Version: 1.0
Owner: CTO – Paolo Carlo Platter
Last Updated: November 2025
Purpose
The Witboost Service Governance Model defines the organizational and procedural framework through which Agile Lab ensures that the Witboost platform is governed, monitored, and continuously improved.
It connects Agile Lab’s holacratic operating system—based on distributed accountability and self-managed circles—to the principles of risk control, operational excellence, and strategic alignment required by the Poste Italiane Group.
Governance Principles
Witboost’s governance is based on the following key principles:
Transparency: All processes are documented in this handbook, while metrics and responsibilities are documented and shared across the organization via the Holaspirit platform.
Accountability Diffusion: Each role and circle owns its domain, decisions, and related risks.
Continuous Improvement: Risks, performance indicators, and goals are monitored regularly, with corrective actions initiated when deviations occur.
Alignment with Group Standards: Governance processes follow the Group’s frameworks for risk management, compliance, and data protection.
Learning Organization: The model supports adaptation through feedback, retrospectives, and cross-functional collaboration.
Governance Structure and Cadence
Operational Steering Meeting – Monthly
Frequency: Every 4 weeks
Participants: Representatives from all Witboost circles (Product, Delivery, Customer Success, Marketing, Sales)
Objectives:
- Review performance metrics and project progress
- Assess achievement of quarterly and strategic objectives
- Identify and evaluate emerging risks and issues
- Trigger corrective or improvement initiatives
Outputs:
- Risk discussion log
- Corrective action plans (CAP)
- Metric Updates
Governance Meeting – Every 4 weeks
Purpose: Ensure continuous alignment of organizational structure, roles, and responsibilities with business needs and market evolution.
Focus areas:
- Clarify ownerships and decision domains
- Review and adjust role definitions and scopes
- Validate the mapping between roles and risks
- Evaluate governance effectiveness and dependencies between circles
Outputs:
- Updated Holaspirit structure
- Refined RACI maps
- Governance change log
Core Functional Areas and Associated Risks
The Witboost organization is structured into self-managed circles represented in Holaspirit.
Each circle operates autonomously within defined accountabilities and interfaces with others through clear collaboration agreements.
Below are the high-level responsibilities and main risk domains for each core area of Witboost Circle.
| Area | Core Responsibilities | Key Risks | Mitigation / Controls |
|---|---|---|---|
| Witboost Lead | Define the go-to-market strategy with Sales and Marketing | • Wrong budget allocation • Mismatch between GTM strategy and market readiness | • Continuous budget monitoring • Definition of OKR and Metrics to measure success |
| Product Management | Define product vision and roadmap; prioritize features; manage product lifecycle and value delivery | • Misalignment between roadmap and market needs • Lack of prioritization leading to inefficiency • Product obsolescence | • Quarterly roadmap review • Stakeholder validation in steering meetings • Continuous customer and market feedback |
| Product Delivery | Execute product roadmap; ensure quality, reliability, and timely releases | • Delays in delivery • Technical debt accumulation • Quality or security defects • SLA breaches | • Agile sprint reviews and retrospectives • Automated testing and code reviews • Security validation (penetration testing, vulnerability assessment) • SLA Monitoring and proactive communication |
| Customer Success | Support clients in onboarding and adoption; measure satisfaction; prevent churn | • Customer churn or dissatisfaction • Insufficient incident response | • Monthly satisfaction tracking (NPS) • SLA monitoring dashboard • Post-mortem analysis of incidents |
| Marketing | Communication, Branding, Lead Generation | • Inconsistent brand message • Miscommunication on features or compliance • Reputational risk | • Marketing content approval workflow • Alignment with Product, Sales and Compliance before campaigns |
| Sales | Manage pipeline, proposals, partners and contracts; ensure financial alignment and client qualification | • Mispricing or non-compliant offers • Contractual or legal exposure • Reputational risk with unqualified partners | • Offer review with Product Management • Partner due diligence (financial & compliance) • Contract review by Legal/Compliance |
Cross-Circle and Shared Risks
Certain risks (e.g. Compliance, People, Finance, Internal IT) span multiple domains.
