
Compliance Tip of the Day – COSO Governance Framework: Part 4, Culture

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

We continue our multi-part review of the new COSO Governance Framework (CGF). Today, we look at Component 3: Culture.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.


Compliance Tip of the Day – COSO Governance Framework: Part 3, Strategy


We continue our multi-part review of the new COSO Governance Framework (CGF). Today, we look at Component 3: Strategy.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.


Compliance Tip of the Day – COSO Governance Framework: Part 2, Oversight


We continue our multi-part review of the new COSO Governance Framework (CGF). Today, we examine Component 2: Oversight.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.


COSO’s Corporate Governance Framework: Component 6 – Resilience

We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework) as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 6—Resilience. In today’s volatile business climate, one thing is certain: disruption is no longer the exception; it has become the norm. Whether it’s a cybersecurity incident, regulatory upheaval, geopolitical instability, or reputational crisis, the organizations that thrive are those that can bend without breaking. That’s why Component 6 – Resilience in the COSO Corporate Governance Framework (CGF) is more than timely; it may well be foundational.

For the compliance professional, resilience isn’t just about bouncing back—it’s about designing governance systems that withstand, anticipate, and even leverage disruption. The CGF reframes resilience as an integrated model that weaves together risk management, compliance, internal control, and continuous monitoring. This final Component of the framework is where compliance moves from policy enforcement to value creation. It is where compliance becomes a partner in operational continuity, strategic foresight, and cultural durability.

What Is the Resilience Component?

COSO defines resilience as the ability to withstand disruption, adapt to change, seize opportunity, and sustain long-term value. It is not about reactive firefighting but about proactive design. This Component is structured around four principles:

  1. Manage and Oversee Risks and Opportunities
  2. Manage Compliance Responsibilities
  3. Establish and Evaluate Internal Control
  4. Monitor Governance Effectiveness

These principles span strategic, operational, and cultural dimensions of governance, reinforcing that a single function doesn’t own resilience. It’s built collaboratively across the board, executive leadership, internal audit, risk, and yes, compliance.

Why Resilience Belongs to Compliance

Compliance has long operated at the intersection of policy, people, and process. But in the Framework’s view, compliance is also a key architect of resilience. Why? Because of the following:

  • Compliance sees how risks evolve across geographies, regulations, and business lines.
  • Compliance manages escalation, remediation, and accountability processes.
  • Compliance helps define the thresholds for risk acceptance and control failure.
  • Compliance monitors ethics and behavior—early indicators of cultural cracks.
  • Compliance is a trusted communicator in times of crisis.

The Resilience Component is our invitation to lead, not just to prevent harm but to build strength.

Five Key Lessons for Compliance Professionals

Lesson 1: Governance Without Risk Integration Is Incomplete

Principle 21: Manage and Oversee Risks and Opportunities

Executive management, with board oversight, must establish a structured, dynamic risk management process that aligns strategy, performance, and risk appetite. The board must allocate oversight of risk areas across committees while maintaining integrated ownership of enterprise-level risks.

Compliance Tip: Engage with your risk management function to ensure your compliance risks, such as regulatory enforcement, third-party integrity, and misconduct, are embedded in enterprise risk registers and heatmaps. Use scenario planning to show how legal and compliance risks could disrupt strategic objectives. Partner with the CRO to lead cross-functional risk workshops that consider both downside risk and upside opportunity (e.g., entering new markets with strong compliance advantages).

Lesson 2: Compliance Is Not a Silo—It’s a System

Principle 22: Manage Compliance Responsibilities

Compliance must be embedded across the enterprise, with clear ownership, independent oversight, robust policies, and responsive change management. The CCO must have the authority, access, and independence to lead an effective compliance program that evolves with risk.

Compliance Tip: Ensure your program includes both centralized compliance (for policy and strategy) and decentralized compliance partners (within functions or geographies). Consistency is key, but so is contextualization. Build a compliance change management protocol that activates when laws shift or operations expand. This should include regulatory horizon scanning, impact assessments, stakeholder training, and updated controls. Resilience depends on staying current, not compliant with yesterday’s standards.

Lesson 3: Internal Control Is Not Just Finance—It’s Enterprise Resilience

Principle 23: Establish and Evaluate Internal Control

Internal controls must support the achievement of operational, reporting, and compliance objectives. Executive management must align controls with ethics, legal obligations, and the entity’s risk profile, and boards must oversee their design and effectiveness.

Compliance Tip: Expand your oversight of controls beyond SOX and financial reporting. Review controls around conflicts of interest, data protection, anti-corruption, and third-party oversight. Collaborate with internal audit and risk to integrate compliance controls into enterprise-wide control frameworks and control testing cycles. Use this alignment to identify duplication, streamline assurance, and enhance board visibility.

