COSO’s Corporate Governance Framework: What It Means for Compliance

For decades, COSO has been the gold standard in internal controls and enterprise risk management. But with the release of its new Corporate Governance Framework (CGF), now open as a Public Exposure Draft, COSO has thrown down the gauntlet to the compliance profession. This isn’t just a governance checklist. It is a call to action: step up, shape governance, and lead your organization into the future.

After exploring each of the six CGF Components in depth, I wanted to conclude this series by bringing it all together. What does the new COSO framework mean for compliance professionals? How should you adjust your strategy, your conversations with the board, and your daily work? Here are the big lessons and the practical next steps.

1. The Big Picture: A New Era for Governance and Compliance

The COSO CGF is a principles-based, integrated system designed to make governance everyone’s business, not just the sole responsibility of a Board of Directors. The six Components (Oversight, Strategy, Culture, People, Communication, and Resilience) each include key Principles with practical Points of Focus and leading-edge considerations. This is not a compliance framework by name, but it is a governance framework that places compliance at the heart of value creation, accountability, and enterprise resilience.

Compliance Takeaway: The CGF is arriving at a moment of regulatory complexity, stakeholder activism, and reputational volatility. Boards and management face evolving risks from AI, cyber, and ESG while being held to standards of transparency and trust by investors, employees, and society itself. If you’re a compliance leader, COSO just handed you the blueprint for embedding compliance deeper than ever before.

2. Oversight: Compliance’s Seat at the Table

Effective governance starts with the board, but it extends through management to every level of the organization. Oversight is about structure, independence, and accountability across board composition, executive delegation, and shareholder engagement. Do not be a bystander in governance; be a builder. Propose committee enhancements, brief leadership on independence and risk, and ensure compliance is on the board’s standing agenda. Your role is to clarify escalation protocols, support board effectiveness, and ensure oversight extends beyond mere numbers to encompass culture and ethical tone.

Compliance Takeaway: Start benchmarking your BOD structure and practices against COSO’s principles. Bring data to governance discussions and push for compliance metrics and risk topics to be regular board agenda items.

3. Strategy: From Afterthought to Co-Pilot

Strategy is no longer a C-suite sandbox. COSO makes clear: the board must oversee strategy, management must align it with purpose, and compliance must be at the table from planning to performance review. Step into the strategic conversation early. Embed compliance considerations into scenario planning, risk assessment, and incentive design. Move beyond being a “fixer” after decisions are made. You are now a co-pilot in shaping resilient, risk-aware, and stakeholder-driven strategy.

Compliance Takeaway: Map your organization’s strategic plan to the four COSO strategy principles: purpose, development, execution, and measurement. Create or enhance compliance dashboards with ethical and cultural KPIs, and ensure the board is briefed on them.

4. Culture: From Soft Topic to Measurable Mandate

Culture is not simply a poster on the wall; rather, it is how people behave when nobody is watching. The CGF calls for boards to own culture oversight, with management embedding values in every business process, from hiring to crisis response. Culture is now measurable, manageable, and mission-critical. Create culture dashboards, integrate ethics into leadership assessments, and bring employee sentiment to the board. Remember, misaligned culture leads to misconduct, and compliance has the data to prove it.

Compliance Takeaway: Launch a culture governance program with clear metrics (hotline use, training engagement, exit interview themes). Schedule regular board updates and recommend third-party culture assessments every few years.

5. People: Talent Is Governance in Action

People make or break both strategy and culture. COSO’s People Component focuses on workforce planning, succession, compensation, and development, with the board responsible for oversight. On the front line, partner with HR on leadership development, succession planning, and ethics in incentives. Review onboarding and offboarding for compliance moments of truth, and advocate for ethics questions in performance reviews. Do not simply check the HR box; bring a compliance risk lens to every talent conversation.

Compliance Takeaway: Review how people-related risks (succession gaps, compensation misalignment) are addressed in board and committee agendas. Propose ethics- and compliance-driven enhancements to talent processes, and pilot 360-degree reviews for key leaders.

6. Communication: Governance’s Nervous System

Communication is not simply about reporting; rather, it is the way governance breathes. The CGF emphasizes trustworthy data, technology enablement, escalation protocols, and stakeholder engagement. Ensure your GRC systems provide real-time, accurate insights. If your compliance program runs on spreadsheets, it’s time for an upgrade. Push for integrated platforms, streamlined reporting, and regular “lookback” exercises after incidents.

Compliance Takeaway: Lead a review of your communication tools and escalation pathways. Bring technology-enabled dashboards to executive and board meetings, combining compliance, risk, and culture indicators for holistic governance oversight.

7. Resilience: From Compliance Cost Center to Value Enabler

Resilience is the ability to anticipate, withstand, and adapt to disruption. The Resilience Component weaves together risk, compliance, internal control, and continuous monitoring and positions compliance as a pillar of enterprise stability. Expand your oversight of internal controls beyond financials—leverage technology to automate high-risk monitoring. Lead post-incident reviews that turn mistakes into governance muscle. Compliance is not just about “bouncing back” from crisis; it is about building systems that don’t break in the first place.

Compliance Takeaway: Map compliance risks to strategic objectives and ensure alignment with enterprise risk management (ERM). Use predictive analytics to flag emerging cultural or ethical risks and brief the board on how compliance is driving not just compliance but resilience.

What Makes COSO’s CGF Different—and What You Should Do Now

Cross-functional by design. Each Component connects with others—culture shapes strategy, people enable resilience, and communication powers oversight.

Principle-based, not prescriptive. The framework is adaptable across industries and geographies. It is not about ticking boxes but building a system that fits your organization.

Tech-forward and future-focused. AI, data, and technology are built in from the start, not an afterthought.

Final Takeaways for Compliance Professionals:

  • Engage early and often: Do not wait for the board to call you. Proactively map your program to the CGF’s Components.
  • Benchmark and build: Use the framework as a lens to spot gaps, propose improvements, and advocate for compliance in new domains (talent, tech, ESG).
  • Educate and evangelize: Socialize the CGF across the C-suite, HR, IT, and risk. Make compliance the bridge that connects governance with value creation.

Closing Thoughts: A Call to Action

The new COSO Corporate Governance Framework is a leadership manual for the modern compliance professional. It challenges us to see compliance as more than defense; it is the engine of long-term value, trust, and resilience.

If you are ready to move from risk mitigator to governance architect, COSO just handed you the playbook. Now’s the time to roll up your sleeves, engage with the board, and help build a governance system that will stand the test of disruption, scrutiny, and change.
