There is a comfortable lie at the heart of corporate governance
That compliance proves integrity, that efficiency is the supreme value, that measuring the measurable is what matters.
NPM is built on the opposite instinct: the refusal to exercise power you technically have but ethically should not, made architectural. Five invariants, one gate, one core of evidence under every standard you run.
Each standard is coherent. Together they are not
Every management standard is designed in isolation from the others. Run several and you get parallel governance structures that never meet.
Fragmented scopes
A perimeter per standard. Evidence duplicated, scopes overlapping, responsibilities colliding. The documentation burden grows faster than the governance value it produces.
Binary checklists
A control is in place, or it is not. Convenient for audit, pathological for governance. It cannot tell a control that protects something from a control that only produces evidence of its own execution.
Checklist governance
Under operational pressure, compliance degrades into ritual. Conformity gets signaled. The outcomes the activity was designed to produce quietly stop happening.
The question upstream of every standard goes unasked: what is this organization for, and at what cost to the systems that sustain it?
Your risk matrix cannot see the crash coming
Probability-by-impact matrices are correlational. They plot which risks co-occur with which impacts and say nothing about the causal pathway between them. Two failures compound:
Causal blindness
The matrix treats each risk as an independent coordinate. It is structurally unable to represent the feedback and second-order effects behind most real organizational failures.
Organizational silence
Even when the risk is known, hierarchy and fear keep the signal from the people empowered to act (Chernov et al., 2023Chernov, D., Ayoub, A., Sansavini, G. and Sornette, D. (2023) Averting disaster before it strikes: how to make sure your subordinates warn you while there is still time to act. Springer Nature.). No better matrix fixes that.
NPM answers with structural causal models as the default framing for governance analytics, and invariants that make risk information flow architecturally guaranteed rather than a matter of managerial discretion.
One core. Every standard becomes a view
"An organization compliant with NPM is compliant with each of the underlying standards as a byproduct."
Five invariants. Checked, not aspired to
Every candidate control, policy, metric or model must clear all five at once. Fail one and it is not admitted. The invariants are minimums: add your own, but none of the five can be removed or weakened.
Purpose primacy
Every automation, control, metric or model must trace to the organizational purpose and the Net Positive North Star. A candidate that traces only to operational efficiency fails.
The test. A documented chain from bounded context, through a strategic objective, to the purpose declaration.
No manipulation. Judgment stays yours
No hidden persuasion. No dark patterns, internal propaganda or undisclosed nudging, and no decision support that quietly becomes decision capture. This applies to everything the organization produces.
The test. A reasonable third party, examining the mechanism, would recognize it as informing judgment rather than replacing it.
Extraction limits
For every material topic, the relevant ecological and social limits are identified, internal boundaries keep impact within them, and repair plans exist before a limit is at risk, not after.
The test. Per topic: a documented limit, a monitoring mechanism, a contingency plan. Thresholds published in advance.
Accountability for externalities
Unintended and second-order effects count, including those carried by suppliers, contractors and downstream users. Consequences the organization discovers must be acted on, not merely disclosed.
The test. The risk register includes externalized effects with named owners, and at least one evaluation cycle per year addresses them explicitly.
Auditability of the ethical limit
The limit produces evidence. Decisions, exceptions, compensations and overrides leave persistent records that allow continuous evaluation with verifiable results.
The test. An auditor can retrieve every record without asking the decision-maker.
"A control that does not pass the logical gate is not a control. It is a liability with documentation."
The five invariants, in fullCausally honest analytics
Eight pipeline stages, each auditable, implementing the DCCA loop. Stages 3 and 4 are blocking gates: bad data halts the cycle and fails loudly, before it can reach a score.
Every dashboard claim is labeled correlational or causal. Causal claims require the causation analyses: structural equations from the business map, difference-in-differences per deployed control, and a Bayesian network once the data supports it. A claim that cannot be supported at the level it is presented is downgraded or retracted. Explore the pipeline ›
Every tile traces to evidence
Read-only to operators, produced by the pipeline, never edited by hand. Claims labeled correlational or causal, and missing data shows as "insufficient data", never as a score.
Ten to twelve weeks to a defensible baseline
Weeks, minimum, in a small organization. Parallel workstreams in a larger one. No metric reaches executive visibility without traversing all eight phases at least once. See the programme ›
The site follows the whitepaper
Net-Positive Management: A Governance, Risk, and Compliance Meta-Framework
"Organizations implementing multiple management-system standards face structural fragmentation: independent scopes, duplicated evidence, and parallel audit cycles that erode strategic coherence and degrade governance into checklist compliance. This whitepaper introduces Net-Positive Management (NPM), a GRC meta-framework that integrates existing standards without replacing them."
Polman, P. and Winston, A.S. (2021) Net positive: how courageous companies thrive by giving more than they take. Boston: Harvard Business Review Press.