And the consultants might well be able to come back with a very short, simple report for the organisation, the senior personnel, saying, here are some holes in your governance system, here are some significant gaps, and I would like to suggest a project to fill them.
Dejan Kosutic: Okay, so basically go with some kind of a gap analysis, and then after that, based on these gaps, propose a project for the implementation, right?
George Kesteven: Yeah, yeah.
Dejan Kosutic: Okay, great.
George Kesteven: The standard was written with that in mind, indeed.
Dejan Kosutic: Okay, great. Are there, let's say, laws or regulations in Australia or, I don't know, Europe or North America which, let's say, specify corporate governance? And if there are, how is then 37000 useful for these kinds of use cases? I mean, for compliance with these kinds of regulations?
George Kesteven: 37000 says that the board of directors needs to make sure that the organisation is meeting its compliance obligations. Okay, it is at that point that laws come in, and so if you were to say to the board of directors, are you aware of all the legal requirements that the organisation actually has to do things to comply with?
George Kesteven: And if you really want to get them moving as consultants, say, are you aware of which of these have personal liability for directors and officers? In Australia there's now the offence of industrial manslaughter, where if someone is killed in the workplace as a result of management failure, then directors and officers can go to jail. Okay? And one of the elements of 37000 says, are you aware of your compliance obligations, and are you making sure that your organisation is meeting them?
Dejan Kosutic: Okay, okay, understood. And if a consultant is completely new to 37000, so besides purchasing the standard, are there some courses available or some other, let's say, learning materials to go in this direction?
George Kesteven: I'm not sure. We're certainly working on building elements on the Frontex website that address exactly this. Most of the consulting work that is currently going on around 37000, as far as I can tell, is from consultants that want to offer high-level board of directors assistance. Where I think there is an opportunity, and this is obviously the direction of my own consulting work, is the next level down: what the organisation actually does to meet all these requirements, and in doing so, what documentation does it have.
Dejan Kosutic: Okay, great. Now you mentioned also this, if I understood well, 37004 is about, what, measurement of governance. Right?
Dejan Kosutic: And how do you actually measure if a company is well governed?
George Kesteven: Okay, the way 37004 proposes it, you work your way through the 18 elements and for each element you give three scores, zero to five, zero meaning nothing in place, through to five, it's optimised with continuous improvement.
Dejan Kosutic: It's kind of a maturity scale, right?
George Kesteven: Yeah, very much so. And what you're looking at first is, in relation to each of these principles, the organisation's behaviour, as in, does it acknowledge this requirement at all? If so, has it made a statement about it? Has it promulgated that statement? Has it developed procedures and so on?
George Kesteven: Then the effectiveness of what you've done, as in, are your procedures implemented, are people trained in them and so on, and then the efficiency of those. So for each principle you come up with these three scores, then the rating for the principle as a whole is the mean of those three rounded down, and so on.
Dejan Kosutic: Great, it sounds like a very good and very precise tool for measurement. And actually it comes to my mind that it can also be used as a gap analysis, right, for doing this initial gap analysis and to see where the company is lacking, right?
George Kesteven: Oh yeah, and in fact the standard actually proposes that for each element you will set short- and long-term targets, improvement targets, and they also make the point that you don't need to be aiming for a perfect score on every element. For some organisations you can quite reasonably decide that we don't need the principle at all or we don't need to go very far with it.
Dejan Kosutic: Okay, great, great. It sounds like a very useful standard. Okay. Another question on a different topic. So very often, there is this ESG, like, concept, like the environmental, social, and governance.
Dejan Kosutic: And so is this standard, I mean, 37000, let's say, useful for companies that go for this ESG, environmental, social and governance?
George Kesteven: Certainly it should be, and the standard was written with that in mind. This comes back in part to the fuzziness around the word governance. That governance in the ESG concept is a lesser thing than corporate governance in the 37000 sense, because from the 37000 point of view environment and sustainability are components, I mean they are principles within 37000. Nonetheless, they all touch on this same basic issue: can we define what we mean when we say our organisation is well governed, and can we prove it? They all in a sense come back to that.
Dejan Kosutic: Then let's wrap up the call. And what would you suggest to consultants when thinking about ISO 37000 or governance? What should they focus on and what should they take the most care about?
George Kesteven: Certainly they need to be precise with their definitions. Okay, when they start talking to the organisation, start talking to directors and officers, they will find that there is the same confusion about what the word governance means. And it can be useful to just spell it out quite precisely. This gap analysis, as you put it, is certainly a very good way to start. Make sure you don't try to do everything all at once.
George Kesteven: I mean clearly, in anything other than a small business, it is a very large can of worms that you're opening. But it is valuable to an organisation to get this right. It does in fact reduce the total amount of work that its managers have to do once they understand what it is you're on about. Doing things well, doing things consistent with all the standards and compliance requirements and so on, is actually less work once you've set up the systems to do it.
Dejan Kosutic: Yeah, yeah. Okay, great. Well, thank you for these insights, George, and I learned a lot today about governance and especially about 37000. So thank you.
George Kesteven: My pleasure. Thank you.
Dejan Kosutic: Okay. So just to mention that I also did an interview, I mean, a podcast episode, two episodes before, around how to handle documents. So this was an interview with Carlos Cruz, and you can also take a look at this episode if you're interested in writing policies and procedures. And this was it for today. Thank you everyone for listening or watching this podcast, and see you again in two weeks' time in our new episode of the Secure and Simple podcast.
Dejan Kosutic: Thanks for making it this far in today's episode of the Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website, you can check out various tools that can help your business. For example, Conformia software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white-label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients.
Dejan Kosutic: Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS 2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up, it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today, stay safe!
