A practical guide to building an effective corporate governance framework in Saudi Arabia — comprehensive checklist, policy templates, and actionable steps.
This content is for educational and compliance awareness purposes only. It does not constitute legal advice. Consult a licensed attorney for legal counsel.
A governance framework is not a single document — it is a system of policies, structures, and practices that work together. An organization with a board charter but no committee bylaws is like a house with a roof but no walls. This guide presents practical steps with checklists and templates ready to adapt to any organization's size and nature.
Organizations that settle for "we know how we work" without formal documentation face sharply higher risk in three situations. When seeking financing or investment: institutional investors require governance documents as a basic condition of due diligence. During rapid growth: what works with 20 employees collapses at 200, because personal relationships cannot substitute for formal systems. During regulatory audits: supervisory authorities such as the CMA and SAMA do not accept "we usually do it this way" as an answer.
The Saudi Companies Law (originally issued by Royal Decree No. M/3 of 1437H and replaced by a new Companies Law in 2022) sets clear structural requirements. Every joint-stock company must have a board of directors of 3 to 11 members. Listed companies face additional requirements under the CMA Corporate Governance Regulations, including independent members and specialized committees.
Step one: diagnose the current state. Before building anything, the organization needs to understand where it stands through 10 diagnostic questions: Is there a formally constituted board with an approved resolution? Is there a written board charter? Are there independent members? Are there specialized committees with written bylaws? Is there a conflict of interest policy? Are meetings held with formal minutes? Is there an annual meeting schedule? Is board performance evaluated? Is there a decision follow-up mechanism? Is there a data protection policy? Every "no" answer represents a gap that must be addressed.
Step two: design the organizational structure. The core components are arranged in three layers. Layer one: the General Assembly of shareholders, the supreme authority that appoints the board, approves the financial statements, and approves the distribution of profits. Layer two: the board of directors and its specialized committees. The essential committees are the audit committee (mandatory for all listed companies), which handles financial oversight and compliance; the nominations and remuneration committee, which handles leadership selection and compensation; and the risk committee, which monitors institutional risk. Layer three: executive management and internal audit.
Each committee must have written bylaws defining: authorities and responsibilities clearly, committee composition and membership requirements, meeting quorum and voting mechanisms, meeting frequency (audit committee: at least 4 meetings annually), and mechanism for reporting and recommendations to the board.
Step three: draft policies by priority. Seven core policies arranged in three phases. Phase one within 3 months — mandatory essentials: (1) Board charter — defines the board's authorities, responsibilities, operating mechanisms, and independence criteria. (2) Conflict of interest policy — regulates member disclosure of direct and indirect interests, and prevents participation in voting on conflicted decisions. (3) Committee bylaws — independent bylaws for each committee defining authorities, composition, and procedures.
Phase two within 3 additional months — strengthening transparency and accountability: (4) Disclosure and transparency policy — defines material information that must be published, disclosure timing, and channels. (5) Remuneration and compensation policy — links compensation to performance and defines clear criteria for fixed and variable remuneration. (6) Risk management policy — defines methodology for identifying, assessing, and treating institutional risks.
Phase three within 3 additional months — completing the system: (7) Whistleblower policy — provides safe and confidential channels for reporting violations without fear of retaliation. Added to this is the personal data protection policy for PDPL compliance — mandatory for every organization processing personal data.
Each policy must contain six essential elements: (a) Purpose — why this policy exists. (b) Scope — who is subject to it and when it applies. (c) Definitions — explanation of key terms. (d) Detailed provisions — specific rules and procedures. (e) Responsibilities — who implements, who monitors, who holds accountable. (f) Enforcement mechanism and penalties — what happens upon violation.
Step four: activate practices. Policies without actual practices are just paper. Activation requires six operational practices: predetermined annual meeting schedule approved at the start of each fiscal year. Agendas distributed 7 business days before each meeting with supporting documents. Detailed meeting minutes approved at the next meeting — including attendance, decisions, voting, and observations. Decision follow-up register reviewed at each meeting. Member interest disclosure register updated upon any change. Annual governance report presented to the General Assembly.
The corporate secretary is responsible for ensuring these practices are executed regularly. A qualified corporate secretary — specialized in law or governance — is recommended even for non-listed companies. Responsibilities include: preparing agendas in coordination with the board chair, documenting minutes, following up on decision implementation, and managing disclosure records.
