Net-Positive Management: A Governance, Risk, and Compliance Meta-Framework
Description
Organizations implementing multiple management-system standards face structural fragmentation: independent scopes, duplicated evidence, and parallel audit cycles that erode strategic coherence and degrade governance into checklist compliance. This whitepaper introduces Net-Positive Management (NPM), a governance, risk, and compliance (GRC) meta-framework that integrates existing standards without replacing them. NPM is organized by four structural commitments: a teleological criterion derived from Polman and Winston's Net Positive standard; a logical gate of five ethical invariants grounded in Ellul's ethics of self-limitation and Jonas's ethics of responsibility; a Domain-Driven Design architecture (Evans, Brandolini) that models governance over stakeholder impact surfaces rather than organizational hierarchies; and a dynamic causal analytics pipeline (DCCA) operating under Pearl's structural causal models and Gama's concept-drift adaptation. The framework produces a traceable chain from strategic purpose through Bounded Contexts, Ethical Performance Indicators (EPIs), and Behavioral Event Signals (BES) to audit evidence. NPM materializes in seven artifacts constituting a Minimum Viable Compliance baseline and eight phases orchestrating their production and continuous verification. The whitepaper formalizes the ethical gate, the MCDA weight architecture, the DCCA four-control loop, and the operationalization of invariant standards, including extraction limits and the reasonable-third-party test. The framework is standards-agnostic and jurisdiction-adaptable.
Files
Net-Positive-Management.pdf (2.1 MB, md5:9ffd8705ad5941fff8d1199ede5f5893)
Additional details
Dates
- Issued: 2026-06-02
References
- AICAD Business School. (2025). Unidad 3. El riesgo tiene que ver con el conocimiento.
- Brandolini, A. (2020). Context Mapping on a Business Grid. Avanscoperta Blog. https://blog.avanscoperta.it/2020/04/21/context-mapping-on-a-business-grid/
- Brandolini, A. (2025). Introducing EventStorming. Leanpub. https://leanpub.com/introducing_eventstorming
- Campbell, D. T. (1979). Assessing the impact of planned social change. Evaluation and Program Planning, 2(1), 67–90.
- Chernov, D., Ayoub, A., Sansavini, G., & Sornette, D. (2023). Averting Disaster Before It Strikes: How to Make Sure Your Subordinates Warn You While There Is Still Time to Act. Springer Nature. https://doi.org/10.1007/978-3-031-30772-0
- Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022 amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC and Directive 2013/34/EU, as regards corporate sustainability reporting (CSRD). Official Journal of the European Union, L 322. http://data.europa.eu/eli/dir/2022/2464/oj
- Ellul, J. (2021). The Technological Society. Knopf Doubleday Publishing Group. (Original work published 1964.)
- Evans, E. (2004). Domain-Driven Design: Tackling Complexity in the Heart of Software. Addison-Wesley.
- Gama, J., Žliobaitė, I., Bifet, A., Pechenizkiy, M., & Bouchachia, A. (2014). A survey on concept drift adaptation. ACM Computing Surveys, 46(4), 1–37. https://doi.org/10.1145/2523813
- Goodhart, C. A. E. (1984). Problems of Monetary Management: The U.K. Experience. In Monetary Theory and Practice. Macmillan.
- International Organization for Standardization. (2018). ISO 31000:2018 — Risk management — Guidelines. https://www.iso.org/standard/65694.html
- International Organization for Standardization. (2021a). ISO 37000:2021 — Governance of organizations — Guidance. https://www.iso.org/standard/65036.html
- International Organization for Standardization. (2021b). ISO 37301:2021 — Compliance management systems — Requirements with guidance for use. https://www.iso.org/standard/75080.html
- International Organization for Standardization. (2022). ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements. https://www.iso.org/standard/27001
- International Organization for Standardization. (2023). ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system. https://www.iso.org/standard/42001
- International Organization for Standardization. (2025). ISO/IEC 27701:2025 — Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. https://www.iso.org/standard/27701
- Jonas, H. (1984). The Imperative of Responsibility: In Search of an Ethics for the Technological Age. University of Chicago Press.
- Kaplan, R. S., & Norton, D. P. (1992). The balanced scorecard: Measures that drive performance. Harvard Business Review, 70(1), 71–79. https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2
- Kaplan, R. S., & Norton, D. P. (1996). The Balanced Scorecard: Translating Strategy into Action. Harvard Business School Press.
- Kaplan, R. S., & Norton, D. P. (2004). Strategy maps: Converting intangible assets into tangible outcomes. Harvard Business School Press.
- López Cerezo, J. A. (2018). La confianza en la sociedad del riesgo (1ª ed.). Sello.
- Lundberg, S. M., & Lee, S.-I. (2017). A unified approach to interpreting model predictions. arXiv preprint arXiv:1705.07874. https://doi.org/10.48550/arXiv.1705.07874
- Patton, J. (2014). User Story Mapping: Discover the Whole Story, Build the Right Product. O'Reilly Media.
- Pearl, J. (2013). Causality: Models, Reasoning, and Inference (2nd ed., reprinted with corrections). Cambridge University Press.
- Polman, P., & Winston, A. S. (2021). Net Positive: How Courageous Companies Thrive by Giving More Than They Take. Harvard Business Review Press.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, L 119. http://data.europa.eu/eli/reg/2016/679/oj
- Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA). Official Journal of the European Union, L 333. http://data.europa.eu/eli/reg/2022/2554/oj
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L 2024/1689. http://data.europa.eu/eli/reg/2024/1689/oj
- Ren, J. (2021). Multi-Criteria Decision Analysis for Risk Assessment and Management. Springer International Publishing.
- Verwijs, C., Schartau, J., & Overeem, B. (2021). Zombie Scrum Survival Guide: A Journey to Recovery. Addison-Wesley.
- Wallerstein, I. M. (2011). El moderno sistema mundial (2nd expanded ed., P. López Máñez, Trans.). Siglo Veintiuno.