
Everything Compliance: Episode 156, To Document or Not Edition

Welcome to this edition of the award-winning Everything Compliance. In this episode, we have the full quintet of Matt Kelly, Jonathan Marks, Jonathan Armstrong, Karen Moore, and Karen Woody, all hosted by Tom Fox, the Compliance Evangelist.

  1. Karen Moore delves into a Phoenix Community Theatre that fell victim to a social media backlash. She shouts out to beleaguered college grads and their difficulties in job searches.
  2. Matt Kelly looks at the White Deer export control enforcement action. He shouts out to Netflix shareholders to vote off the board a recalcitrant member.
  3. Jonathan Marks examines how a root cause analysis can serve as a foundational tool. He shouts out to the graceful leaders and singles out Princess Kate.
  4. Karen Woody considers the politics of the Caremark Doctrine. She shouts out to the Indiana Pacers for defying all the odds.
  5. Jonathan Armstrong considers the new UK Data Protection Law and shouts out to cricket great Jimmy Anderson.
  6. Tom Fox shouts out the 7 most famous words in American history, “When in the course of human events…” and asks you to think about what they mean in 2025.

The members of Everything Compliance are:

Tom Fox, the Voice of Compliance, is the host, producer, and sometimes panelist of Everything Compliance. He can be reached at tfox@tfoxlaw.com. The award-winning Everything Compliance is part of the Compliance Podcast Network.


Daily Compliance News: June 26, 2025, The Matt Galvin Honored Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, and general interest, all of which are relevant to the compliance professional.

Top compliance stories:

  • The Trump Administration sues the entire federal bench in Maryland. (NYT)
  • Matt Galvin was honored as an FT Top 20 Innovative Lawyer. (FT)
  • Will BP buy Shell? (WSJ)
  • OpenAI can train on copyrighted material. (BBC)

Compliance Tip of the Day – COSO Objective 4 – Control Information and Communication

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we continue our look at the 5 COSO Objectives. Today, Number IV—Control Information and Communication.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.


Hill Country Authors – The Legacy and Literature of Phil Oakley: A Life of Stories from Texas

Welcome to a new season of the award-winning Hill Country Authors Podcast, sponsored by Stoney Creek Publishing. In this podcast, Hill Country resident Tom Fox visits with authors who live in and write about the Texas Hill Country. In this episode, Tom visits author Phil Oakley, discussing his intriguing professional background and his novels, which are based on his family’s history in Texas.

Oakley shares stories from his childhood, professional encounters, and inspirations drawn from his grandparents’ lives. They delve into his book series, starting with ‘Little Hatchet’ and ‘Runners,’ exploring the ways he incorporates Texas history and personal heritage into his work. Oakley also reflects on the impacts of weather, railroads, and prohibition on his family and the state. Towards the end, he discusses his transition from biography to fiction and the potential for his books to be adapted into a streaming series. The session concludes with insights on working with Stoney Creek Publishing and resources for readers to find his books.

Key highlights:

  • Phil Oakley’s Professional Background
  • Remembering Ronnie Dugger
  • Phil Oakley’s Books and Inspirations
  • Writing Craft and Historical Context
  • Prohibition and Family Stories
  • Current Projects and Future Directions

Resources:

Little Hatchet | Book 1 of The Oakley Series

Runners | Book 2 of The Oakley Series

Little Hatchet and Runners on Texas A&M University Press

Stoney Creek Publishing Website

Little Hatchet Book Trailer on YouTube

Podcast Cover Art

Nancy Huffman Fine Art



COSO’s Corporate Governance Framework: A New Compass for the Compliance Professional

The compliance profession has long relied on the COSO frameworks for a solid foundation in internal controls and enterprise risk management. Now, in a move that promises to unify governance practices across sectors, COSO has released a Corporate Governance Framework (CGF) as a Public Exposure Draft. It’s not just a policy document—it’s a strategic blueprint. For compliance professionals, it represents an opportunity to elevate our role from risk mitigators to architects of long-term value. Today, we begin a multipart exploration of the Framework: what you need to know, why it matters, and how it changes the governance game.

The Big Picture: What Is COSO’s Corporate Governance Framework?

At its core, the CGF is a principles-based, integrated governance system that complements COSO’s earlier frameworks for internal control (ICIF) and enterprise risk management (ERM) while extending beyond them. It is designed to guide boards, executives, shareholders, employees, and other stakeholders in aligning governance structures and practices with the creation of long-term value.

The CGF is built around six interdependent components:

  • Oversight
  • Strategy
  • Culture
  • People
  • Communication
  • Resilience

Each Component contains several Principles (24 in total), supported by Points of Focus, Deeper Insights, and Leading-Edge Considerations.