Step five: review and continuous improvement. The governance framework must evolve with the organization and regulatory changes. This phase requires: annual review of all policies with updates as needed. Annual board performance evaluation — both collectively and individually — with an independent external assessor every 3 years. Monitoring regulatory updates from CMA, SAMA, and SDAIA and adapting policies accordingly. Benchmarking against international best practices — OECD governance principles and IFC standards.
Comprehensive Governance Checklist — Organized by Domain: Use this checklist to assess the completeness of your governance framework. Answer each item with "Exists and implemented," "Exists but not implemented," or "Does not exist." Board Domain: (1) Written and approved board charter — Why it matters: without it, there is no reference for board authority and it becomes a ceremonial body. (2) Board composition includes at least one independent member — Why it matters: the independent member asks the questions founders won't ask themselves. (3) Predetermined annual meeting schedule — Why it matters: without a fixed schedule, meetings get delayed and canceled under daily work pressure. (4) Detailed meeting minutes formally approved — Why it matters: minutes are the only legal proof of decisions in case of dispute. (5) Annual board performance evaluation — Why it matters: a board that isn't evaluated doesn't improve.
Committees Domain: (6) Audit committee with written bylaws — Why it matters: legally mandatory for listed companies, practically essential for unlisted ones as a second line of defense against financial errors. (7) Nominations and remuneration committee — Why it matters: prevents compensation inflation and ensures leadership selection based on competence not patronage. (8) Risk committee or designated risk officer — Why it matters: risks not systematically monitored turn into sudden crises. Policies Domain: (9) Conflict of interest policy — Why it matters: protects the organization from decisions serving individual interests at the organization's expense. (10) Disclosure and transparency policy — Why it matters: shareholders and stakeholders deserve accurate information for their decisions.
Reporting and Follow-up Domain: (11) Board decision follow-up register — Why it matters: decisions without follow-up are just good intentions. (12) Annual governance report presented to the General Assembly — Why it matters: shows shareholders that governance is a working system, not decoration. (13) Updated member interest disclosure register — Why it matters: undisclosed conflicts of interest expose the organization to legal liability. Audit and Compliance Domain: (14) Annual internal audit plan — Why it matters: internal audit is the board's eye on daily operations. (15) Independent external auditor — Why it matters: provides credibility to financial statements and reveals what management might conceal. (16) Personal data protection policy (PDPL) — Why it matters: a legal obligation with penalties up to 5 million SAR.
How to Use the Checklist — Scoring and Prioritization: Calculate your score across the 16 items: "Exists and implemented" = 2 points. "Exists but not implemented" = 1 point. "Does not exist" = 0. The maximum is 32 points. Score 0 to 10: Critical gap. Start immediately with the essential items: board charter, conflict of interest policy, audit committee. These three address the largest share of the risk. Score 11 to 20: Moderate gap. The basics exist but activation is lacking; focus on converting "exists but not implemented" to "implemented", because the problem is not scarcity but the gap between paper and reality. Score 21 to 26: Limited gap. Your organization is in good shape; focus on the missing items and on improving the quality of what exists. Score 27 to 32: High maturity. Continue annual improvement and engage an external assessor every 3 years for an objective perspective. Prioritize gaps by risk level: items related to legal compliance first (PDPL policy, audit committee), then items related to asset protection (conflict of interest, internal audit), then items related to operational efficiency (board evaluation, governance report).
FAQ: Does a small organization need all these policies? Not necessarily at the same complexity level. The principle is proportionality — as the organization grows and its operations become more complex, the need for formal documentation increases. But even a small organization needs at minimum: board charter + conflict of interest policy + audit committee bylaws.
Can ready-made templates be used? Yes — but customization is essential. Templates provide structure and essential elements, but must be adapted to the organization's reality: its size, sector, and specific regulatory requirements. A bank governance policy differs fundamentally from a technology company's.
How do I know the governance framework actually works and isn't just paperwork? Three clear signs: (1) Committees meet regularly and produce substantive reports — not ceremonial ones. (2) Decisions are followed up and those responsible for implementation are held accountable. (3) There is a genuine annual board performance evaluation — not just a form being filled out.
References: (1) Companies Law, Royal Decree No. M/3 of 1437H, replaced by the new Companies Law issued in 2022 (boe.gov.sa). (2) Corporate Governance Regulations, Capital Market Authority (cma.org.sa). (3) G20/OECD Principles of Corporate Governance (oecd.org).