My friend and colleague John Sherman recently delivered a presentation entitled "Integrating Human Rights Risk Assessments into Enterprise Risk Management Systems" at the conference Engaging Business: Implementing Respect for Human Rights, held in Atlanta, Georgia, sponsored by the United States Council for International Business (USCIB), the U.S. Chamber of Commerce and the International Organization of Employers, and hosted by the Coca-Cola Company.
Mr. Sherman is a Senior Fellow at the Harvard Kennedy School's Corporate Social Responsibility Initiative, where he is an adviser to Professor John Ruggie, the Special Representative to the U.N. Secretary General for Business and Human Rights. He is a former Vice Chair of the Corporate Responsibility Committee of the International Bar Association and is a member of the UN Global Compact Human Rights Working Group. He retired in 2008 as Deputy General Counsel for National Grid, a major international utility company. Mr. Sherman is a graduate of Dartmouth College and Harvard Law School.
Mr. Sherman started by reminding his audience that enterprise risk management in its current form is a relatively new business process innovation. From his first encounter with it, about a decade ago, enterprise risk management proved to be a flexible and useful tool with benefits for the company and its stakeholders.
It was a top down, bottom up, collaborative annual assessment of all of the risks that kept us up at night as an organization. This wasn’t a mathematical, computer driven exercise, designed to reduce all risks to a single dollar number. Rather, it was based on face-to-face conversations and workshops throughout the company. We looked at all major risks to the company’s stakeholders, internal and external—including shareholders, employees, customers, suppliers, communities, regulators, and the environment, among others. These included many impacts that are covered by human rights, such as the right to life and the right to be free from discrimination. We assessed ways to mitigate the impact and likelihood of each major risk, and assigned responsibility to specific people in the organization to implement them. (John Sherman, Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems, supra).

Enterprise Risk Management serves a useful institutional purpose. It provides a framework for corporate monitoring that serves a large number of purposes. These include the corporate obligation to develop and integrate monitoring systems, an obligation that touches on the fiduciary duties of U.S. corporate directors (Stone v. Ritter, 911 A.2d 362 (Del. 2006)). It is also a critically important element of corporate compliance with monitoring and surveillance requirements under federal securities law. See, e.g., Larry Catá Backer, The Duty to Monitor: Emerging Obligations of Outside Lawyers and Auditors to Detect and Report Corporate Wrongdoing Beyond the Securities Laws, St. John's Law Review, Vol. 77, No. 4, p. 919 (2003). It serves the interests of management and its investor stakeholders and is related in direct and indirect ways to the core objective of corporate management: the maximization of shareholder/corporate value.
But the framework was not necessarily tied to the traditional sources of risk to corporations. As a system, it might also be usefully applied to emerging areas of corporate risk (or, better put, of corporate obligation to refrain from causing adverse consequences).
So when I first heard about human rights impact assessments a few years ago, I thought that it could be integrated with an enterprise risk management system like ours. I still think so, because the key challenge is embedding human rights impact assessments into a company’s DNA. That means ensuring that the process doesn’t expire shortly after the departure of the executive who initially promotes it. The insertion of foreign systems into a company’s bloodstream can generate antibodies that will attack it. So if a company already has an Enterprise Risk Management System—and the best-run companies do—a human rights impact assessment should be integrated into it. (John Sherman, Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems, supra).

Mr. Sherman first connected human rights due diligence to its source within the U.N.'s proposed Guiding Principles for business and human rights. See Report of the Special Representative of the Secretary-General on the issue of human rights and transnational corporations and other business enterprises, John Ruggie, Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework.
The commentary to Guiding Principle 17 says that:
Human rights due diligence can be included within broader enterprise risk management systems, provided that it goes beyond simply identifying and managing material risks to the company itself, to include risks to rights holders.
GP 17, Commentary, par. 3, p. 16. Moving to prioritization, the Guiding Principles focus on the importance of a human rights risk’s severity as the key factor in prioritizing company action. GP 24 provides that:
Where it is necessary to prioritize actions to address human rights risks and impacts, business enterprises should first seek to prevent and mitigate those that are most severe or where delayed response would make the impact irremediable.
By their very nature, the severity and irreparability of impacts on life and safety are self-evident. But there is no hard and fast definition. (John Sherman, Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems, supra).
Enterprise Risk Management grew in stature and power in companies in response to the need for companies to address the impact of their business on external stakeholders. Historically, therefore, Enterprise Risk Management was never focused solely on the risk to company shareholders. From the start, it has included the perspectives of all of the company’s important stakeholders, both internal and external.
Contemporary enterprise risk management principles have carried this view forward. ISO 31000, entitled “Risk Management—Principles and Guidelines” is the global risk management standard adopted by the International Standards Organization in 2009. It was created through the same international consultative process that led to the development of ISO 26000 in 2010—that’s the international standard organization’s Guidance on Social Responsibility, which contains a chapter on human rights due diligence inspired by the Protect, Respect, and Remedy Framework. (John Sherman, Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems, supra).
Thus, for Mr. Sherman, "an ongoing and dynamic human rights impact assessment that looks at impacts from the perspective of the rights holder is well within the scope of ISO 31000." (John Sherman, Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems, supra). Conceptually, then, enterprise risk management appears up to the task of serving as a structural framework for incorporating human rights due diligence within corporate cultures of monitoring and behavior assessment.
But ISO 31000 also serves another purpose: it helps a company determine how to respond to the information its monitoring and assessment systems bring to light. The Guiding Principles suggest that corporations do not choose between human rights. Yet there is an element of prioritization in responses to negative human rights impacts that suggests the need to create hierarchies of responses that mirror or parallel the prioritization of risk in other areas.
Severity and likelihood are typically linked, but there are circumstances—and human rights impacts are one of them—in which likelihood must take a back seat to severity in determining the priority of a company’s response. The reason is something called “risk tolerance”—which is a concept that most risk managers understand. Take the old Ford Pinto case as an example. A company’s shareholders may be able to “tolerate” the economic consequences of a wrongful death suit from a poorly designed gas tank that explodes in a collision. But from the perspective of the driver and her children in the car, the consequences are intolerable. And this is the perspective from which a human rights impact must be assessed. This is not as much of a conceptual hurdle for companies that recognize that the perspective of external stakeholders must be factored into their risk assessments. (John Sherman, Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems, supra).

