Village Governance CourseCapstone
All modules
CapstoneGroup work90–150 min live

Risk, architecture, and action

Participants complete the eight prior modules individually, then reconvene for this facilitated session to test, compare, and apply what they have learned. The capstone is deliberately a workshop, not a lecture or a quiz: the value comes from doing the work on your own organisation's records, scenarios, and decisions — together, in the room — and leaving with a concrete board-level output rather than a set of notes.

How the session works

Run this as a synchronous group session of 90 to 150 minutes, depending on group size and how many exercise sets you complete. Work in small groups of three to five. A facilitator keeps time, surfaces disagreement rather than smoothing it over, and ensures each set ends with a short report-back. The four exercise sets below build toward the 90-minute capstone flow and its governance memo; smaller boards can run a subset, but Exercise set D and the capstone flow should always be completed.

Teaching point: Every exercise asks the same underlying question in a different form — can you prove, later, how a record was created, changed, shared, exported, and bounded? Convenience and trust-in-vendor are not answers to it.
Facilitator note: Capture each group's outputs verbatim. The memo at the end is built from the room's own words, not from the facilitator's summary — that is itself a sovereign-record discipline.

Exercise set A — Record mapping

Start from your own organisation. Before architecture or scenarios, the group needs a shared, clear-eyed picture of which records actually carry governance weight and where each one is most fragile.

Workshop format
  1. List the top ten governance-relevant records your organisation holds — minutes, board papers, strategy drafts, committee deliberations, voting trails, dissent pathways, AI summaries, approvals, correspondence of record, and so on.
  2. Sort each record into low, medium, or high consequence if it were altered, lost, leaked, or disputed. Use the worst plausible case, not the typical case.
  3. Mark every record that lacks immutable provenance or verifiable boundary history — where you could not prove who authored it, how it changed, or who it was shared with.
  4. Report back the three records most in need of a sovereign approach, with one sentence each on why.
Discussion topics
  • Where did the group disagree on consequence rating, and what does that disagreement reveal about unstated assumptions?
  • Which "high consequence" records turned out to have the weakest provenance — and why is that combination so common?
  • How many of your top ten live in tools that could change their terms, jurisdiction, or availability without your consent?

Exercise set B — Failure scenario lab

Abstract risk becomes concrete when you trace a single failure end to end. Assign each group one scenario, then run it twice — once in the world you live in now, once in the world you could build.

Workshop format
  1. The facilitator assigns each group one scenario: an AI summary omission (a material dissent dropped from the record); contested minutes (two parties remember the resolution differently); a leaked board paper; a cross-jurisdiction disclosure request; or an inaccurate authorship trail.
  2. Reconstruct, step by step, how the scenario unfolds in your current environment — what is provable, what is contestable, where the organisation is exposed, and who carries the residual risk.
  3. Now repeat the reconstruction assuming a sovereign-record architecture — verifiable provenance, controlled boundaries, attributable change history, and explicit AI constraints.
  4. Report back: which harms disappear under the sovereign architecture, which remain, and which become more visible (and therefore actionable) rather than hidden.
Discussion topics
  • Which harms could not be designed away — and what does that tell you about the limits of architecture versus policy and culture?
  • Where did making a harm more visible feel uncomfortable, and why might that discomfort be the point?
  • In the cross-jurisdiction case, who actually decides what is disclosed today — your board, or a vendor's terms and a foreign legal regime?

Exercise set C — Policy & constitutional design

Architecture without rules is just storage. This set asks each group to write the default constitutional rules for a single record class, then stress-test them against a hard case.

Workshop format
  1. Choose one record class: board minutes, strategy drafts, or committee deliberations.
  2. Draft the default rules: who may read, who may edit, who may export, who may approve, and who may delete.
  3. Define what requires countersignature (a second attributable approval), and what an AI assistant may and may not do with the record — for example, summarise but never silently alter, or draft but never approve.
  4. Test the rules against one exceptional case: a protected cultural matter, an employment dispute, or an external review request. Where do the defaults break, and what controlled exception is needed?
Discussion topics
  • Did the exceptional case force you to weaken a default, or to add a controlled exception with its own provenance? What is the difference, and why does it matter?
  • Who, in your draft, can do something irreversible — and is that power countersigned, logged, and bounded?
  • What did your group decide AI may never do, and how would the architecture enforce that rather than merely state it?

Exercise set D — Board action statement

The course is only worth the change it produces at board level. Each group now compresses its work into a one-page statement and defends it under challenge.

Workshop format
  1. Draft a one-page board statement with four parts: the present-state risk you have identified; the future-state principle you will hold to; the pilot scope you propose; and the required governance controls.
  2. Keep it to a single page — a board statement that cannot fit on one page will not survive a board agenda.
  3. Present the statement to the room.
  4. Field challenge questions from peers acting as directors (is this affordable and proportionate?), auditors (can you evidence this?), and regulators (does this meet your obligations?).
Discussion topics
  • Which challenge question was hardest to answer, and does the gap sit in your evidence, your architecture, or your policy?
  • Could a sceptical director read your statement and know exactly what they are being asked to approve?
  • What would have to be true in twelve months for this statement to have been worth writing?

The 90-minute capstone flow

If time is short, this is the irreducible core of the session. It folds the four exercise sets into a single timed sequence that produces one tangible output per group.

Workshop format
  1. Part 1 · Risk statement (20 min) — complete the sentence together: "Our organisation is materially exposed where deliberation records are …" Draw on your Exercise set A mapping and Exercise set B scenarios.
  2. Part 2 · Architecture statement (25 min) — complete: "A fit-for-purpose sovereign deliberation environment for us would …" Name the properties that would close the exposures from Part 1.
  3. Part 3 · Action statement (25 min) — name three commitments: one board-level, one operational, and one pilot or proof-of-concept. Each must have an owner and a horizon.
  4. Part 4 · Report-back (20 min) — each group presents its risk, architecture, and action statements; the room challenges and refines them.
Discussion topics
  • Does your action statement follow from your risk statement, or did the group jump to a favoured solution before naming the exposure?
  • Is your pilot small enough to start and meaningful enough to learn from?
  • Which of the three commitments will be hardest to keep, and what would protect it from quietly lapsing?

Capstone output

Each group leaves with a short governance memo — a single artefact the board can act on. It carries four sections: top risks (from record mapping and the scenario lab), target-state principles (from the architecture statement and policy design), near-term actions (the board-level, operational, and pilot commitments), and a pilot proposal (scope, controls, owner, and horizon). The memo is the bridge from this course to a real decision: it should be tabled, minuted, and — fittingly — held as a sovereign record in its own right.

Closing teaching point: You began the course by reframing records as governance. You end it by producing a record that commits your board to act. If that memo can later be proven authentic, attributable, and unaltered, you have already demonstrated the principle the course exists to teach.
Completing the capstone saves your progress on this device.
← Module 8 Back to course home →

Offered freely, in good faith

This course is shared freely and in good faith — no paywall, no obligation. In the spirit of koha — a gift offered in reciprocity — if it proves valuable to you or your board, a contribution toward its continued development and running costs is gratefully received, in whatever measure reflects the benefit you've realised.

Leave a koha →

Run this with your own board

Want to put the course into practice? You can run the whole programme inside your own Governance Academy Village — a sovereign space for your board to deliberate, built on the same decision-record architecture this course teaches. Not sure which Village fits? A couple of quick questions will point you to the right one.

Find the right Village for us → Explore a demo Village →

No obligation — the course itself stays free.

Reached the end? Share the capstone with a colleague, or show a QR code to scan.