We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework), currently out as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 2—Strategy. This component places compliance at the forefront of value creation. This is not just about watching for missteps. It is about enabling the entity to pursue bold goals while staying grounded in ethics, purpose, and accountability.
For compliance professionals, this is a welcome and long overdue shift. Strategy is no longer just a business conversation; it is a governance imperative. COSO makes it clear: strategy is governance, and governance must include compliance at every stage, from definition to execution to performance monitoring. Today, we extract five key lessons for compliance professionals ready to step into a new leadership role.
I. Strategy in the COSO CGF: What It Covers
The Strategy Component of COSO’s CGF focuses on aligning the entity’s strategic direction with its purpose, values, and long-term objectives. It’s made up of four core principles:
- Define Purpose and Core Values
- Develop and Communicate the Strategy
- Execute the Strategy
- Measure Performance Against Strategy and Adjust
These principles provide a governance framework that not only connects the board and executive management but cascades responsibility throughout the entity, from strategy rooms to front-line decision-making.
Why Strategy Matters to Compliance
For years, strategy has been seen as the exclusive domain of the CEO, CFO, and business development leaders. Compliance was invited in after the fact, to clean up, audit, or assess risks. But COSO’s framework changes the conversation.
As compliance professionals, we bring a risk-aware, ethics-focused, stakeholder-sensitive perspective to the table. In an era of ESG mandates, AI disruption, global volatility, and regulatory scrutiny, strategy without compliance is incomplete. If your compliance function is not integrated into the strategy process, you are not practicing governance; you are essentially doing damage control.
II. Five Key Lessons for Compliance Professionals
Lesson 1: Start with Purpose—Not Just Policy
Principle 7: Define Purpose and Core Values
Boards and management must define the entity’s fundamental purpose, the “why” behind the business, and articulate the core values that guide decision-making, behavior, and stakeholder relationships. These values must be embedded into operations, strategic priorities, and performance incentives.
Compliance Tip: Tie your compliance policies, training, and reporting to the entity’s purpose and values. Do not lead with rules; lead with alignment. Offer to help HR and communications integrate purpose into onboarding, annual certifications, and code of conduct messaging. When purpose becomes the language of the enterprise, compliance becomes a strategic partner.
Lesson 2: Compliance Must Be at the Strategy Table
Principle 8: Develop and Communicate the Strategy
Executive management, in consultation with the board, is responsible for developing the strategic plan, which encompasses competitive positioning, market risks, stakeholder expectations, and capital allocation. Strategy development must incorporate scenario planning and risk alignment to maximize long-term value.
Compliance Tip: Join strategic planning conversations early. Provide insight on regulatory trends, reputational risks, geopolitical shifts, and stakeholder concerns that could derail strategy if not addressed upfront. Offer to run a pre-mortem exercise that asks: if this strategy fails, why will it have failed? Use compliance-led facilitation to identify blind spots in the business model.
Lesson 3: Execution Is Where Ethics Live or Die
Principle 9: Execute the Strategy
Executing the strategy requires a well-defined operating model, clear accountability, aligned incentives, and integrated reporting. Middle management translates strategic goals into action, and it’s here that ethical risk often emerges.
Compliance Tip: Get involved in operational risk reviews. Ask how incentives are aligned with values. Review whether performance metrics encourage long-term thinking or shortcut-taking. Collaborate with the COO or HR to incorporate ethical conduct and risk awareness into performance evaluations and team KPIs. This helps you drive a values-based strategy from the ground up.
Lesson 4: Metrics Matter—And So Does What You Measure
Principle 10: Measure Performance Against Strategy and Adjust
Management must develop and track both financial and non-financial KPIs to assess progress against strategic goals. The board oversees these metrics and ensures that adjustments are made when results or risks shift.
Compliance Tip: Contribute to KPI development. Suggest ethical culture indicators, hotline trends, third-party risk metrics, or audit closure rates as part of strategy dashboards. Push for the inclusion of both lagging and leading indicators. It is not enough to track what went wrong; compliance needs metrics that alert us to potential issues before they occur. Compliance analytics is your secret weapon.
Lesson 5: Agility Requires Structure—Be the Change Advisor
COSO’s Strategy Component emphasizes the need for strategic agility. This is the ability to pivot in the face of market disruptions, new risks, or regulatory change. But agility does not mean chaos. It requires disciplined change management, escalation procedures, and decision-making protocols.