In short, this is not a checkbox approach to governance. It’s a holistic, iterative model that adapts to an entity’s purpose, risk profile, stakeholder expectations, and regulatory landscape.

Why This Framework—and Why Now?

The business case for the CGF is compelling and overdue. COSO makes clear that good governance is no longer just about compliance; rather, it should be seen as a competitive differentiator.

Consider the drivers:

  • Regulatory complexity and fragmentation: Boards face a maze of requirements (state law, SEC rules, listing standards, ESG expectations).
  • Multi-stakeholder capitalism: Long-term shareholder value now demands attention to customers, employees, communities, and ecosystems.
  • Technology disruption: AI, cyber risk, and data ethics demand new models of oversight.
  • Reputation and trust: Ethics, culture, and transparency are now strategic assets.

COSO’s framework encourages organizations to move beyond the reactive “check-the-box” mindset and embed governance into every aspect, from executive decision-making to workforce engagement.

The Six Components: What Compliance Needs to Know

Now, consider each component through a compliance lens.

1. Oversight

This section reminds us that effective governance starts with the board but does not end there. It focuses on board structure, independence, committee roles, director selection, and accountability.

Compliance takeaway: The audit committee remains central, but boards are encouraged to create or expand roles for risk, technology, ethics, and culture oversight, which is great news for CCOs who want more engagement at the top.

2. Strategy

This is where compliance shifts from gatekeeper to enabler. The CGF pushes alignment between strategy and purpose, with boards and management jointly accountable for development, execution, and course correction.

Compliance takeaway: This is your call to integrate risk and ethics into strategic planning. Be present in the room when business models are reviewed, not after decisions have been made.

3. Culture

The CGF recognizes culture as both a risk and an asset. Boards are expected to model ethical conduct and oversee cultural assessments, while management must embed values into decision-making, hiring, rewards, and performance management.

Compliance takeaway: If culture eats policy for breakfast, this is your lunch menu. From whistleblower protections to leadership coaching, this is your roadmap for making culture measurable and actionable.

4. People

Talent is governance. This Component covers workforce strategy, succession planning, performance management, and incentives. It also underscores the board’s growing responsibility to understand workforce-related risks.

Compliance takeaway: Pay attention to the alignment between values, behaviors, and rewards. Compensation structures are now squarely in the realm of ethical risk, and compliance should have a voice in this area.

5. Communication

Information flow is framed as a governance issue, not just a reporting function. This section covers data quality, internal and external communications, technology platforms, escalation protocols, and stakeholder engagement.

Compliance takeaway: GRC programs rely on reliable data and timely communication to be effective. If your systems still rely on spreadsheets and email, the CGF serves as a reminder to modernize.

6. Resilience

This section ties together risk management, compliance, internal controls, and adaptability. It encompasses principles related to compliance ownership, fraud management, third-party risk, and continuous monitoring.

Compliance takeaway: The CGF validates what we already know, that compliance is a pillar of enterprise resilience. However, it also encourages us to adopt more intelligent tools (e.g., risk analytics, AI-driven monitoring, integrated assurance platforms).

What Makes This Framework Different?

Several innovations stand out:

  • Cross-functionality: The CGF is not siloed. Each Component is tied to others through stakeholder dynamics and shared responsibilities.
  • Flexibility with discipline: It’s grounded in principles, not prescriptive rules, making it adaptable across industries and organizational types.
  • The tone throughout the organization: Culture, communication, and people strategies extend well beyond the C-suite.
  • Forward-looking: Technology governance, AI risk, and stakeholder capitalism are not afterthoughts; instead, they are built in.

What Should Compliance Professionals Do Now?

The CGF is in the public exposure draft phase, with comments due by July 11, 2025. You should take the time to respond proactively:

  1. Read it, annotate it, and engage with it. COSO wants stakeholder feedback. If you’re a CCO, CAE, or GRC leader, now’s your chance to shape the future.
  2. Map your current practices to the six components. Where are your gaps? What metrics do you need? Start small, with one principle per quarter, perhaps.
  3. Socialize the CGF internally. Use it to open conversations with HR, IT, legal, risk, and the board. This is not simply a governance framework; instead, it should be viewed as a bridge to enterprise-wide alignment.
  4. Rethink your compliance program as a governance engine, especially in areas such as culture, people, and communication, where compliance can become a valuable partner in strategic execution.

Final Thoughts

COSO’s Corporate Governance Framework is more than a governance tool. It is a leadership manual for the modern era. For those of us in compliance, it validates that our work is not merely about avoiding risk but about enabling performance, trust, and value creation.

In the spirit of the Compliance Evangelist: Preach governance, embed culture, and lead with purpose.

Now, we should all roll up our sleeves and help build the future of corporate governance, one component at a time.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes on July 11, 2025.