Bylaw 2. Executive Management (EM)

Last modified: September 5, 2025

(Swiss Verein; Zug register; principal base Geneva. This Bylaw defines the Executive Management (EM) structure, roles, Delegation of Authority (DoA), and the operating “components” (functions, systems, and centers of excellence) required to run GRF at sovereign-grade while preserving Board-reserved powers (Art. 9.1) and the Central Bureau (CB) non-executive clearance regime (Arts. 9.3, 12). Cross-refs: Arts. 1–3, 5–7, 8 (§§8.3/8.3A), 9–11, 13–17, 18–21; Bylaw 1 (Committees). EN controls; FR/DE companions may be issued.)


2.1 EM Composition, Mandates & Interfaces

2.1.1 Constitution & Appointment

(a) Executive Management (EM) operates GRF within Board-approved Strategy, Operating Plan, and Budget.
(b) Appointments by Board of Trustees per Art. 8.3 and §8.3A; phasing “as funding matures.”
(c) EM authority is bounded by Art. 9.1 (Board-reserved), Annex F (DoA), Annex G (Signatory), and CB Clearance for Material Actions (Arts. 9.3, 12).

2.1.2 Roles & Core Duties

ED/CEO — overall delivery; OP/Budget; KPIs; control environment; primary Board/CB counterpart.
COO — operations, convenings, procurement, vendor mgmt., continuity (Annex Z).
CFO — budgeting, accounting, treasury, reserves, insurance, financial reporting.
CTO/CIO — platforms (identity/SSO/MFA, CSR, cloud, EO/HPC), SDLC, vendor security.
CISO — ISMS/PIMS, cyber risk, IR/DR/BCP, red-team cadence.
Chief Data Steward (CDS) — data/model governance, QA/QC, provenance, licensing, publication packs.
Program Directors (DRR / DRF / DRI) — program roadmaps, 90-day sprints, KPI delivery with Regional/Thematic Chairs (Art. 10).

2.1.3 Interfaces & Accountability

Board (policy/strategy/oversight); CB (clearance/registers/gazette; non-executive); Chairs & Committees (delivery & oversight); ECT (inter-nexus execution under Art. 11).


2.2 Delegation of Authority (DoA): Spending, Contracting, HR, Data Release, Disclosure

Construction rule. Board-reserved powers (Art. 9.1) are non-delegable. All EM actions observe Annex F (caps/tiers), Annex G (Signatory), and CB Clearance (Arts. 9.3, 12).

2.2.1 Spending & Contracting

(a) Tiered caps (illustrative; values in Annex F):
Tier 1 (Dept.) routine OpEx/Grants/Small IT ≤ T1.
Tier 2 (Exec.) program/IT/security/platform ≤ T2.
Tier 3 (ED/CEO) cross-functional/multi-year ≤ T3.
Board above T3 or where Art. 9.1 requires.
(b) Aggregation: related commitments/options (12-month look-forward) aggregate.
(c) Prohibitions (Board only): borrowing, guarantees, liens, real property, core IP assignments/exclusive licenses, equity-like instruments.
(d) Procurement: competitive methods or documented single-source; evaluation panels with independence walls; debarment checks; open-contracting transparency (Annex AB).
(e) Contracts: CB-cleared templates; four-eyes legal/finance; change control; audit rights; data/privacy addenda; IP/OSS per Annex T.
(f) RAP: caps may rise one tier with RAP-Clearance; ex-post ratification (Art. 19).

2.2.2 HR (Hiring, Compensation, Conduct)

Headcount within Board-approved plan; employment vs Auftragsvertrag classification (CB-cleared); cross-border hiring via EOR as needed; compensation within frameworks (no donor-tied variable pay); Code/PSEA mandatory; separations via CB-cleared templates.

2.2.3 Data & Model Release

Prereqs: Data/Model Cards, QA/QC, validation, uncertainty bands, licenses, provenance hashes (Annex T). CDS/CTO sign publication pack → CB Pre-Clearance for public releases, cross-border transfers, high-stakes analytics, or privacy-impactful datasets (Art. 15.4).

2.2.4 Disclosures & Independence

Sensitive public statements: ED/CEO + CB process check; funding transparency via Donor & Dues Registers; conflicts/RPT filings (Annex N); no co-branding without Board approval (Art. 3).

2.2.5 Treasury & Banking

Banking per Annex H; two-to-sign; alternates (Annex G); capital-preservation instruments; counterparty limits; reconciliations monthly; insurance adequacy annual review.