Compliance Tip: Be a governance resource during change. Whether it is a reorg, a product launch, a merger, or a crisis response, help ensure that the right people are consulted, decisions are documented, and owners are accountable. Offer a compliance impact assessment for major strategic shifts. Show how culture, third-party relationships, data privacy, or anti-bribery obligations will be affected and what the plan is to stay in control.
III. Strategy Is a Compliance Priority—Not Just a Business One
COSO’s Framework makes something crystal clear: strategy is no longer “off-limits” to compliance. The board must oversee it. Executive management must align it with the purpose. And the compliance function must embed integrity, risk foresight, and stakeholder accountability into every strategic decision. We should break the old model that treated compliance as a back-end reviewer. We are now co-pilots. COSO has provided compliance with the governance language to claim its seat at the strategy table. Now it is up to us to use it.
How to Put This Into Practice
Here are five actionable steps for compliance teams:
- Review your company’s strategic plan through the lens of COSO’s four strategy principles. Start by mapping your organization’s current strategic plan against the four COSO Strategy principles: defining purpose and core values, developing the strategy, executing it, and measuring performance. Ask critical questions. Does the plan reflect your core values? Are ethical risks explicitly considered? Do compliance concerns inform strategic KPIs? This exercise helps you identify gaps where compliance can bring additional value, ensuring the organization’s long-term strategy is rooted in accountability, integrity, and transparency. It also positions compliance as a proactive contributor to governance, not a reactive afterthought.
- Schedule a briefing with strategy or finance leaders to explore how risk and ethics are being integrated into the process. Establish a strategic dialogue with your CFO, head of strategy, or business development leadership to understand how ethical considerations and compliance risks are being integrated into planning. Bring COSO’s Strategy principles to the table as a common framework and ask how the company’s strategic models account for reputational risk, regulatory change, and stakeholder expectations. Use this time to identify areas where compliance can provide valuable insights, such as in ESG, M&A due diligence, or geopolitical risk assessment. These conversations open doors for cross-functional collaboration and foster trust with executives as they manage high-impact decisions.
- Develop compliance metrics that align with strategic objectives, such as trust, resilience, and stakeholder engagement, to ensure effective management and oversight. Move beyond traditional compliance outputs (e.g., number of training sessions or hotline reports closed) and align your metrics with enterprise-level strategic outcomes. Consider how to measure ethical culture, employee trust, third-party integrity, and the entity’s overall resilience to misconduct. Develop dashboards that can be integrated into strategic performance reviews or presented to executive management and the board of directors. Metrics might include culture survey participation, average investigation time, or third-party onboarding risk ratings. When compliance shows it can measure what matters to business leaders, it becomes a strategic asset, not a regulatory cost center.
- Pilot a strategic compliance review for a major initiative (product launch, M&A, market expansion). Choose a significant upcoming business initiative, perhaps a new product launch, geographic expansion, or merger, and embed compliance into the project team from the start. Conduct a compliance risk assessment tailored to the initiative’s strategy, market, and operating model. Ask how data privacy, third-party risk, anti-bribery compliance, and ethical culture will be protected during execution. Create an action plan that includes clear governance checkpoints, escalation triggers, and controls. This pilot not only demonstrates the value of compliance in driving strategic success, but it also establishes a replicable model for integrating compliance into future enterprise initiatives.
- Educate your board on the compliance implications of COSO’s Strategy Component, especially in strategy execution and performance monitoring. Prepare a board-level briefing or an audit committee presentation that focuses on how the compliance function supports strategic execution and long-term value creation. Use COSO’s Strategy principles to show how compliance intersects with business model design, culture, risk oversight, and scenario planning. Discuss how your function contributes to measuring non-financial performance indicators and adjusting strategy in light of regulatory shifts or reputational risks. Reinforce the message that compliance is a governance tool, not just a defensive mechanism. By educating the board on these dynamics, you elevate the role of compliance in strategy and support a culture of forward-looking governance.
Final Thoughts: The Future of Strategy Is Compliance-Infused
We often say that strategy sets the tone for the business. As compliance professionals, we now have the tools, and the COSO framework, to ensure that tone is ethical, risk-aware, stakeholder-conscious, and purpose-driven. Compliance should not simply review strategy; we should move to shape it. Bring our questions, our insights, and our integrity to the table where the most important business decisions are made. That is what governance leadership looks like. COSO just gave compliance the playbook.
The full CGF Public Exposure Draft is available from COSO for reading and comment. The comment period closes July 11, 2025.