Lesson 4: Monitoring Isn’t About Activity—It’s About Insight

Principle 24: Monitor Governance Effectiveness

Governance must be continuously monitored, not just audited periodically. This includes reviewing trends, stakeholder expectations, and gaps in policy or performance. Both the board and management should receive real-time insights on culture, compliance, and risk exposure.

Compliance Tip: Build dashboards that combine hard compliance metrics (e.g., training rates, hotline activity) with qualitative indicators (e.g., engagement survey results, tone-at-the-top assessments). Present these to executive leadership as part of quarterly reporting. Lead a governance “lookback” exercise after key incidents, such as investigations, regulatory inquiries, or market shifts. What worked? What broke down? What signals were missed? This practice turns mistakes into muscle.

Lesson 5: Technology Is a Force Multiplier—Use It to Scale Resilience

COSO highlights the power of technology, like GRC systems, data analytics, and artificial intelligence, to drive smarter, faster governance. Resilience requires visibility and agility, which technology can deliver when thoughtfully deployed.

Compliance Tip: Leverage tech to automate monitoring of high-risk processes, such as gifts & hospitality, vendor onboarding, or export controls. Use exception alerts to flag potential issues before they escalate, and pilot predictive analytics for culture and ethics risk. Combine internal data (e.g., survey responses, exit interviews, training patterns) with external signals (e.g., Glassdoor, whistleblower trends) to identify emerging hotspots. That’s how resilient organizations get ahead of reputation-damaging crises.

Building a Resilience-Driven Compliance Program

Use COSO’s Resilience Component as the blueprint for a more integrated, forward-looking compliance program. Here’s how to begin:

  • Risk Integration: Map compliance risks to strategic objectives and ensure alignment with ERM.
  • Compliance Ownership: Assign roles and responsibilities at all levels, with a clear reporting line to the board.
  • Controls Framework: Ensure compliance controls are part of your internal control evaluation process, not isolated.
  • Technology Enablement: Deploy automation and analytics to monitor, report, and adapt.
  • Monitoring Infrastructure: Create a system for real-time visibility and feedback across all six COSO governance components.

This is not simply about regulatory defense. It’s about strategic readiness and stakeholder trust.

What Boards Need to Hear from Compliance

Bring these messages to your next governance, audit, or risk committee meeting:

  • Resilience is the outcome of integrated governance, compliance, risk, internal control, and culture that must work together.
  • Compliance is a strategic partner in managing disruption, not just avoiding penalties.
  • The board should regularly review compliance monitoring dashboards alongside risk and financial data.
  • The compliance function must be properly resourced and independent to support resilience.
  • Resilience is not just bouncing back; it is about designing systems that do not fold under pressure.

When boards see compliance as an enabler of value, not just a cost center, they make better decisions and support stronger programs.

Final Thoughts: Resilience Is the Future of Compliance

The COSO Resilience Component confirms what many of us have been saying for years: compliance must evolve from a reactive function to a proactive pillar of enterprise stability.

Do not simply write the policy. Build the process. Don’t just monitor conduct. Predict behavior. Don’t just advise in hindsight. Prepare with foresight. Because in governance, resilience isn’t a buzzword; it is a business model. And compliance is right at the center of making it real.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes July 11, 2025.


COSO’s Corporate Governance Framework: Component 5 – Communication

We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework) as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 5—Communication. If culture is the heart of an organization and people are its muscle, then communication is the circulatory system, carrying oxygen (information), nutrients (values), and antibodies (escalations and feedback) to every part of the governance body.

Most assuredly, it is not a side note. Communication is a core governance function, as critical as oversight, strategy, and culture. This component affirms something that compliance professionals have long known: poor communication creates risk, while effective communication fosters trust, resilience, and accountability. The Framework lays out a comprehensive roadmap for governing the quality, flow, and purpose of information both inside and outside the enterprise. It addresses communication as both a technical capability and a leadership responsibility, making it a perfect area for compliance professionals to lead from the front.

Today, we examine what Component 5 encompasses and identify five actionable lessons for compliance professionals who are ready to champion the communication function in governance.

What Does the Communication Component Cover?

COSO organizes this component around four principles:

  1. Commit to Information Quality
  2. Engage Stakeholders Strategically
  3. Communicate Effectively with Internal Stakeholders
  4. Communicate Effectively with External Stakeholders

Taken together, these principles stress that communication is strategic, multidirectional, and accountable. It is not just about what is said; rather, it is about who says it, how it is said, where it flows, and whether the message enables ethical decision-making, risk awareness, and stakeholder engagement.

Why Communication Matters to Compliance

For compliance professionals, communication is both a tool and a test. How we communicate policies, processes, and expectations shapes how employees behave. How the board receives information determines the quality of its decisions. How stakeholders perceive our transparency defines our license to operate.