2.2.6 Security & Continuity

RBAC/ABAC; PAM; red-team & pen-test cadence; critical CVE SLAs; SBOM/SLSA; incident 24-hour report; legal holds (Art. 13.4); DR drills (Annex Z); HSM/KMS key custody.


2.3 Planning, Budgeting & Quarterly Performance

2.3.1 Annual Cycle

Strategy refresh; Operating Plan (OP) with KPI tree & milestones; Budget (FIC → Board); mid-year reforecast if ±10% variance or reserve breach.

2.3.2 Reporting & Assurance

Monthly management pack; Quarterly Performance Review (QPR) (finance/programs/tech & data/ethics/assurance); Annual Report (audited financials + impact + governance statement).

2.3.3 Variances & Escalations

Red-threshold variances → Remediation Plan within 15 Business Days; Board call-in rights (Art. 9.1(j)); CB may halt acts lacking Clearance; RAP trigger if continuity threatened (Art. 19).


2.4 Operating Components & Centers of Excellence (CoEs)

Purpose. Define the expert “components” EM must maintain to execute at scale, with clear mandates, interfaces, KPIs, and safeguards. Components are management-level (not Board committees) and operate under DoA + CB Clearance.

2.4.1 Program Management Office (PMO)

Mandate: portfolio governance for DRR/DRF/DRI; 90-day sprint orchestration; stage-gates; benefits realization.
Interfaces: Program Directors, Regional/Thematic Chairs, CFO (funding gates), CB (Clearance IDs).
KPIs: milestone hit-rate; benefits realization %; variance closure time; audit findings closed.

2.4.2 Procurement & Vendor Management

Mandate: sourcing strategy, competition, contracts, performance/SLA, service credits, renewals, debarment list.
Safeguards: independence walls; donor walls; open-contracting disclosures; CB Clearance for Material Actions.
KPIs: competitive coverage %, cycle time, vendor risk scores, SLA attainment.

2.4.3 Legal & Secretariat (EM)

Mandate: commercial/HR/IP/privacy contracting; litigation coordination; policy harmonization; record of compliance with Arts. 7, 13, 15, 16.
Interfaces: CB as clerk of record (Registers/Gazette).
KPIs: template adoption, cycle time, exceptions cleared.

2.4.4 Protocol, Accreditation & Events

Mandate: identity vetting, badging, zoning, safety plans (Art. 17); Geneva diplomatic participation.
KPIs: incident-free rate; accessibility compliance; drill pass-rate.

2.4.5 Treasury Operations

Mandate: liquidity, cash forecasting, reconciliations, counterparty monitoring, reserves execution, insurance placement.
KPIs: liquidity days, recon timeliness, limit breaches, reserve coverage.

2.4.6 Data Governance CoE

Mandate: taxonomy, classification, lineage, retention (Annex W), DPAs/ROPA, DPIA/TIA, transfer mapping.
KPIs: DPIA throughput; DSAR SLA; policy conformance; data loss events.

2.4.7 Model Risk & Validation CoE

Mandate: model inventory, validation, calibration, fairness/uncertainty disclosure, red-team cadence, retirement criteria (Art. 15.2).
KPIs: model-card coverage, validation pass-rate, drift alerts, time-to-remediate.

2.4.8 Cyber Defense & SOC

Mandate: ISMS operations, threat detection, incident response, vulns, zero-trust, secrets mgmt.
KPIs: MTTD/MTTR, critical patch SLA, phishing fail-rate, control effectiveness.

2.4.9 Privacy Office (DPO)

Mandate: FADP/GDPR/UK GDPR compliance; EU/UK representatives; lawful bases; cross-border transfers; complaints.
KPIs: DPIA/TIA SLA, DSAR SLA, regulatory interactions closed.

2.4.10 Grants & Sub-Awards Office

Mandate (if used): neutralized, ring-fenced grants/sub-awards; monitoring & evaluation; anti-capture controls.
KPIs: on-time reports; exception rate; audit findings closed.

2.4.11 Partnerships & Alliances

Mandate: MoUs, non-financial collaborations, neutral vendor/academy/government interfaces; no donor-conditioned content (Art. 3).
KPIs: MoU to output conversion; independence incidents = 0.

2.4.12 Knowledge, Records & Archives

Mandate: CSR hygiene (Art. 13), controlled vocabularies, evidence packs, redaction workflows, archive deposits.
KPIs: filing timeliness; retrieval SLA; completeness score.

2.4.13 Sustainability, Accessibility & Inclusion

Mandate: carbon budgets for convenings, waste/energy standards, accessible participation, fair-work principles.
KPIs: event footprint vs target; WCAG conformance; supplier code adherence.

