I am preparing for another trip next week to the United Kingdom/Europe and reflecting on the differences in GRC – governance, risk management, and compliance – between North America and the UK/Europe. BTW: if you want to meet next week in London and discuss GRC strategy, process, technology, and/or content/intelligence solutions . . . let me know . . .
OK, let me be clear. What I am about to state is generalizing. There are exceptions, but this is the overall picture of the differences between North America (USA and Canada) and the U.K./Europe in the context of GRC, particularly risk management and compliance.
Consider (generalizing as there are exceptions) . . .
- Risk management. The USA too often approaches risk management (and its acronyms of ERM, ORM, IRM) as a compliance exercise from SOX. Risk starts with a risk and control register mapping in North America. It is a bottom-up approach.
- Risk management in Europe, which is most often aligned with ISO 31000, in this context risk management is a more business perspective that starts with objectives (e.g., entity, division, department, process, project, asset). Risks are understood and managed in the context of objectives, and the business is more involved in risk management as it provides more value to the business. It is often a top-down approach aligned with strategy and performance. I see a lot more board-level involvement in risk management in Europe, and risk management is seen as a business tool and enabler. There are several RFPs this year that are driven by the board. In Germany, you have things like IDW PS 340 requiring enterprise risk normalization, aggregation, and quantification up to the board-level
- Compliance. Compliance is very different between USA and Europe. From a product safety side, the USA generally has a prove it is harmful perspective while Europe has a prove it is safe perspective. But the regulatory regimes take a very different approach. The USA is a checklist/tickbox mentality. North American firms want to be told what they have to do, let them check the checkboxes, and then they want a get-out-of-jail-free card.
- Europe has an outcome/principled base approach to compliance. They generally do not create checklists but define principles and objectives that must be achieved. For example, the UK Consumer Duty has a core principle as its foundation, which then rolls into three more sub-principles (duties), focusing on four outcomes. There is no detailed checklist. The focus is on principles being embraced in the culture and conduct of the organization and measured by outcomes
- This outcome/principled-based approach started with what was the UK FSA, which later became the UK FCA, and rolled into the EU Better Regulatory Policy twenty years back.
- This outcome/principled-based approach to compliance requires a risk-based approach as the focus is on principles and outcomes, or we can say objectives (like the European approach to risk management). Everything is objective-based. How one organization complies to achieve principles/outcomes/objectives may differ from another, but the achievement of objectives/outcomes is measured. This requires a different way of approaching and thinking about compliance than what you see in North America.
- Focusing on principles and outcomes is very different than detailed checklists of rules. It requires a deeper focus on ethics and culture driving the conduct.
- ESG. This is another difference. The USA does not have broad sweeping legislation tackling ESG like the EU does with CSRD, CSDDD, CSRS, or individual country laws like Germany’s LkSG (on the third-party side). In the USA, some fragments tackle parts of ESG (e.g., FCPA, Conflict Minerals, California Transparency in Supply Chains Act), but no broad legislation mandating expansive ESG reporting, assurance, attestations, and due diligence like Europe has. ESG in the USA is too often thought of as only the E for the environment. Too many think ESG regulation is the proposed SEC Climate Change regulation (should it ever be finalized). But the reality is that it is only a part of the E in ESG, not even all of the E. And the political environment is in a stalemate, and there is back and forth on things like the SEC climate disclosure rules and a forthcoming Supreme Court ruling that might undermine all of that.
- In Europe, the EU CSRD, CSDDD. CSRS (the ESG trifecta) impacts 50,000 firms that have to start doing ESG reporting (and many North American firms with operations in Europe). You have Germany’s LkSG, which has global concerns about ongoing due diligence in supply chains.
- ESG is a huge focus in Europe; in North America, it has fragmented attention but not the same momentum. The exception is firms that have significant operations in Europe.
- I discuss this in detail in the 2023: How to Market & Sell ESG Solutions & Services Research Briefing.
- Privacy is another example. The EU has GDPR while the USA has . . . nothing at the Federal level . . .