More than ever, regulators, investors, and employees demand not just disclosure but meaningful, timely, and values-driven communication. That means compliance must go beyond the whistleblower hotline and annual training; we must build communication systems that enable governance excellence.

Five Key Lessons for Compliance Professionals

Lesson 1: Information Quality Is a Governance Issue—Own the Integrity of the Message

Principle 17: Commit to Information Quality

Boards and management must ensure that all internal and external information is accurate, complete, timely, and relevant to the decisions being made. This includes maintaining systems and controls to validate data and eliminate ambiguity in terminology.

Compliance Tip: Perform a communication audit of compliance reporting. Are your dashboards jargon-heavy or decision-ready? Do your risk reports help the board prioritize issues or confuse the message? Work with IT, internal audit, and risk to deploy governance, risk, and compliance (GRC) platforms that centralize and standardize your reporting. Use these tools not just to track activities but to tell a governance story.

Lesson 2: Stakeholder Engagement Is Risk Management—Make Communication Strategic

Principle 18: Engage Stakeholders Strategically

Executive management must identify key internal and external stakeholders and ensure that appropriate channels exist to share information, solicit feedback, and address concerns. This includes employees, investors, regulators, customers, suppliers, and communities.

Compliance Tip: Map your stakeholder communication channels, including the messages sent to whom, when, and through which medium. Identify gaps where feedback isn’t captured or transparency is lacking. Lead a quarterly cross-functional stakeholder forum with representatives from legal, ESG, investor relations, operations, and compliance. Use it to review messaging consistency, flag potential disconnects, and align on communication strategy for high-impact governance topics.

Lesson 3: Internal Communication Must Flow in All Directions—Not Just Top-Down

Principle 19: Communicate Effectively with Internal Stakeholders

Effective communication within the entity must support timely, secure, and informed decision-making across all departments and levels. It must include not only top-down directives, but also cross-functional collaboration and bottom-up feedback.

Compliance Tip: Evaluate whether your policies and training materials are accessible and understandable to frontline employees. Simplify complex legal language. Reinforce messaging across multiple touchpoints, not just once a year. Establish a compliance “listening architecture.” This could include monthly manager check-ins, anonymous digital suggestion boxes, and cultural pulse surveys. Use the insights to adapt your messaging, identify unspoken risks, and refine your program in real time.

Lesson 4: External Communication Requires Guardrails—Balance Transparency and Confidentiality

Principle 20: Communicate Effectively with External Stakeholders

Boards and executive management must govern external communications with care, ensuring transparency while protecting sensitive information and aligning with legal, regulatory, and reputational considerations. This includes formal disclosures, media engagement, investor briefings, and even social media interactions.

Compliance Tip: Coordinate with legal, investor relations, and public affairs to ensure external compliance disclosures (e.g., investigations, regulatory actions, ESG updates) are accurate and strategically timed. Recommend creating or expanding the entity’s disclosure committee beyond financial reporting. Include ethics, cybersecurity, and ESG in its scope. This ensures consistent governance over all public-facing statements, not just 10-Ks and earnings calls.

Lesson 5: Escalation Protocols and Whistleblower Systems Are Core Communication Channels

COSO stresses that communication is not simply about planned messaging; it is also about creating pathways for critical issues to reach decision-makers quickly. That includes whistleblower programs, hotline escalation, and crisis protocols that support real-time visibility and accountability.

Compliance Tip: Review your escalation policy. Is it clear when, how, and to whom an issue must be reported? Is there redundancy if a leader is implicated? Does the board know what “red lines” exist? Include whistleblower trends and escalation effectiveness as standing items in your board or audit committee materials. Go beyond volume and share insights about culture, responsiveness, and process quality. That’s how you earn board confidence and budget support.

Building a Governance Communication Program

To operationalize COSO’s Communication Component, compliance leaders should help lead the development of an integrated governance communication program with the following features:

  • Message alignment across all internal and external platforms;
  • Defined roles for who speaks, who approves, and who responds;
  • Feedback mechanisms like surveys, listening sessions, and open-door policies;
  • Secure reporting systems that support anonymity and protect whistleblowers; and
  • Crisis playbooks that define escalation paths, communications teams, and messaging protocols.

The goal? To ensure that communication is not just noise, but a narrative that guides behavior, enables decisions, and builds trust with all stakeholders.

What Boards Need to Hear from Compliance

Here’s what to communicate to your board:

  • The quality of governance depends on the quality of information.
  • Misaligned or confusing communication creates regulatory and reputational risk.
  • Stakeholders expect timely, truthful, and values-aligned information, not just compliance.
  • Compliance has a unique view into cross-functional communication gaps and whistleblower data.
  • The board should actively monitor communication systems and protocols, just as it does financial reporting.

