We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework) as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 6—Resilience. In today’s volatile business climate, one thing is sure: disruption is no longer the exception; it has become the norm. Whether it’s a cybersecurity incident, regulatory upheaval, geopolitical instability, or reputational crisis, the organizations that thrive are those that can bend without breaking. That’s why Component 6 – Resilience in the COSO Corporate Governance Framework (CGF) is more than timely; it may well be foundational.
For the compliance professional, resilience isn’t just about bouncing back—it’s about designing governance systems that withstand, anticipate, and even leverage disruption. The CGF reframes resilience as an integrated model that weaves together risk management, compliance, internal control, and continuous monitoring. This final Component of the framework is where compliance moves from policy enforcement to value creation. It is where compliance becomes a partner in operational continuity, strategic foresight, and cultural durability.
What Is the Resilience Component?
COSO defines resilience as the ability to withstand disruption, adapt to change, seize opportunity, and sustain long-term value. It is not about reactive firefighting but rather about proactive design. This Component is structured around four principles:
- Manage and Oversee Risks and Opportunities
- Manage Compliance Responsibilities
- Establish and Evaluate Internal Control
- Monitor Governance Effectiveness
These principles span strategic, operational, and cultural dimensions of governance, reinforcing that a single function doesn’t own resilience. It’s built collaboratively across the board, executive leadership, internal audit, risk, and yes, compliance.
Why Resilience Belongs to Compliance
Compliance has always operated at the intersection of policy, people, and process. But in the Framework's view, compliance is also a key architect of resilience. Why? Because of the following:
- Compliance sees how risks evolve across geographies, regulations, and business lines.
- Compliance manages escalation, remediation, and accountability processes.
- Compliance helps define the thresholds for risk acceptance and control failure.
- Compliance monitors ethics and behavior—early indicators of cultural cracks.
- Compliance is a trusted communicator in times of crisis.
The Resilience Component is our invitation to lead, not just to prevent harm but to build strength.
Five Key Lessons for Compliance Professionals
Lesson 1: Governance Without Risk Integration Is Incomplete
Principle 21: Manage and Oversee Risks and Opportunities
Executive management, with board oversight, must establish a structured, dynamic risk management process that aligns strategy, performance, and risk appetite. The board must allocate oversight of risk areas across committees while maintaining integrated ownership of enterprise-level risks.
Compliance Tip: Engage with your risk management function to ensure your compliance risks, such as regulatory enforcement, third-party integrity, and misconduct, are embedded in enterprise risk registers and heatmaps. Use scenario planning to show how legal and compliance risks could disrupt strategic objectives. Partner with the CRO to lead cross-functional risk workshops that consider both downside risk and upside opportunity (e.g., entering new markets with strong compliance advantages).
Lesson 2: Compliance Is Not a Silo—It’s a System
Principle 22: Manage Compliance Responsibilities
Compliance must be embedded across the enterprise, with clear ownership, independent oversight, robust policies, and responsive change management. The CCO must have the authority, access, and independence to lead an effective compliance program that evolves with risk.
Compliance Tip: Ensure your program includes both centralized compliance (for policy and strategy) and decentralized compliance partners (within functions or geographies). Consistency is key, but so is contextualization. Build a compliance change management protocol that activates when laws shift or operations expand. This should include regulatory horizon scanning, impact assessments, stakeholder training, and updated controls. Resilience depends on staying current, not merely compliant with yesterday's standards.
Lesson 3: Internal Control Is Not Just Finance—It’s Enterprise Resilience
Principle 23: Establish and Evaluate Internal Control
Internal controls must support the achievement of operational, reporting, and compliance objectives. Executive management must align controls with ethics, legal obligations, and the entity’s risk profile, and boards must oversee their design and effectiveness.
Compliance Tip: Expand your oversight of controls beyond SOX and financial reporting. Review controls around conflicts of interest, data protection, anti-corruption, and third-party oversight. Collaborate with internal audit and risk to integrate compliance controls into enterprise-wide control frameworks and control testing cycles. Use this alignment to identify duplication, streamline assurance, and enhance board visibility.
Lesson 4: Monitoring Isn’t About Activity—It’s About Insight
Principle 24: Monitor Governance Effectiveness
Governance must be continuously monitored, not just audited periodically. This includes reviewing trends, stakeholder expectations, and gaps in policy or performance. Both the board and management should receive real-time insights on culture, compliance, and risk exposure.
Compliance Tip: Build dashboards that combine hard compliance metrics (e.g., training rates, hotline activity) with qualitative indicators (e.g., engagement survey results, tone-at-the-top assessments). Present these to executive leadership as part of quarterly reporting. Lead a governance “lookback” exercise after key incidents, such as investigations, regulatory inquiries, or market shifts. What worked? What broke down? What signals were missed? This practice turns mistakes into muscle.
Lesson 5: Technology Is a Force Multiplier—Use It to Scale Resilience
COSO highlights the power of technology, like GRC systems, data analytics, and artificial intelligence, to drive smarter, faster governance. Resilience requires visibility and agility, which technology can deliver when thoughtfully deployed.
Compliance Tip: Leverage technology to automate monitoring of high-risk processes, such as gifts and hospitality, vendor onboarding, or export controls. Use exception alerts to flag potential issues before they escalate. Pilot predictive analytics for culture and ethics risk. Combine internal data (e.g., survey responses, exit interviews, training patterns) with external signals (e.g., Glassdoor reviews, whistleblower trends) to identify emerging hotspots. That's how resilient organizations get ahead of reputation-damaging crises.
Building a Resilience-Driven Compliance Program
Use COSO’s Resilience Component as the blueprint for a more integrated, forward-looking compliance program. Here’s how to begin:
- Risk Integration: Map compliance risks to strategic objectives and ensure alignment with ERM.
- Compliance Ownership: Assign roles and responsibilities at all levels, with a clear reporting line to the board.
- Controls Framework: Ensure compliance controls are part of your internal control evaluation process, not isolated.
- Technology Enablement: Deploy automation and analytics to monitor, report, and adapt.
- Monitoring Infrastructure: Create a system for real-time visibility and feedback across all six COSO governance components.
This is not simply about regulatory defense. It’s about strategic readiness and stakeholder trust.
What Boards Need to Hear from Compliance
Bring these messages to your next governance, audit, or risk committee meeting:
- Resilience is the outcome of integrated governance, compliance, risk, internal control, and culture that must work together.
- Compliance is a strategic partner in managing disruption, not just avoiding penalties.
- The board should regularly review compliance monitoring dashboards alongside risk and financial data.
- The compliance function must be properly resourced and independent to support resilience.
- Resilience is not just bouncing back; it is about designing systems that do not fold under pressure.
When boards see compliance as an enabler of value, not just a cost center, they make better decisions and support stronger programs.
Final Thoughts: Resilience Is the Future of Compliance
The COSO Resilience Component confirms what many of us have been saying for years: compliance must evolve from a reactive function to a proactive pillar of enterprise stability.
Do not simply write the policy. Build the process. Don’t just monitor conduct. Predict behavior. Don’t just advise in hindsight. Prepare with foresight. Because in governance, resilience isn’t a buzzword; it is a business model. And compliance is right at the center of making it real.
The full CGF Public Exposure Draft is open for reading and public comment. The comment period closes July 11, 2025.