Mr. Sherman here acknowledges a point of potential tension between risk assessment systems, like the enterprise risk management system, and the fundamental approach of human rights due diligence, which is grounded in the presumption that the object of assessment is to prevent and mitigate all adverse human rights impacts of corporate activity. Yet there may be common ground between the risk assessment approach, with its tolerance for risk, and the impacts approach of the Guiding Principles. Guiding Principle 24 provides that
Where it is necessary to prioritize actions to address actual and potential adverse human rights impacts, business enterprises should first seek to prevent and mitigate those that are most severe or where delayed response would make them irremediable. (Guiding Principles, Principle 24).

The Commentary to the Guiding Principles emphasizes that prioritization is tolerated but that risk tolerance falls outside the parameters of the Principles. That is, the Guiding Principles suggest that one need not remediate or avoid all adverse impacts at once, but that over time all adverse impacts must be addressed, and none may be tolerated merely because, for example, the cost to mitigate exceeds the short-term financial cost to the company.
While business enterprises should address all their adverse human rights impacts, it may not always be possible to address them simultaneously. In the absence of specific legal guidance, if prioritization is necessary business enterprises should begin with those human rights impacts that would be most severe, recognizing that a delayed response may affect. (Guiding Principle 24, Commentary).

Mr. Sherman suggests that enterprise risk management systems can be adapted to this orientation toward impact assessment and remediation by moving from an internal to an external assessment framework. For that purpose, ISO 31000 again provides a conventional basis for the operation.
ISO 31000 asks companies to appreciate the tolerance of risks by those external stakeholders who must bear the risk, knowingly or unknowingly. One company can agree with another company about who should bear the risks of a transaction, or they can buy insurance, in order to achieve a risk tolerance level that is comfortable. But these options are not available to those whose human rights are infringed upon by business conduct. Moreover, they may not even know that they are assuming a risk. (John Sherman, Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems, supra).

Mr. Sherman reminds us that such an impacts approach, rather than a tolerance-assessment approach, is not unknown in conventional business responses to risk.
The importance of severity in prioritizing company response to human rights impacts is highlighted by a trio of recent corporate disasters—the global financial liquidity crisis in 2008; the Macondo well blowout in the Gulf of Mexico in 2010; and the Fukushima nuclear power plant accident in 2011. Each had severe human rights impacts. Each was thought virtually impossible the year before it happened. Yet few are saying that the seemingly low likelihood of these disasters justified taking less than the most robust and rigorous steps to prevent them from occurring. It simply makes sense from the perspective of all stakeholders—internal and external—to prevent these severe impacts from happening. (John Sherman, Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems, supra).

Substitute "adverse human rights impact" for "severe" and you have the essence of an enterprise risk management system in which the monitoring and assessment of risk remain identical but in which remediation and avoidance are substituted for cost balancing. It is in this sense that business has already developed the infrastructure for human rights due diligence. It has the tools for the job, and it has already wholly embraced the culture of monitoring, surveillance and reporting at the heart of any assessment program. The difference, and perhaps the critical one, lies not in assessment but in the consequences of assessment.
For human rights risks, assessment always leads to remediation if necessary and avoidance if possible. The only real questions are how and when. For other risks, the traditional approach of remediation rather than avoidance, where the cost of remediation is smaller than that of avoidance, remains a viable alternative. That is not the fault of the company, nor any criticism of the approach that produces risk tolerance. Rather, it suggests that the system of laws under which the state complies with its human rights duties may require adjustment. The use of tort and contract principles for the assessment of the impacts of risks itself promotes, within law-state systems, the incentive toward risk tolerance and post facto compensation that emerging human rights regimes suggest is fundamentally flawed. The Guiding Principles, especially Principle 1, suggest that perhaps the greater deficiency lies not with companies, which comply with the law and reasonably react to the incentives provided through law by the state. Rather, the greater fault lies with states, which have imposed through law a system that encourages the sort of risk tolerance that is built into the culture of corporate activity. Changing the law, rather than changing corporate behavior despite the law, should be the primary task of states that seek to comply with their own duty to protect human rights under the Guiding Principles.