When the board understands that communication is a control, not just a convenience, they will begin to ask better questions and set higher expectations.

Final Thoughts: Communication Is Governance in Motion

To determine whether your governance program is effective, listen to what people say and, equally importantly, what they do not. COSO’s Communication Component reminds us that in governance, silence is a risk, confusion is a vulnerability, and transparency is a strength.

As compliance professionals, we are communicators by necessity, but COSO invites us to become communicators by design. That means building systems that convey messages, address concerns, and connect people to their purpose. Governance is not just about structure; in many ways, it is about story. Make sure yours is told well.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes July 11, 2025.


COSO’s Corporate Governance Framework: Component 4 – People

We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework) as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 4—People. It was allegedly Warren Buffett who coined the phrase “Culture eats strategy for breakfast.” But let me tell you something else that’s equally true: people make or break both. In Component 4, the focus is squarely on people: how we attract, develop, compensate, and ultimately hold them accountable for creating long-term value.

This is a vital message for compliance professionals. Why? Because the most sophisticated compliance program on paper won’t protect your organization if the wrong people are making the wrong decisions for the wrong reasons. Compliance is not about abstract rules; it is about human behavior. And COSO’s People Component brings that reality home.

The framework outlines how boards and executive leadership must take responsibility for aligning people, systems, hiring, training, leadership development, compensation, and succession planning with the entity’s purpose, culture, and strategy. In other words, governance doesn’t end at the boardroom door; it extends to the front line.

Today, we break down COSO’s guidance and explore five key lessons for compliance professionals ready to lead on the people side of governance.

What Is the People Component?

COSO’s CGF defines the People Component as the foundational element that ensures the right individuals are in the right roles, with the proper support, and aligned to the right objectives. This component contains three key principles:

  1. Deploy People Strategy and Succession Planning
  2. Manage People and Compensation
  3. Drive Performance and Development

From the board to the front line, these principles focus on accountability, integrity, ethical leadership, and performance through the lens of talent governance.

Why This Matters to Compliance

This component affirms what we in compliance have always known: talent decisions are, in fact, ethical decisions. Incentives shape behavior. Leadership shapes tone. And people strategy shapes resilience.

For compliance professionals, the People Component is a golden opportunity to build bridges with HR, executive management, and the board. It empowers us to bring our risk lens to hiring, our ethics lens to incentives, and our accountability lens to performance management.

Five Key Lessons for Compliance Professionals

Lesson 1: People Strategy Is a Governance Issue—Be Part of the Planning Table

Principle 14: Deploy People Strategy and Succession Planning

Executive management must align people strategy with business goals, assessing future workforce needs, talent gaps, and leadership succession. The board provides oversight to ensure that the right talent is in place to deliver strategic objectives in an ethical and effective manner.

Compliance Tip: Partner with HR to understand how workforce planning encompasses compliance-critical roles, including data privacy, risk management, internal audit, and ESG. Ask how your company identifies future leaders who can model ethical conduct and resilience. Propose a compliance risk overlay in succession planning. Ask: “If this person moves into a high-impact role, do they have a track record of integrity and sound judgment under pressure?” Build that into leadership assessments.

Lesson 2: Compensation Drives Behavior—So Monitor It Carefully

Principle 15: Manage People and Compensation

The board and executive management must ensure that compensation structures reward long-term value creation and ethical behavior, not just short-term results. This includes executive compensation, employee incentives, and total rewards strategies that align with core values.

Compliance Tip: Request visibility into compensation metrics, especially for sales, finance, and procurement teams. If employees are being rewarded solely based on volume or cost savings, that could signal a misalignment with ethical standards. Collaborate with HR and the compensation committee to include compliance and ethics indicators in bonus calculations. Consider investigation outcomes, training compliance, audit results, and peer feedback on values-based behavior.

Lesson 3: Onboarding and Offboarding Are Compliance Moments of Truth

The People Component makes it clear: onboarding and offboarding are governance checkpoints. Onboarding is your chance to set expectations. Offboarding is your last opportunity to capture lessons and protect integrity.

Compliance Tip: Work with HR to ensure onboarding includes live ethics training, culture orientation, and clear escalation procedures. Offboarding should include structured exit interviews with questions on pressure, misconduct, and retaliation risks. Review offboarding data for red flags. If high-performing employees are leaving due to ethical concerns or if leaders with compliance histories are going quietly, you need to escalate those patterns to leadership and the board.

Lesson 4: Performance Reviews Must Reflect How Results Are Achieved—Not Just What Is Achieved

Principle 16: Drive Performance and Development

The board and executive management are responsible for performance systems that reflect both outcomes and behaviors. Reviews must consider how goals were achieved in an ethical, collaborative, and aligned manner with core values.

