We continue our exploration of the COSO Corporate Governance Framework (the Framework), recently released as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 5—Communication. If culture is the heart of an organization and people are its muscle, then communication is the circulatory system, carrying oxygen (information), nutrients (values), and antibodies (escalations and feedback) to every part of the governance body.
Most assuredly, it is not a side note. Communication is a core governance function, as critical as oversight, strategy, and culture. This component affirms something that compliance professionals have long known: poor communication creates risk, while effective communication fosters trust, resilience, and accountability. The Framework lays out a comprehensive roadmap for governing the quality, flow, and purpose of information both inside and outside the enterprise. It addresses communication as both a technical capability and a leadership responsibility, making it a perfect area for compliance professionals to lead from the front.
Today, we examine what Component 5 encompasses and identify five actionable lessons for compliance professionals who are ready to champion the communication function in governance.
What Does the Communication Component Cover?
COSO organizes this component around four principles:
- Commit to Information Quality
- Engage Stakeholders Strategically
- Communicate Effectively with Internal Stakeholders
- Communicate Effectively with External Stakeholders
Taken together, these principles stress that communication is strategic, multidirectional, and accountable. It is not just about what is said; rather, it is about who says it, how it is said, where it flows, and whether the message enables ethical decision-making, risk awareness, and stakeholder engagement.
Why Communication Matters to Compliance
For compliance professionals, communication is both a tool and a test. How we communicate policies, processes, and expectations shapes how employees behave. How the board receives information determines the quality of its decisions. How stakeholders perceive our transparency defines our license to operate.
More than ever, regulators, investors, and employees demand not just disclosure but meaningful, timely, and values-driven communication. That means compliance must go beyond the whistleblower hotline and annual training; we must build communication systems that enable governance excellence.
Five Key Lessons for Compliance Professionals
Lesson 1: Information Quality Is a Governance Issue—Own the Integrity of the Message
Principle 17: Commit to Information Quality
Boards and management must ensure that all internal and external information is accurate, complete, timely, and relevant to the decisions being made. This includes maintaining systems and controls to validate data and eliminate ambiguity in terminology.
Compliance Tip: Perform a communication audit of compliance reporting. Are your dashboards jargon-heavy or decision-ready? Do your risk reports help the board prioritize issues or confuse the message? Work with IT, internal audit, and risk to deploy governance, risk, and compliance (GRC) platforms that centralize and standardize your reporting. Use these tools not just to track activities but to tell a governance story.
Lesson 2: Stakeholder Engagement Is Risk Management—Make Communication Strategic
Principle 18: Engage Stakeholders Strategically
Executive management must identify key internal and external stakeholders and ensure that appropriate channels exist to share information, solicit feedback, and address concerns. This includes employees, investors, regulators, customers, suppliers, and communities.
Compliance Tip: Map your stakeholder communication channels, including which messages are sent to whom, when, and through which medium. Identify gaps where feedback isn’t captured or transparency is lacking. Lead a quarterly cross-functional stakeholder forum with representatives from legal, ESG, investor relations, operations, and compliance. Use it to review messaging consistency, flag potential disconnects, and align on communication strategy for high-impact governance topics.
Lesson 3: Internal Communication Must Flow in All Directions—Not Just Top-Down
Principle 19: Communicate Effectively with Internal Stakeholders
Effective communication within the entity must support timely, secure, and informed decision-making across all departments and levels. It must include not only top-down directives, but also cross-functional collaboration and bottom-up feedback.
Compliance Tip: Evaluate whether your policies and training materials are accessible and understandable to frontline employees. Simplify complex legal language. Reinforce messaging across multiple touchpoints, not just once a year. Establish a compliance “listening architecture.” This could include monthly manager check-ins, anonymous digital suggestion boxes, and cultural pulse surveys. Use the insights to adapt your messaging, identify unspoken risks, and refine your program in real time.
Lesson 4: External Communication Requires Guardrails—Balance Transparency and Confidentiality
Principle 20: Communicate Effectively with External Stakeholders
Boards and executive management must govern external communications with care, thereby ensuring transparency while protecting sensitive information and aligning with legal, regulatory, and reputational considerations. This includes formal disclosures, media engagement, investor briefings, and even social media interactions.
Compliance Tip: Coordinate with legal, investor relations, and public affairs to ensure external compliance disclosures (e.g., investigations, regulatory actions, ESG updates) are accurate and strategically timed. Recommend creating or expanding the entity’s disclosure committee beyond financial reporting. Include ethics, cybersecurity, and ESG in its scope. This ensures consistent governance over all public-facing statements, not just 10-Ks and earnings calls.
Lesson 5: Escalation Protocols and Whistleblower Systems Are Core Communication Channels
COSO stresses that communication is not simply about planned messaging but about creating pathways for critical issues to reach decision-makers quickly. That includes whistleblower programs, hotline escalation, and crisis protocols that support real-time visibility and accountability.
Compliance Tip: Review your escalation policy. Is it clear when, how, and to whom an issue must be reported? Is there redundancy if a leader is implicated? Does the board know what “red lines” exist? Include whistleblower trends and escalation effectiveness as standing items in your board or audit committee materials. Go beyond volume and share insights about culture, responsiveness, and process quality. That’s how you earn board confidence and budget support.
Building a Governance Communication Program
To operationalize COSO’s Communication Component, compliance leaders should help lead the development of an integrated governance communication program with the following features:
- Message alignment across all internal and external platforms;
- Defined roles for who speaks, who approves, and who responds;
- Feedback mechanisms like surveys, listening sessions, and open-door policies;
- Secure reporting systems that support anonymity and protect whistleblowers; and
- Crisis playbooks that define escalation paths, communications teams, and messaging protocols.
The goal? To ensure that communication is not just noise, but a narrative that guides behavior, enables decisions, and builds trust with all stakeholders.
What Boards Need to Hear from Compliance
Here’s what to communicate to your board:
- The quality of governance depends on the quality of information.
- Misaligned or confusing communication creates regulatory and reputational risk.
- Stakeholders expect timely, truthful, and values-aligned information, not just compliance.
- Compliance has a unique view into cross-functional communication gaps and whistleblower data.
- The board should actively monitor communication systems and protocols, just as it does financial reporting.
When the board understands that communication is a control, not just a convenience, they will begin to ask better questions and set higher expectations.
Final Thoughts: Communication Is Governance in Motion
To determine whether your governance program is effective, listen to what people say and, equally importantly, what they do not. COSO’s Communication Component reminds us that in governance, silence is a risk, confusion is a vulnerability, and transparency is a strength.
As compliance professionals, we are communicators by necessity, but COSO invites us to become communicators by design. That means building systems that convey messages, address concerns, and connect people to their purpose. Governance is not just about structure; in many ways, it is about story. Make sure yours is told well.
To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes July 11, 2025.