Over the past several years, companies have been dramatically increasing their focus on risks associated with environmental, social and governance issues, and human rights in particular (ESG/HR). These have led a growing number of companies to create dedicated ESG/HR compliance programs or management systems. While managing these issues and impacts is increasingly critical, given the interconnectedness of virtually all international regulatory compliance-related risks – including anti-corruption, sanctions and trade controls, and money laundering, to name a few – it is important also to consider how ESG/HR risks can be integrated into broader, more comprehensive compliance programs. This post, the first in a series, outlines the approaches that businesses are starting to take.
The Rise of Business and Human Rights Risks to Companies
Over the past several years, ESG/HR-related compliance risks for companies have continued to grow. These include high-profile litigation in the U.S. and elsewhere premised on alleged human rights violations (the subject of a detailed future posting). Current examples include the U.S. Supreme Court considering another major case under the Alien Tort Statute, the U.K. Supreme Court considering another case seeking to hold a parent liable for alleged abuses by a foreign subsidiary, a recent Canadian Supreme Court holding that Canadian corporations can be sued in tort for violations of international human rights norms that occur abroad, and a Dutch Supreme Court ruling that protecting citizens from climate change is a human rights issue. There are dozens of civil cases in U.S. courts against hospitality companies under the Trafficking Victims Protection Reauthorization Act, major human rights cases pending against the extractive sector in Canada, South Africa, and elsewhere, a group action involving a tobacco company in the U.K., roughly 25 OECD National Contact Point Specific Instances filed against companies each year, cases in U.S. state courts premised on deceptive trade practices because of human rights marketing, and numerous other cases involving a wide span of sectors progressing in other courts around the world. In addition to litigation, business and human rights-specific legislation continues to expand. Modern Slavery Acts now exist in the U.K. and Australia and are being considered in Canada and elsewhere. The U.S. enacted specific legislation in June of this year in relation to alleged abuses in the Xinjiang Uighur Autonomous Region of China. The EU and more than a dozen EU member states are actively considering laws that would require companies to undertake mandatory diligence that encompasses human rights. The U.K. Criminal Finances Act allows the government to seize profits connected to gross human rights abuses. U.S. Customs and Border Protection is actively seizing goods at the border suspected of having been created with forced labor under Section 307 of the 1930 Tariff Act, the U.S. government has included similar requirements in the USMCA (the new NAFTA), and it is incorporating related human rights standards in foreign aid packages. In short, human rights has grown into a standalone international regulatory compliance field with breaches that now carry sharp business and legal risks.
At the same time, however, we have seen ESG/HR increasingly integrated into other international regulatory areas. The UN, leading global business groups, TRACE International and others have identified the close connection and correlation between human rights and anti-corruption. As they make clear, human rights violations can lead to corruption, and corruption can lead to human rights abuses. Inspectors might be paid to ignore forced or child labor, licenses might be improperly granted to buildings with rampant safety code violations, and customs agents might be asked to look the other way as people are trafficked across borders. Evidence of a human rights violation is, in anti-corruption parlance, a red flag of corruption, just as evidence of corruption is a red flag for a human rights violation.
Likewise, ESG/HR is being integrated into sanctions, export control and AML regimes. Global Magnitsky Acts now exist in multiple countries, including the U.S., Canada and the U.K. These acts are being employed to strictly limit the economic activity of individuals and entities associated with alleged human rights abuses, such as rigged elections in Belarus, forced labor in China, and security abuses in Iraq, Nigeria and Burma. Similarly, over the past year, some 50 companies – and dozens more subsidiaries – have been added to the U.S. Department of Commerce’s Entity List for allegedly enabling human rights abuses in Xinjiang, making it difficult for them to purchase products from U.S. suppliers. Further, in September an Australian bank settled with the Australian financial crime agency for $1.3 billion for lax AML controls that led to some 250 transactions consistent with child exploitation. In October 2020, the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) issued updated guidance to financial institutions on red flags associated with human trafficking, and trafficking is included as a box on suspicious activity reports. See Recent FinCEN Advisory Targets Recognition of Human Trafficking, at https://www.paulhastings.com/publications-items/blog/international-regulatory-enforcement/international-regulatory-enforcement/2020/11/03/recent-fincen-advisory-targets-recognition-of-human-trafficking.
Establishing a System or Program
These developments increasingly point to a need to create systems and processes that focus on ESG/HR compliance, and to integrate them into other areas of international regulatory compliance. Most obviously, AML, export controls, anti-corruption and sanctions programs should consider human rights issues, whether as red flags, as part of diligence exercises, or otherwise. For instance, a company deciding to finance an initiative designed to bring potable water to a community in need is a laudable goal. However, it can also lead to risks of fraud, corruption and conflicts of interest if the entity used to manage the project, for instance, is owned (directly or indirectly) by a government official pivotal to the company’s ability to build its plant and hire workers. It can also lead to a diversion of funds away from the water project into the pockets of the government official, thereby undermining the very goals of providing potable water to the community.
Given these developments and increasing vulnerabilities, companies are well-advised to establish management systems or compliance programs to address ESG/HR risks, and to integrate them into existing compliance systems. Shaped by the UN Guiding Principles on Business and Human Rights (“UNGPs”), the leading set of business and human rights guidelines, best practices in compliance programs that should be leveraged to address ESG/HR risks include the following six areas. Each is described generally here, and will be explained in greater detail in a series of subsequent posts.