Compliance Tip: Request that HR include ethics-based questions in performance reviews. For example: “Does this employee act as a role model for integrity?” or “Does this person raise concerns appropriately?” Pilot a 360-degree review process for leaders that includes peer, subordinate, and compliance input on tone, transparency, and trustworthiness. Utilize these results in succession planning and leadership development initiatives.

Lesson 5: Development Programs Must Include Ethics, Governance, and Risk Awareness

Too often, leadership development focuses on financial acumen and strategy but remains silent on ethics, oversight, and compliance. COSO advocates for executive and board education that enhances governance throughout the organization.

Compliance Tip: Offer to design or co-lead development sessions on ethical decision-making, speak-up culture, conflicts of interest, and stakeholder trust. Focus not just on what leaders should do, but on how they should think. Ask the board to adopt a continuing education policy that includes topics related to compliance and ethics. Bring in external experts, regulators, or thought leaders in ethics to refresh perspectives and address emerging risks.

Compliance’s Role in Talent Governance

Compliance professionals are not necessarily HR specialists, but they are the stewards of ethical risk, organizational culture, and accountability. COSO’s People Component gives us a clear lane to add value in three ways:

  1. Risk insight: Help assess where people-related risks are most concentrated, such as in high-pressure sales, international expansion, and acquisitions.
  2. Behavioral analytics: Use data to flag misaligned incentives, weak training completion, or trends in misconduct.
  3. Governance alignment: Support the board in aligning people, systems, and ethics with strategy and long-term value creation.

By engaging early and often in talent conversations, compliance can prevent misconduct, protect stakeholders, and promote resilience.

Educating the Board on People Governance

Bring these insights to your next board or audit committee session:

  • Governance includes oversight of people, not just policies.
  • Talent gaps in ethics, risk, or leadership can derail strategy execution.
  • The board must understand how people systems align with values.
  • Compliance can help assess whether compensation, performance, and succession planning are risk-aligned.

When boards connect people decisions to governance outcomes, compliance moves from operational support to strategic leadership.

Final Thoughts: People Are Governance in Action

Compliance is no longer just about controls. It is about character at every level of the organization. COSO’s People Component recognizes that the fundamental drivers of governance are people: directors who ask the hard questions, managers who model ethical behavior, and employees who speak up when something doesn’t feel right.

In the spirit of the Compliance Evangelist: Use this component to engage deeply with the human side of your organization. Help your company build a workforce that not only follows the rules but also embodies its values. That should be your legacy.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes July 11, 2025.


COSO’s Corporate Governance Framework: Component 3 – Culture

We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework) as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 3—Culture. When discussing corporate culture, we often do so in vague, inspirational terms. However, in Component 3 – Culture, the Framework positions culture as a measurable, manageable, and mission-critical governance function. For compliance professionals, this is not just validating; it amounts to a mandate.

In today’s risk environment, culture should not be a soft topic. Properly viewed, it is a leading indicator of whether your organization can weather disruption, comply with complex regulations, and maintain trust with stakeholders. COSO’s culture guidance transforms tone at the top into governance in action. It links behaviors to strategy, values to risk, and leadership to accountability.

What Is Culture in the COSO Framework?

COSO defines culture as “the set of shared values, attitudes, and behaviors shaped by leadership that influence how individuals act with integrity, make decisions, and respond to risk.” It is not a slogan, but how people behave when no one is watching.

The Culture Component is built around three core principles:

  1. Establish and Model Culture and Behaviors
  2. Promote Ethics, Respect, and Open Communication
  3. Assess and Adapt Culture

These principles emphasize that culture is dynamic and strategic, rather than passive or peripheral. It must be designed, led, measured, and, when necessary, corrected.

Why Culture Belongs to Compliance

Culture has long been a central component of compliance. But COSO now gives it a governance home—under the board’s oversight and executive leadership’s execution. Compliance leaders are uniquely positioned to monitor, assess, and influence culture in real time, across all levels of the organization.

Culture impacts:

  • How decisions are made;
  • Whether employees speak up;
  • How misconduct is handled;
  • Whether strategy is executed ethically; and
  • Whether compliance programs are seen as check-the-box or mission-critical.

With COSO’s Culture Component in hand, the compliance function has the playbook, and the board has the responsibility to govern culture as seriously as they govern financial controls.

Five Key Lessons for Compliance Professionals

Lesson 1: Culture Starts at the Board—Help Them Set the Tone and Model the Way

Principle 11: Establish and Model Culture and Behaviors

Boards and executive management must define the desired culture and model expected behaviors in alignment with purpose, values, and strategy. They must actively reinforce ethical norms through actions, decisions, and communications.

Compliance Tip: Offer directors a quarterly culture dashboard that includes whistleblower activity, employee sentiment, training engagement, and ethics concerns. Use anonymized narratives to make the data more relatable and human. Collaborate with your board chair or lead independent director to include ethics and culture in the annual board assessment. If board behaviors contradict stated values, it’s your role to surface that constructively.

