Which COSO ERM component addresses governance structure, culture, and ethical values that influence how risk is managed?

Governance and Culture focuses on how the organization is governed and the culture and ethical values that shape risk decisions. It sets the tone at the top, defines roles and accountability for risk management, and establishes the expected behaviors and ethics that guide how risk is perceived, escalated, and addressed. This environment directly influences risk appetite, tolerance, and how people throughout the organization act in the face of risk. Without a strong governance and culture foundation, risk management processes can falter or become misaligned with objectives, even if other ERM components exist. The other areas cover setting strategy and objectives, how risk information is communicated and reported, and how ongoing monitoring occurs, but they do not directly establish the governance framework and cultural drivers that influence risk behavior.