2.4.14 Communications & Transparency

Mandate: comms policy, Gazette summaries, crisis communications; election blackout (Art. 8.6).
KPIs: approval cycle time; accuracy/errata rate; blackout compliance.

2.4.15 Translation & Language Services

Mandate: FR/DE companions; interpretation planning; glossary governance; EN control.
KPIs: translation SLA; term consistency; error rate.

2.4.16 Field Logistics & Safety

Mandate: travel policy, per-diems, carbon-aware routing, duty of care, safeguarding (Art. 17.3).
KPIs: incident rates; compliance with per-diem/airfare caps.


2.5 Management Systems & Standards (Baseline)

2.5.1 Information & Privacy

ISMS: ISO/IEC 27001; PIMS: ISO/IEC 27701; SOC 2 (as applicable).
Privacy controls: ROPA, DPIA/TIA, EU/UK reps, transfer mechanisms, DSAR workflows (Art. 15.4).

2.5.2 Quality & Service

QMS: ISO 9001 for program delivery; ISO/IEC 20000-1 for service management (platform SLAs).

2.5.3 Continuity

BCMS: ISO 22301; RPO ≤ 1h / RTO ≤ 4h for CSR and identity (Annex Z).

2.5.4 Data/Model & Geospatial

AI/ML mgmt: ISO/IEC 42001 (emerging), model cards, data cards; OGC/WMO/IEEE alignment (Art. 15.1–15.2).


2.6 Policy Stack & Playbooks (Minimum Corpus)

Mandatory policies (owned by EM; CB process-cleared; Board adopts Class-A/B as needed): Independence & Non-Affiliation; Conflicts & RPT; Procurement & Competition; Treasury & Investment; Data/Model Governance; Privacy & Data Protection; Information Security; Incident Response; Business Continuity; Grants/Sub-awards (if used); Events/Protocol & Safety; Communications & Media; Whistleblowing; Sanctions/KYC/AML; Anti-Bribery/Corruption; Antitrust/Competition; HR (hiring, conduct, safeguarding); Open-Contracting/Transparency. Annual review; Gazette summaries where material.


2.7 Third-Party & Supply-Chain Risk

Scope: cloud/identity, data providers, payment rails, travel/venues, critical integrators.
Requirements: vendor tiering; risk assessments; DPAs; DPbD; SBOM/SLSA; security questionnaires; right-to-audit; service credits; exit plans & data return/delete.
CB Clearance: required for high-impact vendors and cross-border data/DRF rails.


2.8 Global Operations, Employment & Trade Compliance

Cross-border employment: EOR where needed; immigration support per Art. 17.4.
Export controls & sanctions: SECO/EU/OFAC screening (Art. 16.3); technology transfer reviews; high-risk country controls.
Antitrust/lobbying: guardrails for convenings and coalition work; no market allocation or anti-competitive conduct.


2.9 Program Delivery Pipeline (Stage-Gates)

Stages: Initiate → Scope → Design → Build/Test → Publish/Operate → Review/Retire.
Artifacts: charter, risk register, budget, DPIA/TIA (if any), Data/Model Cards, QA/QC, acceptance criteria, publication pack with CB Clearance ID.
Reviews: PIR within 90 days of go-live; lessons→controls.


2.10 Metrics, Dashboards & Publication

Dashboards: finance/treasury; delivery KPIs; cyber/privacy; procurement; RAP status (if active); independence/compliance exceptions.
Publication: Board pack monthly; Gazette material per Art. 13.3; member-level impact summaries (privacy-safe).


2.11 Exceptions, Waivers & Enforcement

Waivers: written, time-boxed; require Board resolution if altering caps or policy baselines; CB Clearance and Gazette notice (lawful redactions).
Enforcement: acts outside DoA or CB conditions are voidable (Art. 7.11); discipline per Art. 16; contract remediation and clawback where applicable.


2.12 Review & Amendments

This Bylaw is reviewed annually by NGC with ARC/FIC/ECC/TDC inputs. Amendments follow Art. 21; technical updates to Annex F/G/H/L/T/W/Z/AD proceed under Class (C) in §21.1.1.


Design result: An expert-grade, componentized operating model—clear roles, disciplined DoA, and the full suite of execution components (PMO, procurement, legal, protocol, treasury, data/model governance, cyber/privacy, partnerships, knowledge, sustainability)—all wired to CB Clearances and the Council System of Record so GRF can deliver DRR/DRF/DRI at speed without sacrificing independence, auditability, or public trust.