Lesson 2: Promote Ethics and Psychological Safety—So People Speak Up Before the Headlines

Principle 12: Promote Ethics, Respect, and Open Communication

Executive management, with board oversight, must foster an environment of ethical behavior, respect for diversity of thought, and open communication at all levels of the organization. This includes codes of conduct, anti-retaliation protections, and speaking-up programs.

Compliance Tip: Go beyond the hotline. Create structured opportunities for employees to raise concerns in a safe and low-friction manner, such as listening sessions, surveys, or informal feedback channels. Use data to identify psychological safety gaps. If your hotline volume is unusually low, if anonymous feedback channels go unused, or if exit interviews reveal concerns that were never raised while people were employed, bring this to the board’s attention and recommend action.

Lesson 3: Culture Is Built into Systems—Integrate It into Business Processes

COSO makes it clear: culture is operational. It is not just about the value posters on the wall. It must be embedded in hiring practices, incentive structures, performance reviews, vendor relationships, and even crisis response plans.

Compliance Tip: Partner with HR and operations to integrate ethical behavior into job descriptions, bonus structures, and leadership assessments. Help managers understand how their daily decisions shape the organizational culture. Audit your incentive systems. If employees are rewarded for outcomes that conflict with your values, such as cutting corners to meet targets, that is a loud red flag. Share these findings with leadership and propose ways to realign incentives with the stated values.

Lesson 4: Assess Culture with the Same Rigor as Financial Controls

Principle 13: Assess and Adapt Culture

Boards and executives must continuously monitor culture through both qualitative and quantitative means, like surveys, exit interviews, focus groups, and misconduct trends. They must use this insight to adjust behaviors, policies, and communications.

Compliance Tip: Develop a culture scorecard that blends hard metrics (e.g., hotline use, turnover, audit findings) with soft indicators (e.g., pulse survey sentiment, values alignment). Share it regularly with senior leadership and the board. Recommend a third-party cultural assessment every 2–3 years. A fresh outside perspective can validate internal findings or reveal misalignment between what leaders think the culture is and what employees experience.

Lesson 5: Culture Must Adapt in Crisis—So Plan Ahead

COSO acknowledges that culture is stress-tested in times of disruption, be it a cyber breach, executive misconduct, acquisition, or societal crisis. The Culture Component encourages entities to integrate cultural expectations into their change management and crisis response processes.

Compliance Tip: Collaborate with risk and crisis teams to develop culture-aligned responses in your business continuity or crisis management playbooks. This includes messaging protocols, decision-making principles, and escalation thresholds. After any major incident, conduct a post-crisis culture audit. Ask: Did we live our values? Were our responses timely, ethical, and transparent? Feed those insights into board reporting and future crisis planning.

Building a Culture Governance Program: Where Compliance Leads

To bring COSO’s Culture Component to life, compliance professionals should spearhead a culture governance program that includes:

  • Clear definitions of desired behaviors linked to purpose and values
  • Measurement tools (dashboards, surveys, listening posts, audits)
  • Accountability mechanisms (ownership in performance reviews, board oversight)
  • Responsive feedback loops to adjust based on data and stakeholder input
  • Ethics-based training that evolves with risk and reality

This program should be integrated into your ERM process, strategic reviews, and board governance cycle, rather than being siloed off as “compliance only.”

What Boards Need to Hear from Compliance

Bring these messages to your next board or audit committee meeting:

  • Culture is a governance issue, not just a management function.
  • Misaligned culture leads to misconduct, regulatory failure, and reputational damage.
  • Compliance has real-time data on how values are being lived or violated.
  • Boards must monitor culture as a key component of enterprise risk and strategy.
  • Tone at the top must be modeled, not just messaged.

When directors understand this, they begin to treat culture metrics with the same gravity as revenue forecasts or audit findings.

Final Thoughts: Culture Is Compliance’s Moment to Lead

In the world of governance, culture is where compliance and leadership intersect. COSO’s Framework not only endorses this idea, but it also institutionalizes it. If culture determines how strategy is executed, how risks are mitigated, and how stakeholders perceive your organization, then compliance is not merely a monitor; rather, it is a culture architect. So step up. Utilize the COSO Culture Component to foster ethical leadership, safeguard long-term value, and ensure that your organization not only talks the talk but also walks the walk.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes July 11, 2025.

Categories
Blog

COSO’s Corporate Governance Framework: Component 2 – Strategy

We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework), published as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 2—Strategy. This component places compliance at the forefront of value creation. It is not just about watching for missteps. It is about enabling the entity to pursue bold goals while staying grounded in ethics, purpose, and accountability.