In these cases:
- A Primary Owner is accountable for overall management and reporting
- Contributing Circles provide support, data, and implementation evidence
- Coordination occurs through the Governance & Coordination Committee (GCC)
Risk Governance Framework
Risk governance in Witboost follows a three-level model:
- First Line of Defense: Each circle monitors and mitigates risks within its domain, maintaining accountability in Holaspirit.
- Second Line of Defense: The Witboost Lead and Compliance referents consolidate and review risks during governance meetings.
- Third Line of Defense: Internal Audit and Group Risk & Compliance (Poste Italiane) perform periodic reviews and audits.
All identified risks are recorded in the Tactical and Governance meeting reports, which include:
- Description and category
- Likelihood and impact rating
- Responsible circle and owner
- Mitigation projects
Escalation and Reporting
| Level | Escalation Trigger | Report To | Frequency |
|---|---|---|---|
| Operational | KPI deviation, delivery risk | Witboost Lead, Product Circle during Operational Steering Meeting | Monthly |
| Governance | Structural or role-related issues | Governance Meeting | Monthly |
| Strategic | Reputational, regulatory, or systemic risk | Agile Lab Board / Group Risk Function | As required |
Continuous Improvement and Review
- This governance model is reviewed every 4 weeks during the Governance meeting.
- Adjustments to structure, responsibilities, or risk ownership are approved in the governance meeting and documented in Holaspirit.
- Lessons learned from incidents or audits feed into process updates and employee training programs.
Risk Assessment Methodology
Each risk is evaluated according to likelihood and impact, scored from 1 (Low) to 5 (High).
The combination of these scores defines a Risk Level = Likelihood × Impact, classified as:
| Level | Score Range | Description | Color |
|---|---|---|---|
| Low | 1–5 | Controlled / acceptable | 🟢 |
| Medium | 6–12 | Requires mitigation and monitoring | 🟠 |
| High | 15–25 | Critical, requires immediate corrective action | 🔴 |
Impact dimensions considered:
- Operational – service continuity, internal process efficiency
- Financial – budget variance, delayed payments
- Compliance / Legal – regulatory or contractual exposure
- Reputational / Strategic – stakeholder trust and alignment with market strategy
- People / Organizational – retention, culture, skill coverage
- Technology / Architecture – obsolescence, dependency, scalability
- Information Security / Cyber – unauthorized access, vulnerability exploitation
Risk Register
All risks are recorded, assessed and versioned in the Risk Register on the Witboost SharePoint.
Control Effectiveness and KPIs
Each mitigation action is linked to Key Performance Indicators (KPIs) measuring control effectiveness.
KPI trends are reviewed:
- Monthly during one of the two Operational Steering Meetings in the metric session
If a KPI is below threshold for two consecutive cycles, the risk is re-evaluated, and escalation may be triggered.
Residual Risk Evaluation
Each risk is reclassified after mitigation into:
- Low Residual Risk → Continuous monitoring
- Medium Residual Risk → Requires follow-up or improvement plan
- High Residual Risk → Escalating path
Residual risk assessments are logged in the Operational Steering Report and in Holaspirit under each Circle’s accountability.
Review and Update Process
- Frequency: Every 4 weeks during the Operational Steering Meetings
- Extraordinary Reviews: Triggered by new regulation, audit findings, or major incidents
- Initiation: Any stakeholder can propose a new risk or control during an Operational Steering Meeting, with the first set identified top-down
- Validation: Compliance Circle validates; Witboost Lead approves updates
- Lessons Learned: Incorporated after incidents or audits within 2 weeks of closure
Summary
The Witboost Risk Management framework merges:
- Traditional enterprise discipline (matrix, KPIs, escalation, residual risk)
- Agile Lab adaptability through continuous feedback and learning