I have recently been working with NAVEX on a series of events and webinars regarding the emerging field of Human Rights Impact Assessments. As part of that work, I co-authored a two-part series with Robert Smith of Serco Group Plc.
The following blog is cross-posted from the Q&A Robert and I wrote after we received a huge number of questions during the Human Rights Impact Assessment how-to webinar.
Welcome to part two! If you missed my previous post, click here to read the first part of this series in Risk & Compliance Matters.
Please enjoy my Q&A answers with Robert.
Most of Kristy’s focus was on "how" goods and services are produced. Robert mentioned "what" services are being offered (e.g., defense, immigration) was also in scope. Do the regulations focus on the former, latter or both?
Robert: Human rights is about risks to people. So, the goods and services are about the people that are producing, making or providing them. Equally where you provide a service that has a duty to other people, then there are potential rights breaches. The principles applied are the same, you are just looking at the same potential impacts through a different lens. The regulations generally are set up for the former, but the principles in them apply to both (i.e., if an action by you or someone who works for you breaches human rights of another person, then you will be in breach).
Kristy: The laws differ in how industries are reviewed – the “what” as you’re describing it. The draft EU Corporate Sustainability Due Diligence Directive names three “high-impact sectors,” namely textiles, agriculture, and the extraction of minerals. Companies operating in these sectors will be subject to the law sooner (in Group 2) regardless of the size of the company.
The “what” assists in creating your risk-based approach. There are several resources that can help you determine whether your products, or products created in your supply chain, are likely to be high risk. A good place to start is with the Annual U.S. Trafficking in Persons Report: Information by country, including details on industry risk.
How often do these assessments result in opening an investigation and reporting to authorities?
Monitoring your assessment of human rights should be part of the regular process you have for managing any risk. The level of probability and potential impact needs to be considered in the level and frequency of review. By understanding the impacts, you can educate the organization so potential breaches can be highlighted through regular speak-up channels.
As human rights are so broad, you will already be investigating human rights-related issues. For example, a speak-up report relating to unsafe work practices is in fact a potential breach of human rights – everyone has the right to the highest attainable standard of protection against natural and man-made hazards. Similar grievances against unfair treatment etc., could also fall under it. Like any issue that is investigated, if you believe there is a breach, and it is something covered by a regulatory authority, then you will need to report just as you would a significant bribe or instance of fraud. Your focus and consideration when it comes to regulatory reporting should be on salient human rights – i.e., those that are the most severe potential negative impacts on human rights.
Most severe: defined in the UN Guiding Principles as those impacts that would be greatest in terms of:
➡️ Scale: the gravity of the impact on the human right(s); and/or
➡️ Scope: the number of individuals that are or could be affected; and/or
➡️ Remediability: the ease with which those impacted could be restored to their prior enjoyment of the right(s).
Potential: meaning those impacts that have some likelihood of occurring in the future, recognizing that these are often, though not limited to, those impacts that have occurred in the past;
Negative: placing the focus on the avoidance of harm to human rights rather than unrelated initiatives to support or promote human rights;
Impacts on human rights: placing the focus on risk to people, rather than on risk to the business
How do you scope an assessment? Do you review the whole company for all human rights issues? Or if you select certain business lines and/or certain geographies and certain standards to review, how do you choose?
A simple way to start is to hold a workshop with relevant stakeholders. Down the side of the list, identify the standard set of potential human rights (the 30 rights as defined in the UN universal declaration on human rights is a good list). Then along the top, list your areas of business or services, and tick off those that are relevant. Then for each consider probability and potential impact. This will filter down the long list of rights and the areas of the business where they might need to be considered. For those areas where you believe there may be salient human rights impacts, you then do a full impact assessment.
Remember to consider the different lenses, and consider how you might be involved with adverse human rights impacts:
➡️ You might cause adverse impacts. For example, if employees are injured due to unsafe working conditions
➡️ You might contribute to adverse impacts. For example, if purchasing practices incentivize suppliers to force workers into unpaid overtime to meet contract requirements
➡️ Your operations might be directly linked to adverse impacts. For example, if forced labor or child labor is used in developing something that we need to use, despite our reasonable efforts to avoid these outcomes
It is therefore important to understand where you might cause, contribute or be linked to human rights abuses through your operations, directly or indirectly, through your relationships with other entities.
➡️ Legal and social – covering relevant human rights laws and practice
➡️ Customer – covering whether potential connections to adverse human rights exist
➡️ Third parties – covering in particular business partners and key suppliers
➡️ Activity – covering the services we will be expected to deliver
In your opinion, would it be possible to algorithmize this impact assessment scheme and proceed to this evaluation using software? In other words: do you think it is possible to automate the human rights impact assessment procedure?
Robert: If we were assessing the risk of bribery and corruption, I believe you could. However due to the subjective nature of human rights, and the fact you are talking about impacts to people, I believe you need to consider each in the context of your business. You can use data sources including screening due diligence to inform your thinking, but I can’t see an algorithm doing the work for you.
Click here to watch a recording of our webinar, “Human Rights Impact Assessments: A How-To Guide,”.