
Compliance Tip of the Day – COSO Governance Framework: Part 5, People

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

We continue our multi-part review of the new COSO Governance Framework (CGF). Today, we look at Component 4, People.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.


Compliance Tip of the Day – COSO Governance Framework: Part 1, Introduction


Today, we introduce a multi-part review of the new COSO Governance Framework (CGF). 

For more on this topic, check out The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, which LexisNexis recently released. It is available here.


COSO’s Corporate Governance Framework: What It Means for Compliance

For decades, COSO has been the gold standard in internal controls and enterprise risk management. But with the release of its new Corporate Governance Framework (CGF), now open as a Public Exposure Draft, COSO has thrown down the gauntlet to the compliance profession. This isn’t just a governance checklist. It is a call to action: step up, shape governance, and lead your organization into the future.

After exploring each of the six CGF Components in depth, I wanted to conclude this series by bringing it all together. What does the new COSO framework mean for compliance professionals? How should you adjust your strategy, your conversations with the board, and your daily work? Here are the big lessons and the practical next steps.

1. The Big Picture: A New Era for Governance and Compliance

The COSO CGF is a principles-based, integrated system designed to make governance everyone's business, not the sole responsibility of the Board of Directors. The six Components (Oversight, Strategy, Culture, People, Communication, and Resilience) each include key Principles with practical Points of Focus and leading-edge considerations. This is not a compliance framework by name, but it is a governance framework that places compliance at the heart of value creation, accountability, and enterprise resilience.

Compliance Takeaway: The CGF is arriving at a moment of regulatory complexity, stakeholder activism, and reputational volatility. Boards and management face evolving risks from AI, cyber, and ESG while being held to standards of transparency and trust by investors, employees, and society itself. If you’re a compliance leader, COSO just handed you the blueprint for embedding compliance deeper than ever before.

2. Oversight: Compliance’s Seat at the Table

Effective governance starts with the board, but it extends through management to every level of the organization. Oversight is about structure, independence, and accountability across board composition, executive delegation, and shareholder engagement. Do not be a bystander in governance; be a builder. Propose committee enhancements, brief leadership on independence and risk, and ensure compliance is on the board’s standing agenda. Your role is to clarify escalation protocols, support board effectiveness, and ensure oversight extends beyond mere numbers to encompass culture and ethical tone.

Compliance Takeaway: Start benchmarking your board structure and practices against COSO's principles. Bring data to governance discussions and push for compliance metrics and risk topics to be regular board agenda items.

3. Strategy: From Afterthought to Co-Pilot

Strategy is no longer a C-suite sandbox. COSO makes clear: the board must oversee strategy, management must align it with purpose, and compliance must be at the table from planning to performance review. Step into the strategic conversation early. Embed compliance considerations into scenario planning, risk assessment, and incentive design. Move beyond being a “fixer” after decisions are made. You are now a co-pilot in shaping resilient, risk-aware, and stakeholder-driven strategy.

Compliance Takeaway: Map your organization’s strategic plan to the four COSO strategy principles: purpose, development, execution, and measurement. Create or enhance compliance dashboards with ethical and cultural KPIs, and ensure the board is briefed on them.

4. Culture: From Soft Topic to Measurable Mandate

Culture is not simply a poster on the wall; rather, it is how people behave when nobody is watching. The CGF calls for boards to own culture oversight, with management embedding values in every business process, from hiring to crisis response. Culture is now measurable, manageable, and mission-critical. Create culture dashboards, integrate ethics into leadership assessments, and bring employee sentiment to the board. Remember, misaligned culture leads to misconduct, and compliance has the data to prove it.

Compliance Takeaway: Launch a culture governance program with clear metrics (hotline use, training engagement, exit interview themes). Schedule regular board updates and recommend third-party culture assessments every few years.

5. People: Talent Is Governance in Action

People make or break both strategy and culture. COSO's People Component focuses on workforce planning, succession, compensation, and development, with the board responsible for oversight of all of them. Partner with HR on leadership development, succession planning, and ethics in incentives. Review onboarding and offboarding for compliance moments of truth, and advocate for ethics questions in performance reviews. Do not simply check the HR box; bring a compliance risk lens to every talent conversation.

