COSO’s Corporate Governance Framework: Component 3 – Culture

We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework), currently a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 3—Culture. Corporate culture is often discussed in vague, inspirational terms. In Component 3 – Culture, however, the Framework positions culture as a measurable, manageable, and mission-critical governance function. For compliance professionals, this is not just validation; it is moving toward a mandate.

In today’s risk environment, culture should not be a soft topic. Properly viewed, it is a leading indicator of whether your organization can weather disruption, comply with complex regulations, and maintain trust with stakeholders. COSO’s culture guidance transforms tone at the top into governance in action. It links behaviors to strategy, values to risk, and leadership to accountability.

What Is Culture in the COSO Framework?

COSO defines culture as “the set of shared values, attitudes, and behaviors shaped by leadership that influence how individuals act with integrity, make decisions, and respond to risk.” It is not a slogan, but how people behave when no one is watching.

The Culture Component is built around three core principles:

  1. Establish and Model Culture and Behaviors
  2. Promote Ethics, Respect, and Open Communication
  3. Assess and Adapt Culture

These principles emphasize that culture is dynamic and strategic, rather than passive or peripheral. It must be designed, led, measured, and, when necessary, corrected.

Why Culture Belongs to Compliance

Culture has long been a central component of compliance. But COSO now gives it a governance home—under the board’s oversight and executive leadership’s execution. Compliance leaders are uniquely positioned to monitor, assess, and influence culture in real time, across all levels of the organization.

Culture impacts:

  • How decisions are made;
  • Whether employees speak up;
  • How misconduct is handled;
  • Whether the strategy is executed ethically; and
  • Whether compliance programs are seen as check-the-box or mission-critical.

With COSO’s Culture Component in hand, the compliance function has the playbook, and the board has the responsibility to govern culture as seriously as they govern financial controls.

Five Key Lessons for Compliance Professionals

Lesson 1: Culture Starts at the Board—Help Them Set the Tone and Model the Way

Principle 11: Establish and Model Culture and Behaviors

Boards and executive management must define the desired culture and model expected behaviors in alignment with purpose, values, and strategy. They must actively reinforce ethical norms through actions, decisions, and communications.

Compliance Tip: Offer directors a quarterly culture dashboard that includes whistleblower activity, employee sentiment, training engagement, and ethics concerns. Use anonymized narratives to make the data more relatable and human. Collaborate with your board chair or lead independent director to include ethics and culture in the annual board assessment. If board behaviors contradict stated values, it’s your role to surface that constructively.

Lesson 2: Promote Ethics and Psychological Safety—So People Speak Up Before the Headlines

Principle 12: Promote Ethics, Respect, and Open Communication

Executive management, with board oversight, must foster an environment of ethical behavior, respect for diversity of thought, and open communication at all levels of the organization. This includes codes of conduct, anti-retaliation protections, and speaking-up programs.

Compliance Tip: Go beyond the hotline. Create structured opportunities for employees to raise concerns in a safe and low-friction manner, such as listening sessions, surveys, or informal feedback channels. Use data to prove psychological safety gaps. If your hotline volume is too low, if anonymous feedback is not being received, or if exit interviews reveal unspoken concerns, bring this to the board’s attention and recommend action.

Lesson 3: Culture Is Built into Systems—Integrate It into Business Processes

COSO makes it clear: culture is operational. It is not just about the value posters on the wall. It must be embedded in hiring practices, incentive structures, performance reviews, vendor relationships, and even crisis response plans.

Compliance Tip: Partner with HR and operations to integrate ethical behavior into job descriptions, bonus structures, and leadership assessments. Help managers understand how their daily decisions influence and shape the organizational culture. Audit your incentive systems. If employees are being rewarded for outcomes that conflict with your values, such as cutting corners to meet targets, that is a loud and evident red flag. Share these insights with leadership and propose strategies to realign incentives with stated values.

Lesson 4: Assess Culture with the Same Rigor as Financial Controls

Principle 13: Assess and Adapt Culture

Boards and executives must continuously monitor culture through both qualitative and quantitative means, such as surveys, exit interviews, focus groups, and misconduct trends. They must use this insight to adjust behaviors, policies, and communications.

Compliance Tip: Develop a culture scorecard that blends hard metrics (e.g., hotline use, turnover, audit findings) with soft indicators (e.g., pulse survey sentiment, values alignment). Share it regularly with senior leadership and the board. Recommend a third-party cultural assessment every 2–3 years. A fresh outside perspective can validate internal findings or reveal misalignment between what leaders think the culture is and what employees experience.

Lesson 5: Culture Must Adapt in Crisis—So Plan Ahead

COSO acknowledges that culture is stress-tested in times of disruption, be it a cyber breach, executive misconduct, acquisition, or societal crisis. The Culture Component encourages entities to integrate cultural expectations into their change management and crisis response processes.

Compliance Tip: Collaborate with risk and crisis teams to develop culture-aligned responses in your business continuity or crisis management playbooks. This includes messaging protocols, decision-making principles, and escalation thresholds. After any major incident, conduct a post-crisis culture audit. Ask: Did we live our values? Were our responses timely, ethical, and transparent? Feed those insights into board reporting and future crisis planning.

Building a Culture Governance Program: Where Compliance Leads

To bring COSO’s Culture Component to life, compliance professionals should spearhead a culture governance program that includes:

  • Clear definitions of desired behaviors linked to purpose and values
  • Measurement tools (dashboards, surveys, listening posts, audits)
  • Accountability mechanisms (ownership in performance reviews, board oversight)
  • Responsive feedback loops to adjust based on data and stakeholder input
  • Ethics-based training that evolves with risk and reality

This program should be integrated into your ERM process, strategic reviews, and board governance cycle, rather than being siloed off as “compliance only.”

What Boards Need to Hear from Compliance

Bring these messages to your next board or audit committee meeting:

  • Culture is a governance issue, not just a management function.
  • Misaligned culture leads to misconduct, regulatory failure, and reputational damage.
  • Compliance has real-time data on how values are being lived or violated.
  • Boards must monitor culture as a key component of enterprise risk and strategy.
  • Tone at the top must be modeled, not just messaged.

When directors understand this, they begin to treat culture metrics with the same gravity as revenue forecasts or audit findings.

Final Thoughts: Culture Is Compliance’s Moment to Lead

In the world of governance, culture is where compliance and leadership intersect. COSO’s Framework not only endorses this idea, but it also institutionalizes it. If culture determines how strategy is executed, how risks are mitigated, and how stakeholders perceive your organization, then compliance is not merely a monitor; rather, it is a culture architect. So step up. Utilize the COSO Culture Component to foster ethical leadership, safeguard long-term value, and ensure that your organization not only talks the talk but also walks the walk.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes July 11, 2025.
