COSO’s Draft Corporate Governance Framework
Executives and board directors are always searching for a better way to manage their organizations — and rightly so, considering how messy and bewildering corporate governance can be at large organizations. Now COSO is trying to remedy that situation with a proposed framework for corporate governance, and we should all take a close look.
COSO released a draft of the framework last week, and it’s open for public comment until July 11. COSO will then take those comments, digest them for what they’re worth, and release a final version of the governance framework sometime after that.
Why should compliance and audit executives care? Because corporate leaders (both boards and executive management teams alike) are now pulled in a zillion directions at once, which makes forward progress on business objectives painfully difficult. Frameworks such as COSO’s can help leadership teams instill discipline amid that confusion. They can help senior management understand the policy and control infrastructure it should put in place, and help audit and compliance teams understand how you can support (read: help the brass understand what they’re doing wrong) those efforts.
Anyway, let’s take a look at what this exposure draft proposes.
COSO defines corporate governance as a set of six components, meant to serve four distinct groups, all in pursuit of long-term value for the organization. And like all COSO frameworks, the framework includes a nifty visual to help people understand how this is all supposed to fit together. Introducing… the corporate governance circle!
These six components — oversight, strategy, culture, people, communication, and resilience — are then expanded into a list of 24 principles. Each of the 24 principles is supported by several more specific “points of focus.” So in total, this governance framework offers several dozen potential steps that your organization should take to ensure that its governance is effective, durable, and flexible.
First, the Big Strategic Stuff
The first three components (oversight, strategy, and culture) are more about organizing your business at the fundamental levels: establishing basic structures and authority, defining values and strategy, and creating the corporate culture. Those three components are supported by a total of 13 principles. See Figure 1, below.
Right away we can see some wise concepts embedded in this part of the framework, such as establishing the board structure and defining how the board oversees the CEO. This strikes me as an extremely important first step, because corporate ethics and compliance history is riddled with examples of overweening CEOs who dominate feckless boards: Bernie Ebbers at WorldCom, Steve Wynn at Wynn Resorts, Elizabeth Holmes at Theranos, Elon Musk at Tesla, and many more. Just look at the messes (from criminal misconduct to strategic stupidity) that those arrogant egos have made, because their boards weren’t holding them accountable.
On the other hand, while I applaud steps like Principle 6, Uphold Shareholder Rights, I also wonder how that’s going to go over with some political authorities, who seem to think shareholders are pests to be subdued until they dump their shares and go away. We’ll take a deeper look at this item in a future post, but I wonder whether it might be one principle (or more precisely, its points of focus, which talk about specific good governance practices) that catches criticism.
For compliance officers, the most important component might be Culture, and its three principles for establishing and modeling culture, promoting ethics and open communication, and assessing the culture on a regular basis. The Justice Department’s guidelines for effective compliance programs include a small but important section on measuring corporate culture (example: “How and how often does the company measure its culture of compliance?”), so embracing these principles can be a fantastic way to meet those goals.
Next, the More Tactical Stuff
The second three components of the governance framework (people, communication, resilience) will probably appeal more to HR, internal audit, and risk management teams. They get to the more tactical issues of how you organize the company’s people, technology, and other resources to achieve your objectives. See Figure 2, below.
Take the People component as an example. Clearly the three principles here are the HR team’s domain, calling on HR and senior leaders to address the most basic issues you have with employees. How do you structure compensation to get the performance you want? How do you measure that performance? What’s your strategy to develop and maintain the right talent, now and in the future?
Too often, HR ponders those questions in a vacuum; good governance should force HR (and senior management, and the board) to ponder those questions in the context of everything else. For example, paying employees gobs of money for success is a great way to make them hit quota; it can also be a great way to get them to break the law. How often does senior management really consider that risk? How often do they think about investing in ethics and culture, rather than concrete approval controls and audits? A framework like this one helps to answer those questions.
Meanwhile, there are also principles near and dear to audit and risk managers, such as:
- Principle 17, Commit to Information Quality — hugely important in our IT- and AI-saturated world; so how do you equip your business functions to meet the data management challenges involved?
- Principle 23: Establish and Evaluate Internal Control — one could say this principle in the governance framework should spawn a whole sub-effort to implement the COSO internal control framework, which I assume is the point. Regardless, a modern organization cannot succeed without effective internal control.
We should pause here to stress that this is all an exposure draft, meant to solicit feedback. Twenty-four principles with dozens of points of focus is a lot; if adopted as is, this would be the biggest and most complicated COSO framework yet. So don’t be surprised if we see a slimmed-down final version (which is what happened with the COSO risk management framework in 2017) when all is said and done.
Still, great work here from COSO. Give the draft a read, offer comments, and see what material you could put to good use even now.
Speaking of which…
From Framework to Action
The theory of how to put frameworks to use is straightforward. The framework defines certain principles you should follow; you define risks to achieving those principles and possible controls that could address those risks; then you somehow track or audit the company’s progress to implementing those controls effectively.
So even now, you can take the exposure draft and start putting it through that cycle. For example, here’s a simple risk-control matrix for the first three principles of the Oversight component.
So a board audit or governance committee could ask the corporate secretary to draft the appropriate policies (in the controls column). Then a head of internal audit could confirm that necessary oversight activities (in the board oversight column) have taken place, with the necessary documents or reports drafted and circulated to the board.
There’s a lot more to it than that, of course; and a lot more principles to consider than the three I outlined above. We can explore those questions in future posts.
For now, however, the COSO exposure draft offers plenty of food for thought. Enjoy the meal.