This is the second article in a two-part series discussing the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Corporate Governance Framework (CGF) public exposure draft. The first article introduces the framework.

Although COSO has withdrawn the exposure draft, citing shifting economic and regulatory conditions, we still believe it is worth highlighting areas for improvement in a framework that could be the most significant development in corporate governance since the US Sarbanes-Oxley Act.

To recap, the COSO CGF is a principles-based framework designed to guide entities through the rapidly evolving corporate governance environment. It aims to enhance agility, clarify roles, and extend accountability beyond the boardroom, shaping culture, guiding decisions, and building stakeholder confidence.

The framework is structured around six essential components: Oversight, Strategy, Culture, People, Communication, and Resilience. All six are equally important and reinforce one another in support of long-term value creation.

Below are areas within the COSO CGF that may benefit from further emphasis or modification, informed by global best practices and emerging trends.

Oversight (COSO Principles 1-6)

Scope of Board Oversight Responsibilities (COSO Principle 1, Point of Focus 1.2)

COSO CGF acknowledges that board oversight responsibilities are "numerous and continually expanding," encompassing strategic initiatives, legal obligations, regulatory requirements, financial performance, and major enterprise risks.

Recommended Improvement: While comprehensive, the document could place more emphasis on specific emerging oversight areas that demand dedicated board attention, such as complex digital transformation initiatives and their associated risks. Many boards have not yet addressed AI and cybercrime risks at all. This points to a need for more explicit guidance on where oversight of emerging risks should sit when it does not fit neatly within traditional committees.

Board Leadership Attributes and Responsibilities (COSO Principle 2, Points of Focus 2.1 and 2.2)

The framework emphasizes the role of an independent board leader in providing direction, guiding board work, influencing the agenda, and acting as a liaison.

Recommended Improvement: The CGF could more strongly advocate the clear separation of the CEO and Chair roles as a leading practice for enhancing board objectivity. The UK Corporate Governance Code, for example, explicitly states that "The roles of chair and chief executive should not be exercised by the same individual". COSO notes that an independent board leader "helps position the board to provide objective oversight", but stronger wording could reinforce this structural separation as the preferred mechanism for ensuring robust independent judgment, aligning the CGF more closely with the UK Code and other global corporate governance frameworks.

Individual Director Assessments (COSO Principle 16, Leading-Edge Considerations, "Individual Director Assessments")

COSO CGF includes individual director assessments as a "Leading-Edge Consideration," noting that they evaluate each director's understanding, participation, skills, and overall contribution.

Recommended Improvement: Given the increasing scrutiny of board effectiveness, individual director assessment should be elevated to a central, explicit expectation within the main Principles of the "Oversight" or "People" component. Widespread questions about director competence and contribution call for more than a "leading-edge" suggestion; regular assessment needs to be integral to maintaining board quality and accountability.

Shareholder Rights and Engagement in Cross-Border Contexts (COSO Principle 6)

COSO CGF Principle 6 focuses on upholding shareholder rights through transparency and dialogue.

Recommended Improvement: The CGF could incorporate more explicit guidance on eliminating impediments to cross-border voting and ensuring equitable treatment of foreign investors, as emphasized by the G20/OECD Principles of Corporate Governance. OECD Principle II.C.7 states that "Impediments to cross-border voting should be eliminated", noting the challenges posed by chains of intermediaries and short notice periods. While COSO mentions diverse shareholder perspectives, deeper practical guidance on overcoming these international barriers would make the framework more applicable to global companies.

Strategy (COSO Principles 7-10)

Strategic Agility in the Face of Geopolitical and Economic Shifts (COSO Principle 10, Points of Focus 10.3 and 10.4)

The framework addresses strategic agility by recommending boards and executive management stay informed of market trends, macroeconomic conditions, and regulatory changes, and use scenario planning. It also touches on crisis response.

Recommended Improvement: The CGF could more explicitly integrate today's specific geopolitical, technological and economic pressures into its discussion of strategic adjustment. COSO's language is deliberately broad, but concrete examples or "Deeper Insights" on navigating these particular external forces would make the framework more actionable and more relevant to the current environment.

Culture (COSO Principles 11-13)

Addressing Financial Fraud and Embedding Ethics Proactively (COSO Principle 12, Point of Focus 12.1)

COSO CGF emphasizes maintaining a code of ethics and conduct, reinforced through training and communication, and supporting transparency by sharing ethical concerns and resolutions. It also has a "Deeper Insights" box on Whistleblower Policy.

Recommended Improvement: The CGF could strengthen its emphasis on proactively rooting out bad actors and on the critical lines of communication between compliance functions and the board. There should be a direct, consistent reporting line from the Chief Compliance Officer (CCO) or General Counsel (GC) to the board. A Point of Focus or Deeper Insight under Principle 12 could therefore highlight the importance of formalized, direct, and consistent channels through which compliance officers bring fraud and abuse, not just general ethical concerns, to the board.

Culture and Technology Ethics (COSO Principle 11, Point of Focus 11.3 and Principle 12, Deeper Insights, "Cultural Consistency Across Partnerships and Global Subsidiaries")

The framework discusses defining and communicating desired culture and integrating cultural priorities into business functions. It also addresses cultural consistency across partnerships and global subsidiaries.