Compliance Takeaway: Review how people-related risks (succession gaps, compensation misalignment) are addressed in board and committee agendas. Propose ethics- and compliance-driven enhancements to talent processes, and pilot 360-degree reviews for key leaders.

6. Communication: Governance’s Nervous System

Communication is not simply about reporting; rather, it is the way governance breathes. The CGF emphasizes trustworthy data, technology enablement, escalation protocols, and stakeholder engagement. Ensure your GRC systems provide real-time, accurate insights. If your compliance program runs on spreadsheets, it’s time for an upgrade. Push for integrated platforms, streamlined reporting, and regular “lookback” exercises after incidents.

Compliance Takeaway: Lead a review of your communication tools and escalation pathways. Bring technology-enabled dashboards to executive and board meetings, combining compliance, risk, and culture indicators for holistic governance oversight.

7. Resilience: From Compliance Cost Center to Value Enabler

Resilience is the ability to anticipate, withstand, and adapt to disruption. The Resilience Component weaves together risk, compliance, internal control, and continuous monitoring, and positions compliance as a pillar of enterprise stability. Expand your oversight of internal controls beyond financial reporting, and use technology to automate monitoring of high-risk areas. Lead post-incident reviews that turn mistakes into governance muscle. Compliance is not just about "bouncing back" from crisis; it is about building systems that don't break in the first place.

Compliance Takeaway: Map compliance risks to strategic objectives and ensure alignment with enterprise risk management (ERM). Use predictive analytics to flag emerging cultural or ethical risks, and brief the board on how the compliance program is driving resilience, not just compliance.

What Makes COSO’s CGF Different—and What You Should Do Now

Cross-functional by design. Each Component connects with others—culture shapes strategy, people enable resilience, and communication powers oversight.

Principle-based, not prescriptive. The framework is adaptable across industries and geographies. It is not about ticking boxes but building a system that fits your organization.

Tech-forward and future-focused. AI, data, and technology are built in from the start, not an afterthought.

Final Takeaways for Compliance Professionals:

  • Engage early and often: Do not wait for the board to call you. Proactively map your program to the CGF’s Components.
  • Benchmark and build: Use the framework as a lens to spot gaps, propose improvements, and advocate for compliance in new domains (talent, tech, ESG).
  • Educate and evangelize: Socialize the CGF across the C-suite, HR, IT, and risk. Make compliance the bridge that connects governance with value creation.

Closing Thoughts: A Call to Action

The new COSO Corporate Governance Framework is a leadership manual for the modern compliance professional. It challenges us to see compliance as more than defense; it is the engine of long-term value, trust, and resilience.

If you are ready to move from risk mitigator to governance architect, COSO just handed you the playbook. Now’s the time to roll up your sleeves, engage with the board, and help build a governance system that will stand the test of disruption, scrutiny, and change.


COSO’s Corporate Governance Framework: Component 1 – Oversight

We continue our exploration of the recently released COSO Corporate Governance Framework (the Framework) as a Public Exposure Draft. Today, we begin a deep dive into the six individual components with a discussion of Component 1: Oversight. It is a pillar that every compliance professional should study with the care of a board director preparing for their first 10-K briefing. The Framework is a clarion call for compliance professionals to rethink how we engage with governance, board structure, and accountability. Today, we will break it down and then dive into five lessons we must take back to our programs.

What Is Oversight in the COSO Framework?

The CGF defines oversight as the foundation of effective governance and long-term value creation. It begins with a board that is informed, independent, and proactive in directing strategy, supervising executive leadership, and maintaining organizational integrity.

But COSO doesn’t stop at roles and titles. The Oversight Component is made up of six principles:

Principle 1: Establish Board Structure and Exercise Oversight

This principle emphasizes that the board must create a well-defined governance structure with clearly assigned roles, responsibilities, and committees. It must actively exercise its oversight duties to support management’s execution of strategy while maintaining accountability to shareholders and stakeholders. Compliance professionals should engage early to ensure that governance structures also include strong compliance and ethics coverage, whether as standalone committees or integrated into audit or risk structures.

