Business and human rights: a match made in third-party risk management
November 2020 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
November 2020 Issue
Business and human rights often seem like new friends forced to shake hands. Since the United Nations adopted the ‘Guiding Principles on Business and Human Rights’ in 2011, many businesses have for the first time introduced human rights approaches into their business decisions.
Progress in this new relationship has been steady, but slow. Based on a survey recently conducted by the United Nations Global Compact, approximately 90 percent of participating companies established human rights policies, but less than 20 percent acted upon them by conducting human rights due diligence. To paraphrase Martin Luther King, Jr., “A right delayed is a right denied”, and if a policy is in place, but the corresponding due diligence is non-existent, someone’s rights somewhere are likely being denied.
All parts of a business, in various ways, are linked to human rights topics. Along with topline expansion and bottom line management, should not the respect of human rights be a key priority for all companies? For this to happen, governance structures, awareness and adherence to human rights must run across the entire value chain of an organisation, both within the organisation and in its relationships with third parties.
This article presents the business case for integrating human rights into third-party risk management (TPRM), provides an overview of the key human rights issues at stake, describes the integration process and concludes by highlighting joint approaches to increase leverage over third parties.
Why should companies care about human rights and third parties?
Beyond the ethical responsibility to respect human rights, businesses have a growing obligation under international standards and regulations extending to third parties. The Guiding Principles, a voluntary standard referred to as ‘soft law’, requires companies to adopt policies to incorporate existing human rights standards, conduct human rights due diligence across the business, identify human rights risks and impacts, mitigate risk, remedy impacts, develop effective grievance mechanisms, train relevant employees on human rights, engage with external stakeholders and publicly report on progress.
These expectations are not limited to the four walls of the company but extend throughout a company’s value chain and to all third parties contributing to it. Under the Guiding Principles, where companies have “contributed to” or “caused” human rights harm through a third party, they are expected to provide a remedy or participate in the provision of a joint remedy. Where companies are “directly linked” to human rights harm in their supply chain, they should pressure their third-party partners to understand human rights and reduce risk exposure, remedy current impacts and train business partners on their human rights obligations.
Emerging legislation is turning the ‘soft law’ Guiding Principles into enforceable ‘hard law’ in domestic courts. For example, the UK and Australian modern slavery legislation requires large companies to report modern slavery risks throughout their supply chains. The Netherlands now requires companies to conduct due diligence on child labour in their supply chains, and large French companies are required to conduct full human rights due diligence throughout all their companies and subsidiaries. Similar laws are under consideration in Switzerland, Germany, the US, and across the European Union (EU), as well as in other parts of the world. Victims are also actively using non-judicial systems as recourse to remedy where courts may not hear their cases, for example through the Organisation for Economic Co-operation and Development (OECD) national contact point system.
Beyond ethical and regulatory drivers, the investment management community is actively pressuring companies to raise the bar on human rights in their supply chain. Investment managers are increasingly combining financial and environmental, social and governance (ESG) evaluations in their investment decision models. Investor interest aligns with society’s increased support for ESG regulations, which have a strong overlap with human rights, and the financial opportunities in marketing ESG funds to an increasingly conscious society.
Finally, for business organisations the reputational risks connected to human rights harm are a major risk. Thanks to increased scrutiny by regulators and society, severe human rights harm can lead to media coverage, product boycott by customers, partners unwilling to engage in business relationships, and civil and criminal consequences.
Key human rights issues for companies and how to identify them
While each industry, sector and company are different, all companies have labour rights risks, which are documented in International Labour Organization (ILO) standards. These include rights to adequate working conditions, adequate pay (a living wage), premium pay for overtime, the right to form a union, the right to be free from discrimination anywhere in the workplace, and healthy and safe working conditions, among others.
Companies also have industry and company-specific human rights risks, which could range from impacts to communities, property acquisition, risk of products being used in harmful ways, and risks around privacy and emerging technologies such as artificial intelligence, to name a few.
Most companies begin identifying human rights risks by conducting a corporate-wide human rights assessment. The scope covers potential risks and impacts across the company’s operations and catalogues existing corporate-level controls. Follow-on targeted risk assessments in specific markets, products or services may provide a more detailed view of risk in narrower parts of the company.
This is no small task. Companies often spend at least six months to a year identifying human rights risk exposure. Some companies have small dedicated teams working full time on human rights, primarily responsible for identifying risks, developing risk mitigation techniques and conducting internal training on human rights.
In addition to these specific tasks, human rights should be embedded across an organisation in various functions. For example, internally, human resources, health and safety, and environment take care of protecting labour, as well as the health and safety-related rights of the workforce. For pharmaceutical companies, teams in the areas of clinical trials protect patients’ human rights. The diversity and inclusion function looks after equality in gender, disability and lesbian, gay, bisexual and transgender employees. Likewise, relevant third-party risk areas, such as labour rights, health and safety, and data privacy, cover key human rights aspects in their assessment process. The expertise of a dedicated human rights team further strengthens ongoing due diligence efforts.
Integrating human rights into TPRM
Third-party risk assessments include several domains: labour rights, environment, health and safety, information security, data privacy, anti-bribery, manufacturing quality, animal welfare and business continuity. The human rights team provides a broader lens to the risk areas above, by augmenting the risk assessments to identify gaps and bringing in topics that are especially relevant at any point in time. To avoid ‘boiling the ocean’, the risk assessments are selective, focusing on where human rights issues and business risks are most likely to occur.
Large companies with this type of TPRM process perform, in general, thousands of third-party risk assessments every year, with a mix of technology-based tools, such as automated information gathering and processing, specialised third-party evaluations, desk-based reviews and virtual or on-site audits. Risk assessment findings lead to remediation plans that positively impact communities by reducing impact on the environment, addressing modern slavery cases or addressing discriminatory hiring practices. If the findings are too severe and cannot be mitigated or remediated, this may lead to interruption or termination of the business relationship.
The Guiding Principles emphasise that identifying a human rights risk does not always mean that a company should immediately cease doing business with the third party. The preferred outcome is to engage with the third party to provide guidance or support on mitigating a risk, changing business practices and implementing sustainable management systems, even if this takes several years. Engagements could include targeted capacity building and remediation plans, development and rollout of a human rights management toolkit, and longer-term engagement models that may include meeting milestones along the way with key performance indicators (KPIs) and regular monitoring.
Doing more by working collaboratively
Regardless of your industry, only the largest companies may have enough leverage to meaningfully engage with and support third parties in enacting reforms. Joining forces with other companies can significantly improve an individual company’s leverage. To this end, many organisations engage through the pharmaceutical supply chain initiative (PSCI), working jointly to address a range of issues, including forced labour risks in collective supply chains, human rights risks associated with commonly used raw materials and to develop training materials specifically tailored to suppliers in the pharmaceutical industry.
Many other collaborative initiatives are bringing companies together to advance human rights understanding in their supply chains by developing common standards, certifications or approaches to working with third parties. When considering how to address issues in the supply chain, look to join forces with other companies who may have identified the same issues and are also looking for ways to address them.
Conclusion
Human rights concern us all. When interacting with third parties you have the unique chance to exercise a positive impact and drive change.
The “easy times of living with our eyes closed”, as John Lennon put it, are over. Tightened regulations and increasing pressure from investors and society no longer allow ignoring this topic for the sake of speed in business and cost-saving opportunities.
In the latest example, the coronavirus (COVID-19) pandemic revealed in dramatic fashion the vulnerability of human rights protection for many workers in global supply chains, perhaps evidenced most tragically in the temporary suspension of labour rights announced by several states in India.
Is your organisation equipped to handle such breaches in your supply chain? Are you equipped to respond to the challenge and exercise leverage through a collaborative industry network? It is not an impossible mission. As laid out in this article, measures can be applied effectively to embed different levels of human rights due diligence into the engagement and management processes of your third parties.
Human rights experts, either in-house or brought in externally, advising and upskilling your leadership and risk management teams are instrumental in building a strong foundation for awareness. Their work will lead to greater transparency and improved mitigation measures. To move the needle strategically on business and human rights, there are no shortcuts: industries must jointly flex their collaborative muscles to achieve meaningful, sustainable and lasting outcomes.
Peter Nestor is head of human rights, Gabriele Harttung is global head of human rights & third-party risk management and Andrea Orani is head of strategy, human rights and third-party risk management at Novartis. Mr Nestor can be contacted by email: peter.nestor@novartis.com. Ms Harttung can be contacted by email: gabriele.harttung@novartis.com. Mr Orani can be contacted by email: andrea.orani@novartis.com.
© Financier Worldwide
BY
Peter Nestor, Gabriele Harttung and Andrea Orani
Novartis