For compliance professionals, this is a welcome and long overdue shift. Strategy is no longer just a business conversation; it is a governance imperative. COSO makes it clear: strategy is governance, and governance must include compliance at every stage—from definition to execution to performance monitoring. Today, we extract five key lessons for compliance professionals ready to step into a new leadership role.

I. Strategy in the COSO CGF: What It Covers

The Strategy Component of COSO’s CGF focuses on aligning the entity’s strategic direction with its purpose, values, and long-term objectives. It’s made up of four core principles:

  1. Define Purpose and Core Values
  2. Develop and Communicate the Strategy
  3. Execute the Strategy
  4. Measure Performance Against Strategy and Adjust

These principles provide a governance framework that not only connects the board and executive management but cascades responsibility throughout the entity, from strategy rooms to front-line decision-making.

Why Strategy Matters to Compliance

For years, strategy has been seen as the exclusive domain of the CEO, CFO, and business development leaders. Compliance was invited in after the fact, to clean up, audit, or assess risks. But COSO’s framework changes the conversation.

As compliance professionals, we bring a risk-aware, ethics-focused, stakeholder-sensitive perspective to the table. In an era of ESG mandates, AI disruption, global volatility, and regulatory scrutiny, strategy without compliance is incomplete. If your compliance function is not integrated into the strategy process, you are not practicing governance; you are essentially doing damage control.

II. Five Key Lessons for Compliance Professionals

Lesson 1: Start with Purpose—Not Just Policy

Principle 7: Define Purpose and Core Values

Boards and management must define the entity’s fundamental purpose, the “why” behind the business, and articulate the core values that guide decision-making, behavior, and stakeholder relationships. These values must be embedded into operations, strategic priorities, and performance incentives.

Compliance Tip: Tie your compliance policies, training, and reporting to the entity’s purpose and values. Do not lead with rules; lead with alignment. Offer to help HR and communications integrate purpose into onboarding, annual certifications, and code of conduct messaging. When purpose becomes the language of the enterprise, compliance becomes a strategic partner.

Lesson 2: Compliance Must Be at the Strategy Table

Principle 8: Develop and Communicate the Strategy

Executive management, in consultation with the board, is responsible for developing the strategic plan, which encompasses competitive positioning, market risks, stakeholder expectations, and capital allocation. Strategy development must include scenario planning and risk alignment to maximize long-term value.

Compliance Tip: Join strategic planning conversations early. Provide insight on regulatory trends, reputational risks, geopolitical shifts, and stakeholder concerns that could derail strategy if not addressed upfront. Offer to run a pre-mortem exercise: If this strategy fails, why will it fail? Use compliance-led facilitation to identify blind spots in the business model.

Lesson 3: Execution Is Where Ethics Live or Die

Principle 9: Execute the Strategy

Executing the strategy requires a well-defined operating model, clear accountability, aligned incentives, and integrated reporting. Middle management translates strategic goals into action, and it’s here that ethical risk often emerges.

Compliance Tip: Get involved in operational risk reviews. Ask how incentives are aligned with values. Review whether performance metrics encourage long-term thinking or shortcut-taking. Collaborate with the COO or HR to incorporate ethical conduct and risk awareness into performance evaluations and team KPIs. This helps you drive a values-based strategy from the ground up.

Lesson 4: Metrics Matter—And So Does What You Measure

Principle 10: Measure Performance Against Strategy and Adjust

Management must develop and track both financial and non-financial KPIs to assess progress against strategic goals. The board oversees these metrics and ensures that adjustments are made when results or risks shift.

Compliance Tip: Contribute to KPI development. Suggest ethical culture indicators, hotline trends, third-party risk metrics, or audit closure rates as part of strategy dashboards. Push for the inclusion of lagging and leading indicators. It’s not enough to track what went wrong. Compliance needs metrics that alert us to potential issues before they occur. Compliance analytics is your secret weapon.

Lesson 5: Agility Requires Structure—Be the Change Advisor

COSO’s Strategy Component emphasizes the need for strategic agility. This is the ability to pivot in the face of market disruptions, new risks, or regulatory change. But agility does not mean chaos. It requires disciplined change management, escalation procedures, and decision-making protocols.

Compliance Tip: Be a governance resource during change. Whether it is a reorganization, a product launch, a merger, or a crisis response, help ensure that the right people are consulted, that decisions are documented, and that owners are accountable. Offer a compliance impact assessment for major strategic shifts. Show how culture, third-party relationships, data privacy, or anti-bribery obligations will be affected and what the plan is to stay in control.