Principle 2: Appoint Board Leadership and Members

Boards must appoint competent, diverse, and independent leaders who possess integrity, objectivity, and a range of skills necessary to guide the organization effectively. Board leadership, whether a chair or lead independent director, must also foster effective decision-making and conflict resolution within the boardroom. Compliance teams should be prepared to assess and brief leadership on whether the board’s independence and composition are suited to today’s complex risk environment.

Principle 3: Select CEO and Delegate Authority

The board is responsible for selecting the CEO and formally delegating authority for strategic execution and operational decision-making. This includes maintaining clarity over which powers the board retains and which are delegated to management, ensuring accountability and effectiveness. Compliance should help define these boundaries, ensuring they include escalation protocols for compliance violations, investigations, and significant legal risks.

Principle 4: Establish Executive Structure and Effectively Manage

Executive management, with board oversight, must implement a governance structure that clearly outlines roles and responsibilities while enabling strategic execution, risk management, and ethical conduct. It requires maintaining effective internal communication and accountability mechanisms across business units. This principle affirms the compliance officer’s role in building the scaffolding for transparency and internal integrity in decision-making.

Principle 5: Operate the Board Effectively

Boards must regularly evaluate and refine their processes, calendars, and communication practices to optimize their oversight role. This includes utilizing executive sessions, clear meeting agendas, providing director access to management, and maintaining structured documentation to promote effectiveness and accountability. Compliance can support this effort by briefing directors on best practices for board effectiveness and helping to integrate compliance topics into existing agendas.

Principle 6: Uphold Shareholder Rights and Accountability

Boards and executive leadership must ensure that shareholder rights are protected and that disclosures enable informed decision-making and active engagement. This includes facilitating transparent communication, majority voting, and responding to shareholder concerns with respect and accountability. Compliance should assist in evaluating disclosure risks, supporting governance transparency, and managing the evolving expectations of institutional and activist investors.

Why It Matters to Compliance

Here’s the bottom line: Oversight defines the altitude from which the board governs—and the depth to which management is held accountable. It is where compliance either has a voice or is left scrambling to clean up messes.

As COSO puts it, oversight is shaped by:

  • Legal and regulatory obligations
  • Listing exchange standards
  • Shareholder and stakeholder expectations
  • Evolving risks and strategic complexity

Crucially, effective oversight depends on trust, transparency, and the willingness of directors to challenge management when necessary. If you are a compliance officer, you are the steward of that trust every time you walk into the boardroom or brief an audit committee.

Five Key Lessons for Compliance Professionals

Lesson 1: Structure Drives Behavior—Support the Right Board Composition

COSO reminds us that structure is not simply about paperwork; rather, it is about performance in waiting. Boards must have the right mix of committees, including audit, compensation, and nominating/governance, as well as tailored structures for emerging risks such as cybersecurity, ethics, and compliance.

Compliance Tip:

Be proactive in suggesting committee enhancements. If you see ESG risks mounting, propose a joint compliance-risk-ESG working group. If your board lacks a compliance-specific charter, now is the time to offer a draft. Offer benchmarking from peer organizations or industry regulators. Bring data to the table when proposing changes to board governance.

Lesson 2: Director Independence and Expertise Matter—Help Evaluate It

The CGF emphasizes that a supermajority of the board should be independent and that independence extends beyond a lack of financial ties; it also encompasses freedom from undue influence, appropriate tenure, and cognitive diversity.

Compliance Tip:

Your compliance and risk reports can shape how directors perceive their effectiveness. Provide clear, factual, and nuanced briefings, especially around risk appetite, incident investigations, and policy gaps. Encourage your board to adopt a skills matrix and evaluate directors on competencies related to ethics, compliance, and oversight, in addition to finance and operations.

Lesson 3: Board–Executive Relationships Are a Two-Way Street—Support the Feedback Loop

COSO emphasizes that executive management and the board need a trust-based, collaborative relationship. This means access to information, clarity of delegation, and open channels of communication, especially in a crisis.

Compliance Tip:

Use your role as a bridge, not a barrier, between management and the board. Ensure the board has access to accurate, real-time insights into investigations, emerging compliance issues, and root cause analyses. Help define and document escalation protocols. In times of crisis, ambiguity kills. Clear lines of escalation protect both the board and the business.

Lesson 4: Oversight Extends to Culture—Not Just Numbers

One of the most progressive moves COSO makes in this component is tying board oversight to organizational culture and behavior modeling. Directors must demonstrate ethics, respect, and transparency, just like the CEO.

Compliance Tip:

Start including culture indicators in your regular reporting, such as hotline trends, employee engagement results, training completion rates, and code of conduct violations. Do not simply report metrics; instead, contextualize them to make them more meaningful for your audience. Invite board members to participate in listening sessions or ethics town halls. Direct exposure to employee sentiment builds empathy and accountability.

Lesson 5: Shareholders Are Oversight Partners—Prepare for Transparency

The CGF challenges entities to uphold shareholder rights and engagement through transparent disclosures, majority voting for directors, and stewardship activities.

Compliance Tip:

Work closely with investor relations and legal to ensure your compliance-related disclosures are accurate, meaningful, and aligned with shareholder expectations. Don’t wait until an activist investor demands it. Conduct a pre-mortem with your team and board: If an activist investor were to challenge our compliance program, where would they strike first? Fix that area today.

What’s New and Noteworthy?

There are several leading-edge considerations embedded in the Oversight section that every compliance officer should note:

  • Expanding compensation committee roles to include culture, diversity, and talent oversight
  • Increased use of executive sessions for confidential discussions without management
  • Policies to prevent overboarding, especially for sitting executives and CEOs
  • Structured onboarding and offboarding for directors to maintain freshness and avoid stagnation

These are not just governance best practices. They are compliance enablers. A stagnant board is a blind board. A distracted director is a dangerous one.

Final Thoughts: Oversight Is a Team Sport

Too often, compliance professionals think of board oversight as something that happens to us; we prepare the decks, present our updates, and answer tough questions. But COSO’s Oversight Component invites us to flip the narrative. We are not bystanders in governance; we are builders of it. Tell the story.

When we engage with the board with clarity, courage, and consistency, we not only raise the profile of compliance but also enhance our credibility. We help shape an oversight model that can weather disruption, lead through crisis, and deliver long-term value. Let your voice be heard in the boardroom. Do not just brief on the risks; build the systems that make risk manageable. This is our moment. Let’s own it.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes on July 11, 2025.


COSO’s Corporate Governance Framework: A New Compass for the Compliance Professional

The compliance profession has long relied on the COSO frameworks for a solid foundation in internal controls and enterprise risk management. Now, in a move that promises to unify governance practices across sectors, COSO has released a Corporate Governance Framework (CGF) as a Public Exposure Draft. It’s not just a policy document—it’s a strategic blueprint. For compliance professionals, it represents an opportunity to elevate our role from risk mitigators to architects of long-term value. Today, we begin a multipart exploration of the Framework: what you need to know, why it matters, and how it changes the governance game.

The Big Picture: What Is COSO’s Corporate Governance Framework?

At its core, the CGF is a principles-based, integrated governance system that complements COSO’s earlier frameworks for internal control (ICIF) and enterprise risk management (ERM) while extending beyond them. It is designed to guide boards, executives, shareholders, employees, and other stakeholders in aligning governance structures and practices with the creation of long-term value.

The CGF is built around six interdependent components:

  • Oversight
  • Strategy
  • Culture
  • People
  • Communication
  • Resilience

Each Component contains several Principles (24 in total), supported by Points of Focus, Deeper Insights, and Leading-Edge Considerations.

In short, this is not a checkbox approach to governance. It’s a holistic, iterative model that adapts to an entity’s purpose, risk profile, stakeholder expectations, and regulatory landscape.

Why This Framework—and Why Now?

The business case for the CGF is compelling and overdue. COSO makes clear that good governance is no longer just about compliance; rather, it should be seen as a competitive differentiator.

Consider the drivers:

  • Regulatory complexity and fragmentation—Boards face a maze of requirements (state law, SEC rules, listing standards, ESG expectations).
  • Multi-stakeholder capitalism—Long-term shareholder value now demands attention to customers, employees, communities, and ecosystems.
  • Technology disruption—AI, cyber risk, and data ethics—demands new models of oversight.
  • Reputation and trust—Ethics, culture, and transparency are now strategic assets.

COSO’s framework encourages organizations to move beyond the reactive “check-the-box” mindset and embed governance into every aspect, from executive decision-making to workforce engagement.

The Six Components: What Compliance Needs to Know

Now, consider each component through a compliance lens.

1. Oversight

This section reminds us that effective governance starts with the board, not ends there. It focuses on board structure, independence, committee roles, director selection, and accountability.

Compliance takeaway: The audit committee remains central, but boards are encouraged to create or expand roles for risk, technology, ethics, and culture oversight, which is great news for CCOs who want more engagement at the top.

2. Strategy

This is where compliance shifts from gatekeeper to enabler. The CGF pushes alignment between strategy and purpose, with boards and management jointly accountable for development, execution, and course correction.

Compliance takeaway: This is your call to integrate risk and ethics into strategic planning. Be present in the room when business models are reviewed, not after decisions have been made.

3. Culture

The CGF recognizes culture as both a risk and an asset. Boards are expected to model ethical conduct and oversee cultural assessments, while management must embed values into decision-making, hiring, rewards, and performance management.

Compliance takeaway: If culture eats policy for breakfast, this is your lunch menu. From whistleblower protections to leadership coaching, this is your roadmap for making culture measurable and actionable.

4. People

Talent is governance. This Component covers workforce strategy, succession planning, performance management, and incentives. It also underscores the board’s growing responsibility to understand workforce-related risks.

Compliance takeaway: Pay attention to the alignment between values, behaviors, and rewards. Compensation structures are now squarely in the realm of ethical risk, and compliance should have a voice in this area.

5. Communication

Information flow is framed as a governance issue, not just a reporting function. This section covers data quality, internal and external communications, technology platforms, escalation protocols, and stakeholder engagement.

Compliance takeaway: Effective GRC programs rely on reliable data and timely communication. If your systems still rely on spreadsheets and email, the CGF serves as a reminder to modernize.

6. Resilience

This section ties together risk management, compliance, internal controls, and adaptability. It encompasses principles related to compliance ownership, fraud management, third-party risk, and continuous monitoring.

Compliance takeaway: The CGF validates what we already know: that compliance is a pillar of enterprise resilience. However, it also encourages us to adopt more intelligent tools (e.g., risk analytics, AI-driven monitoring, integrated assurance platforms).

What Makes This Framework Different?

Several innovations stand out:

  • Cross-functionality: The CGF is not siloed. Each Component is tied to others through stakeholder dynamics and shared responsibilities.
  • Flexibility with discipline: It’s grounded in principles, not prescriptive rules, making it adaptable across industries and organizational types.
  • The tone throughout the organization: Culture, communication, and people strategies extend well beyond the C-suite.
  • Forward-looking: Technology governance, AI risk, and stakeholder capitalism are not afterthoughts; instead, they are built in.

What Should Compliance Professionals Do Now?

The CGF is in the public exposure draft phase, with comments due by July 11, 2025. You should take the time to respond proactively:

  1. Read it, annotate it, and engage with it. COSO wants stakeholder feedback. If you’re a CCO, CAE, or GRC leader, now’s your chance to shape the future.
  2. Map your current practices to the six components. Where are your gaps? What metrics do you need? Start small, with one principle per quarter, perhaps.
  3. Socialize the CGF internally. Use it to open conversations with HR, IT, legal, risk, and the board. This is not simply a governance framework; instead, it should be viewed as a bridge to enterprise-wide alignment.
  4. Rethink your compliance program as a governance engine, especially in areas such as culture, people, and communication, where compliance can become a valuable partner in strategic execution.

Final Thoughts

COSO’s Corporate Governance Framework is more than a governance tool. It is a leadership manual for the modern era. For those of us in compliance, it validates that our work is not merely about avoiding risk but about enabling performance, trust, and value creation.

In the spirit of the Compliance Evangelist: Preach governance, embed culture, and lead with purpose.

Now, we should all roll up our sleeves and help build the future of corporate governance, one component at a time.

To read or comment on the full CGF Public Exposure Draft, click here. The comment period closes on July 11, 2025.