- Governance. ESG/HR programs generally have a governance structure that includes (a) board-level oversight, with a board or committee charter encompassing all compliance-related risks and expressly including ESG/HR risks, and (b) day-to-day supervision of an appropriately tailored compliance program by one or more senior officers that expressly includes ESG/HR. Indeed, there are growing legislative expectations, and sometimes requirements, that corporate boards oversee salient human rights risks. For instance, the U.K. and Australian Modern Slavery Acts, and the pre-draft of the EU legislative directive on mandatory diligence, create board-level responsibilities. Further, enforcement agencies such as the U.S. Department of Justice consider the effectiveness of a company’s compliance program, including how well it has assessed and addressed its full myriad of risks, in determining how the agencies will handle a company engaged in questionable practices. Finally, there is a growing line of cases looking more critically at whether a company’s board of directors fulfilled its fiduciary duty in its oversight of the company’s legal, regulatory and operational risks, moving away from tradition. Therefore, assigning day-to-day program management to senior personnel, with active oversight by the board, provides the program with gravitas and internal authority and allows for more effective implementation, understanding of its effectiveness, and defensibility. As part of this governance structure, personnel with authority for the ESG/HR program can be expected to report on the status, progress and challenges in the program, with appropriate organizational metrics and key performance indicators.
- Policies & Procedures. ESG/HR programs have a high-level commitment incorporated into a company Code of Conduct adopted by the board of directors, supported by a distinct human rights policy or standard, with implementing procedures. As the UNGPs make clear, a human rights policy should apply throughout the organization and to third parties, detail the company’s stance regarding respecting human rights, define human rights to include the International Bill of Human Rights and International Labor Organization’s core conventions, and identify other key instruments and principles the company follows. The policy generally is further supported by relevant procedures, such as immediate escalation of concerns, supplier or third party codes of conduct, and relevant functional unit management systems that incorporate human rights components, which can be tailored and localized to best address the issues and risks that arise in practice at relevant operating locations. It is further important to create a policy coherence with other international regulatory and compliance areas, to best develop an integrated and coordinated approach.
- Diligence, Risk Assessments, and Program Testing. Critical to an ESG/HR program are due diligence, risk and impact assessments, and program testing. These identify the company’s actual and potential inherent risks, the degree of adherence to the company’s processes to address those risks, the effectiveness of those processes in mitigating inherent risks, and any actual, potential and perceived impacts on individuals and communities. Assessment exercises can include desktop research, a review of policies, procedures and standards, and on-the-ground interviews with employees and stakeholders. While some companies conduct some or all of these exercises separately for regulatory functions, companies increasingly are undertaking integrated diligence approaches, seeking to create efficiencies and best leverage the results in assessing risks and mitigating measures.
Diligence also is undertaken for potential employees and third parties. General pre-screening questionnaires may include questions related to past issues that raise human rights red flags, such as accusations of forced labor, litigation, discrimination, security-related abuses, or other controversies. Internet and database searches also encompass such issues. Enhanced diligence is undertaken for potential employees or third parties in functions closely connected to a company’s salient ESG/HR risks, or where red flags are present. Further, to mitigate potential risks, ESG/HR expectations can be included in job applications, RFPs, and agreements, training can be provided, performance can be closely monitored and documented, post-engagement third-party assessments can be done, and diligence can be periodically refreshed, among other steps.
- Training. Training is another critical component of a human rights program. That can include live trainings, e-trainings, just-in-time trainings, and workshops. Further, while companies often pursue generic ESG/HR training that is delivered globally, tailored training is critical for employees and third parties who because of their job function, or personal or professional histories, may have enhanced risks of negative impacts or who otherwise may be in a position to influence the company’s performance. Indeed, training that effectively seeks to connect different areas of regulatory compliance will help break down traditional silos that have prevented compliance functions from operating at peak capacity.
- Grievance Mechanisms. As UNGP 29 makes clear, companies are expected to establish operational grievance mechanisms “accessible directly to individuals and communities who may be adversely impacted by a business enterprise.” These are designed to allow individuals and communities to raise concerns directly to the company, provide information and insights to the company, and reduce tensions and problems that can escalate to human rights abuses. When the company has caused or contributed to a negative impact, it is expected to take steps to remediate the issue. Remedy can mean different things in different circumstances, and encompasses a wide range of potentially appropriate actions, from compensation to apologies to prevention of recurrence.
- Reporting. There are an increasing number of mandatory and encouraged ESG/HR reporting requirements around the world. These range from the EU non-financial reporting directive, to modern slavery acts, to the new EU conflict mineral regulation. Indeed, UNGP 21 itself states that companies should provide details regarding their approach to addressing human rights risks and that formal reporting should exist where their operations or operating contexts pose risks of “severe” impacts. Many companies make public their policies and procedures and overall program approach, and disclose explicitly their salient human rights risks and the various steps they take to mitigate them. They also often publish relevant metrics, such as the number of human rights grievances filed, the number of individuals trained, and other similar data. Companies similarly often provide public information related to their anti-corruption programs and some provide further detail related to revenue transparency and similar matters.
The growth of ESG/HR – as its own compliance area and as part of other international regulatory schemes – has been rapid and comprehensive. It is continuing to gather momentum and will expand at least for the foreseeable future. Instituting a program, and integrating substantive ESG/HR issues into other international regulatory programs to develop a holistic means of addressing company risks, is becoming a business imperative, protecting the company and its stakeholders from the harms that can arise.