III. Strategy Is a Compliance Priority—Not Just a Business One

COSO’s Framework makes something crystal clear: strategy is no longer “off-limits” to compliance. The board must oversee it. Executive management must align it with the purpose. And the compliance function must embed integrity, risk foresight, and stakeholder accountability into every strategic decision. We should break the old model that treated compliance as a back-end reviewer. We are now co-pilots. COSO has provided compliance with the governance language to claim its seat at the strategy table. Now it is up to us to use it.

How to Put This Into Practice

Here are five actionable steps for compliance teams:

  1. Review your company’s strategic plan through the lens of COSO’s four strategy principles. Start by mapping your organization’s current strategic plan against the four COSO Strategy principles: defining purpose and core values, developing the strategy, executing it, and measuring performance. Ask critical questions—Does the plan reflect your core values? Are ethical risks explicitly considered? Do compliance concerns inform strategic KPIs? This exercise helps compliance professionals identify gaps where compliance can bring additional value, ensuring the organization’s long-term strategy is rooted in accountability, integrity, and transparency. It also positions compliance as a proactive contributor to governance, not a reactive afterthought.
  2. Schedule a briefing with strategy or finance leaders to explore how risk and ethics are being integrated into the process. Establish a strategic dialogue with your CFO, head of strategy, or business development leadership to understand how ethical considerations and compliance risks are being integrated into planning. Bring COSO’s Strategy principles to the table as a common framework and ask how the company’s strategic models account for reputational risk, regulatory change, and stakeholder expectations. Use this time to identify areas where compliance can provide valuable insights, such as in ESG, M&A due diligence, or geopolitical risk assessment. These conversations open doors for cross-functional collaboration and foster trust with executives as they manage high-impact decisions.
  3. Develop compliance metrics that align with strategic objectives, such as trust, resilience, and stakeholder engagement, to ensure effective management and oversight. Move beyond traditional compliance outputs (e.g., number of training sessions or hotline reports closed) and align your metrics with enterprise-level strategic outcomes. Consider how to measure ethical culture, employee trust, third-party integrity, and the entity’s overall resilience to misconduct. Develop dashboards that can be integrated into strategic performance reviews or presented to executive management and the board of directors. Metrics might include culture survey participation, average investigation time, or third-party onboarding risk ratings. When compliance shows it can measure what matters to business leaders, it becomes a strategic asset, not a regulatory cost center.
  4. Pilot a strategic compliance review for a major initiative (product launch, M&A, market expansion). Choose a significant upcoming business initiative, perhaps a new product launch, geographic expansion, or merger, and embed compliance into the project team from the start. Conduct a compliance risk assessment tailored to the initiative’s strategy, market, and operating model. Ask how data privacy, third-party risk, anti-bribery compliance, and ethical culture will be protected during execution. Create an action plan that includes clear governance checkpoints, escalation triggers, and controls. This pilot not only demonstrates the value of compliance in driving strategic success, but it also establishes a replicable model for integrating compliance into future enterprise initiatives.
  5. Educate your board on the compliance implications of COSO’s Strategy Component—especially in strategy execution and performance monitoring. Prepare a board-level briefing or an audit committee presentation that focuses on how the compliance function supports strategic execution and long-term value creation. Use COSO’s Strategy principles to show how compliance intersects with business model design, culture, risk oversight, and scenario planning. Discuss how your function contributes to measuring non-financial performance indicators and adjusting strategy considering regulatory shifts or reputational risks. Reinforce the message that compliance is a governance tool, not just a defensive mechanism. By educating the board on these dynamics, you elevate the role of compliance in strategy and support a culture of forward-looking governance.

Final Thoughts: The Future of Strategy Is Compliance-Infused

We often say that strategy sets the tone for the business. However, as compliance professionals, we now have the tools and the COSO framework to ensure that tone is ethical, risk-aware, stakeholder-conscious, and purpose-driven. Compliance should not simply review strategy; we should move to shape it. Bring our questions, our insights, and our integrity to the table where the most important business decisions are made. That is what governance leadership looks like. COSO just gave compliance the playbook.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes July 11, 2025.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The COSO Governance Framework

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you seeking insightful perspectives on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss the recently released COSO Corporate Governance Framework.

Tom and Matt take a deep dive into the new COSO Corporate Governance Framework draft. They discuss the importance of public comment on the draft, which is open until July 11, and explore the framework’s six key components. The framework aims to provide discipline in achieving good governance within organizations, covering areas such as strategy, culture, human resources, and resilience. Kelly highlights the significance of culture in compliance and the role of information quality in the future, providing practical tips on implementing and testing the framework. The episode highlights the importance of this framework for various stakeholders, encouraging practitioners to review and provide feedback on the draft.

Key highlights:

  • Overview of COSO’s Draft Corporate Governance Framework
  • The Six Objectives of the Framework
  • Importance of Culture in Compliance
  • Principles and Points of Focus
  • Resilience in Corporate Governance

Resources:

Matt Kelly in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds, was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast.