COSO CGF Public Exposure

The Corporate Governance Framework (CGF) is a collaborative effort by COSO and NACD to develop a comprehensive governance structure that aligns with existing frameworks and addresses the evolving corporate governance landscape. The CGF aims to enhance accountability, transparency, and strategic alignment across organizations, providing a common language for governance practices. Public comments on the draft are invited until July 11, 2025, with a summary of feedback to be published afterward.


Corporate Governance Framework
May 27, 2025

Public Exposure Draft


To submit comments on this Public Exposure Draft, please visit the CGF Public Exposure page. Responses are due by July 11, 2025.

A summary of comments received will be published shortly after the conclusion of the public comment period and will remain
publicly available for approximately 90 days.

For any further questions, please feel free to contact us.


The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in collaboration with
the National Association of Corporate Directors (NACD), awarded PwC US Consulting LLP a professional
services agreement to assist COSO in developing a Corporate Governance Framework (CGF). The CGF
aligns with COSO’s existing Internal Control—Integrated Framework (ICIF), updated in 2013; COSO’s
Enterprise Risk Management framework (ERM Framework), updated in 2017; and COSO’s Fraud Risk
Management Guide, updated in 2023. The CGF uses the principles-based approach of COSO’s prior
frameworks to help guide entities through the rapidly evolving corporate governance environment.

COSO is a globally recognized organization dedicated to providing thought leadership that enhances
governance, risk management, internal control, and fraud detection, primarily through the development of
comprehensive frameworks and guidance to help entities reduce fraud and improve performance and
oversight. COSO is a private-sector initiative, jointly sponsored and funded by:

• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)

The NACD is the leading U.S. member organization for corporate directors who want to expand their
knowledge, grow their network, and advance their potential. It offers corporate director education,
resources, and best practices to enhance board leadership and governance effectiveness.

COSO | Corporate Governance Framework


Public Exposure Draft ii
Committee of Sponsoring Organizations of the Treadway Commission
Board Members
• Lucia Wind, COSO Board Chair and Executive Director
• Douglas F. Prawitt, COSO Lead Director, American Accounting Association
• Larry R. White, Institute of Management Accountants
• Jennifer Burns, American Institute of Certified Public Accountants
• Lisa Halper, Financial Executives International
• Benito Ybarra, The Institute of Internal Auditors

National Association of Corporate Directors
Collaboration Partner
• Peter Gleason, President and CEO
• Friso Van der Oord, Senior Vice President

PwC
Principal Authors and Contributors
• Brian M. Schwartz, Co-Engagement Leader and Principal, Governance Insights Center
• Lillian M. Borsa, Co-Engagement Leader and Principal, Governance Insights Center
• Paul DeNicola, Managing Editor and Principal, Governance Insights Center
• Carin Robinson, Lead Director and Writer
• Matt DiGuiseppe, Managing Director
• Claudia Montgomery, Managing Director
• Catherine Hall, Director
• Katee Puterbaugh, Director
• Ashley Burgstahler, Senior Manager
• Lauren Cohen, Manager
• Nicholas Bochna, Manager

Advisory Council
The members of the Advisory Council were selected by the COSO Board and NACD. Consideration was given to
each member’s corporate governance knowledge and expertise to provide advice and feedback in connection with
the development of the CGF.

• Patty Miller, Advisory Council Chair
• Lucia Wind, COSO Board Chair & Executive Director
• Friso Van der Oord, NACD
• Glenn Booraem, Vanguard
• Maureen Bujno, Deloitte & Touche LLP
• William Gipson, Rockwell Automation Board of Directors
• Holly Gregory, Sidley Austin LLP
• Dawnella Johnson, Crowe LLP
• Lindsay Jordan, Ernst & Young LLP
• Dan Konigsburg, KPMG International
• Aeisha Mastagni, CalSTRS
• Karen Narwold, Ingevity Board of Directors
• Kris Pederson, Independent Governance Professional
• Paul Perry, Warren Averett (AICPA)*
• Laura Phillips, Independent Governance Professional (FEI)*
• Michael Phillips, South Georgia Banking Company (IMA)*
• Andrew Struthers-Kennedy, Protiviti (IIA)*
• Mark Taylor, University of South Florida (AAA)*
• Paul Washington, Society for Corporate Governance

*COSO Sponsoring Organization representative

Regulatory Observers
Observers from select regulatory agencies were identified to provide input from their respective agencies.

• Anita Doutt, Securities and Exchange Commission
• Jimmy Moore, Office of the Comptroller of the Currency
• Jessica Watts, Public Company Accounting Oversight Board
• Shaz Niazi, Securities and Exchange Commission
• Larry Hattix, Office of the Comptroller of the Currency

Table of Contents

Foreword vi
Current State of U.S. Corporate Governance vii
Business case for COSO’s Corporate Governance Framework: Why now? viii
How to Use the Corporate Governance Framework xii
Components 1
Oversight 1
Strategy 15
Culture 22
People 27
Communication 34
Resilience 42
Conclusion 50
Appendix: Corporate Governance Framework Glossary 51

Introduction

Foreword
Strong corporate governance is more than a safeguard—it’s a strategic advantage. It provides the clarity, agility, and
oversight that an entity needs to seize opportunities, manage risk, and stay resilient through disruption. As strategies shift
and markets evolve, so too must governance. Done right, it boosts trust, strengthens reputation, attracts investors, and
drives long-term shareholder value.

The United States has the world’s leading capital markets and exchanges, yet there has been no integrated and
comprehensive corporate governance framework to guide boards, management, and stakeholders. While the marketplace
offers thoughtful guidance, a practical framework can connect the interrelated aspects of governance into one clear and
actionable framework.

This corporate governance framework offers a common language, one grounded in enduring principles but flexible
enough to adapt to each entity’s unique reality. It aims to enhance agility, clarify roles, and extend accountability
beyond the boardroom: shaping culture, guiding decisions, and building stakeholder confidence at every level.

Meaningful improvements in corporate governance have often followed major corporate failures or crises, moments
that exposed gaps in oversight and catalyzed broader reform. But in today’s complex environment—marked by shifting
expectations, disruptive technologies, and evolving business models—waiting for crisis is not a viable option.

COSO’s Definition of Corporate Governance
Beyond the Boardroom: A Broader Viewpoint

COSO encourages a holistic approach to defining corporate governance, extending beyond the boardroom to
encompass the practices, information channels, and processes that govern how an entity is being directed,
managed, and controlled.

Corporate governance involves the oversight and processes by which an informed board and management team
steers an entity toward executing its strategies and goals while maximizing long-term shareholder value in an
ethical manner and within the relevant legal and regulatory environment.

Corporate governance focuses on principled behaviors and well-defined policies, standards, and practices to
delineate authority and responsibility, inform and guide decision-making, and facilitate the flow of reliable
information throughout an entity.

Corporate leaders should take the opportunity to proactively align governance with the demands of a fast-moving business
environment. Making this work begins with asking two key questions:

1. Is your corporate governance truly fit for purpose?


2. What governance expectations or standards are being used to guide that determination?

These questions are more than reflections—they offer a real opportunity. Corporate governance practices are frequently
inherited and challenged only when something goes wrong or there are external disruptions. Today’s boards and
executives have the chance to take a more deliberate and forward-looking approach: reassessing existing practices,
identifying blind spots, and making intentional choices about how they lead, govern, and build trust with stakeholders.

Many stakeholders increasingly expect boards and executives to be accountable, transparent, and oriented toward long-
term value, even when facing short-term pressures. A strong corporate governance framework can close that gap—not by
imposing rigid rules but by making effective governance the norm.


Current State of U.S. Corporate Governance


U.S. Corporate Governance Drivers

Corporate governance practices in the United States, while they vary by entity, are shaped by a baseline of expectations
established by courts, regulators, investors, and market forces. Much of the variation stems from an entity’s state of
incorporation, with Delaware long considered the leading jurisdiction due to its robust statutory and case law. Other states
have begun to develop and strengthen their own governance structures, with additional differences arising based on listing
exchange requirements, regulatory environments, organizational size, and the nature of an entity’s shareholder base.

State Corporate Law


• State corporate law governs the formation, operation, and dissolution of corporations within each state, providing a
legal framework for governance, shareholder rights, and fiduciary responsibilities.
• States with well-developed statutory and case law provide many commonly used U.S. corporate governance maxims
and rules, such as director and officer powers, duties, fiduciary responsibilities, and corporate structuring and control.
In some cases, state rules serve as a model on which other states and countries can rely. Differences create space for
competition over corporate incorporation.

Federal Statutory and Regulatory Requirements


• Lawmakers have typically developed federal statutes, regulations, and rules—e.g., the Foreign Corrupt Practices Act,
Sarbanes-Oxley Act, Dodd-Frank Act, and USA PATRIOT Act—in response to major corporate failures, financial crises,
or fraud.
• Often, such laws and regulatory requirements focus on specific aspects of corporate governance and financial markets.
For example, the Securities Act of 1933 and the Securities Exchange Act of 1934, along with the regulations enforced by
the Securities and Exchange Commission, establish key disclosure and compliance obligations for U.S. public
companies.

Stock Exchange Listing Requirements


• The New York Stock Exchange (NYSE) and the National Association of Securities Dealers Automated Quotations
(Nasdaq) are the pre-eminent U.S. listing exchanges. They each have listing standards for equity and debt securities
traded on their platforms.
• The specific corporate governance requirements include but are not limited to board independence, committee
structure, audit and other committee composition, and the adoption of governance guidelines and a code of ethics and
conduct to promote transparency, accountability, and ethical conduct. For information on NYSE and Nasdaq
governance requirements, please see the Appendix of PwC’s guide Going public? What you need to know about
corporate governance (available at www.pwc.com/us/ipo).

Market-Based Solutions or Rules


• Shareholders, market intermediaries, and proxy advisors may seek influence to effect systemic or entity-specific change
and adoption of new or evolved corporate governance standards.
• These changes tend to be adopted in waves, often led by large-cap corporations that set the tone for broader market
practices. While adoption varies, there’s growing interest in developing more flexible governance standards applicable
to companies of different sizes, industries, and stages of maturity.

Navigating the legal and regulatory environment of corporate governance involves understanding governance
requirements and standards unique to each entity, often based on size and jurisdiction. But corporate governance must go
beyond compliance and regulatory requirements. Durable, principles-based guidance can bring cohesion to this evolving
landscape, offering a foundation while enabling adaptability over time.


Business Case for COSO’s Corporate


Governance Framework: Why Now?
For corporate governance to be a strategic enabler that drives long-term value creation, it has to align decision-making
with purpose, direction, and strategic priorities. While many entities may devote significant time and resources to
developing strategy, leaders often take corporate governance as a given or address governance issues in isolation. Without
strong governance, based on a comprehensive, system-wide set of policies and procedures, even the soundest strategies
can falter. Using a well-defined corporate governance framework to assess and continuously improve practices fosters
greater transparency by clarifying roles and responsibilities, enhancing accountability, and improving reliable information
flow.

The Case for a Comprehensive Corporate Governance Framework

Corporate Governance Is a Competitive Advantage

Most leaders today understand that corporate governance is about more than compliance and protecting current value—it
offers a means by which entities can strengthen strategy and set direction to further long-term value creation. Strong
governance can enhance reputation and brand, build workforce and customer trust and loyalty, attract investors, and
boost overall stakeholder confidence. By promoting clarity in decision-making, aligning behaviors with the entity’s
purpose, and enabling faster, more informed responses to opportunity and risk, governance helps entities operate with
greater agility and resilience.

The Risk Landscape Is Broadening

Entities must contend with many significant threats, including shifting economic conditions, cybersecurity breaches,
uncertain regulatory change, geopolitical conflicts, resource and labor scarcity, social and investor activist pressures, and
potential reputational damage. These risks are increasingly complex and interconnected, making effective oversight by
boards and executive management ever more challenging. Using a comprehensive corporate governance framework to
evaluate, implement, and monitor corporate governance practices is essential to protect the strategy from value erosion
and support effective risk management.

Issue-Specific Governance Is Increasing Complexity

Leaders today face a proliferation of specialized governance models, covering areas such as cybersecurity, artificial
intelligence (AI), data, and supply chain management, each with distinct expectations, policies, and assessment criteria.
This fragmentation, with conflicts and overlapping guidance, can slow decision-making, dilute strategic clarity, and
challenge boards striving to maintain cohesive oversight. Adopting a unified corporate governance framework with a well-
defined structure and processes can help entities align and integrate these disparate efforts and enable more efficient and
effective change and growth.

Entities Are Adapting to a Multi-Stakeholder Model

For decades, public companies have largely operated under the principle of shareholder primacy, which holds that an
entity’s primary obligation is to maximize value for its shareholders. While accountability to shareholders remains
foundational, most leaders now understand that delivering long-term shareholder value requires meaningfully considering
the interests of other stakeholders as well. To truly maximize shareholder value, entities must also consider the full range
of stakeholders whose engagement and well-being directly influence business performance and resilience. This robust view
is not about diluting shareholder interests but about strengthening them, since these stakeholders often share in the
entity’s risks and are critical to executing strategy and maintaining competitive advantage. A multi-stakeholder
perspective, when clearly governed and aligned with purpose, supports more informed decision-making and enhances the
entity’s ability to generate long-term shareholder value.


Technology Is Transforming Information and Communication

Technology is transforming how entities operate, communicate, and compete by introducing new opportunities while also
amplifying complexity and risk. Corporate governance must evolve to match the speed and scale of change brought by
disruptive technologies such as generative AI (GenAI), edge computing, and data-driven decision-making. As cyber threats
intensify and market disruptions become more common, corporate governance plays a critical role in managing risk,
protecting assets, and enabling informed, agile responses. Tools like analytics systems, board platforms, and sustainability
data pools are reshaping how leaders execute oversight, allowing entities to stay ahead of disruption, strengthen trust, and
lead with purpose.

Governance Is at All Levels

Corporate governance extends beyond the boardroom; it helps guide practices throughout the entity. While the board
provides oversight and executive management drives execution, governance delivers the greatest impact when integrated
into every level, engaging the full workforce in shared behaviors, systems, and values. A cohesive corporate governance
framework connects decision-making at the top with day-to-day actions throughout the entity, clarifying roles and
reinforcing accountability. Culture illustrates this connection clearly: it is shaped, lived, and sustained by employees at
every level. When corporate governance is explicitly linked across all organizational layers, not just within leadership
circles, it becomes a powerful driver of alignment, resilience, and sustained value creation.

Why Should Entities Focus on Corporate Governance Practices?


• Enhance competitive advantage by strengthening reputation and driving long-term value creation
• Safeguard organizational value through proactive risk management and oversight
• Confirm that the governance model is fit-for-purpose now and into the future, considering technological
advances, emerging disruptive risks, and the full range of stakeholders
• Uphold ethical business practices and corporate responsibility, promoting integrity and accountability


What The Corporate Governance Framework Is and Is Not


Given the scope and intended audience, it is important to understand the CGF’s boundaries.

What It Is:

• Tailored to U.S. public companies but useful to non-U.S. public companies, global companies, private
companies, and public-sector organizations
• Cognizant of existing laws and regulations
• Agnostic of industry and size of organization
• A leading practices-based approach for corporate governance
• Consistent in style and substance with other COSO frameworks

What It Is Not:

• A set of suggested regulatory standards for the U.S. market
• Intended to supplant current or future regulatory requirements
• A one-size-fits-all approach

Who Benefits the Most from the Corporate Governance Framework?

Designed for entities of varying sizes, industries, and jurisdictions, the CGF serves as a valuable resource for all corporate
governance stakeholders. It recognizes the critical governance roles played by boards, executive management,
shareholders, and other internal and external stakeholders. The CGF offers leading practices and principles-based guidance
that stakeholders can apply depending on their distinct roles and influence within the governance ecosystem.

• Boards. The CGF’s flexible yet comprehensive approach empowers boards to confirm that their approach to corporate
governance aligns with their entity’s values, strategy, and long-term objectives. Boards can use the CGF to establish the
tone and direction for the entity, reinforce cultural expectations, and evaluate how governance supports stakeholder
trust and strategic execution. The CGF also provides a structure for assessment, enabling boards to routinely evaluate
the structures that support their work, assess their own effectiveness, identify areas for improvement, and strengthen
their oversight of management.
• Executive management. The CGF is designed to support executive management in acting based on a deep
understanding of the entity’s unique needs, while balancing that authority with accountability and transparency. It
serves as a guide to help leaders confirm that their approach is grounded in leading corporate governance practices and
aligned with the entity’s strategic goals. Executive management can use the CGF to assess and strengthen governance
practices to enhance decision-making.
• Shareholders. The CGF offers an opportunity to increase visibility into governance practices and processes, helping
shareholders understand how executive management is working to meet their expectations. Shareholders can use the
CGF to develop engagement strategies to determine whether an entity’s approach to corporate governance is aligned
with how shareholders expect it to deliver value. It can serve as an assessment tool for evaluating corporate governance
effectiveness, helping shareholders assess companies.


• Management and employees. The CGF offers insights on connecting management and employees to the decision-
making and strategies set by the board and executive management. Management can use the CGF as a guide to navigate
their roles in supporting, informing, and implementing those decisions and strategies. It also aims to clarify governance
roles, from management up to the board, and to show how to operate effectively within this structure.
• Other stakeholders. Stakeholders can use the CGF to assess governance practices, inform policy development, and
strengthen oversight efforts. For example:
o Regulators and policymakers can evaluate market conduct and consider updates to regulatory expectations or
governance standards
o Investment professionals can analyze how governance practices align with evolving leading practices and market
priorities
o Assurance providers and oversight functions—including internal audit (IA), external consultants, compliance
functions, and other assurance providers—can benchmark governance practices and provide independent
evaluations
• Growing and evolving organizations. The CGF provides a principles-based approach designed for smaller, privately
held, or growing entities that recognize the need for more comprehensive and structured governance guidance.
Elements of the CGF can guide boards and executives of these organizations in establishing an organization-wide
approach to creating and sustaining value in today's dynamic business environment.

By offering a common structure and language, the CGF promotes transparency, strengthens accountability, and fosters
consistency across corporate governance practices, enabling all stakeholders to engage more effectively in governance
processes.


How to Use the Corporate Governance Framework


The CGF is designed to help entities assess and enhance their corporate governance practices in alignment with their
unique organizational needs. The goal is not to impose new mandates but to outline widely accepted principles that
enhance governance effectiveness. By emphasizing leading practices, the CGF aims to be a valuable reference that leaders
can tailor to their entities’ specific circumstances. This approach allows corporate governance to remain both consistent
and adaptable, strengthening oversight and decision-making without being overly prescriptive.

Of course, navigating the legal and regulatory governance environment involves understanding industry-specific
requirements and governance standards, often based on size and jurisdiction. To understand and comply with specific
legal and regulatory requirements, leaders should consult their entities’ legal and tax advisors.

The Framework’s Broad Applicability


While the CGF highlights leading corporate governance practices for U.S. public companies, it also aims to
provide a common language for governance that may be applicable to other types of entities. Though significant
legal, economic, and business implications exist for various legal structures, the CGF primarily uses the word
entity to emphasize its broad applicability and to be consistent with other COSO frameworks.

How the Corporate Governance Framework Was Developed

The team followed a rigorous development process involving multiple stages of primary research and collaboration with
corporate governance professionals. COSO conducted extensive market research to validate the business case for
developing such a framework. And the team reviewed established corporate governance frameworks from around the
globe and leveraged subject-matter knowledge from COSO, NACD, and PwC.

The COSO Board appointed an Advisory Council to provide strategic advice, share leading practices, and balance diverse
stakeholder interests. Additionally, official Observers were selected to provide perspectives through a regulatory and policy
lens.

The development process also included stakeholder interviews spanning multiple roles across sectors and entity types,
peer roundtable discussions to gather additional market insights, and a 45-day public exposure period—all providing
valuable guidance that helped inform the CGF’s development.

Corporate Governance Framework Structure

The CGF reimagines corporate governance as a dynamic and adaptable system rather than a checklist of policies and
requirements. As entities grow more complex and interconnected, understanding the cross-functional linkages and
stakeholder dynamics essential to effective governance becomes increasingly challenging. The CGF views governance as an
interdependent system of checks and balances that enhances strategic and operational decision-making by considering
both internal and external influences.

To this end, the CGF is built on core components that collectively drive the entity’s corporate governance, recognizing the
dynamic interplay among stakeholders and prioritizing alignment of these components across the entity. The objective of
bolstering long-term value serves as the foundation, guiding leaders toward sound decision-making on strategy and risk,
aligning organizational goals, and fostering a culture of integrity and accountability.


Corporate Governance Framework Visual

[Figure: COSO’s Corporate Governance Framework]

The CGF is illustrated as a circle, symbolizing effective governance’s ongoing, iterative nature. Surrounding the
center are six essential Components—Oversight, Strategy, Culture, People, Communication, and Resilience—each
equally important and reinforcing one another in support of long-term value creation. At the heart of the CGF are
four stakeholder groups: the board, executive management, shareholders, and other stakeholders. Each stakeholder
shapes governance in a distinct way: the board and executive management are active participants, while others
influence governance indirectly or periodically. Each of the four stakeholder groups is connected in some way to
all six components. Anchoring the entire framework is Long-Term Value, positioned at the center to signify both the
foundation and goal of governance. Together, these elements establish corporate governance as a dynamic,
principles-driven process tailored to each entity’s journey toward long-term value creation.

The CGF’s structure and style is consistent with the design of the other major COSO frameworks: the ICIF and
ERM Framework.

Components

The CGF is organized around six core Components that represent the foundational elements of effective corporate
governance: Oversight, Strategy, Culture, People, Communication, and Resilience.

Oversight Strategy Culture People Communication Resilience

These six Components are interconnected and equally important; this balance creates a holistic approach to corporate
governance, enabling all Components to work together rather than in isolation.

While the Components provide broad coverage, the CGF does not attempt to address every specific or highly specialized
governance topic. Instead, it highlights principles that support sound decision-making, accountability, and performance
across diverse entities.


Principles

Across the six Components are 24 Principles, broad in scope, that form the foundation of effective corporate governance,
articulating key objectives. Consistent with the other COSO frameworks, governance is considered effective when all
Components and their related Principles are present, functioning, and operating together in an integrated manner. This
principles-based approach reflects stakeholder expectations and leading practices without prescribing a one-size-fits-all approach.

Oversight
• Principle 1: Establish Board Structure and Exercise Oversight
• Principle 2: Appoint Board Leadership and Members
• Principle 3: Select CEO and Delegate Authority
• Principle 4: Establish Executive Structure and Effectively Manage
• Principle 5: Operate the Board Effectively
• Principle 6: Uphold Shareholder Rights and Accountability

Strategy
• Principle 7: Define Purpose and Core Values
• Principle 8: Develop and Communicate the Strategy
• Principle 9: Execute the Strategy
• Principle 10: Measure Performance Against Strategy and Adjust

Culture
• Principle 11: Establish and Model Culture and Behaviors
• Principle 12: Promote Ethics, Respect, and Open Communication
• Principle 13: Assess and Adapt Culture

People
• Principle 14: Deploy People Strategy and Succession Planning
• Principle 15: Manage People and Compensation
• Principle 16: Drive Performance and Development

Communication
• Principle 17: Commit to Information Quality
• Principle 18: Engage Stakeholders Strategically
• Principle 19: Communicate Effectively with Internal Stakeholders
• Principle 20: Communicate Effectively with External Stakeholders

Resilience
• Principle 21: Manage and Oversee Risks and Opportunities
• Principle 22: Manage Compliance Responsibilities
• Principle 23: Establish and Evaluate Internal Control
• Principle 24: Monitor Governance Effectiveness


Points of Focus

Each Principle is supported by Points of Focus that expand on how entities may elect to work toward achieving the
Principles. Points of Focus help leaders understand how to put the related Principle into action or to assess current-state
effectiveness based on an entity’s unique circumstances. While they are based on leading practices, they are not the only
way to achieve the Principles. Note that some Points of Focus may relate to multiple Principles and Components within
the CGF, and cross-references are provided, as applicable.

The Principles and Points of Focus that follow each Component in the CGF assert key aspects of leading practice for
corporate governance. Leaders can use them as guideposts for assessing the quality of an entity’s governance practices, and
they can also serve as an aspirational blueprint.

Other Framework Sections

The CGF includes two types of call-out boxes:

Deeper Insights: Used to expand upon Points of Focus, offering additional depth of understanding as relating to a
leading practice.

Leading-Edge Considerations: Used to highlight more advanced governance considerations that go above and beyond
leading practice.

Note: The color of the Deeper Insights and Leading-Edge Considerations boxes varies by Component

These Deeper Insights and Leading-Edge Considerations are drawn from the governance experiences of the Advisory
Council and PwC.


Relationship Among COSO’s CGF, ICIF, and ERM Framework

The CGF not only encompasses elements of the prior two COSO frameworks but also provides a more in-depth perspective on
key governance elements associated with these topics. In addition, COSO’s Fraud Risk Management Guide offers entities
implementation guidance for fraud risk management programs in alignment with COSO’s ICIF. Fraud risk governance is an
integral part of corporate governance and a critical oversight responsibility of the board and executive management.

The visual below represents the relationship among the three primary COSO frameworks and COSO’s fraud guidance.

[Figure: Corporate Governance; Enterprise Risk Management; Fraud Risk Management; Internal Control]

Governance as a concept is a broader topic area than internal control or ERM, and while the three frameworks overlap, each
provides insights relevant to its specific subject matter.

For example, the ICIF’s Control Environment Component and the ERM’s Governance and Culture Component both contain
considerable discussion on the impact of strong governance at the entity level from a leadership and culture standpoint,
providing a comparative perspective to the content within the CGF’s Oversight and Culture Components. Though both
frameworks elaborate on governance’s impact on internal control and ERM, respectively, neither covers as broad a scope as
the CGF.

COSO’s ERM Framework dedicates a Component to Strategy and Objective-Setting, linking the discussion of risk with
strategy and performance. The CGF’s Strategy Component focuses on the development and enablement of strategy
through leading governance practices—specifically, the responsibilities of executive management and the board.

Furthermore, the Information and Communication Component in the ICIF and the Information, Communication, and
Reporting Component in the ERM Framework focus on communicating quality control and risk information. The CGF
Communication Component focuses on the quality of information needed to enable better governance and strategic
decision-making and the processes around communication that produce better governance around information.

Leaders looking to understand the practical application and detailed nuances of internal control and risk management
should reference both the ICIF and the ERM Framework. Both publications can be read alongside the CGF for entities
looking to understand the impacts of internal control and risk management from a governance perspective. Together, the
COSO suite of frameworks and guidance—addressing corporate governance and the more specific areas of ERM, internal
control, and fraud deterrence—work together to enhance entities’ ability to create long-term value.

Oversight

Effective oversight is fundamental to strong corporate governance and long-term value creation. It begins with a board that
serves as an informed, independent decision-making body responsible for overseeing strategy, executive leadership, and
financial stewardship. While executive management handles day-to-day operations, the board retains ultimate accountability
for the entity’s performance and integrity.

Oversight responsibilities are shaped by legal and regulatory requirements, listing exchange standards, and the evolving
expectations of shareholders and other key stakeholders. These external requirements establish a baseline, but leading
entities go beyond compliance, adopting practices that enhance transparency, strengthen accountability, and support sound
judgment.

Shareholders play a vital role in this system of checks and balances. Through director elections, votes on key matters, and
shareholder proposals, shareholders help hold the board accountable, keep governance aligned with their interests, and
support the board’s ability to operate effectively on their behalf.

Principle 1
Establish Board Structure and Exercise Oversight
The board establishes a governance structure with well-defined roles, responsibilities, and committees and actively
exercises oversight to support management in achieving the entity’s strategy and business objectives while maintaining
accountability to shareholders and other key stakeholders.

Points of Focus

1.1. The role of the board. While delegating day-to-day operations to executive management, the board is ultimately
responsible for management of the entity on behalf of shareholders and for providing ongoing oversight, including having
final decision-making authority over significant matters. Directors, in collaboration with executive management, help to
develop, approve, and oversee the long-term strategy and actively engage in understanding the entity’s financial
performance and operations. The board exercises its oversight by constructively challenging executive management while
providing support and advice. For information on the board’s role in strategy, refer to the Strategy Component and COSO’s
ERM Framework.


1.2. Board oversight responsibilities. The board’s oversight responsibilities are numerous and continually expanding,
encompassing strategic initiatives, legal obligations, regulatory requirements, financial performance and reporting, major
enterprise risks, contractual duties, equity and bondholder interests, and commitments to shareholders and other key
stakeholders. To promote clarity, the board’s core responsibilities and additional expectations are well defined and
documented—whether in the entity’s corporate governance guidelines, board/committee charters, or other relevant
documentation—and approved by the full board. See NACD’s The Future of the American Board (published in January 2022
by NACD’s Future of the American Board Commission) for additional information on objectivity and oversight, further
highlighting core board responsibilities.

1.3. Director responsibilities. The responsibilities of individual directors are largely determined by legal
principles—specifically, the fiduciary duties of care and loyalty, including the obligation to act in good faith, as defined
by state statutes and judicial precedents in equity law. Directors also operate under the protections of the business
judgment rule, a doctrine that presumes that, in making informed and good-faith decisions, they act in the entity’s best
interests and consistent with their fiduciary duties of care and loyalty. Directors are also responsible for upholding high
standards of ethics and integrity: they must handle confidential information with discretion, disclose and properly manage
conflicts of interest, advance the entity’s purpose, and adhere to its policies. These individual responsibilities and
oversight expectations are clearly defined, documented—whether through a director role description or other relevant
governance documentation—approved by the board, and acknowledged by each director. Additionally, boards regularly
evaluate director performance to maintain accountability and effectiveness in fulfilling these responsibilities. For
information on individual director assessments, refer to the People Component.

Leading-Edge Considerations: Building a Healthy Board-Executive Management Dynamic

Although the board stays out of day-to-day operations, its degree of engagement largely depends on the entity’s specific
circumstances. Boards and executive management must be skilled in managing disruptions, working together to prepare and
respond effectively. Regular informal meetings and open communication between board and executive management can
enhance brainstorming and problem solving. Trust is essential during challenging times, but behaviors around it can become
strained, so it is vital for boards and executive management to consciously prioritize trust and for those behaviors to
remain resilient. Directors are prepared to engage more deeply during a crisis or when facing a significant strategic shift
or disruption. In such situations, the board may assume a more active role, and strong relationships with executive
management can enhance the entity’s ability to operate more effectively and efficiently. For information on open
communication between boards and executive management, refer to COSO’s Enhancing Board Oversight: Avoiding Judgment
Traps and Biases.

1.4. Director attributes and capabilities. Directors actively engage in thoughtful inquiry, demonstrating a capacity to
challenge constructively and encourage robust discussion that enhances decision-making processes. They foster a culture
of transparency, integrity, and accountability, consistently aligning their actions with the entity’s core values and ethical
standards. Directors exercise professional skepticism, maintaining an objective mindset that prompts them to question
assumptions, evaluate evidence critically, and rigorously assess management’s representations. They pose purposeful
questions that uncover underlying issues, promote deeper understanding, and ultimately lead to more informed decisions.
Directors commit to continuous learning, working to stay informed about emerging trends, risks, and opportunities, and
apply this knowledge proactively to governance decisions. They also leverage their interpersonal skills and emotional
intelligence to build trust, collaborate effectively, and communicate clearly with fellow board members, management, and
stakeholders. For information on leadership behaviors, refer to the Culture Component. For information on sound
professional judgment in governance, refer to COSO’s Enhancing Board Oversight: Avoiding Judgment Traps and Biases.


1.5. Board committee structure, roles, and responsibilities. The board establishes an audit committee, a compensation
committee, and a nominating/governance committee. These committees operate independently from management, enabling
focused attention on specific governance areas before matters are presented to the full board for discussion. The committees’
scope and allocation of responsibilities are clearly articulated in formal charters that define the scope and limits of each
committee’s decision-making authority and establish protocols for documenting deliberations and reporting decisions to the
board. The board adds other committees as needed, including ad hoc or temporary committees, to address the expanding
mandates of the board and these three primary committees. The entity’s individual circumstances determine the nature,
structure, and membership of additional committees.
Note: There is no one-size-fits-all approach to the committees and their responsibilities. Thus, the references here to
committees’ functions are not intended to preclude an entity from allocating these functions differently. Additionally, the
scope and names of each of these committees continue to evolve.

Audit committee. The audit committee oversees the entity’s financial reporting processes, internal control, and IA function,
enabling IA’s independence through a direct reporting line to the audit committee. The committee’s core responsibilities
include monitoring the integrity of financial statements, overseeing compliance with legal and regulatory requirements
related to financial reporting, and assessing the effectiveness of internal control across financial, operational, and
compliance areas. It engages with management and both internal and external auditors to approve significant accounting
policies and audit plans, review findings, and address risks, control deficiencies, and reporting issues. As part of its IA
oversight, the committee also reviews and approves resource and budget plans, evaluates the function’s performance, and
confirms that identified issues are appropriately addressed. In addition, the board typically delegates oversight of risk
management processes to the audit committee—unless there is a board-level risk committee—either way confirming that a
robust, coherent structure exists for identifying and managing key risks. While financial reporting risks remain central to
its remit, the audit committee may also be delegated oversight of specific non-financial risks, such as cybersecurity,
environmental compliance, or health and safety, depending on the entity’s risk governance structure. Broader or
cross-cutting risks may be allocated to the full board or other committees, as appropriate. For information on board
allocation of risk, refer to the Resilience Component.

Compensation committee. The compensation committee, acting on behalf of the board, develops and oversees executive
compensation policies that align with the entity’s strategic objectives and shareholder interests. The committee develops the
entity’s executive compensation philosophy, designs competitive chief executive officer (CEO) remuneration packages,
approves CEO compensation based on performance evaluations and market benchmarks, and oversees compensation for other
executive management, utilizing independent advisors as appropriate. It also establishes and monitors performance-based
incentives, equity awards, and performance-based compensation structures intended to foster robust financial performance
without incentivizing unethical or excessive risk-taking behaviors. Additionally, the committee often reviews succession
planning, assesses the effectiveness of compensation policies, and confirms compliance with regulatory requirements and
shareholder expectations, including disclosure obligations in the proxy statement. For information on director and
executive compensation, refer to the People Component.

Leading-Edge Considerations: Expanding the Role of the Compensation Committee

Some compensation committees look beyond executive compensation to focus on the strategies, policies, and programs that
support workforce attraction, retention, development, compensation, and well-being. Thus, some boards delegate
responsibility to this committee for the oversight of culture, diversity, safety, employee development, and other applicable
workforce-related topics. Adding to or restructuring the compensation committee to include talent and/or culture reflects a
broader recognition of the strategic role that talent plays in organizational success. This underscores the committee’s
expanded focus beyond executive compensation to encompass a holistic view of its workforce management oversight
responsibilities. By integrating traditional HR considerations such as talent development, representation, and employee
engagement, the committee aims to align talent strategies with broader organizational goals. This restructuring also signals
a commitment to a more comprehensive governance approach, confirming that the entity’s compensation policies are not only
competitive but supportive of the culture and long-term objectives. For information on board oversight of people strategy,
refer to the People Component.


Nominating/governance committee. The nominating/governance committee shapes the entity’s corporate governance
guidelines and promotes an engaged and strategically aligned board. This committee identifies, evaluates, and recruits
potential board candidates—considering their qualifications, experience, and independence—and oversees the composition of
the board and its committees, board succession planning, and the process for evaluating board performance. On a continual
basis, the committee reviews the board’s overall committee structure, including the scope of each committee’s
responsibilities, and confirms that each committee’s charter reflects those respective responsibilities. The committee also
regularly considers whether the board’s overall committee structure is properly positioned to enable optimal oversight of
the entity’s strategy and associated risks and opportunities, along with overseeing committee assignments and rotation of
assignments. Additionally, the committee monitors changes to and trends in shareholder voting and governance policies and
evaluates whether modifications to the board’s corporate governance guidelines would be beneficial, recommending those to
the full board for approval. For information on board assessments, succession planning, onboarding, and development, refer
to the People Component.

Deeper Insights: Additional Board Committees

In certain instances, the board may opt to create additional assignments, task forces, or committees to address
specific issues requiring focused oversight. Examples include:

• An executive committee to act on behalf of the board for urgent matters or managing crises, as well as to
oversee strategic planning or evaluate executive performance
• A technology committee to monitor IT capabilities and cybersecurity risks
• A risk committee to oversee the entity’s risk management program (not including financial reporting, which
remains under the audit committee’s purview), confirming robust processes for identifying, assessing, and
mitigating key risks that could impact the entity if not addressed
• A compliance and ethics committee to oversee the entity’s compliance and ethics program and confirm
alignment with applicable legal and regulatory standards
• A finance committee to oversee the entity’s capital structure, including debt instruments and equity
offerings

Boards may also establish special-purpose committees or sub-committees for specific needs, such as selecting a
new CEO, approving time-sensitive actions, or complying with heightened independence requirements in
strategic transactions. The decision to form additional committees depends on several factors, including listing
exchange and regulatory requirements, the sector in which the entity operates, director competencies, and the
entity’s specific circumstances.

Whether responsibilities are delegated to a committee or retained by the full board involves evaluating the issue’s
complexity, frequency, and need for specialized expertise. Material risks or significant strategic priorities often
warrant dedicated committee oversight, while the full board may address topics that are cross-cutting or critical
to the entity’s overall strategy. Committees are established when focused expertise, independence, or
concentrated attention enhances oversight without reducing overall board involvement on key matters.


1.6. Committee governance and reporting. Each committee operates under a documented charter that specifies its
authorities and responsibilities, as well as the committee’s structure, processes, membership qualifications, and meeting
requirements such as frequency, attendance, meeting materials, meeting minutes, and any routine reports that the
committee reviews for discussion and/or for the board. The board appoints a chair for each of its committees with the
requisite experience and independence. Committee chairs encourage their members to operate with transparency and rigor,
promoting clear and open communication with the full board and management, while adhering to leading practices and
confirming compliance with applicable legal and regulatory requirements. Committee chairs also facilitate periodic
committee assessments to enhance effectiveness and continuously improve governance practices. The board, when possible,
assigns members to serve on multiple committees, with each member also serving on at least one other committee, to
promote cohesion and collaboration within the committee structure, and with periodic rotation. The committee—usually
through the committee chair—establishes regular reporting to the board, inclusive of committee decisions and any
recommendations that require board approval. For information on board assessments, refer to the People Component.

Principle 2
Appoint Board Leadership and Members
The board appoints competent board leadership and diverse members who collectively possess the skills and experience needed
to enable performance, foster accountability, and operate with integrity, independence, and objectivity.

Points of Focus

2.1. Independent board leadership. The board has a leader to provide direction and guide the board’s work, which can
take the form of an independent board chair or a lead independent director, or equivalent, enabling effective corporate
governance, decision-making, and strategic oversight. The independent board leader has influence over the agenda,
facilitates board meetings, acts as a liaison between the board and executive management, and plays a crucial role in
conflict resolution and board and CEO succession planning.

“Appointing a board leader who is not a member of management and empowering that leader to influence the board agenda
and information flow and to engage with shareholders and other stakeholders helps position the board to provide objective
oversight and to act with agility.”
Source: NACD, 2023 NACD Blue Ribbon Commission Report, September 2023.

Deeper Insights: The Critical Role of Independent Board Leadership

An independent board leader enhances the confidence of shareholders and other stakeholders, reflecting that
their interests are effectively represented and safeguarded. Having an independent leader allows directors to
voice issues and concerns for board deliberation without immediately involving management. Entities
addressing board leadership in their annual proxy statement or other periodic reporting channels can use this
disclosure to describe the role their independent board leader plays in board effectiveness.


2.2. Board leadership attributes and responsibilities. Board leaders, including committee chairs, are competent and
experienced, fostering an environment of inclusion, open discussion, and debate. They regularly communicate with board
members, executive management, and external parties such as external auditors and compensation advisors. They work
with the corporate secretary and executive management to set meeting agendas, including the annual shareholder
meeting, and provide input into meeting briefing materials. Board leaders guide discussions, facilitate productive
deliberations, solicit dissenting views, build consensus, and encourage input from a wide range of voices. They are also
capable of delivering difficult or unpopular messages when necessary and are open to feedback on their leadership. For
information on board culture, refer to the Culture Component.

Leading-Edge Considerations: Board Leadership’s Relationship with the CEO

A strong, collaborative relationship between independent board leadership and the CEO is essential for effective
corporate governance, as it fosters strategic alignment, enhances decision-making, and strengthens board-
management dynamics. This relationship is built on mutual trust, open communication, and defined roles to
balance oversight with support. A well-functioning partnership allows the independent board leader to serve as
a strategic advisor and sounding board for the CEO while maintaining the independence needed for robust
oversight. Regular and candid discussions between the two can help anticipate challenges, align priorities, and
make sure the board remains well-informed without overstepping into management functions. As corporate
governance evolves, entities are increasingly recognizing that structured yet flexible engagement between
independent board leadership and the CEO—through scheduled check-ins, informal dialogues, and shared
commitment to governance excellence—can lead to a more resilient, adaptive, and high-performing board.

2.3. Board independence. A supermajority of the board is independent and free from material relationships with the entity.
The board, guided by legal counsel, establishes independence standards and the processes employed to evaluate director
independence, considering legal and regulatory requirements, the perspectives of shareholders, and other factors including
tenure, interpersonal relationships, and non-public affiliations. The board meets its responsibility to manage conflicts of
interest to maintain board independence and prevent biased decision-making. The entity has developed and maintains a
conflict-of-interest policy that promotes disclosure-based transparency for shareholders, regulators, and other key
stakeholders. The board actively oversees and resolves conflicts to protect the entity’s integrity and maintain stakeholder
trust.

Deeper Insights: Director Independence Considerations

Although non-independent executive directors, such as the CEO, bring valuable insights on daily operations and strategic
challenges, having a supermajority of independent directors is a leading practice that promotes robust, objective oversight
and is aligned with shareholder preferences. Note that external sources define director independence differently. Federal
and state standards and listing exchange (NYSE and Nasdaq) rules apply when identifying board candidates and determining
on which committees they may serve. Though both exchanges require boards to have a majority of independent directors, each
has unique criteria. Controlled public entities can elect to be exempt from having a majority of independent directors, but
they must disclose their status and the basis for the election in their annual proxy statement or in their annual report.
Legal counsel as well as outside directors should remain alert to the changing landscape of director independence, as
changes in director activities and relationships, amendments to rules and regulations, and court decisions can impact
director independence definitions and determinations.


2.4. Board competencies, skills, experience, and cognitive diversity. Board composition reflects a range of experience and
expertise aligned with the key opportunities and risks derived from the entity’s strategy. The board regularly reviews its
composition, with input from management, to identify the competencies, skills, and experience necessary to stay current, as
well as potential gaps. This begins with a dynamic and multi-year skills matrix to help the board evaluate both individual
and collective capabilities against the entity’s long-term strategy and needs. Boards also consider directors with a wide
range of backgrounds and demographics to promote cognitive diversity and enhance their ability to consider the perspectives
and needs of a diverse set of stakeholders.

Board committees are composed of board members with the relevant and requisite competencies, independence, and
objectivity. Committee membership requirements vary depending on the type of entity, sector, jurisdiction, and specific
regulations governing the entity. For example, listing exchanges require all U.S. public entity audit committee members to be
financially literate, and at least one member must be a qualified “audit committee financial expert” as per requirements in
the Sarbanes-Oxley Act of 2002¹ (SOX).

Leading-Edge Considerations: Robust Disclosure of Director Qualifications

As shareholders increasingly seek transparency and disclosure regarding board composition, it is essential that boards
include this information in their proxy statements. Individual competencies and expertise are prominently detailed in
director biographies and the board’s skills matrix, with a focus on competencies that are specific to the entity and strategy
over general business experience. Depending on the nature of the entity and its products or services, the board may need
specific regulatory, financial, industry, technology, or legal expertise, and the board’s disclosures reflect attention to
this need.

2.5. Director commitments. The board establishes and discloses a policy to prevent director overcommitment, including
setting clear limits on the number of board roles that directors and executives may hold concurrently. On an annual basis,
the board evaluates each director’s professional, personal, and board-related commitments to confirm sufficient capacity to
fulfill their governance responsibilities effectively. The evaluation considers each role’s specific time demands and
incorporates shareholder perspectives regarding the risks posed by overcommitted directors.

Leading-Edge Considerations: Overboarding

Director commitment policies prevent “overboarding” by limiting the number of boards on which a director is permitted to
simultaneously serve, to make sure they have sufficient time and focus to effectively fulfill their governance
responsibilities. Some entities restrict directors to a maximum of four fiduciary boards and sitting CEOs and other top
executives to no more than two, including their own, recognizing the demands of their primary roles.

¹ SOX is a U.S. federal law that mandates strict financial reporting and internal control requirements for public companies to protect investors from corporate fraud. It was
enacted in response to major accounting scandals and aims to improve transparency and accountability in corporate governance.


2.6. Director recruitment and selection. Supported by the nominating/governance committee or another independent
committee responsible for director nominations, the board establishes clear criteria for director recruitment, aligned with
the entity’s strategic needs and requirements and identified gaps in director expertise. The board maintains a pipeline of
qualified candidates or potential successors, sourcing them through various channels such as professional networks,
executive search firms, and shareholder recommendations, and cultivates relationships with prospective candidates to assess
their cultural fit. The board’s nominating/governance committee members evaluate director candidates (including any
submitted by shareholders) and submit the best candidates, to be elected by shareholders. For information on board
succession planning, refer to the People Component.

2.7. Director tenure. To maintain a diversity of tenures, the board seeks to balance short, medium, and longer tenures, in
part by addressing the issue of board turnover. While periodically considering the implementation of director term limits
and/or mandatory retirement ages, the board does not rely on these mechanisms alone, instead setting clear expectations and
emphasizing that director roles are not permanent. Board leadership fosters a culture in which directors consider their
renomination as something to be earned—and works to eliminate any stigma associated with the decision to off-board a
director or with an individual stepping away from a leadership role.

Leading-Edge Considerations: Maximum Lengths of Service for Board and Committee Leadership

Even if a board decides not to implement term limits or mandatory retirement ages for all of its directors, it should
consider setting maximum lengths of service for board and committee leadership positions. Establishing defined terms for
leadership roles—such as board and committee chairs—helps promote fresh perspectives, broaden participation among
qualified directors, and support independent oversight. Regular rotation of leadership roles can prevent the consolidation
of influence and encourage the development of future leaders.

Principle 3
Select CEO and Delegate Authority
The board selects the CEO and delegates authority to the CEO and executive management to execute the strategy and
manage operations, allowing for effective and efficient decision-making and accountability.

Points of Focus

3.1. CEO selection. In selecting a CEO, the board understands and agrees on the factors that are most likely to impact the
business in the foreseeable future and identifies the leadership skills and capabilities needed to navigate those challenges
and opportunities. The board considers the combination of skills, experience, essential qualities, and culture fit that will
best support the entity’s long-term viability and growth; board leaders often form or designate a committee to lead the
selection, hiring, and negotiation process. The board maintains a short list of internal and external CEO candidates to
determine the best fit for the role at the time of selection or in an emergency succession circumstance. The board seeks
perspectives from multiple parties—perhaps including the current and previous CEO, other key executives, or directors—
to gain insights into the demands of the role and the skills and capabilities of the current executive management team.
The board may engage an executive search firm to identify external candidates and conduct due diligence. High-
performing internal candidates are considered due to their skills, experience, familiarity with the entity, established
relationships, and demonstrated leadership abilities. The board remains objective and adaptable, ready to consider new
candidates if the strategic direction or business conditions change. For information on CEO succession, refer to the People
Component.


3.2. Board delegations to the CEO and executive management. Although the board is legally responsible for
management of the entity, it typically delegates significant authority to the CEO and other members of executive
management. The relationship is collaborative, with directors guiding and supporting executive management while
holding them accountable for achieving strategic goals and driving organizational success. The board defines and
formalizes matters reserved for the board versus those to be delegated, specifying the authorities, decisions, and monetary
thresholds assigned to the CEO and other members of executive management. Delegations could include transactions
such as operating obligations, capital expenditures, or mergers and acquisitions that are within specified spending
authority limits. These delegations are documented through a delegation-of-authority policy that the board regularly
reviews and approves to determine whether changes to the entity’s strategy or operating environment necessitate revisions
to the delegations.

3.3. CEO and executive management delegations. The decision-making powers for each executive role are clearly
defined, indicating which decisions can be made independently and which require collaboration, escalation, or board
approval. The delegation-of-authority policy includes monetary limits and decision thresholds (often referred to as an
approval matrix) as well as guidance on when and how authority may be delegated. The board reviews and approves the
policy to confirm the delegations are clear, appropriate, and consistently applied across the entity, aligning on what roles
have been given what authority and when issues should be escalated to the board. The policy is also clear on what
delegations may be extended to professional service providers and the protocol for selecting and relying on their advice.
This policy is regularly reviewed and updated, especially around changes in leadership, significant events such as
acquisitions, or shifts in executive management capabilities.

Principle 4
Establish Executive Structure and Effectively Manage
Executive management, with board oversight, establishes a governance structure with defined roles, responsibilities, and
committees to effectively develop and execute the strategy, manage risks, and uphold the entity’s integrity.

Points of Focus

4.1. The roles and responsibilities of executive management. Executive management develops the strategy in
collaboration with the board, executes the strategy, manages risks and opportunities, promotes integrity, and upholds
legal and ethical behavior. Each executive role has clearly defined responsibilities, documented in job descriptions that
outline key duties, required qualifications, and performance expectations. These responsibilities are aligned with the
entity’s strategic objectives, and each executive understands how their role contributes to overall performance.
Mechanisms are established to identify and address any overlaps, gaps, or ambiguities in executive roles, creating clarity
in accountability and minimizing operational disruptions. Executive roles and responsibilities are reviewed periodically
and adjusted as needed to reflect changes in strategy, organizational growth, or succession planning. For information on
executive succession planning, refer to the People Component.


Deeper Insights

Essential Executive Roles in Corporate Governance


The specific executive management roles involved in corporate governance may vary depending on an entity’s
size, structure, industry, and maturity, but there are several key positions—beyond the CEO—that are commonly
essential to governance and critical to the board’s oversight responsibilities. These often include the corporate
secretary, chief legal officer, general counsel, or equivalent; executives responsible for assurance functions such
as the chief audit executive (CAE), chief risk officer (CRO), and chief compliance officer (CCO); and the chief
financial officer (CFO), chief accounting officer (CAO), chief operating officer (COO), chief information security
officer (CISO), and the chief human resources officer (CHRO), or equivalents. The board may even delegate
certain matters to these roles to drive the right expertise and involvement in key or material matters and to set
up appropriate segregation of duties. These roles are crafted with specific authority—and, in some cases,
independence—to provide unbiased information that helps the board make strategic decisions aligned with
legal, financial, and ethical standards, while supporting the entity’s core values, integrity, and accountability.

4.2. Executive management attributes and capabilities. Under the board’s guidance, the CEO assembles an executive
management team with the skills and experience necessary to effectively and ethically execute the strategy. These
executives combine technical expertise with strong leadership abilities, motivating their teams and collaborating with
colleagues to drive the strategy forward. Their ability to execute the strategy, identify and manage risks, make informed
decisions, and adapt to change is vital for sustaining the entity’s progress and long-term success. The entity establishes a
performance management process to regularly evaluate and assess these executives. For information on executive
development, performance management, and succession planning, refer to the People Component.

Deeper Insights

Executive Management’s Interactions with the Board

To build trust and foster effective governance, executive management engages with the board in ways that are distinct
from interactions with peers or internal teams. Successful engagement requires a refined set of capabilities that go beyond
subject-matter expertise. Executives demonstrate strategic communication, tailoring insights to board-level priorities
through concise summaries, visuals, and context that provoke meaningful dialogue. Equally important is boardroom
awareness and emotional intelligence—the ability to read the room, navigate interpersonal dynamics, and adjust
communication in real time. Executives with a cross-functional perspective add value by connecting the dots across the
entity and aligning their messaging with broader strategic goals. Effective engagement also demands strong preparation
and foresight, including anticipating board questions, understanding where pushback may arise, and clearly articulating
the purpose of each interaction. Finally, follow-through and accountability are essential: tracking commitments,
delivering timely updates, and maintaining open lines of communication with board and committee leaders build the
credibility needed for sustained, high-impact board relationships. For information on communication and reporting to
the board, refer to the Communication Component.


4.3. Management committees. Executive management establishes and maintains management-level committees that
align with the entity’s strategic priorities and operating model. These committees support cross-functional collaboration,
decision-making, monitoring, and escalation for critical business areas such as finance, operations, and risk. Where
appropriate, executive management may form industry-specific committees to address emerging risks or specialized
oversight needs. Committees operate under formal charters that define roles, responsibilities, authority, and membership,
with adequate executive representation to enable informed and timely contributions. Executive management establishes
and maintains structured communication, reporting, and escalation mechanisms to promote integration and information
flow between management committees, executive management, and the board. The committee structure is periodically
reviewed and updated to reflect changes in strategic priorities or external conditions. For information on escalation and
reporting, refer to the Communication Component.

Principle 5
Operate the Board Effectively
The board, in collaboration with the corporate secretary, develops and periodically revisits governance processes to optimize
board operations and strengthen board engagement, enabling effective governance and oversight.

Points of Focus

5.1. Board work plan and meeting agendas. In collaboration with the corporate secretary, the board establishes and
regularly updates its annual work plan or calendar and meeting agendas. The annual plan sets expectations for director
time commitments, serves as a framework for committee meetings, and allocates sufficient time for strategy and risk.
Agendas are driven by the board’s defined roles and responsibilities, regulatory requirements, and corporate governance
guidelines, with board leaders reserving adequate time for strategic discussion. Annual work plans incorporate deep dives
into priority topics, director education, and time for board assessments. The board also reflects on past risks, challenges,
and performance gaps to adjust time allocation and strengthen oversight where needed. Annual planning aligns with
external reporting cycles and stakeholder engagement to support timely and informed decision-making.

5.2. Executive sessions. The board and its committees reserve certain discussions and decisions (e.g., CEO performance
and compensation, succession planning, board performance, significant legal or compliance matters, or discussions with
the external and internal auditor) for themselves via regular executive sessions. Board and committee agendas routinely
designate time for these sessions, before and/or after each board or committee meeting. Executive sessions convened
toward the end of scheduled board/committee meetings with select members of management, as well as with no
management present, provide an environment for board members to openly discuss sensitive issues, reflect on decisions
made during the meeting, and address any unresolved matters through the chair/lead independent director. This private
setting also allows for candid evaluations of leadership and strategic planning without external pressures.

Deeper Insights

Executive Sessions to Focus Board Agendas

Conducting executive sessions with the CEO at the outset of board meetings can help focus the discussion on the most
relevant agenda items, allowing the CEO and board to adjust the agenda based on discussions held in the executive
session.


5.3. Board minutes. The board and its committees appropriately document and maintain records of each board and
committee meeting, including executive sessions and virtual meetings, and fully executed forms of director consent for
any actions taken by unanimous written consent in lieu of meetings. A corporate secretary, often the entity’s general
counsel, is designated to maintain and keep the entity’s records and board meeting minutes. Minutes aim to capture key
discussions, the rationale behind decisions, and the board’s oversight of risks and compliance, reinforcing that those
directors exercised due care and diligence. Timely preparation, formal review, and approval help confirm completeness
and accuracy, while secure retention safeguards confidentiality and preserves the integrity of board records.

5.4. Access to management. Directors have access to management beyond the CEO, in both formal and informal
settings. Informal one-on-one discussions offer directors an opportunity to address specific concerns, gain deeper
understanding, and foster candid communication. They avail themselves of this access to familiarize themselves with
operations, tour facilities, and better assess the capabilities and performance of key executives. Directors keep the CEO
informed of these interactions, helping the CEO stay aware of ongoing conversations with other members of management
and understand the context in which they are taking place.

Deeper Insights

Key Governance Documents Supporting Corporate Oversight


The following are common corporate governance documents or disclosures that support corporate oversight.
This is not an exhaustive list, and specific requirements may vary based on regulatory frameworks, corporate
policies, and industry standards.

• Articles of incorporation. Establishes the corporation’s legal existence, structure, and purpose
• Bylaws. Defines the corporation’s internal governance rules, including board structure, meeting procedures,
and officer roles
• Corporate governance guidelines. Outlines governance principles, board responsibilities, and ethical
expectations
• Board and committee charters. Specifies the roles, composition, and authority of the board and its
committees
• Delegation-of-authority policy and matrix. Clarifies decision-making authority across the entity
• Proxy statement. Provides governance disclosures, executive compensation details, and shareholder voting
matters
• Stakeholder engagement model. Details how the entity engages with shareholders, regulators, and other
key stakeholders
• Conflict-of-interest policy. Defines procedures for identifying, disclosing, and managing conflicts that
could compromise director independence


Principle 6
Uphold Shareholder Rights and Accountability
The board and executive management uphold shareholder rights through clear, transparent disclosures, and actively
facilitate meaningful dialogue to enable shareholders to make informed decisions while holding directors accountable for
their fiduciary duties.

Points of Focus

6.1. Shareholder rights. The entity recognizes and upholds the rights of shareholders through transparency and
accessibility. Executive management provides clear and comprehensive disclosure of shareholder rights in its governance
documents, annual reports, and proxy statements, with special attention on variable rights, such as proxy access, director
nominations, the ability to call a special meeting, and voting rights among share classes. The board evaluates variable
shareholder rights, considering market norms and shareholder expectations, and clearly communicates its decisions—
especially when deviating from common practices—to explain how such choices align with the entity’s and shareholders’
best interests. The board confirms that these disclosures are accessible and written in plain language to facilitate
understanding so that shareholders feel empowered to participate actively in corporate governance. Any actions that may
impact shareholder value are undertaken with due consideration of their rights and interests, promoting long-term
growth and corporate accountability.

Deeper Insights

Evolving Shareholder Rights Expectations

Although minimum shareholder rights are embedded in federal and state laws and regulations, as well as the rules of
listing exchanges, the landscape of shareholder expectations often extends beyond these foundational requirements.
Shareholders frequently seek enhanced rights through market-driven mechanisms such as litigation and shareholder
proposals. These mechanisms have become significant avenues for shareholders to voice their expectations on various
topics, including proxy access, director nominations, and voting rights. The evolving nature of these expectations reflects
a broader trend toward more aggressive shareholder activism, with investors advocating for greater transparency,
accountability, and influence over corporate governance practices. As a result, entities increasingly recognize the
importance of proactively engaging with shareholders to address these heightened expectations, fostering a more
collaborative and responsive governance environment.

6.2. Informed shareholder voting. The entity keeps its shareholder base engaged and informed by giving owners timely
information to exercise their voting rights. This includes providing shareholders with comprehensive information about
governance practices, director candidates, executive compensation, the external auditor, and any other matters on the
voting ballot. Proxy materials are made available to shareholders well in advance, allowing voters sufficient time to review
resolutions and proposals, assess performance metrics, and consider potential impacts. To further support informed
voting, the entity facilitates ongoing dialogue between shareholders, the board, and executive management. By taking
these steps, the entity enables shareholders to make informed decisions and exercise their voting rights to express their
preferences and hold directors accountable.


6.3. Shareholder director nominations and election. Shareholders can nominate directors either by suggesting names
to the board or by availing themselves of direct access to the proxy statement. When a shareholder makes a nomination to
the board, the board’s nominating/governance committee will assess the candidate and either place that name on the
proxy statement or decline the nomination, with a clear explanation of its decision. Although not required, shareholders
have established a strong preference for directors to be elected by majority vote through their use of, and voting on,
shareholder proposals. Majority voting in director elections at U.S. public companies is understood to be when a director
must receive more votes for than against to be elected or re-elected. This can be achieved through a pure majority voting
standard, in which a director who fails to receive a majority of votes is not elected, or a resignation policy, in which a
director who does not receive a majority must tender a resignation that the board has discretion to accept or reject.

6.4. Shareholder stewardship. The entity actively facilitates ongoing, transparent dialogue to allow shareholders to
effectively engage and share their perspectives on key governance matters with the board and executive management,
when they want to. The board provides structured opportunities for shareholder input, including direct engagement on
topics such as entity performance and executive compensation—both with and without management present. The entity
does not impose undue burden on shareholders advocating for governance reforms, using appropriate legal and regulatory
channels. For information on shareholder engagement and communication, refer to the Communication Component.

6.5. Diverse shareholder perspectives and investment timelines. Entities often have a wide spectrum of shareholders
(active, passive, activist, institutional), each with different investment objectives, obligations, and regulatory constraints.
To effectively engage with shareholders, entities map out their shareholder universe to understand shareholders’ diverse
perspectives and investment timelines. Entities use this information to make corporate governance decisions,
acknowledging that they cannot satisfy all shareholders and investment objectives. They develop targeted communication
strategies tailored to different shareholder groups’ expectations and priorities. They facilitate dialogue through
shareholder forums and meetings to receive their feedback. Entities maintain a system to document and respond to
shareholder feedback to further refine strategies and enhance support for governance decisions. Entities also recognize
that shareholders’ investment objectives shape their perspectives on the impact of other stakeholders, whose engagement
and trust are essential to sustained performance and strategic success. For information on stakeholder engagement and
communication, refer to the Communication Component.

Strategy

Corporate governance is a critical enabler of strategy, providing the structure and discipline an entity needs to develop,
execute, and oversee strategic goals and objectives. Effective governance clarifies the alignment between strategy and the
entity’s purpose, core values, and short- and long-term goals. It supports strategic feasibility and focus by guiding resource
allocation, monitoring performance, and promoting adaptability in changing environments.

The board plays an essential role in shaping and overseeing the entity’s strategy. It works closely with executive
management to review and approve the strategy and resulting strategic plans, challenge assumptions, and drive
accountability for execution. This oversight is continuous and embedded in board activities.

Executive management is responsible for formulating and implementing the strategy. Management connects strategic
goals and objectives to day-to-day operations, sets clear expectations, and monitors performance to confirm the workforce
is aligned and focused on delivering long-term value.

Principle 7
Define Purpose and Core Values
The board and executive management clearly define and communicate the entity’s purpose and core values, and
management embeds them into the strategy and operations to guide decisions and promote long-term viability.

Leading with Purpose

“The company’s purpose, as defined by the problems addressed and the needs
filled by its goods and/or services, should drive its behavior, shape its
governance, and position the company to create sustainable long-term value.”
Source: NACD, NACD’s The Future of the American Board: A Framework for Governing into the Future, October 2022.


7.1. Purpose as the foundation for strategy. The board and executive management define a clear, enduring purpose that
shapes the entity’s identity and short- and long-term success, serving as the foundation for major decisions and strategic
priorities. The purpose informs the entity’s core values and culture, remaining consistent and relevant despite market and
societal changes. Once approved by the board, it is embedded into decision-making, communicated clearly across all
levels, and integrated into performance metrics to drive accountability. Employees understand how their roles contribute
to fulfilling the entity’s purpose, which guides innovation, risk-taking, and leadership actions. Purpose is also
communicated externally to act as an anchor for the entity’s strategy.

What Is Purpose?

An entity’s purpose is its fundamental reason for being, guiding strategy, decision-making, and culture. In COSO’s ICIF
and ERM Framework, purpose sets the foundation for aligning objectives, managing risk, and fostering an ethical,
values-driven environment.

Deeper Insights

The Power of Purpose


A clear purpose acts as a north star and helps attract, engage, and motivate employees, customers, and other
stakeholders. It’s the why behind what the entity does. When an entity’s purpose aligns with core values, it
fuels greater connection between an entity and its people. Strong employee engagement can be the catalyst to
unlock creativity and inspire innovation, critical to the development of new products, services, or business
models that support the entity’s goals. For customers, a clear purpose fosters trust and loyalty, just as it helps
employees feel more connected to an entity that aligns with their values. This connection can encourage
greater loyalty and advocacy, as consumers tend to prefer brands that share their values and contribute
positively to society. However, if an entity’s actions diverge from its stated purpose, there is a risk of damaging
loyalty among its stakeholders. Ultimately, a clear purpose that resonates with stakeholder values can be a
powerful tool for building trust and driving long-term value creation.

7.2. Aligning core values to purpose. The board and executive management define the entity’s core values to align with
its purpose, guiding decision-making and shaping behaviors at all levels. The entity embeds its core values into key
processes, including recruitment, learning and development, performance management, and stakeholder interactions,
reinforcing that they extend beyond statements and actively influence strategy, culture, and operations. The entity’s
performance management process rewards behaviors that reflect these core values and identifies and addresses behaviors
that are in conflict. Executive management uses regular assessments, such as employee engagement surveys, to evaluate
how well the entity is living its purpose and core values, allowing for adjustments to remain aligned with the strategy and
business objectives. These values serve as a moral compass, helping employees navigate ethical dilemmas, resolve
conflicts, and uphold the entity’s reputation, ultimately fostering a culture of integrity, adaptability, and trust. For
information on the role of purpose and core values in shaping culture, refer to the Culture Component.

What Are Core Values?

Core values represent an entity’s ethical and cultural foundation, shaping behavior, decision-making, and risk awareness
at all levels. In both COSO’s ICIF and ERM Framework, core values are essential for setting the tone at the top, guiding
ethical conduct, and aligning risk, control, and performance with the organization’s purpose.


Principle 8
Develop and Communicate the Strategy
Executive management, with board input, leads the development and communication of the entity’s strategy, aligning it with
the entity’s purpose and long-term value creation.

Points of Focus

8.1. Understanding competitive value. Before developing a strategy, the board and executive management gain a clear
understanding of the key sources of the entity’s value, how it is created, and what threatens it. This includes a thorough
assessment of the entity’s core strengths, competitive advantages, and market positioning. The board and executive
management evaluate key sources of value: financial performance, operational capabilities and efficiencies, intellectual
property, brand equity, customer relationships, and talent. They also identify internal and external risks—such as market
disruptions, regulatory changes, technological advancements, or competitive pressures—that could erode this value. Once
the value landscape is clear, executive management determines how to leverage, protect, and expand this value in ways
that align with long-term strategic goals. All strategic decisions tie back to value creation, confirming alignment with
shareholder expectations and broader stakeholder interests.

Leading-Edge Considerations

Balancing Long-Term Value Creation with Short-Term Pressures


Entities often face difficult decisions that require balancing short-term pressures with long-term value creation.
In activist shareholder scenarios, for example, boards and executive management evaluate whether responding
to immediate demands—such as cost-cutting, asset divestitures, or leadership changes—aligns with the entity’s
strategic vision or risks undermining sustainable growth. While the board’s primary responsibility is to promote
the entity’s long-term success, this is fundamentally defined by the creation of sustainable value that benefits
shareholders over time. Maximizing long-term shareholder wealth and creating broader value are not mutually
exclusive—rather, they are closely aligned objectives. Effective corporate governance resists short-term demands
or interests that may conflict with these long-term goals. At times, compromise or tactical shifts may be
necessary to maintain shareholder confidence, avoid prolonged distractions, or prevent more disruptive
interventions. This may involve working with executive management to adjust capital allocation, revisit
operational priorities, or modify governance structures to address concerns while preserving the entity’s
strategic direction. The board and executive management critically assess trade-offs, distinguishing between
actions that build long-term resilience and those that provide only temporary relief. Navigating these tough calls
requires independent judgment, stakeholder engagement, and disciplined decision-making, with a consistent
focus on the entity’s enduring success and shareholder value.

8.2. Strategic planning. Executive management, led by the CEO, develops the strategy and resulting strategic plan,
with meaningful board input and guidance. Executive management establishes a formal and iterative strategic planning
process that clearly defines roles and responsibilities of management and the board. The process considers the
competition, the entity’s unique competitive advantages, key risks and opportunities, unmet customer needs, and
stakeholder perspectives, and includes scenario analyses to test the potential impact of different strategic options. As
part of this process, management defines strategic goals and objectives that guide decision-making, resource allocation,
and performance measurement across the entity. Management also integrates risk management into the strategic

COSO | Corporate Governance Framework


Public Exposure Draft 17
Strategy

planning process by aligning strategic initiatives with the entity’s risk appetite, identifying and mitigating risks, and
seizing opportunities for growth and innovation. The board offers external perspectives, challenges assumptions, examines
alternatives, reviews executive management’s priorities, and approves the resulting strategy.

The outcome of this collaborative development of the strategy is a formal, multi-year strategic plan that considers different
time horizons (e.g., one year, three years, five years). The strategic plan is a living document that is regularly reviewed and
updated—typically through annual reviews, ongoing monitoring, and trigger-based adjustments—to remain relevant
while maintaining long-term focus and adaptability. For information on aligning risk and opportunities with strategy, refer
to the Resilience Component. For further details on developing the strategy, refer to COSO’s ERM Framework.

8.3. Strategy communication. Relevant parts of the strategic plan are communicated internally to employees at all levels
and externally to relevant stakeholders, with the level of detail tailored to each audience based on their role, needs, and
level of involvement. Executive management determines the stakeholders who require an understanding of the entity’s
strategy, which aspects will be shared, and through which channels. Management creates messaging for employees and
encourages open dialogue and feedback to hear concerns and promote understanding. Management also leverages
performance systems and metrics to communicate strategic priorities and regularly updates them to maintain clarity,
relevance, and alignment. Executive management and the board consider how the strategic plan can be used to foster
engagement and strengthen the entity’s relationship with shareholders, and the board reviews and approves the overall
communication approach, confirming that it aligns with the entity’s strategy and governance expectations. While the
board is not typically involved in day-to-day communications, it stays informed about the transparency, consistency, and
effectiveness of strategic messaging through regular updates and discussions with executive management. For
information on stakeholder engagement and communication, refer to the Communication Component.

Leading-Edge Considerations

Business Model Review

When developing a strategy, executive management proactively assesses the validity of an entity’s current business
model, recognizing that past successes do not guarantee future ones. By understanding evolving customer needs and
macro forces such as technological disruption and demographic shifts, an entity can determine when a business model
shift is necessary. To effectively assess business models and inform shifts, management can leverage structured
frameworks to evaluate external forces, context mapping to identify industry trends, and tools to visualize, test, and
refine potential new models before implementation. A business model reinvention is a radical transformation that can be
necessary for an entity’s long-term viability, requiring changes in core operations, operating models, revenue models, and
offerings through digital innovation, new customer experiences, and sustainability initiatives. For information on
operating models, refer below within this Component.

Principle 9
Execute the Strategy
Executive management, with board oversight, leads the execution of the strategy, creating a supporting structure, allocating
resources, and aligning initiatives throughout the entity.

Points of Focus

9.1. Structure to support the strategy. Executive management, led by the CEO, establishes an operating model to
effectively support the execution of the strategy and strategic objectives. Executive management evaluates the entity’s
strategic goals, size, industry, geographic presence, market conditions, and regulatory requirements, among other factors,
to determine the optimal operating model. This involves understanding the key functions, resources, technology,
processes, and capabilities required to execute the strategy, and includes determining decision-making authority,
accountability, and how teams collaborate across functions and geographies. Executive management periodically reviews
the operating model and structure to confirm their alignment with the entity’s evolving needs, adjusting processes,
reporting relationships, and resource allocation as necessary to maintain strategic agility and operational effectiveness.
For information on people strategy and planning, refer to the People Component.

9.2. Management's role in strategy execution. Management plays a crucial role in executing the strategy by acting as a
bridge between executive management and the frontline workforce. Strategy execution is a shared responsibility that
cascades throughout the entity, with management at all levels developing and implementing business line and functional
strategies and action plans tailored to their specific units. Management is responsible for implementing discrete strategic
initiatives, problem solving to overcome execution challenges, and motivating teams to maintain alignment with the
entity’s overall strategic goals. Managers provide timely and accurate information and reporting to executive management
and the board on progress, challenges, and successes in strategy execution. Additionally, executive management
maintains a feedback loop with management to refine strategy and facilitate effective change management, enabling the
adaptation of new processes and technologies. For an example of a functional strategy that rolls up to the entity’s overall
strategy, refer to the People Component.

9.3. Capital and resource allocation. Executive management, led by the CEO, allocates financial and non-financial
resources to support the strategy. The board or executive management, when appropriate, tasks a board-level or
management-level committee to evaluate and prioritize investment opportunities. The committee offers the CEO
recommendations on the entity’s capital allocation, and the CEO then submits proposals to the board in accordance with
established delegations and authority limits. As part of this process, the committee develops a multi-year capital
allocation plan that aligns with the entity’s strategic objectives and financial goals. Additionally, executive management
identifies the most suitable sources of capital for the business model, optimizing the entity’s debt and capital structure to
support the strategy. The board helps executive management define the capital requirements to align with the strategy,
approves the capital allocation plan and budget, monitors results through management reporting, and evaluates whether
capital and resources are being allocated to maximize long-term value creation.

Leading-Edge Considerations

Making Capital Allocation Decisions: Investing in Organic and Inorganic Growth

Management is responsible for developing a focused investment strategy that aligns with the entity’s overall strategy,
incorporating both organic growth (e.g., internal innovation, capacity expansion, and operational improvements) and
inorganic growth (e.g., acquisitions, partnerships, and strategic investments) as needed. For inorganic growth
opportunities, the board’s responsibility is to thoroughly understand each material or significant transaction or structural
change—subject to the delegation-of-authority policy in place—and assess how it fits into the overall strategy. The board
engages in proactive discussions about potential growth paths, guiding executive management as it evaluates specific
opportunities. Boards establish clear criteria for their involvement, considering both quantitative factors such as the
relative size of the transaction and qualitative factors such as strategic alignment. The entity’s delegation-of-authority
policy delineates when board input is required. Management regularly updates the board on potential targets and ongoing
transactions, providing details on business plans, due diligence, and pricing. This ongoing communication allows directors
to offer timely feedback and guidance, so that by the time board approval is sought, directors are prepared to make
informed decisions.

Deeper Insights

Shareholder Influence in Capital Allocation


Shareholders can influence capital allocation through proxy voting and direct engagement with executive
management, particularly active institutional investors or activist shareholders who advocate for financial
strategies they believe maximize shareholder value. For example, some shareholders may push for increased
dividends or share buybacks to generate immediate returns, while executive management may prioritize
reinvesting profits into research and development, acquisitions, or infrastructure to sustain long-term growth.
Executive management and the board should understand the necessity of clearly articulating the rationale
behind capital allocation decisions—grounding those decisions in the long-term interests of the shareholder
base as a whole, even when they diverge from specific shareholder groups’ short-term demands. Where
appropriate, executive management and the board are prepared to engage with shareholders to explain how
these decisions support the entity’s strategy and value creation.

9.4. Operating plans and budgets to align with the strategy. Management creates both annual and longer-term (e.g.,
three to five years) operating plans and budgets that align with the entity’s strategic plans. These translate the entity’s
strategic plans into actionable, measurable initiatives, establishing a roadmap for execution. By setting specific
performance targets and capital allocations, they enable effective oversight, allowing the board to monitor progress and
hold management accountable. Management regularly reviews and adjusts these plans through a reforecasting process,
aiming to adapt to market changes and confirm that operations and investment decisions are advancing corporate goals.
The board considers and monitors the implementation of operating plans and reviews and approves annual budgets.

Principle 10
Measure Performance Against Strategy and Adjust
Management, with board oversight, tracks progress and performance against the strategy using agreed-upon metrics and
adjusts the strategy as necessary.

Points of Focus

10.1. Performance measurement. Management establishes a process for consistently monitoring and assessing the
execution of the strategy, including the use of tools and techniques to measure progress against strategic goals and
objectives. Financial and non-financial key performance indicators (KPIs) as well as other indicators related to the entity’s
values, people, and impact—such as learning (e.g., employee training hours), growth (e.g., number of projects in R&D),
and sustainability (e.g., carbon footprint)—are linked to the strategic plan. With the board’s input and approval,
management develops both quantitative and qualitative measures to assess the strategy’s success over time, periodically
reassessing these metrics to confirm they remain relevant, meaningful, and aligned with the entity’s evolving strategic
priorities. Management creates reporting based on established measures to monitor and oversee strategic performance.
Executive management, with oversight from the board, determines which of these financial, operational, strategic, or
other relevant performance metrics will be disclosed, to whom (e.g., shareholders), and how (e.g., proxy statement, direct
engagement). For information on performance management, refer to the People Component.

10.2. Board oversight of strategy. The board’s oversight of strategy is an ongoing process, embedded in regular meetings
and discussions throughout the year. With support from executive management, the board monitors strategic execution
through dashboard reporting on KPIs, milestones, and trends, enabling it to assess progress, identify emerging challenges,
and evaluate whether resources are effectively allocated. In addition to continuous updates from the CEO, the board and
executive management engage in focused strategy sessions—such as annual offsites—to align on strategic priorities and
consider external influences like market dynamics, competitive pressures, and emerging risks. Oversight extends to
monitoring financial and operational performance to confirm alignment with strategic objectives. The board reviews
financial and non-financial metrics to track performance, while reinforcing that results must be achieved through ethical
and responsible conduct. Through regular reporting, strategic dialogue, and stakeholder engagement, the board remains
focused on both short-term execution and long-term value creation. For information on management reporting and
communication to the board, refer to the Communication Component.

10.3. Strategic agility and adjustments. Executive management and the board maintain strategic agility by staying
informed of market trends, macroeconomic conditions, regulatory changes, and other external forces that could impact
strategy or disrupt execution. To remain responsive, they align on early warning indicators—such as declining market
share, shifts in consumer behavior, or technological disruption—and conduct scenario planning to stress-test the strategy
against potential challenges. When the strategy is not delivering as intended, the board helps diagnose the underlying
issues, challenges management’s assumptions, and confirms that corrective action is taken. Together with executive
management and, when appropriate, external advisors, the board explores options such as cost realignment, mergers and
acquisitions, or business model shifts. Open, candid dialogue helps distinguish between tactical adjustments and
significant strategic pivots, which may involve reallocating resources or refining operations. All strategic changes are
evaluated through a disciplined process, with the board reviewing assumptions, risks, and alternatives before approving
adjustments.

Deeper Insights

Navigating Uncertainty Through Scenario Planning

Boards and executive management integrate scenario planning into the ongoing strategic process to strengthen strategic
agility and reduce uncertainty. Management defines key strategic uncertainties, develops a range of plausible scenarios,
quantifies potential impacts, and outlines the strategic options and associated trade-offs. The board actively challenges
management’s assumptions, tests scenario outcomes, and evaluates whether proposed strategies effectively mitigate risks
or capture opportunities. Boards and management regularly revisit and update scenario plans, adapting strategic priorities
as conditions evolve.

10.4. Crisis response and business continuity. Crises—such as data breaches, product failures, leadership misconduct,
or geopolitical disruptions—can arise unexpectedly and must be addressed swiftly to limit reputational and operational
damage. The entity maintains comprehensive, regularly tested crisis response and business continuity plans to sustain
operations, protect assets, support employee safety and well-being, and bolster stakeholder confidence. Executive
management engages the board in scenario planning, early issue identification, and crisis preparedness discussions.
Together, they define clear roles and responsibilities, including those of board leadership, and participate in regular crisis
simulation exercises. Protocols are established to guide information flows and provide the board with timely, reliable
updates. During a crisis, the board contributes independent oversight, pressure-tests management decisions, and helps
reinforce stakeholder trust. Post-crisis, the board and executive management evaluate impacts, guide recovery, and
integrate lessons learned into future governance, risk management, and business continuity practices. For information on
culture in crisis and change, refer to the Culture Component.

Culture

Culture is a foundational element of effective corporate governance, influencing how decisions are made, how risks are
managed, how people behave, and how stakeholders perceive the entity. Culture defines the norms, expectations, and
ethical climate that shape interactions from the boardroom to employees at every level.

A healthy culture reinforces the entity’s strategy, purpose, and core values. It enables ethical conduct, accountability,
innovation, and adaptability—essential ingredients for long-term value creation. Because culture can be both a source of
strength and a potential risk, leaders must intentionally define, actively shape, and continuously monitor it.

The board and executive management share responsibility for establishing the tone at the top and embedding cultural
expectations across the entity. Their role includes promoting alignment between culture and the entity’s strategic goals
and objectives, core values, and stakeholder expectations. By treating culture as a strategic asset, leadership helps position
the entity to support long-term performance, resilience, and stakeholder trust.

Culture, as defined across COSO’s ICIF and ERM Framework, is the set of shared
values, attitudes, and behaviors shaped by leadership that influence how individuals
act with integrity, make decisions, and respond to risk. It reflects the organization’s
ethical foundation and risk awareness, guiding consistent behavior in support of
strategy and objectives.

Principle 11
Establish and Model Culture and Behaviors
The board and executive management work collaboratively to establish and model the desired culture and behaviors to align
with the entity’s strategy, core values, and ethical standards.

Points of Focus

11.1. Board culture. The board sets the tone at the top by modeling the entity’s core values in its governance practices,
including adopting a documented board-specific code of ethics and conduct aligned with those values. Board leadership
fosters trust, openness, and accountability through respectful dialogue, active listening, and structured discussions that
invite diverse perspectives and challenge assumptions. The board conducts regular self-assessments—such as 360-degree
feedback among directors and evaluations of group dynamics—to identify behavioral board issues as well as opportunities
to strengthen alignment with the entity’s culture. Insights from these assessments inform targeted development actions,
such as governance training, conflict-resolution coaching, and adjustments to board processes. These activities are
transparently communicated to executive management and, when appropriate, to stakeholders, reinforcing the board’s
commitment to leading by example. For information on tone at the top, refer to COSO’s ICIF and ERM Framework. For
information on board assessments, refer to the People Component.

11.2. Executive management expectations and behaviors. The CEO, with board oversight, defines and regularly
reinforces expectations for executive behavior that reflect the entity’s core values and strategic priorities. These
expectations are operationalized through a formal leadership framework or competency model, integrated into executive
management performance evaluations, succession planning, and reward systems. Evaluations assess both outcomes and
leadership behaviors, using structured input from peers, direct reports, and the board, and may lead to targeted coaching
or development plans. Executive management models desired behaviors in communications, meetings, and daily
decisions, linking their actions to core values; deviations are addressed through clear accountability measures such as
prompt feedback, remediation plans, or disciplinary actions. Executive management also promotes transparency by
communicating how key decisions align with the entity’s purpose and core values, and by actively engaging stakeholders
to reinforce cultural priorities across the entity. For information on executive management performance, refer to the People
Component.

11.3. Defining and communicating the desired culture. Executive management, in collaboration with the board,
defines the entity’s desired cultural traits and links them directly to its purpose, core values, and strategic objectives.
These expectations are operationalized through policies, decision-making frameworks, onboarding, leadership
development, and values-based training, emphasizing that culture is demonstrated through day-to-day behaviors.
Management communicates regularly with employees to underscore cultural expectations and illustrate how individual
roles contribute to strategic goals. Two-way communication is supported by structured feedback mechanisms—such as
surveys, listening sessions, and focus groups—that are used to monitor alignment and employee sentiment. Management
reviews this feedback, adjusts messaging or programming as needed, and communicates changes made in response,
reinforcing accountability and continuous alignment with the desired culture. For information on how the entity defines
its desired culture, refer to COSO’s ERM Framework.

11.4. Integration into business practices. Executive management integrates cultural priorities into business
functions—such as talent acquisition, performance management, incentive design, and operational decision-making—to
confirm that daily practices reinforce the desired culture. The hiring process uses behavioral assessments and scenario-
based questioning to assess candidate alignment with core values, while performance evaluations include criteria that
measure how results are achieved, not just what is achieved. Incentive structures, including compensation and bonus
plans, are routinely reviewed to promote ethical behavior and long-term thinking over short-term, high-risk actions.
Management conducts periodic reviews or cultural audits to identify policies or practices that may be misaligned with
core values and updates them to support cultural consistency. The board oversees these efforts by reviewing
management’s reports on cultural integration and engaging in discussions about these practices’ effectiveness in
supporting strategic execution.

Deeper Insights

Cultural Consistency Across Partnerships and Global Subsidiaries


Executive management extends the entity’s cultural expectations to external partnerships and global
subsidiaries by embedding ethical, cultural, and behavioral standards into third-party contracts, onboarding,
and oversight processes. This includes providing vendors, contractors, affiliates, and subsidiaries with clear
guidance, training, and ongoing communication from the corporate center. Management proactively assesses
cultural differences when entering new regions or partnerships and adapts materials and engagement
approaches—such as training and communications—to reflect local norms while maintaining standards. For
example, in geographies less culturally open to candid communication, management tailors practices to foster
psychological safety and speaking up. Compliance audits, site visits, and stakeholder surveys are used to
monitor adherence and address deviations promptly. The board oversees these efforts by reviewing
management’s reporting on third-party and subsidiary alignment with cultural expectations, confirming that
governance frameworks are in place to maintain consistency across the extended enterprise.

Principle 12
Promote Ethics, Respect, and Open Communication
Executive management, with board oversight, fosters a culture in which ethical behavior, respect, and open communication
are expected and supported at all levels.

Points of Focus

12.1. Ethical standards and conduct. Executive management, with board oversight, maintains a comprehensive code of
ethics and conduct that defines expected behaviors aligned with the entity’s core values and promotes a culture that
encourages doing the right thing. The code translates values into clear behavioral guidelines and is reinforced through
mandatory ethics training, regular updates, and ongoing communication across channels such as newsletters, meetings,
and internal platforms. To support transparency and accountability and demonstrate leadership commitment, executive
management shares recent ethical concerns, breaches, and resolutions—while maintaining confidentiality, of course.

Deeper Insights

Whistleblower Policy

To support the enforcement of ethical standards, executive management also maintains a robust whistleblower policy
that provides secure, confidential, and anonymous channels for reporting code violations or other employee concerns,
including independent hotlines and secure online tools. The policy is communicated and reinforced through training and
internal messaging and includes specific procedures for handling complaints and protecting against retaliation. A
dedicated team, typically led by the CCO, or equivalent, investigates concerns using standardized protocols, with findings
documented and reported to the board through the appropriate committee. Substantiated violations result in corrective
action, and the team follows up with whistleblowers when appropriate. Investigative outcomes are tracked, with recurring
issues addressed through policy or process improvements, reinforcing trust, transparency, and continuous improvement
in the entity’s ethical culture.

12.2. Respectful workplace. Executive management fosters a work environment in which all employees are treated with
dignity and respect and that encourages openness to different perspectives. This includes implementing practices that
promote fairness and consistency in hiring, promotions, and daily interactions, such as standardized interview questions,
clearly defined role criteria, and behavioral expectations for respectful conduct. Management monitors the workplace
environment through tools like engagement surveys, anonymous feedback channels, sentiment analysis, and exit
interviews to identify issues such as favoritism, unclear advancement processes, or lack of psychological safety. When
concerns arise, executive management implements targeted corrective actions such as leadership coaching,
communication adjustments, or policy updates. These interventions’ effectiveness is tracked over time and regularly
reported to the board and employees, reinforcing accountability, trust, and a respectful workplace culture.

12.3. Open communication. Executive management fosters a culture in which employees feel safe to raise concerns,
challenge assumptions, and share alternative viewpoints without fear of retaliation. The entity promotes open
communication through structured channels such as town halls, team roundtables, whistleblower hotlines, and
anonymous digital feedback tools, and leaders are trained to invite input, listen without defensiveness, and respond
constructively. Anti-retaliation protections are clearly communicated, reinforced through training, and consistently
enforced. The board monitors indicators of psychological safety—such as employee survey results, reporting trends, and
feedback mechanisms—and incorporates this information into its oversight. To validate whether open dialogue is
genuinely supported throughout the entity, board members may participate in listening sessions or informal
conversations without executive management present. For information on internal communication, refer to the
Communication Component.

Principle 13
Assess and Adapt Culture
The board and executive management actively support the desired culture by assessing its health, integrating insights
into governance, and adapting practices in response to internal and external feedback.

Points of Focus

13.1. Cultural metrics and monitoring. Executive management uses a combination of qualitative and quantitative
methods to continuously assess and monitor cultural health. These include engagement surveys, exit interviews, focus
groups, structured cultural audits, and key talent metrics such as turnover, promotion trends, ethics hotline usage, and
conduct violations. External perceptions—such as customer satisfaction, investor feedback, and social media sentiment—
are also monitored to detect gaps between internal culture and external reputation. Management analyzes and
benchmarks these insights over time, reporting findings to the board through dashboards or summary briefings. Early
signs of misalignment prompt targeted cultural interventions, and management communicates follow-up actions to
employees and stakeholders, reinforcing responsiveness and commitment to cultural integrity.

13.2. Board oversight of culture. The board actively oversees cultural alignment with the entity’s strategy and risk
appetite by incorporating cultural considerations into its review of strategic plans, scenario analysis, and ERM. Specific
oversight responsibilities—such as monitoring ethical conduct, incentive structures, and leadership behavior—are
delegated to relevant board committees. Executive management regularly gives the board detailed culture assessments,
including dashboards, engagement data, and feedback summaries. The board also confirms that cultural factors are
integrated into executive performance evaluations and succession planning. To gain independent perspective on whether
the lived culture reflects stated values and expectations, board members may solicit an objective review of culture from IA
or engage directly with employees or external stakeholders through listening sessions or site visits.

13.3. Culture in crisis and change. Executive management incorporates cultural considerations into crisis response and
organizational change initiatives—such as leadership transitions, mergers, or reputational events—by developing change
management plans that define the purpose of the change, expected behaviors, and clear success metrics like engagement
levels, retention, and cultural alignment. The board and executive management model adaptability and resilience
throughout the change process, regularly communicating the cultural rationale behind decisions and reinforcing key
messages. Management monitors workforce response using tools such as pulse surveys, listening sessions, and
anonymous feedback mechanisms, and tracks predefined cultural indicators to assess impact. When cultural risks or
misalignments emerge, strategies and interventions are adjusted to maintain alignment with desired values and
behaviors. For information on crisis response and business continuity, refer to the Strategy Component.

13.4. Feedback and responsiveness. Executive management actively monitors cultural misalignment—such as gaps
between stated values and actual behaviors—using feedback channels such as anonymous surveys, digital suggestion
tools, listening sessions, and IA and third-party assessments. Feedback from both internal and external stakeholders is
reviewed, analyzed for trends, and shared with the board to inform oversight. When issues are identified, management
develops and communicates targeted action plans and follows up with employees to show how their input led to specific
improvements. This visible responsiveness reinforces trust, psychological safety, and a culture of continuous
improvement.

People

People at every level are fundamental to corporate governance, strategy execution, and long-term value creation.
Directors, executives, and employees each play distinct yet interconnected roles in shaping ethical culture, surfacing and
managing risk, and making decisions that align with the entity’s purpose and objectives. When every individual
understands and owns their governance responsibilities—whether casting votes in the boardroom, upholding controls, or
speaking up about concerns—the result is a system of distributed oversight that strengthens accountability and protects
stakeholders.

At the same time, a skilled and engaged workforce powers operational excellence and strategic agility. Effective people
management that attracts, develops, and retains capabilities at every level is critical to sustained performance and
competitive advantage. While boards have traditionally focused on overseeing executive management, increasing
complexity and workforce-related risks have expanded the scope of their attention. Boards today must understand
broader workforce dynamics and their impact on strategy.

Under board oversight, executive management builds leadership pipelines, fosters accountability, and aligns people
programs with purpose and culture. Compensation, performance management, and continuous learning serve as critical
levers that translate workforce capability into long-term value creation.

Principle 14
Deploy People Strategy and Succession Planning
Executive management develops and executes a comprehensive people strategy—paired with succession plans for directors,
executives, and other business-critical roles—that aligns with the entity’s long-term strategy and business needs.

Points of Focus

14.1. People strategy and planning. Executive management establishes a people strategy that supports the execution of
the entity’s business strategy, taking into account growth plans, labor market trends, and the needed skills and capabilities.
The CHRO, or equivalent, manages a robust process to evaluate current skills and capabilities, capacity, costs, risks,
technology, and other critical factors to inform strategic decision-making. The planning process includes organizational
design considerations, identifies adjustments needed to enhance operating efficiency, and integrates business continuity
and resiliency planning. For information on attracting, developing, and retaining talent in alignment with strategic objectives,
refer to COSO’s ICIF.


14.2. Impacts of technology on the workforce. Executive management maintains a process to evaluate how new
technologies impact the workforce. This includes identifying roles at risk of displacement, assessing opportunities for
augmentation, and integrating human oversight to mitigate potential risks such as bias. The board and executive
management evaluate strategic decisions through both an operational lens and the entity’s core values, confirming that
workforce transformation aligns with long-term shareholder value and is carried out with care and transparency. The
entity maintains a comprehensive approach to employee development, with targeted investments in reskilling and
upskilling to support employee readiness for evolving business and technology needs. The board oversees the alignment
of workforce technology with the entity’s long-term strategy and ethical standards for responsible use. For information on
employee development programs, refer below within this Component.

14.3. Varied workforce composition. Executive management is committed to attracting and retaining the right mix of
top talent to drive the strategy and considers how workforce composition plays a role in doing so. Management sets
recruitment and retention objectives to attract and retain people with a mix of attributes that will best support the
entity’s ability to deliver products and services that its customers want. Executive management monitors talent
attraction and engagement across all demographic groups and supports the cultivation of a fair and respectful culture to
boost employee retention. They also consider the strategic implications of both mandatory and voluntary disclosures,
aligning transparency efforts with the entity’s broader talent goals. For information on fostering a respectful culture, refer
to the Culture Component. For information on attracting, developing, and retaining talent, refer to COSO’s ERM Framework.

Leading-Edge Considerations

Talent Planning and the Use of External Resources

Executive management considers internal and external resources to address skill gaps, weighing the entity’s immediate
and long-term needs, urgency, available labor, and budget constraints to determine how a “buy” (hire externally), “build”
(develop internally), or “borrow” (hire temporary external talent) strategy could address open issues. The entity can
leverage all three approaches by tapping an established talent acquisition program, a talent planning process, and
employee development programs. In addition to hiring or contracting talent, executive management may utilize shared
service models, which can include internal centralized teams, co-sourced arrangements with third parties, or captive
service centers. When the entity needs immediate improvements in capabilities such as operational performance or
enhanced risk response, executive management can engage these resources for support in areas such as data analysis,
IT, AI, or cybersecurity.

14.4. Board oversight of people strategy. The board provides oversight of the entity’s people strategy and talent
pipeline, recognizing its importance in supporting the successful execution of the entity’s strategy. The board monitors
how management is addressing key talent-related risks and opportunities such as geographic labor dependencies, third-
party reliance, workforce availability, and technological disruption. Executive management also updates the board on
regulatory and labor compliance as well as broader workforce trends that may impact business performance. To maintain
a future-ready workforce, the board monitors investments in job redesign, upskilling, and alternative talent models that
align with long-term business goals. As part of its oversight, the board engages with the CHRO, or equivalent, to gain
visibility into workforce dynamics, leadership development, and succession planning at the executive level. For
information on board oversight responsibilities, refer to the Oversight Component.

14.5. Board succession. The board annually reviews a multi-year board succession plan with a horizon of at least three to
five years and considers board roles (including board and committee leadership and committee membership), director
tenure, expected retirement dates, and other relevant factors. The succession plan also outlines the board’s approach to
fostering and developing future board leadership. For information on board composition and director nominations, refer to
the Oversight Component.


14.6. CEO, executive, and critical-role succession. The board maintains a comprehensive succession planning process
for the CEO role that includes contingency plans for an unexpected departure. The CEO, in collaboration with the CHRO,
or equivalent, has a succession planning process for executive management and other business-critical roles. These plans
identify potential internal and external candidates, assess their readiness, and support their development to enable
smooth and effective transitions. Succession plans, including emergency plans, are reviewed with the board at least
annually, with greater frequency in circumstances such as underperformance, individual health concerns, industry
changes, or shareholder pressure. Executive management maintains a pipeline of successor candidates (including
candidates for interim and emergency succession scenarios), regularly briefs the board on their readiness, and
periodically exposes them to the board.

Leading-Edge Considerations

Communicating the Plan for CEO Succession

Boards understand the importance of communicating their succession process to shareholders and other key
stakeholders. The entity outlines the CEO succession process in the proxy statement, including a description of who leads
the process, how the entity identifies and assesses candidates, how often the board reviews the succession plan, and how
the board would respond to a CEO departure. This enhances confidence among shareholders and other stakeholders that
the entity can handle expected or unexpected departures. For information on communication with external stakeholders,
refer to the Communication Component.

Principle 15
Manage People and Compensation
The board and executive management establish comprehensive onboarding and offboarding programs and align compensation
and incentives with performance and ethical behavior, regularly evaluating the programs’ effectiveness to attract and retain
talent in alignment with the entity’s strategic needs.

Points of Focus

15.1. Director and executive onboarding. The board provides comprehensive director onboarding that covers, among
other things, the entity’s products and services, strategic goals, financial performance, organizational structure,
operations, risk management, the competitive landscape, and key risks and opportunities. This process includes one-on-
one meetings with board leadership, board peers, and executive management, and may include the assignment of a board
mentor. Executive management also participates in a structured onboarding program designed to accelerate integration,
build alignment with the entity’s strategy and culture, and establish early connections with key stakeholders, including
directors. For information on director nominations and CEO selection, refer to the Oversight Component.

15.2. Director compensation. The board approves market-competitive director compensation packages aligned with the
entity’s long-term strategy and performance. An appointed committee makes compensation recommendations to support
transparency, regular review, and compliance with legal and ethical standards. Board compensation includes a balanced
mix of cash and equity incentives, with equity grants drawn from a pool approved by shareholders. The entity provides
director and officer liability insurance policies to protect directors and other key executives from personal financial losses
as a result of legal actions related to their roles. The entity regularly reviews these policies to reflect changing legal and
business environments.


15.3. Compensation aligned with performance and ethical behavior. The board, through its compensation
committee, oversees the entity’s compensation philosophy and regularly evaluates the effectiveness of executive
compensation and incentives against performance goals. Performance metrics in compensation reward achievement and
deter short-termism or unethical tactics such as aggressive sales pressure or rushing unready products to market. The
compensation committee verifies that plans balance near-term goals with long-term value creation and comply with
regulations. Executive management reviews how compensation and incentives influence behavior, compares incentive
payouts to results and explains how those results were achieved, and reports insights to the compensation committee.

15.4. CEO and executive compensation. The board and its compensation committee establish a compensation plan for
the CEO, and in some cases, executive management, that links pay to performance, based on clear, measurable metrics
that support both short-term and long-term strategic goals and objectives. The committee regularly benchmarks
compensation plans against market practices to remain competitive in attracting and retaining top talent within the
entity’s operating environment. The board considers the effectiveness of compensation in reinforcing desired outcomes,
aligning executive incentives with shareholders’ interests, and disincentivizing unethical behavior. The board maintains
transparency in executive compensation policies and engages directly with shareholders when appropriate. The
compensation committee also reviews and approves required disclosures to accurately reflect the entity’s compensation
philosophy and practices. For information on the compensation committee’s responsibilities, refer to the Oversight
Component.

15.5. Employee compensation. The board and executive management are aligned on the compensation philosophy and
the design of employee pay, benefits, and other incentives in a way that matches the entity’s strategy, purpose, core
values, and culture. Through analysis and benchmarking, executive management shows the board that pay is
competitive and equitable. Executive management reviews compensation plans including salaries, bonuses, equity-based
compensation, and benefits, and reviews associated risks and compliance to enable transparent disclosure. For
information on rewarding performance in alignment with strategy, refer to COSO’s ERM Framework.

Leading-Edge Considerations

Total Rewards

Executive management delivers a total rewards program designed to attract, retain, and engage a varied workforce, with
flexibility to personalize offerings based on individual preferences, career stages, and life circumstances. Programs
emphasize a mix of competitive base pay, performance-based incentives, health and wellness benefits, flexible work
arrangements, paid caregiving leave, learning and development opportunities, equity participation, and purpose-driven
elements such as volunteer time. Recognizing that employees value different types of rewards, the program offers
tailored options—for example, student loan assistance for early-career employees or phased retirement for those later in
their careers. The value and structure of the program are clearly communicated to promote employee understanding and
participation. Executive management may engage third-party advisors to benchmark offerings, assess employee
preferences, and optimize the program to remain competitive and cost-effective while reinforcing the entity’s values,
culture, and strategic objectives.

15.6. Offboarding. The board and executive management oversee a structured offboarding program that respects
departing directors and employees, protects the entity’s brand, and extracts insights to strengthen culture and people
strategy. Executive management conducts exit interviews, knowledge-transfer sessions, and feedback reviews to
understand departure drivers and identify cultural or strategic misalignments, later reporting aggregated findings to the
board. For executive departures, the board reviews transition plans, contractual obligations, and external communications
to mitigate legal and reputational risk and preserve future relationships. The relevant board committee periodically
evaluates offboarding metrics and themes to confirm that practices uphold ethical standards, comply with regulations,
and support long-term value creation.


Principle 16
Drive Performance and Development
The board and executive management drive performance management and tailored development programs that align goals
with strategy, strengthen capabilities, and reinforce accountability at every level.

Points of Focus

16.1. Board assessments. The board annually assesses its own accomplishments and performance, drawing on a range
of inputs to support continuous improvement. Performance assessments include a review of board composition and
structure, board roles and responsibilities, committee effectiveness, operations and efficiency, reporting and
communication, decision-making processes, training and development needs, and board culture. The board actively
seeks input from executive management to inform its performance assessment and provide additional perspectives on
board effectiveness. The board periodically conducts interviews as part of the assessment process and engages a third
party to perform independent assessments. The board integrates assessment results into its annual action plans; the
chair also solicits ongoing real-time feedback about director performance in debrief or executive sessions.

Leading-Edge Considerations

Individual Director Assessments

The board conducts periodic individual director assessments, through surveys and/or interviews, to evaluate each
director’s contributions and performance in support of the entity’s strategy. Assessments may include questions about
the director’s strategic thinking abilities, understanding of the entity and any current issues, level of participation and
commitment, interpersonal communication skills, and overall level of contribution. A self-assessment is included to
prompt self-reflection and added accountability. For information on assessing board culture as part of the assessment
process, refer to the Culture Component.

16.2. CEO performance. The board conducts a formal evaluation of the CEO’s performance at least annually, based on
established metrics, and periodically supplements this with 360-degree feedback. The evaluation considers both short-
and long-term financial and non-financial performance results, progress against strategic goals and objectives,
effectiveness in capital allocation, and qualitative factors such as leadership capability and alignment with the entity’s
values and culture. The CEO and board maintain open communication regarding performance expectations and confirm
that CEO goals are fully aligned with the strategy. Board leadership offers real-time feedback and discusses learning and
development opportunities to enhance the CEO’s ability to lead the entity in alignment with shareholder interests. If
necessary, board leadership, in consultation with the board, takes corrective actions, including termination, to address
performance and reinforce CEO accountability.

16.3. Executive management performance. The CEO sets clear, measurable, and time-bound goals for executive
management that are aligned to strategy and cascade through the entity, helping to align individual and team targets
with the broader entity objectives. Annually, the CEO and executive management agree on specific goals and KPIs,
incorporating both financial and non-financial metrics, which are shared with the board. The CEO provides ongoing
performance feedback as well as formal performance reviews, at least annually. The board holds the CEO accountable for
executive management performance through the CEO performance-management process. The board provides
performance feedback on select executive roles (e.g., audit committee feedback on the CAE) based on its oversight role
and firsthand interactions and observations. The board also monitors performance through regular reporting on agreed-
upon KPIs to reinforce executive management accountability. For information on performance measurement against the
strategy, refer to the Strategy Component.


16.4. Employee performance. The entity has an established process to assess employee performance based on
standardized and objective evaluation criteria, applied consistently and transparently across all levels. The process
establishes individual performance goals and assesses outcomes using a balanced set of metrics, such as innovation,
operational excellence, risk management, workplace safety, ethics and conduct, and compliance. Individual performance
goals and metrics are directly linked to the entity’s performance goals and objectives, cascading throughout all levels of
the organization to drive accountability and results. Management conducts real-time or interim performance discussions
throughout the year, in addition to a comprehensive annual review, to provide employees with constructive feedback
that clarifies expectations, highlights strengths and development areas, and enables timely course correction. The process
also includes a structured approach for recognizing high performance aligned with strategic goals, core values, and
cultural awareness as well as a clear approach for addressing performance concerns. It is integrated with the entity’s
broader people strategy to support employee development, mobility, and succession planning. Executive management
regularly reviews and updates the process to align with the entity’s goals.

16.5. Board development. Each director has tailored learning opportunities to refresh and advance knowledge and
fluency in areas critical to effective board oversight. The board regularly evaluates its learning and development needs,
establishes a continuing education policy for directors that includes external learning opportunities, and requires
directors to report annually on their participation.

16.6. CEO and executive development. The entity offers CEO and executive management opportunities to develop
knowledge, skills, and capabilities through formal coaching and mentoring and access to internal and external
development programs. The CEO and executive management take ownership of their own development plans by
proactively identifying areas for growth and seeking learning opportunities to stay ahead in a rapidly evolving business
landscape. All executives have tailored learning and development plans that may include formal training, personalized
assessments, coaching, and mentorship based on individual needs and the resources available. Directors may be
leveraged as executive mentors or coaches to bring their experience, strategic insights, and external perspectives.

Leading-Edge Considerations

Board Members as Executive Coaches and Mentors


Board involvement in executive development can be valuable, but it requires a carefully structured approach
with clearly defined guardrails. To be effective, such programs are carefully designed to protect the board’s
independence, support objective evaluation of leadership potential, and avoid introducing bias into CEO
succession planning. When done well, access to executive management can support informal coaching and
leadership development, while giving the board deeper insight into the entity’s bench strength. A formal
program, when appropriate, can allow for the thoughtful transfer of experience and insight from seasoned
directors to executives. The success of these efforts depends on transparency, clear role definitions, and a
commitment to objectivity, which together help boards contribute to executive growth while maintaining the
integrity of board-management relationships.


16.7. Employee development. The entity maintains a structured employee learning and development program that
supports both the entity’s goals and individual growth. Management periodically conducts a skills-gap analysis to
compare current skills and capabilities with those necessary for the future, highlighting needed upskilling or reskilling.
Learning and development programs include mandatory compliance training as well as general upskilling to prepare
employees for evolving roles. High-potential employees participate in targeted development programs that build
leadership capabilities and serve as a pathway to career advancement. Executive management regularly reviews these
programs to confirm they are meeting strategic goals, performance KPIs, and compliance requirements—and addressing
feedback to maintain their effectiveness.

Deeper Insights

High-Potential Employee Development Programs

Executive management implements and maintains a high-potential employee development program that sustains a
leadership pipeline to support long-term organizational continuity and success. These programs systematically identify,
assess, and develop high-potential talent—particularly for roles critical to business continuity—using tools such as
performance reviews, 360-degree feedback, psychometric evaluations, and management input. Development plans are
tailored to individual needs and integrated into broader succession planning, with structured opportunities for
mentorship, leadership rotations, stretch assignments, and coaching. Progress against these plans is regularly reviewed
by executive management and shared with the board.

Communication

Communication is a cornerstone of effective governance, enabling stakeholders to stay informed, engaged, and aligned
with the entity’s strategic direction. At its core, good communication provides complete, accurate, timely, and relevant
information—building transparency and trust and supporting long-term value.

Entities must balance the need for openness with the responsibility to protect sensitive information. While some
disclosures are required by regulation, others must be carefully considered based on competitive risks, privacy concerns,
and stakeholder needs. Corporate governance plays a critical role in guiding these decisions and promoting consistency
across communication channels.

Communication takes many forms, from regulatory filings to internal messaging; its purpose shapes its content, format,
and audience. Leaders need to apply corporate governance principles and practices in the context of the specific type of
communication being considered.

Principle 17
Commit to Information Quality
Executive management, with board oversight, maintains high standards of information quality to support informed
decision-making.

Points of Focus

17.1. Information accuracy and reliability. Executive management maintains the accuracy and reliability of information
by overseeing verification processes and allocating necessary resources for validation. Management designs and
implements data verification processes and controls and collaborates with internal and external auditors to evaluate
effectiveness and validate the integrity of information being disseminated. The board or responsible committee reviews
and monitors these processes to confirm their robustness and effectiveness, focusing on the accuracy of financial reports,
strategic updates, and operational disclosures. The board also promotes a culture of accountability by encouraging
stakeholders to appropriately question and verify the information they receive. For information on establishing robust
information and communication processes, refer to COSO’s ICIF.


17.2. Relevance and clarity of information. Executive management is accountable for information being relevant and
clear, with minimal technical jargon. Management structures communications to meet the specific needs and interests of
various stakeholder groups, making certain that the information is fit for the purpose or decisions that leaders need to
make, whether on financial and economic performance, strategic initiatives, operational developments, or other topic
areas. For internal stakeholders, information helps them make decisions that allow effective pursuit of the entity’s
strategic goals and objectives. The board and executive management promote feedback mechanisms and support ongoing
refinement of communication practices to uphold high standards of information accessibility, quality, and stakeholder
understanding.

17.3. Using language purposefully. Executive management emphasizes the importance of consistent terminology to
promote a shared understanding across stakeholder groups, including defining industry-specific jargon and strategic
concepts such as sustainability and innovation. To help eliminate ambiguity and misinterpretation, management
maintains definitions of commonly used terms and makes them accessible to all levels of the entity. The board supports
these efforts by advocating for precision in language use during meetings and strategic planning sessions, encouraging
directors and executive management to reinforce common understanding when discussing key initiatives. Management
solicits employee feedback to identify terms that require clarification or additional context.

17.4. Enhancing information with technology. Executive management enables informed decision-making by
establishing processes and overseeing the adoption of advanced technology solutions to enhance information quality,
timeliness, and usability. Management defines roles and responsibilities for maintaining data accuracy and reliability
through automated verification and monitoring processes. Technology-enabled processes, including analytics and real-
time monitoring, allow prompt identification and resolution of data issues, bolstering confidence in decision-making.
Management periodically assesses the effectiveness of these technologies and related controls, reinforcing data security,
privacy, and stakeholder trust in the information. For information on managing technology risk, refer to the Resilience
Component.

Deeper Insights

Enhancing Corporate Governance Through Advanced Information Management Technology

Technology can enhance corporate governance by supporting effective information management in several
ways:

• Advanced information management systems and data analytics tools contribute to data integrity by
automating verification processes and minimizing human error
• Machine learning algorithms and AI can continuously monitor data inputs, flagging anomalies for review
and allowing only verified data to support decision-making processes
• Cloud computing and high-speed data processing capabilities enable entities to handle large volumes of data
in real time, facilitating the rapid identification and correction of inaccuracies
• Integrated platforms that consolidate data from multiple sources create a readily available source of
information accepted for decision support analyses, enhancing consistency across departments and reducing
discrepancies
• Technological frameworks bolster data security and privacy through encryption, access controls, and regular
security audits, protecting information from unauthorized access and manipulation
• Digital platforms further support stakeholder engagement by providing timely access to information and
enabling feedback mechanisms, fostering trust and transparency


17.5. Balancing transparency with strategic confidentiality. Executive management balances transparency with
confidentiality when distributing information to internal and external stakeholders. This requires establishing and
adhering to a communication schedule that aligns with stakeholders’ decision-making timelines while considering the
sensitive nature of certain information. Management establishes clear protocols to balance mandatory disclosures,
voluntary communication goals, and the protection of internal information critical to strategic execution and intellectual
property. By leveraging advanced technology and clear communication protocols, management allows for efficient
dissemination of necessary information while preserving confidentiality.

Deeper Insights

Document Retention

Effective information management relies on document retention policies that maintain accurate, relevant, and accessible
information for stakeholders while preserving traceability to its source. This includes establishing data classification
systems that differentiate between public disclosures and confidential documents, setting retention timelines based on
regulatory mandates and business requirements, and defining protocols for secure document disposal. For example, an
entity might implement a policy requiring board meeting minutes to be retained indefinitely to uphold historical
accountability, with preliminary drafts of finalized internal reports securely deleted after a specified period. For
information on policy documentation, refer to the Resilience Component.

17.6. Communication policies, monitoring, and compliance. Executive management establishes communication
policies designed to support the effective dissemination of information to internal and external stakeholders. These
policies are crafted to align with regulatory requirements while being cognizant of stakeholder preferences, emphasizing
transparency and accountability through clear expectations and responsibilities. Management conducts regular
monitoring and maintains appropriate documentation of communications to verify compliance with policies and address
any issues promptly. Any significant policy violations are promptly reported to executive management and, when
necessary, escalated to the board.

Principle 18
Engage Stakeholders Strategically
Executive management identifies its key internal and external stakeholders and establishes appropriate channels to
effectively share information, solicit feedback, and address concerns.

Points of Focus

18.1. Identification of stakeholders. Periodically, executive management conducts a thorough analysis to determine the
entity’s key stakeholders and their expectations, how decisions and activities impact them, and what information they
require. Internal stakeholders may include relevant parties such as the board, executive management, management, and
employees. External stakeholders may include shareholders, regulators, customers, consumers, vendors, community
members, business partners, and others who may materially impact the entity or vice versa. Executive management clearly
distinguishes between internal and external stakeholders and the impact they can have on the business. This analysis
allows for careful consideration of paths forward when different stakeholders’ perspectives and interests are not aligned.

18.2. Communication channels. Executive management maintains a range of communication channels tailored to the
needs and preferences of different stakeholder groups. These channels serve distinct purposes: all-hands meetings are
used to communicate strategic priorities and updates directly to employees; surveys gather feedback; newsletters share
performance and initiative highlights; social media provides real-time engagement; and portals offer centralized access to
important documents and announcements. Management conducts periodic assessments of these communication tools to
identify areas for improvement and confirm that they continue to meet stakeholder needs and expectations. By providing
timely access to information and facilitating ongoing dialogue, these channels help build trust and make stakeholders feel
valued and engaged.

18.3. Shareholder engagement. Executive management, with support from the board, periodically identifies
shareholders’ key concerns and priorities through direct meetings and other means, allowing the entity to consider their
perspectives in decision-making processes. Executives, such as the CFO, corporate secretary, and the investor relations
(IR) function, work together to identify which shareholders to engage based on the topics to be addressed as well as a
process to prepare for engagement meetings. The board works with executive management to be accessible and
responsive to appropriate shareholder inquiries related to corporate governance, such as board leadership and executive
compensation. Encouraging active shareholder participation in corporate governance is vital and requires understanding
of their interests and expectations.

18.4. Board engagement with other key stakeholders. The board engages with key stakeholders, beyond shareholders, based on the importance of these relationships to the entity’s long-term value. Board priority is given to high-value activities, focusing on key stakeholders such as employees and regulators. The entity actively monitors a channel for stakeholder communications to the board, and directors participate in key stakeholder meetings, facility tours, and regulatory engagements as appropriate. Executive management prepares directors for stakeholder engagements, aligning communications with the entity’s positions and summarizing engagement outcomes. The board directs executive management to assess key stakeholder interests, establishing processes to evaluate and prioritize their influence on the entity. Executive management provides the board with an analysis of stakeholder impact prior to the board’s review and approval of key strategic decisions. Management reviews and reports on engagement outcomes and feedback mechanisms, integrating this information into strategic planning and decision-making.

Deeper Insights

Legal or Regulatory Obligations to Stakeholders

While entities commit to upholding their obligations to shareholders, they recognize that legal and regulatory obligations may extend to other stakeholders. Compliance with labor laws and employment regulations governs the entity’s responsibilities toward its workforce, enabling fair treatment and workplace protections. Additionally, the entity may be subject to regulatory requirements within the communities in which it operates, addressing areas such as public safety, economic impact, and environmental sustainability. Environmental regulations, in particular, may impose obligations that influence operational decisions, even when they result in short- or intermediate-term financial trade-offs. Policymakers and regulators establish these frameworks, and the entity commits to adhere to them while balancing shareholder interests with broader legal and societal responsibilities.

Principle 19
Communicate Effectively with Internal Stakeholders
Effective internal reporting and communications enable timely, accurate, and secure information flow through the entity,
fostering informed decision-making, transparency, and internal alignment.

Points of Focus

19.1. Facilitating cross-functional information flow. Executive management establishes systems and processes that
enable seamless horizontal communication between departments or functions, making relevant information accessible to
all parties involved in achieving entity goals. These systems include integrated platforms and collaborative tools that
support real-time information-sharing, eliminating silos, and enhancing decision-making. Management encourages regular
interdepartmental meetings and workshops to promote the exchange of ideas and insights across departments or functions.
By fostering an environment of open communication and collaboration, executive management harnesses diverse
perspectives to drive strategic initiatives and enhance operational efficiency. Executive management monitors the
effectiveness of cross-functional communication and adjusts as necessary to optimize information flow.

19.2. Enhancing top-down and bottom-up communication. Executive management communicates strategic objectives
and priorities to all organizational levels, aiming to translate strategic directives into actionable plans that align with the
entity’s strategy and goals. Disseminating information effectively involves using a variety of communication channels, such
as meetings, reports, and digital platforms. In parallel, management supports bottom-up communication, empowering
employees to share feedback, ideas, and concerns. Tools such as surveys, suggestion systems, and open forums capture
employee insights and incorporate their voices into decision-making processes. Executive management promotes a culture
of transparency and inclusivity, regularly reviewing the effectiveness of communication practices to foster engagement
across all levels. For information on active listening and other forms of internal information flow, refer to the Culture
Component.

19.3. Management reporting and communication to the board. Executive management provides timely, relevant, and clearly structured information to support informed board decision-making. Reports align with agenda topics and are tailored for board use, and an executive of the relevant function or department reviews all materials to confirm quality and relevance. Executive management appoints a high-level reviewer—such as the CFO, general counsel, or corporate secretary—to confirm that materials across departments and functions are jargon-free and provide essential details. Management is clear on the goal of providing information to the board (e.g., providing updates, seeking board guidance, and seeking board approval) and communicates the goal upfront through an executive summary. Messaging is transparent, providing the board with insight into not only positive news but executive management’s concerns and challenges. Dashboard reporting is leveraged to convey critical information and trends, providing data and messaging that are appropriately contextualized for a board audience; the board regularly offers feedback to enhance report quality and relevance. The board may also receive objective reporting from functions such as risk management, compliance, and IA, supplementing the information with external sources, from industry reports and expert opinions to market analyses and benchmarking data.

Leading-Edge Considerations

Optimizing Board Effectiveness Through Secure Digital Platforms

Emerging technologies are transforming how boards operate, enabling greater transparency and agility in decision-making. Integrated board oversight platforms—such as secure board portals and centralized governance, risk, and compliance (GRC) systems—streamline collaboration and offer quick access to critical information, strengthening the board’s oversight abilities. Electronic board books provide an efficient and secure alternative to paper materials, supporting instant updates and enhanced data protection through encryption and access controls. When thoughtfully implemented, these platforms go beyond document management by offering messaging, communication, and director education tools that foster engagement and continuous learning. Customization features allow alignment with the entity’s specific governance structures and reporting processes, further supporting analytics and strategic oversight. However, adopting emerging technologies may have implications for confidentiality, oversight responsibilities, and personal liability that should be reviewed to confirm that practice aligns with fiduciary duties and does not introduce new governance or compliance risks.

19.4. Governing the use of technology. The board sets expectations for the responsible adoption and oversight of
technology, emphasizing ethical considerations, risk mitigation, and compliance with relevant laws and regulations.
Executive management establishes governance structures, policies, and procedures to assess and guide the deployment of
technologies such as AI, machine learning, and blockchain. These processes recognize that technology can differ in
maturity, risk profile, and applicability across functions. For example, technologies used in finance may require a higher
level of human oversight, while operational areas may benefit from greater automation and scale. Management actively
fosters a culture of responsible technology use by providing ongoing training and resources, embedding ethical, strategic,
and legal considerations in the evaluation, implementation, use, and monitoring of emerging technologies. For information
on managing technology risk, refer to the Resilience Component.

19.5. Escalation. Executive management, with board oversight, establishes and maintains clearly defined escalation
processes for critical matters so they are promptly communicated to the relevant levels. Management establishes policies
and training for how to identify and determine when to escalate critical matters, such as illegal acts or cybersecurity
incidents. Policies define the roles and responsibilities of involved parties, including reporting structures and lines of
communication to executive management, the board, and its committees. Escalation policies and processes are reviewed
annually to confirm they are working as intended and support appropriate coordination and communication among
assurance functions such as compliance, risk management, and IA. For information on delegation-of-authority policies and
authority limits, refer to the Oversight Component. For information on escalation related to crisis response, refer to the
Strategy Component.

Principle 20
Communicate Effectively with External Stakeholders
Executive management, with board oversight, directs a transparent and compliant external communications program that
builds and protects the entity’s reputation, meets legal obligations, and reinforces strategy.

Points of Focus

20.1. Executive oversight of external communications. Executive management oversees the rigorous review and approval (or recommends to the board/committees for their approval) of external reports, disclosures, and communications. Appropriate members of management assess the risks associated with the dissemination of external information, aligning accountability with the type of information, which can range from regulated filings to marketing campaigns. Based on their assessment, executive management may establish controls to verify the information’s quality and relevance, such as involving multiple levels of cross-functional management oversight, appointing a specific committee or individual to be accountable, or enhancing review protocols before dissemination.

Deeper Insights

Maintaining a Social Media Policy

Social media is a powerful tool for public communications, influencing perception as well as employee engagement. An effective social media communications policy is crucial for managing an entity’s reputation and maintaining consistent messaging across all platforms. Executive management, with board oversight, develops a policy that emphasizes oversight and accountability, potentially assigning a dedicated team to monitor mentions of the entity on social media platforms. This team operates within predefined crisis communication protocols, swiftly addressing any incidents that may arise, such as controversial posts that tie back to the entity. The policy includes regular employee training sessions on regulatory compliance and the impact of online activity on public perception. By empowering employees as brand ambassadors, the entity not only enhances its public image but fosters a culture of responsible and positive engagement.

20.2. Board oversight of external communications. Directors understand their oversight role with respect to the entity’s
various types of external communications, from regulated filings to disclosures such as sustainability reports and general
communications such as marketing campaigns. The board also understands how executive management monitors the
quality of external information, as defined above. Executive management provides guidance on which communications
require board approval, and which are being presented to the board, while the board and its committees regularly review
and approve critical disclosures.

20.3. Disclosure committee. Executive management establishes a dedicated committee that oversees the entity’s external reporting and disclosure practices to help maintain the integrity and reliability associated with significant disclosures. This committee consists of executives and key leaders from various functions, such as finance, IA, legal, compliance, IR, and communications, reflecting a diverse range of expertise necessary for comprehensive review and analysis of disclosures. The committee’s charter defines its purpose, authority, and responsibilities, with members accountable for reviewing information that could significantly influence investment decisions before public release.

Leading-Edge Considerations

Expanding the Role of the Disclosure Committee Beyond Financial Topics

Traditionally, disclosure committees have focused almost exclusively on financial disclosures and communications. However, executive management can leverage the discipline the committee brings to make other external communications more effective. After considering the relationship between the disclosure committee and relevant functional leaders responsible for disclosure in other areas (e.g., sustainability or cybersecurity), executive management may expand the disclosure committee’s scope and/or membership or establish other protocols to confirm appropriate coordination and alignment in external communications.

20.4. Entity spokespeople. Executive management establishes clear guidelines for identifying and designating official entity spokespeople, including those responsible for two-way communication, such as IR professionals. These individuals are authorized to communicate externally on behalf of the entity and play a vital role in conveying messages from the market and key stakeholders back to executive management. Recognizing these roles’ dual function is crucial for promoting consistent, professional, and aligned communications that advance the entity’s strategic objectives. This includes defining spokespeople’s roles and responsibilities and confirming that they are trained in the entity’s communication policies and adhere to ethical standards. The board receives regular updates on the entity’s public engagement, including workforce interactions and social media activity.

Leading-Edge Considerations

Taking a Public Policy Stance

Entities increasingly face pressure to take public policy positions on issues currently in public conversation. Stakeholders may expect entities to voice a stance on controversial matters that may or may not directly impact the entity’s operations. To navigate these forces, entities establish policies and procedures for engaging in public policy debates. This includes identifying issues that are relevant to the entity and its stakeholders; assessing the incremental costs and benefits of taking a public position; considering the entity’s capability to follow through with action if executive management decides to take a stance; and confirming that any public stance is consistent with the entity’s purpose, values, and long-term strategic goals. The board plays a critical role in overseeing the entity’s policy positions by validating that a robust process is in place and acting as a sounding board for management. Management’s policies and procedures for reviewing and approving public statements, and for monitoring the outcomes of these statements, include how and when they will involve the board in the process.

20.5. Safeguarding information. Management develops comprehensive protocols to safeguard material non-public
information to protect the entity’s reputation and value and maintain operational effectiveness; and establishes policies
that define such information, providing examples and scenarios to promote employee understanding. Scenarios might
include insider trading, the use of trading windows, and other preclearance requirements. Management implements access
controls and monitoring systems to regulate the flow of sensitive information, restricting access to authorized personnel.
Training programs and awareness initiatives enhance employee vigilance regarding the risks associated with the improper
use or disclosure of information. Encryption, secure document storage, and controlled access to information systems are
employed to protect confidential data. The board oversees these initiatives, promoting a culture of accountability and
responsibility, and mandates regular reviews of policies and practices to maintain alignment with strategic objectives and
evolving regulatory requirements.

Resilience
Resilience is an important aspect of corporate
governance, helping entities withstand disruption, seize
opportunities, adapt to change, and sustain long-term
value. Leaders build resilience through proactive risk
management, robust internal control, responsive
compliance processes, and comprehensive monitoring—
each contributing to stronger decision-making and
sustained performance.

Risk management, compliance oversight, and control
processes are critical enablers of effective governance:
they provide insights into the health of the entity from a
financial and operational perspective, alerting executive
management to the areas of the business that need
additional support or areas of untapped opportunity. A
well-governed, resilient entity stays vigilant and aware,
not only to mitigate downside risk but to capitalize on
emerging opportunities, enhancing stakeholder
confidence and helping the entity deliver on its purpose
and create long-term value.

Deeper Insights

The Three Lines Model

Executive management establishes risk management structures by defining ownership, accountability, and action
to identify, assess, manage, and monitor risk within the entity. The IIA’s Three Lines Model provides a framework
for executive management and the board to leverage in determining who is responsible for governance and risk
management activities across the entity. Specifically, the first line has ownership for risk and control activities,
while the second line is responsible for risk oversight, including providing support through expertise,
monitoring, and, where necessary, challenging those in the first line on the management and mitigation of key
risks. IA occupies the role of the third line, providing objective assurance and advisory services to assess the
adequacy of the entity’s governance, risk management, and internal control processes.

Principle 21
Manage and Oversee Risks and Opportunities
Executive management, with board input and oversight, establishes and maintains a risk management approach that aligns
business processes and initiatives with the entity’s strategic plan and risk appetite, enabling effective oversight and resiliency
across the entity.

Enterprise risk management: “The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”

Source: COSO, Enterprise Risk Management: Integrating with Strategy and Performance, June 2017.

For information on how entities identify and manage risk to maximize value, refer to COSO’s ERM Framework.

Points of Focus

21.1. Establish a risk management process. Executive management establishes and maintains a structured risk
management process to identify, prioritize, manage, and monitor key risks that may impact the achievement of the
entity’s strategic, operational, financial, and compliance objectives. The process defines clear roles and responsibilities for
risk ownership and includes formal mechanisms for risk assessment, response planning, and reporting. Risk information
is updated regularly and communicated to executive management and the board. The risk management process is
integrated into strategic planning and decision-making to support agility, protect value, and enhance performance. For
information on the broader alignment of risk and strategy, refer to COSO’s ICIF and ERM Framework.

21.2. Board oversight and allocation of risk. The board oversees the overall effectiveness of the entity’s risk management approach and confirms that the approach enables and protects the achievement of strategic objectives. The board reviews and approves the entity’s risk appetite and promotes alignment with overall business strategy. Risk oversight responsibilities are clearly defined and allocated across the full board and its committees based on subject matter and director expertise. While committees may oversee specific risk areas—such as cybersecurity, emerging technologies, or regulatory compliance—the full board retains oversight responsibility for strategic and enterprise-level risks. This structure enables integrated oversight and supports informed, timely responses to evolving risk exposures.

Leading-Edge Considerations

Risk Reporting to the Board

Management reports to the board on risk management at each board meeting. The board is also briefed on the progress of new initiatives and opportunities along with the evolving risks and associated rewards. Additionally, as part of an annual deep dive into the overall risk management process, management presents its process to the board for identifying and assessing the entity’s key risks. These key risks (generally 10 to 15) are consistently part of the premeeting reading materials for the board and/or board committee(s).

21.3. Risk and opportunities aligned to strategy. Executive management incorporates risk and opportunity
considerations into the strategic planning process to support long-term value creation. The board oversees executive
management’s approach to identifying, assessing, and responding to risks and opportunities that may impact strategy.
Risks related to strategic initiatives are evaluated against the entity’s defined risk appetite to confirm alignment and
manage downside exposure and upside opportunity. Executive management develops and regularly updates risk mitigation
plans for critical initiatives and, when evaluating risk scenarios, considers the potential for positive outcomes, such as
innovation, market expansion, or operational improvements. This integration of risk and strategy supports agility,
resilience, and competitive advantage. For information on aligning risk management with strategic planning, refer to the
Strategy Component.

21.4. Appoint risk leadership and embed risk mindset. Executive management, with board input, designates an
individual of appropriate stature and experience (or establishes a management-level risk committee) to oversee day-to-day
risk management activities. This executive is responsible for coordinating risk practices across the entity, aggregating risk
information, and providing a comprehensive risk profile to executive management and the board. Risk leadership
promotes a culture in which risk awareness is integrated into strategic planning, operational decisions, and daily activities.
The risk leader collaborates with business units to assign ownership of specific risks and to challenge assumptions and
decisions that may impact the entity’s risk profile. This structure enables a consistent and coordinated approach to risk
management that aligns with the entity’s strategy and risk appetite.

Leading-Edge Considerations

Increasing Demand for Chief Risk Officers

Increasingly, entities of all sizes and structures are using a chief risk officer role or other senior executive of equivalent stature and experience to oversee the risk management program or to coordinate risk management across the entity. This individual may report directly to the CEO or another member of executive management, with direct access to the board or a designated board committee.

“Organizations are now pinpointing an individual to lead the organization’s risk management process in about one-half of the organizations surveyed, suggesting greater recognition that leadership is required if risk oversight is to be value adding.”

Source: NC State University, AICPA and CIMA, Global State of Enterprise Risk Oversight, October 2024.

21.5. Monitor and report risks to support oversight. Executive management maintains processes to monitor key risks and deliver timely risk information to the board. Risk reporting includes updates on key risks, risk exposure, key risk indicators, and progress against mitigation plans, aligned with the entity’s defined risk appetite and tolerance levels. The board reviews these reports regularly to assess whether the entity is effectively managing and monitoring risks, and to stay informed on emerging risks and strategic opportunities. To supplement management’s reporting, IA provides independent assessments of the entity’s risk management activities. The board defines its expectations regarding the type, frequency, and format of risk reporting and communicates these requirements to management to support effective oversight.

Deeper Insights

Advanced Risk Monitoring Analytics

Risk-sensing analytics are critical for enabling an entity to move from reactive risk management to a proactive, intelligence-driven approach. These analytics harness advanced technologies—such as artificial intelligence, machine learning, and natural language processing—to detect emerging risks and patterns from a wide range of structured and unstructured data sources, including social media, news feeds, regulatory updates, and internal systems.

21.6. Manage risks associated with technology. Executive management, with oversight from the board, establishes
governance structures to assess and manage risks related to technology. These structures may include cross-functional risk
committees, technology governance frameworks, and dynamic risk assessment processes. Management evaluates the
potential impacts of disruptive technologies on strategy, operations, and risk exposure, implementing robust policies and
controls to address data integrity, cybersecurity, and third-party technology services. The board monitors the effectiveness
of technology oversight and confirms that the entity remains agile and resilient in the face of rapid innovation and digital
disruption.

Principle 22
Manage Compliance Responsibilities
Executive management, with board oversight, develops robust, transparent, and responsive compliance processes that
define ownership and accountability for legal and policy compliance, allow independent access to the board, and safeguard
employees from retaliation when they report concerns.

Points of Focus

22.1. Establish a structured compliance program. Executive management establishes and maintains a compliance
program that is tailored to the entity’s risk profile and regulatory environment. Compliance ownership is assigned to
individuals or teams with the appropriate expertise to design, implement, and manage controls to address compliance
requirements. Due to the volume and complexity of legal and regulatory requirements to which entities are subject,
discrete compliance programs are often established to monitor and address specific compliance risks. These programs—
such as those addressing environmental impact, safety, cybersecurity, data privacy, or SOX—are integrated into business
operations and are coordinated and aligned with the central compliance program. Compliance programs are reinforced
through policies, training, and monitoring activities to support consistent execution and awareness. Management
conducts periodic compliance risk assessments, develops remediation plans for identified gaps, and tracks progress
through resolution. The board receives regular updates on program effectiveness, emerging risks, and key compliance
matters.

22.2. Appoint compliance leadership and define accountability. Executive management is accountable for the overall
effectiveness of the entity’s compliance program and appoints a chief compliance officer (CCO), or equivalent, to lead its
execution. With the authority and independence to oversee compliance activities across the entity, the CCO regularly
updates the board or designated committee on key issues, risks, and program performance. The CCO maintains alignment
between compliance efforts, strategic objectives, and legal requirements. Where applicable, compliance functions across
business units report into a centralized program to support consistency, coordination, and a unified approach to
managing compliance risk.

22.3. Implement a compliance change management process. Executive management maintains a structured process
to identify, assess, and respond to new or evolving compliance requirements across jurisdictions. This includes tracking
changes in international, federal, and state laws, as well as updates to industry requirements or internal business
operations that may trigger new obligations. Compliance requirements are analyzed for impact, and corresponding
updates are made to policies, controls, and monitoring activities. Significant developments are communicated to the
board, along with management’s response plans. This change management process allows the compliance program to
remain current, responsive, and aligned with requirements.


Deeper Insights

Intelligent Governance, Risk, and Compliance


GRC platforms are essential tools that enable entities to manage risk, promote regulatory compliance, and
uphold strong governance practices in an integrated, efficient, and scalable way. As legal requirements grow
more complex and risk environments more dynamic, GRC platforms provide a centralized system for tracking
policies, assessing risks, monitoring controls, managing incidents, and reporting to stakeholders. The
integration with AI enhances the capabilities of GRC platforms through tools such as AI-driven regulatory
intelligence, virtual GRC chatbots, and scenario generation and simulations.

22.4. Communicate and reinforce compliance expectations. Executive management reinforces a culture of compliance by
setting an ethical tone at the top and integrating compliance expectations into daily operations. These expectations are
communicated through formal corporate policies, procedures, and internal control, with compliance messaging supported
by recurring and targeted training, employee attestations, and access to a whistleblower hotline. Expectations are further
reinforced through additional channels such as town halls, entity-wide emails, and executive management
communications. The board monitors ongoing compliance through performance indicators and confidential reporting
mechanisms, using these insights to challenge management and strengthen the effectiveness of the compliance program.
Consequences for non-compliance are clearly defined and consistently communicated. For information on the influence
of culture and ethical behavior on the entity and the related compliance policies, refer to the Culture Component.

Deeper Insights

Common Compliance Policies

• Code of ethics and conduct
• Conflict of interest
• Whistleblower
• Equal employment opportunity
• Workplace health and safety
• Anti-harassment/discrimination
• Data privacy/information security
• Anti-corruption
• Insider trading


22.5. Investigate incidents and enforce compliance consistently. Executive management maintains documented
processes to manage, track, and investigate allegations or instances of non-compliance with established guidelines or
policies. The entity conducts investigations in accordance with policies that are applied consistently, regardless of the
individual’s role or level. When violations are identified, management determines and implements appropriate remedial
or disciplinary actions. Significant compliance matters are escalated to the board, with complaints related to accounting
or financial reporting directed to the audit committee. These processes support accountability, promote fairness, and
reinforce the entity’s commitment to ethical conduct.

Deeper Insights

Fraud Risk Management

Fraud risk management is critical to the proactive prevention, detection, and correction of fraud at the entity.
Management establishes policies and procedures so that employees understand their roles in preventing, detecting,
and reporting fraud. Programs often utilize advanced data analytics and monitoring tools to identify unusual
patterns and potentially fraudulent activities in real time. These programs also emphasize the importance of a
strong ethical culture, promoting transparency and accountability at all organizational levels through regular
training and awareness initiatives. For information on how entities can establish, monitor, and evaluate fraud risk
through a formal fraud management program, refer to COSO’s Fraud Risk Management Guide: Second Edition.

Principle 23
Establish and Evaluate Internal Control
The board exercises oversight of the development and performance of internal control, and executive management designs and
monitors a system of internal control that supports risk mitigation toward the achievement of objectives.

Internal control: “Internal control is a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations,
reporting, and compliance.”
Source: COSO, Internal Control — Integrated Framework, May 2013.

Points of Focus

23.1. Design and manage a system of internal control. Executive management designs and implements a recognized
system of internal control (e.g., COSO’s ICIF) to increase the likelihood the entity can achieve its strategic, operational,
financial, and compliance objectives. Controls are aligned with ethical standards, legal requirements, and the entity’s risk
profile, and are integrated into relevant policies and procedures to confirm that business processes operate as intended.
Management utilizes a variety of controls—including compliance, operational, and reporting—to mitigate risks across the
entity. These controls are periodically assessed for effectiveness and updated as needed to reflect changes in strategy or the
risk environment. The board and audit committee review key control policies to support oversight responsibilities.
Management establishes monitoring mechanisms to detect risk events at the operational level and assess control performance
on an ongoing basis. For information on designing and implementing a system of internal control, refer to COSO’s ICIF.


23.2. Document and implement policies and controls. Executive management develops and maintains corporate
policies that define the internal rules, guidelines, and procedures necessary to support the entity’s strategic, financial,
operational, and compliance objectives. These policies establish a foundation for designing and documenting internal
control across the entity. Management maintains a structured process for policy governance, including creation, review,
approval, training, implementation, and oversight. Clear ownership and accountability are assigned at the control level
and throughout executive management to support consistent execution and oversight. Policies of critical importance—
such as the entity’s code of ethics and conduct and the conflict-of-interest policy—are typically reviewed and approved by
the board and formally documented to reinforce their authority. For information on document retention policies, refer to
the Communication Component. For information on the development of policies and procedures, refer to COSO’s ICIF.

Deeper Insights

Robotic Process Automation


Robotic process automation (RPA) transforms how entities handle high-volume, repetitive tasks by enabling
faster, more accurate execution of routine processes. By automating structured workflows such as data entry,
transaction processing, and report generation, RPA reduces manual effort, mitigates the risk of human error,
and boosts overall efficiency. Well-designed RPA solutions can incorporate built-in controls such as access
restrictions, audit trails, and exception-handling mechanisms, enhancing consistency and compliance and
enabling effective monitoring over these processes. For information on how to establish controls over RPA, refer
to COSO’s Achieving Effective Internal Control Over Robotic Process Automation.

23.3. Leverage IA for assurance and insights. IA, as the third line, provides independent and objective assurance to the
board and executive management on the effectiveness of risk management, internal control, and governance processes. IA
delivers data-driven analysis across strategic, operational, financial, and compliance risk areas, offering insights into the
control environment and alignment with legal requirements and industry practices. Beyond traditional financial audits, IA
conducts governance assessments, culture reviews, and operational evaluations that inform decision-making and highlight
opportunities for improvement. Through regular testing and reporting, IA helps identify gaps or emerging issues,
supporting proactive risk mitigation and continuous enhancement of the control environment.

23.4. Engage external providers for select control assessments. Executive management may engage external auditors
or third-party providers when specialized expertise is required, to perform targeted assessments of select internal control.
These assessments may focus on financial reporting, cybersecurity, data privacy, sustainability, compliance, or operational
performance, depending on the entity’s risk profile and legal requirements. External providers bring subject-matter
expertise and independent perspective, helping to identify potential threats, assess the effectiveness of control measures,
and recommend enhancements. Insights from these evaluations support informed decision-making, strengthen the
control environment, and assist in prioritizing and mitigating risks across the entity.


Principle 24
Monitor Governance Effectiveness
Executive management, with board oversight, routinely monitors governance effectiveness, evaluating internal and external
changes, identifying improvement opportunities, and refining governance processes to support sound decision-making,
achieve strategic objectives, and create long-term value.

Points of Focus

24.1. Maintain an integrated monitoring infrastructure. Executive management develops and maintains an integrated
monitoring infrastructure that consolidates data related to risk, strategy, compliance, controls, performance, and
governance into a centralized process. This infrastructure provides timely and transparent insights to executive
management and the board, enabling early identification of emerging risks, potential anomalies, and strategic
opportunities. Management establishes defined processes to track key governance areas—oversight, strategy, culture,
people, communication, and resilience—with clear ownership, performance indicators, and reporting protocols. Cross-
functional collaboration is promoted to break down silos, strengthen accountability, and accelerate the resolution of
material issues.

24.2. Monitor governance effectiveness and oversight practices. Executive management and the board monitor the
effectiveness of corporate governance by regularly reviewing indicators of sound governance. Across the six core
Components of corporate governance, indicators are monitored and included in relevant reporting and can include items
such as board operations, executive compensation, compliance practices, and shareholder engagement. Management uses
internal audits, performance evaluations, and independent assessments to evaluate areas such as conflicts of interest,
leadership succession, board composition, risk management and alignment of risk appetite with strategy, stakeholder
communications, and corporate culture. Open communication channels support early detection and response to
governance risks. Regular evaluations—guided by internal reviews, stakeholder feedback, and external benchmarks—help
identify gaps, track progress, and drive continuous improvement across the governance framework.

Leading-Edge Considerations

Internal Audit’s Role in Assessing Corporate Governance


Entities can leverage IA to perform corporate governance assessments to evaluate the effectiveness of
governance structures and processes compared to leading practices. Specifically, IA can evaluate board
composition, structure, and assessment processes, as well as the effectiveness of executive management’s
strategy-setting processes and oversight. In addition, IA may perform assessments of culture and incentive
programs to determine the alignment of culture with strategy, values, and ethics, and evaluate the reliability
and transparency of communications with stakeholders.

24.3. Report monitoring results and reinforce continuous improvement. Executive management establishes a
structured cadence and reporting format to communicate monitoring results to the board and relevant committees
across all governance elements. These reports include analysis of trends, regulatory developments, stakeholder
expectations, and recommended updates to the entity’s policies, controls, and practices. The board and management use
these insights to inform strategic decision-making, enhance oversight, and confirm alignment with the entity’s purpose,
core values, and long-term strategic goals. As part of its commitment to continuous improvement, the entity regularly
reviews the effectiveness of its governance systems to identify gaps and opportunities for refinement. This process
supports adaptability in the face of disruption and promotes transparency, accountability, and ethical leadership.

Conclusion
Corporate governance is not a static structure but a dynamic, evolving integrated system. When
executed effectively, it enables strategy, fosters trust, supports resilience, and creates long-term
value for shareholders and stakeholders alike. The integrated application of the six Components—
Oversight, Strategy, Culture, People, Communication, and Resilience—provides a foundation for
entities to strengthen corporate governance in both principle and practice. By aligning corporate
governance with the realities of today’s complex business environment, entities can lead with
purpose, respond with agility, and position themselves for success in achieving long-term value.

COSO’s Corporate Governance Framework

Appendix: Corporate Governance
Framework Glossary
To understand the CGF, it is essential to understand key terms in the context of the CGF structure
and how they are used relative to the CGF.

Corporate Governance Framework Key Terms


• Corporate Governance Framework (or CGF): The six Components and related Principles,
Points of Focus, Deeper Insights, and Leading-Edge Considerations, consisting of (1) Oversight,
(2) Strategy, (3) Culture, (4) People, (5) Communication, and (6) Resilience.
• Component: One of the six foundational areas that collectively form the foundation of effective
corporate governance as defined in the CGF.
• Principles: High-level objectives embedded within each of the CGF’s six Components. They
articulate essential governance expectations and provide a flexible foundation that can be adapted
to an entity’s specific needs and circumstances.
• Points of Focus: Each Principle is supported by Points of Focus that expand on how entities may
choose to achieve the Principles. Points of Focus assist the entity in understanding how to put the
related Principle into action or in assessing current-state effectiveness tailored to an entity’s
unique circumstances.
• Deeper Insights: Used to expand upon Points of Focus, offering the user additional depth of
understanding as it relates to a leading practice.
• Leading-Edge Considerations: Used to highlight more advanced governance considerations
that go above and beyond leading practice.

Other Terms
• Accountability: The obligation of directors, executive management, and employees to fulfill their
responsibilities, report transparently on outcomes, and accept consequences for performance
aligned with the entity’s strategic objectives and core values.
• Artificial intelligence (or AI): AI, as defined by the U.S. National Institute of Standards and
Technology (NIST), refers to “a machine-based system that can, for a given set of objectives,
generate outputs such as predictions, recommendations, or decisions influencing real or virtual
environments.”
• Board (or board of directors): The governing body appointed or elected to oversee
management, provide strategic guidance, monitor performance, and uphold accountability
aligned with the entity’s purpose, core values, and long-term objectives.
• Board leadership: The individual or individuals, such as the board chair, lead independent
director or committee chair(s), responsible for guiding the board’s activities, fostering
collaboration, promoting effective governance practices, and serving as a liaison between the
board and management.
• Business judgment rule: A legal principle that protects directors from liability for decisions
made in good faith, with due care, and in the entity’s best interests. It presumes that directors act
on an informed basis, without conflicts of interest, and within their authority, shielding them
from personal liability as long as their decisions are reasonable and made with honest judgment.

• Business model: The fundamental approach an entity uses to create, deliver, and capture value.
It encompasses the entity’s core operations, revenue streams, customer relationships, and key
resources, reflecting how it sustains profitability and competitiveness.
• Capital allocation: The process of distributing financial resources to support an entity’s strategy,
investment priorities, and long-term value creation. It involves evaluating funding needs,
optimizing the capital structure, and determining how to deploy capital across initiatives such as
operations, growth investments, and shareholder returns.
• Code of ethics and conduct: A formal set of principles and expectations that guide ethical
behavior, integrity, and responsible decision-making within an entity. They establish standards
for professional conduct, inclusion, and accountability, reinforcing the organization’s
commitment to ethical business practices and aligning culture with strategic objectives.
• Compliance: The process of confirming that an entity adheres to all applicable laws, rules,
regulations, standards, ethical practices, and corporate policies relevant to its business operations.
• Conflicts of interest: Refers to any personal, professional, or financial interest that could impair,
or appear to impair, a director’s or executive’s ability to act objectively and in the entity’s best
interests.
• Control: (1) As a noun (i.e., existence of a control), a policy or procedure that is part of internal
control. (2) As a verb (i.e., to control), to establish or implement a policy or procedure that affects
a principle.
• Core values: The ethical and cultural foundation of an organization, shaping behavior, decision-
making, and risk awareness at all levels. Core values are essential for setting the tone at the top,
guiding ethical conduct, and aligning risk, control, and performance with the organization’s
purpose.
• Corporate governance: Corporate governance involves the oversight and processes primarily
carried out by an informed board and management team to steer an entity toward executing its
strategies and goals, while maximizing long-term shareholder value in an ethical manner and
within the relevant legal and regulatory environment.
• Corporate governance guidelines: A set of principles and practices adopted by the board to
define its roles, responsibilities, structure, and operating procedures. These guidelines support
effective oversight by aligning board activities with regulatory requirements, strategic priorities,
and stakeholder expectations.
• Corporation: A legal entity that is separate and distinct from its owners, with its own rights and
responsibilities, created under law to conduct business or other activities.
• Culture: The set of shared values, attitudes, and behaviors shaped by leadership that influences
how individuals act with integrity, make decisions, and respond to risk. It reflects the
organization’s ethical foundation and risk awareness, guiding consistent behavior in support of
strategy and objectives.
• Delegation-of-authority policy: A formal policy that defines decision-making powers within an
entity, specifying which roles have the authority to make decisions independently, which require
collaboration or approval, and under what conditions authority can be delegated. It includes
monetary limits, decision thresholds, and escalation protocols, helping align the entity’s strategy
and governance structure.

• Director: An individual appointed or elected to serve on the board of directors, responsible for
overseeing management, guiding strategy, and upholding accountability in alignment with the
entity’s purpose, values, and long-term objectives.
• Disclosures: Information that an entity publicly shares to provide transparency on its operations,
financial performance, governance, and strategic direction. Disclosures can be mandatory, such as
regulatory filings and financial reports, or voluntary, such as sustainability reports and board
qualifications.
• Employees: Workers who are employed by a U.S. legal entity as W-2 workers, versus 1099
contractors or vendor-provided talent.
• Enterprise risk management (or ERM): The culture, capabilities, and practices, integrated with
strategy-setting and its performance, on which organizations rely to manage risk in creating,
preserving, and realizing value.
• Entity: Any for-profit, not-for-profit, or governmental body. An entity may be publicly listed,
privately owned, owned through a cooperative structure, or any other legal structure.
• Equity law: A body of legal principles developed alongside common law to promote fairness and
justice in cases where strict application of statutory law would result in an unfair outcome. Rooted
in judicial precedents, equity law provides remedies such as injunctions, specific performance,
and fiduciary obligations, including the duties of care, loyalty, and good faith that govern
corporate directors and other fiduciaries.
• Ethical behavior: The consistent practice of acting with integrity, fairness, and respect, in line
with the entity’s core values and expectations.
• Executive management: The most senior-level executives (C-suite), such as the CEO, CFO, and
chief operating officer, responsible for executing strategic plans, making high-level operational
decisions, and achieving entity success and profitability. They engage with the board of directors
and shareholders to uphold governance best practices, maintain ethical standards, fulfill fiduciary
duties, and establish a strong corporate culture from the top.
• Executive sessions: Private meetings of the board or its committees, held without management
present, to facilitate open discussions on sensitive matters such as CEO performance, succession
planning, board effectiveness, legal and compliance issues, and auditor discussions.
• Fiduciary duties: Legal and ethical obligations to act in the best interests of another party,
typically associated with fiduciary duties such as the duty of care, duty of loyalty, and the
obligation to act in good faith.
• Financial statements: Typically refers to balance sheet, income statement, cash flow statement,
statement of changes in equity, etc.
• Fraud: Any intentional act or omission designed to deceive others, resulting in the victim
suffering a loss and/or the perpetrator achieving a gain.
• Generative AI (or GenAI): A system of algorithms or computer processes that can create novel
output in text, images, or other media based on user prompts. These systems are created by
programmers who train them on large sets of data. The AI learns by finding patterns in the data
and can then provide novel outputs to users’ queries based on its findings. GenAI systems are
distinguished from other AI systems by their ability to create novel output.

• Goals: Broad, long-term outcomes the entity aims to achieve, reflecting its strategic vision and
overall direction.
• Independent (or independence): The state of being free from conflicts of interest, undue
influence, or bias, enabling objective judgment in decision-making processes.
• Independent directors: Board members who have no material relationship with the entity that
could compromise their ability to exercise objective judgment. Their independence is defined by
federal and state laws, listing exchange rules (such as NYSE and Nasdaq), and corporate
governance best practices.
• Integrity: The quality or state of being of sound moral principle; uprightness, honesty, and
sincerity; the desire to do the right thing, to profess and live up to a set of values and expectations.
• Internal audit (or IA): An independent, objective assurance and advisory service designed to add
value and improve an organization’s operations. It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of
governance, risk management, and control processes. For information on the standards and
principles which govern internal audit, refer to the IIA’s Global Internal Audit Standards.
• Internal control: A process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
relating to operations, reporting, and compliance.
• Investors: Individuals or entities that allocate capital to an organization with the expectation of
generating financial returns.
• Leaders: Individuals responsible for guiding and inspiring others toward achieving entity goals,
shaping culture, and driving strategic success. Leaders can include board, executive management,
and management.
• Management: Beyond the C-suite, individuals overseeing the employees who are executing daily
operations across varying entity levels and functional or business lines. Management is
responsible for coordinating tasks to achieve organizational goals through planning, organizing,
leading, executing, and then reporting to executive management.
• Mandatory retirement age: A policy that sets a predetermined age at which directors are
required to step down from the board, used as a mechanism to promote board refreshment and
turnover.
• Objectives: Specific, measurable, and time-bound targets that support the achievement of
broader goals.
• Operating model: The structure that defines how an entity organizes its people, processes,
technology, and resources to execute its strategy. It establishes roles, responsibilities, reporting
lines, and decision-making authority, adapting as needed to align with strategic goals and market
conditions.
• Organizational structure: The manner in which authority, roles, responsibilities, and reporting
lines are clearly established throughout an entity to effectively support strategy, manage risks, and
enable robust internal control.
• Overboarding: A situation in which a director serves on an excessive number of boards,
potentially limiting their ability to dedicate sufficient time, attention, and oversight to each
entity.

• Oversight: The process by which the board and management monitor, guide, and evaluate the
entity’s operations, risks, and performance to promote accountability, ethical conduct, and
alignment with strategic objectives.
• Performance management: The measurement of efforts to achieve or exceed the strategy and
business objectives.
• Purpose: An entity’s fundamental reason for being, guiding strategy, decision-making, and
culture.
• Risk: The possibility that events will occur and affect the achievement of strategy and business
objectives. Risks (plural) refers to one or more potential events that may affect the achievement of
objectives; risk (singular) refers to all potential events collectively that may affect the achievement
of objectives.
• Risk appetite: The types and amount of risk, on a broad level, that an organization is willing to
accept in pursuit of strategy.
• Risk management: The policies, procedures, and control processes that an entity establishes to
identify, assess, monitor, and report risks, confirming risks are managed in a way that helps the
entity achieve its objectives.
• Risk profile: A composite view of the risk assumed at a particular level of the entity, or aspect of
the business that positions management to consider the types, severity, and interdependencies of
risks, and how they may affect performance relative to the strategy and business objectives.
• Shareholders: Individuals or entities that own shares in a corporation, granting them ownership
interest and certain rights, such as voting on major corporate decisions, receiving dividends, and
reviewing financial performance.
• Shareholder engagement: Refers to the direct and indirect communication between an entity
and its shareholders through methods such as one-on-one meetings, group presentations,
conferences, and proxy voting to address concerns, align interests, and support long-term value
creation.
• Shareholder rights: The entitlements granted to shareholders, typically defined by law or the
corporation’s governing documents, including the right to vote on major decisions, receive
dividends, and access financial reports.
• Skills matrix: A tool the board uses to assess and map its members’ collective competencies,
expertise, and experience to help align with the entity’s strategic needs.
• Stakeholders: Individuals or groups, either internal or external, that may impact or be impacted
by the entity’s operations, business environment, reputation, brand, and trust. Internal
stakeholders include parties working within the entity, such as employees, management, and the
board. External stakeholders are those who are not directly part of the company but are affected
by or have an interest in its business operations and financial performance, such as shareholders,
regulators, customers, vendors, community members, and business partners.
• Strategy: A set of informed, sometimes difficult choices an entity makes about how to compete
and create long-term value, guided by the entity’s unique current and future advantages. It
defines where and how the entity will focus its resources, respond to disruption, and differentiate
itself in a constantly evolving environment in alignment with its purpose and core values.

• Strategic plan: A formal, multi-year roadmap developed by executive management, with board
input and approval, that defines the entity’s long-term goals, competitive positioning, and key
initiatives. It outlines how resources will be allocated, risks managed, and opportunities leveraged
to achieve sustainable growth and value creation.
• Supermajority: A threshold higher than a simple majority, often defined as two-thirds or more of
a group, required for certain decisions or governance standards.
• Sustainability: The ability of an entity to create long-term value by integrating economic,
environmental, and social considerations into its strategy and operations.
• Talent: Individual people or pools of skilled people within the workforce.
• Term limits: A policy that sets a maximum length of service for board members to promote
board refreshment, independence, and diversity of perspectives.
• Tone at the top: The ethical climate, culture, and values established by the board and executive
management, which influence the organization’s behavior and decision-making at all levels.
• Total rewards: A comprehensive program that encompasses all forms of compensation, benefits,
and development opportunities that an entity offers to attract, retain, and engage its workforce.
• Transparency: The practice of providing stakeholders with clear, accurate, and accessible
information about the entity’s operations, performance, and governance.
• Value: The tangible and intangible benefits an entity generates through its operations, assets, and
relationships, including financial performance, brand equity, intellectual property, customer
loyalty, and talent.
• Value creation: The process by which an entity generates long-term economic, social, and
strategic benefits for its stakeholders through effective decision-making, resource allocation, and
sustainable growth initiatives.
• Whistleblower: An individual, often an employee, who reports suspected misconduct, unethical
behavior, or violations of laws or policies within an organization.
• Workforce: The entirety of workers, on or off the balance sheet, who deliver outcomes or goals.


PwC and COSO have exercised reasonable care in the collecting, processing, and reporting of this information but
have not independently verified, validated, or audited the data to confirm the accuracy or completeness of the
information. PwC and COSO give no express or implied warranties, including but not limited to any warranties of
merchantability or fitness for a particular purpose or use, and shall not be liable to any entity or person using this
document or any information contained therein, or have any liability with respect to this document or any
information contained therein.

© 2025 PwC US Consulting LLP. All rights reserved. PwC US Consulting LLP refers to the US group of member firms,
and may sometimes refer to the PwC network. Each member firm is a separate legal entity.

No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or by any means
without written permission of COSO and PwC US Consulting LLP.
