People and Culture Risk and the Governance Architecture Gap
Regulatory regimes increasingly assume governance-ready structures for human capital related risks, yet many organizations lack them. PCRM provides the architectural foundation to bridge this gap.
I.A. Regulatory Developments in Workforce-Linked Disclosure and Due Diligence
While regulatory regimes focus on workforce-linked disclosures and due diligence, the underlying drivers of these obligations often sit in people and culture systems that fall outside traditional compliance structures. Across major jurisdictions, such regimes are no longer optional. They are increasingly statutory and structured, imposing concrete obligations on companies to disclose, monitor, or prevent adverse impacts related to people, workforce conditions, and organizational practices.
India (SEBI BRSR)
Under the Securities and Exchange Board of India's Business Responsibility and Sustainability Reporting (BRSR) framework, the top 1,000 listed companies (by market capitalization) are legally required to disclose standardized environmental, social, and governance (ESG) information as part of annual reporting. BRSR Core, refined by SEBI's 2024–25 updates, also introduces value-chain disclosures and assurance/assessment requirements that deepen corporate accountability for social and human capital metrics over time.
SEBI BRSR reporting is a mandatory regulatory obligation for companies in scope.
European Union CSRD & Pay Transparency Directive
The Corporate Sustainability Reporting Directive mandates standardized sustainability reporting, including social and workforce dimensions, for a broad scope of companies in the EU, with phased implementation into national law. The EU Pay Transparency Directive (Directive (EU) 2023/970) requires employers above specified sizes to make structural changes to compensation transparency, with first reporting obligations beginning as early as 2027. These are legal requirements once transposed into domestic legislation under EU procedures.
European Due Diligence (CSDDD)
The Corporate Sustainability Due Diligence Directive, adopted in 2024, requires companies to integrate human rights and environmental due diligence into policies, identify and assess impacts across their operations and value chains, and take action to prevent or mitigate them. EU member states are required to incorporate this directive into national law within a prescribed period, making it a binding legal obligation once implemented domestically.
Other Mandates (Supply Chain Acts)
Hard legal obligations on human rights and labor risk also exist outside ESG reporting frameworks. For example, Germany's Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz or LkSG) requires companies with over 1,000 employees in Germany to establish risk management systems and conduct human rights and environmental due diligence across their own operations and supply chains, with compliance obligations enforced by national authorities. Organizations not directly in scope will also be affected if they sit in the supply chain of large organizations that are.
Together, these regimes constitute a substantive set of mandatory regulatory obligations that intersect with people and culture risk; they are not voluntary frameworks.
I.B. Voluntary Frameworks and Standards Relevant to People and Culture Risk
In addition to mandatory legal requirements, organizations often engage with voluntary frameworks and standards that shape how workforce risk, human rights, labor practices, and organizational governance are understood, assessed, and disclosed. These frameworks are not legally enforceable by themselves but are widely used by companies as best practice or preparatory architecture for internal governance and external stakeholder expectations.
ESG Reporting Frameworks (Voluntary)
- Global Reporting Initiative (GRI): An internationally recognized voluntary sustainability reporting framework covering environmental, social (including labor practices), and governance topics. Organizations use GRI to structure disclosures on impacts, workforce data, and governance processes even where not legally required.
- SASB / ISSB-Aligned Guidance: Voluntary but investor-oriented sustainability disclosure guidance that helps organizations define and present financially material ESG information, including aspects of workforce risk.
International Responsible Business Conduct Frameworks (Voluntary)
- UN Guiding Principles on Business and Human Rights (UNGPs): A globally accepted non-binding framework on how companies should respect human rights, including labor rights; it influences expectations for due diligence processes though it is not itself law.
- OECD Guidelines for Multinational Enterprises: Non-binding recommendations on responsible business conduct, including human rights and labor practices. Though not enforceable, they are referenced by stakeholders and inform interpretation of due diligence norms.
- Voluntary Principles on Security and Human Rights: A voluntary multi-stakeholder initiative providing guidance on how extractive companies should respect human rights in security and workforce contexts; not legally binding but influential in risk planning.
These voluntary frameworks are often adopted by organizations to guide risk assessment, enhance transparency, align with investor expectations, and prepare governance systems that support compliance when future regulatory obligations arrive. They play a complementary role to mandatory standards by influencing what constitutes good practice and credible disclosure, even where the law does not yet require specific disclosures.
Key Distinctions
- Mandatory frameworks carry legal obligations enforced by regulators, often tied to administrative penalties, board oversight responsibilities, or potential liability for non-compliance. Examples: BRSR, CSRD, CSDDD, national supply chain due diligence laws.
- Voluntary frameworks and standards are non-binding guidance organizations adopt to structure disclosures, align with investor expectations, and build internal governance systems. They do not carry direct legal penalties but influence stakeholder expectations and preparedness for mandatory regimes.
