COSO Releases Board Governance and ERM Guidance

Articles Jake Lamb Jun 15, 2026

COSO is expanding its focus on board governance and enterprise risk management (ERM) with two reports aimed at helping organizations strengthen oversight and improve decision-making in increasingly complex business environments.

The recently released From Guidance to Action: Exploring Practical Enterprise Risk Management examines how organizations can make ERM more useful in day-to-day strategic decisions rather than treat it as a compliance exercise.

The report draws on a global survey of risk professionals and interviews with senior executives across industries. The findings highlight how little ERM programs influence business decisions.

According to the report, more than half of respondents say their ERM program is still viewed primarily as a compliance or assurance function, with only 7% describing ERM as fully integrated into strategic decision-making. At the same time, 98% say ERM should play a more strategic role in helping organizations evaluate trade-offs, identify triggers, and assign accountability.

“Organizations today face unprecedented complexity, and ERM must evolve to keep pace,” Lucia Wind, executive director and chair of COSO, said in a press release. She added that the guidance is intended to help organizations move beyond documentation and toward “embedded, real-time, decision-led practices.”

The report outlines how organizations can apply COSO’s ERM Framework as “a toolkit for embedding risk thinking into everyday decision-making.” It includes a model for linking strategy and risk.

Anthony Pugliese, president and CEO of The IIA, emphasized the implications for internal audit in a LinkedIn post about the report. “Closing that gap requires moving beyond process and connecting risk more directly to strategy, performance, and decision-making,” Pugliese wrote. He added that internal audit can help organizations clarify strategic trade-offs, connect risk insights to real-time decisions, and enable greater confidence and resilience.

COSO also released Corporate Governance: Guiding Principles for Board Oversight, which outlines 12 principles to help boards evaluate whether governance structures and oversight practices remain effective amid growing stakeholder expectations, emerging technologies, and more complex risks.

“Boards are being asked to make decisions with greater speed, transparency, and accountability than ever before,” Wind said. “This guidance gives directors a common reference point to further enhance oversight, clarify roles, and support disciplined, long-term decision-making.”

The guidance covers board structure, accountability, culture, technology oversight, and risk management. COSO describes the publication as supporting board assessments, director education, and stronger oversight practices, without prescribing a single governance model.

In another LinkedIn post, Pugliese said the COSO guidance reinforces the importance of internal audit’s role in helping boards gain “clear insight into risk, controls, and oversight.”

Wind stated, “Effective governance depends on how oversight responsibilities connect and reinforce one another. COSO offers this publication to support boards and those charged with governance as they assess and refine oversight over time, in pursuit of long-term value.”

Jake Lamb

Jake Lamb is the managing editor of Internal Auditor.