Recommended Improvement: The CGF should more explicitly address the ethical implications of new technologies such as AI within its Culture component. AI systems, for example, are often opaque and can embed bias, which complicates board decision-making. A new Point of Focus could be added under Principle 11 or 12 stating the need to embed ethical considerations and bias-mitigation strategies in technology adoption policies, so that culture remains consistent in the digital age.

People (COSO Principles 14-16)

Addressing Evolving Workforce Dynamics and Talent Attraction (COSO Principle 14, Points of Focus 14.1 and 14.3)

COSO CGF addresses people strategy, planning, and varied workforce composition, including attracting and retaining talent across demographic groups.

Recommended Improvement: The CGF could provide more detailed insight into adapting to contemporary workforce trends, such as the rise of "job hopping" and the growing proportion of Millennials and younger generations in the workforce. A Point of Focus under Principle 14 could guide executive management on rethinking talent management strategies, including compensation, development, and work models (for example, hybrid work), to attract and retain younger generations, given their distinct expectations and career paths.

Communication (COSO Principles 17-20)

Leveraging Technology for Real-Time Board Reporting and Dashboards (COSO Principle 17, Point of Focus 17.4 and Principle 19, Point of Focus 19.3)

COSO CGF encourages enhancing information with technology, including automated verification and monitoring, and mentions dashboard reporting to convey critical information to the board.

Recommended Improvement: The CGF could more strongly advocate the adoption of integrated digital platforms and dashboards for real-time oversight and data-driven decision-making, emphasizing their role in making board meetings more focused. A "Deeper Insight" or "Leading-Edge Consideration" under Principle 17 or 19 could give specific examples of centralized, real-time dashboards and the benefits they bring to board efficiency and to compliance with disclosure rules.

Public Policy Stance and Geopolitical Communications (COSO Principle 20, Leading-Edge Considerations, "Taking a Public Policy Stance")

The framework includes a "Leading-Edge Consideration" on entities taking public policy stances, advising on establishing policies and involving the board.

Recommended Improvement: Given the current global climate, this area deserves a more prominent position or expanded detail. The CGF could expand this leading-edge consideration into an explicit Point of Focus under Principle 20, detailing how boards should develop a robust framework for responding to and communicating on major socio-political and geopolitical events, including managing internal ideological divides and external stakeholder expectations.

Resilience (COSO Principles 21-24)

Managing Comprehensive Digital Security Risks (COSO Principle 21, Point of Focus 21.6)

COSO CGF addresses managing risks associated with technology, including cybersecurity, by establishing governance structures and policies.

Recommended Improvement: The CGF could intensify its focus on the escalating threat of cybercrime and on the specific vulnerabilities introduced by emerging technologies such as generative AI. COSO acknowledges the risk, but a "Deeper Insight" outlining specific board-level responsibilities for overseeing proactive infrastructure and data upgrades, rigorous change management for software, and continuous vigilance against evolving cyber threats would be highly beneficial. The G20/OECD Principles of Corporate Governance likewise highlight the importance of managing digital security risks, including data security, privacy, and the risks of AI and algorithmic decision-making.

Integration of Sustainability and Climate-Related Risks (COSO Principle 21, Point of Focus 21.3)

COSO CGF notes that executive management incorporates risk and opportunity considerations into strategic planning, including evaluation against risk appetite.

Recommended Improvement: While COSO addresses risk integration in general terms, the CGF could further emphasize the specific integration of sustainability and climate-related risks and opportunities into the risk management framework, in line with the heightened global focus on these topics. Chapter VI of the G20/OECD Principles, "Sustainability and resilience," sets out in detail the need for "consistent, comparable and reliable disclosure of material sustainability-related information," including climate change risks, and states that boards should "adequately consider material sustainability risks and opportunities" in performing their functions. Stronger emphasis on quantifying and overseeing climate transition and physical risks, and on ensuring coherence between lobbying activities and sustainability goals, would enhance this section.

Accountability for Internal Controls (COSO Principle 23, Point of Focus 23.1)

The framework states that executive management designs and implements a system of internal control, with the board and audit committee reviewing key control policies.

Recommended Improvement: The CGF could be more explicit about the board's direct accountability for internal controls and its declaration of their effectiveness, similar to the recent changes to the UK Corporate Governance Code. The UK Code's Provision 29, effective for accounting periods beginning on or after 1 January 2026, requires the board to "provide in the annual report, a declaration of effectiveness of the material controls as at the balance sheet date". COSO requires the board to monitor and review effectiveness, but a formal declaration of effectiveness would add transparency and accountability. Such a declaration would also add a complementary board-governance angle to management's Sarbanes-Oxley certification of internal control over financial reporting, which has a narrower external reporting focus.

In conclusion, while the COSO CGF public exposure draft offers a robust and adaptable framework for corporate governance, we believe that more granular detail and explicit guidance on rapidly evolving areas, such as the ethical implications and cybersecurity risks of AI, specific geopolitical impacts on strategy, contemporary workforce dynamics, and direct board accountability for internal control effectiveness, would further enhance its relevance and utility for entities navigating the complexities of the modern business environment.

We look forward to the re-introduction of the revised exposure draft and sharing our subsequent perspective in due course.