Why This Matters in Practice
Organizations often begin by adopting voluntary frameworks to:
- Build internal data systems and controls ahead of regulatory mandates.
- Align with investor and stakeholder expectations even where law has not yet required specific disclosures.
- Benchmark performance against peers using recognized global guidance.
Legal compliance obligations under mandatory regimes require structures ready for reporting, auditability, assurance, and board-level oversight, underscoring the need for integrated risk governance systems.
II. Structural Implications for Fiduciary Oversight
These regulatory developments share three features:
- Standardization: Social, workforce, and governance data must be disclosed in structured formats, not ad-hoc narrative.
- Assurance: Independent assurance or formal assessment of specified sustainability and workforce disclosures is embedded in frameworks such as BRSR Core and mandated under the EU's Corporate Sustainability Reporting Directive.
- Due Diligence Integration: Human rights and labor aspects, across both internal operations and value chains, must be embedded in corporate policies and risk systems (CSDDD and national supply chain laws), not treated as separate compliance checkboxes.
This transforms people and culture risk into matters embedded within governance frameworks, where directors and senior officers are expected to exercise oversight and ensure appropriate governance structures are in place to address disclosure and due diligence obligations.
III. Limitations of Current Organizational Approaches
Most organizations already do a range of activities that interact with workforce disclosure or regulatory compliance, such as:
- Engagement surveys
- Diversity metrics
- Sustainability or ESG narrative reports
- Basic labor compliance programs
However, these activities often lack systemic integration into risk governance. Specifically, many entities struggle to:
- Define leading indicators of people, culture, or organizational vulnerability that meaningfully predict material outcomes before they occur.
- Establish escalation thresholds that translate HR or culture signals into governance-level risk alerts.
- Link people and culture signals to enterprise risk management and board oversight processes.
- Prepare structured documentation ready for assurance or regulatory scrutiny.
The absence of structured risk architecture means that obligations which look like compliance checkboxes can transform into governance stress points, especially when requiring senior-level attestation or independent assessment.
IV. Conditions Under Which People and Culture Exposure Becomes Fiduciary Exposure
People and culture exposure becomes fiduciary exposure, in which directors and senior management may face governance scrutiny, litigation risk, or liability, when three conditions align:
- Material Impact: The issue has a plausible effect on enterprise value, reputation, or strategic execution.
- Formal Reporting/Disclosure: The company must disclose related data in a mandatory regulatory context (e.g., BRSR, CSRD, gender pay).
- Oversight Expectation: Regulatory frameworks assume governance-level oversight and integration (e.g., due diligence embedded in policies, board review obligations).
Under such conditions, what was once a narrative or checkbox compliance exercise becomes intertwined with formal governance obligations that can affect stakeholder confidence, audit outcomes, and legal exposures.
V. People & Culture Risk Management as a GRC Sub-Discipline
The emerging regulatory architecture reveals a gap: regulation increasingly assumes governance-ready structures for people-related risk, yet many organizations lack them. This shortfall is not merely operational but architectural.
People & Culture Risk Management (PCRM) is a GRC sub-discipline designed to fill that gap by:
- Identifying leading risk indicators prior to materialization and business impact.
- Defining measurement frameworks that support structured escalation for governance.
- Integrating people and culture risk signals into enterprise risk management and board oversight mechanisms.
- Translating people-related risk events into governance language and materiality profiles.
- Supporting documented processes that align with assurance and external reporting requirements.
Unlike traditional HR functions or voluntary ESG programs, PCRM sits within GRC architecture: a set of systems, processes, thresholds, and accountabilities necessary to satisfy both regulatory expectations and enterprise risk management requirements.
VI. Implications for Enterprise Risk Architecture
As regulatory regimes expand their reach into workforce-linked disclosure and due diligence, the expectation that organizations can systematically govern people- and culture-related risks will only become clearer. Entities that rely on transactional compliance (e.g., reporting only when asked) will find themselves vulnerable when regulators, investors, or auditors demand evidence of:
- Systematic identification of organizational vulnerabilities
- Structured escalation and oversight
- Active risk mitigation and governance integration
In this context, PCRM is not a nice-to-have discipline. It is the structural foundation organizations need to align internal risk governance with external disclosure and due diligence obligations.
Conclusion
Regulatory obligations relating to workforce disclosure and due diligence, from India's mandatory BRSR to EU sustainability reporting and due diligence directives, reflect a systemic shift in what regulators expect organizations to govern, not just report. These mandates are explicit, enforceable, and increasingly interwoven with governance oversight.
Yet many entities lack the risk governance architecture that these regimes presuppose.
Bridging that gap requires a discipline that treats people and culture as sources of enterprise risk, not only as compliance metrics or narrative reports.
People & Culture Risk Management provides that architecture: enabling organizations to detect, govern, and disclose related risk in ways that satisfy regulatory obligations while reinforcing enterprise resilience.