I. Introduction
This article seeks to answer the question whether and under which conditions business corporationsFootnote 1 can fulfill responsibilities pursuant to the UN Guiding Principles on Business and Human Rights (UNGPs)Footnote 2 by integrating human rights due diligence into their existing corporate risk management systems. The question arises because some business corporations may separate the management of human rights issues from managing risks.Footnote 3 Other business corporations, however, may consider that conducting human rights due diligence in an isolated manner would create process redundancies. Many elements of human rights due diligence would already be covered by existing due diligence tools and processes that assess and deal with social and environmental risks, for example Social Impact Assessments (SIA), Environmental and Social Impact Assessments (ESIA), Labour Audits, Health Impact Assessments (HIA), Security Risk Assessments and so on.Footnote 4 It will be argued in this article that the UNGPs do, indeed, envisage human rights due diligence as a risk management task. And further, it will be suggested that managing the risks of adverse human rights impacts pursuant to UNGPs requirements is conditional upon treating human rights respect as a corporate objective that determines a corporation’s strategic concerns. For the risk management process this would imply that business-related adverse human rights impacts are defined and managed as vulnerabilities for the business corporation. To the extent that this does not happen, human rights risk could only be managed as a ‘social risk’, a term that herein will refer to the actual and potential leverage that people or groups of people with a negative perception of corporate activity have on the business’s (financial) value. 
The goal of human rights due diligence under the UNGPs, by contrast, is to prevent or mitigate ‘human rights risk’, which the commentary to the UNGPs does not define as a ‘social risk’, but as the ‘business enterprise’s potential adverse human rights impacts’.Footnote 5 This article will demonstrate the difficulties for business corporations in dealing with social risks and preventing or mitigating human rights risk in a single coherent process, even if—to some extent—these risks may converge.Footnote 6 At each step of the risk management process, different approaches apply to the treatment of social and human rights risks respectively.Footnote 7 First, social risk is identified differently than human rights risk, meaning that different knowledge becomes relevant for risk identification. Second, social and human rights risks each require different assessment methods. Third, human rights and social risk reduction measures differ from each other, and finally, risk management systems addressing a business’s social risks allow for certain trade-offs that would be unacceptable under the UNGPs.
This article is structured as follows. First it will explain that the UNGPs ‘human rights due diligence’ concept has been informed and shaped by corporate risk management frameworks, in particular ‘Enterprise Risk Management’ (ERM) models.Footnote 8 In the subsequent sections, the dissimilarities between human rights due diligence and a corporate risk management system that ultimately serves a corporate value maximization objective will be spelled out. To begin with, the concept of ‘human rights risk’ will be opposed to that of social risk. The ensuing sections demonstrate how this difference affects each step of the risk management process. Then, this article will draw implications from the conclusion that the integration of human rights due diligence into corporate risk management frameworks depends on the business corporation’s willingness to acknowledge human rights respect as a business goal that orientates corporate strategy. The final section concludes with an outlook regarding the implementation of human rights due diligence with the objective to manage human rights risk.
II. Human Rights Due Diligence and Risk Management
In the preparatory work for the UNGPs, business-related human rights issues were regularly expressed in terms of risk and risk management.Footnote 9 Risk management was viewed as the ‘foundation’ of corporate responsibility and access to effective remedy.Footnote 10 Therefore, the human rights due diligence standard of the UNGPs is at least not primarily to be understood as a liability standard that exerts a certain standard of care, against which a business enterprise’s actions are judged in order to attribute ex-post responsibility. Human rights due diligence under the UNGPs consists of a managerial process that is to operate as a prophylactic measure, whereby the term ‘responsibility’ is forward-looking. John Ruggie is quite clear on this point when he explains that the UNGPs preferred a prevention-orientated ‘risk management’ approach over the ‘enterprise liability model’.Footnote 11 The UNGPs due diligence requirement, despite its voluntary nature, could be associated with enhanced risk-based approaches to regulation that provide for mandatory obligations of companies to implement risk management processes.Footnote 12 Such risk-based regulatory approaches seek to leverage on a regulated entity’s internal control processes and governance systems for solving public interest problems.Footnote 13 With regard to norm design, the UNGPs due diligence provisions resemble international standards that stipulate holistic approaches to risk management, notably the standards put forward by the International Standards Organization (ISO) and the Committee of Sponsoring Organizations of the Treadway Commission.
The ISO defines ‘risk’ in risk management processes as the ‘effect of uncertainty on objectives’, where ‘uncertainty’ is understood as a ‘state, even partial, of deficiency of information related to a future event, consequence or likelihood’.Footnote 14 While this risk definition might raise questions,Footnote 15 it does make clear that risk management essentially provides a system that establishes a relevant knowledge base for managers who are held to make informed decisions in the interest of the organization they are serving. Just as risk management techniques are designed to increase knowledge about risk so that the managers of an organization can better pursue its objectives in the light of this knowledge, human rights due diligence is designed to increase knowledge about human rights violations so that managers better know how to prevent and mitigate them.Footnote 16
Human rights due diligence, as it is set out under UNGP 17, was modelled on existing practices by which companies manage risk, in particular with regard to social and environmental issues.Footnote 17 The parallels between human rights due diligence and ERM become conspicuous if one compares the constituent elements of human rights due diligence with renowned ERM frameworks. UNGP 17 names the four elements that constitute ‘human rights due diligence’: (a) assessing actual and potential human rights impacts, (b) integrating and acting upon the findings, (c) tracking responses, and (d) communicating how impacts are addressed. Each of these steps could be matched up with one of the elements of the COSO ERM framework, which comprises ‘event identification, risk assessment and response, control activities, information and communication and monitoring’.Footnote 18
Risk management frameworks that deal with social and environmental risks are also like human rights due diligence in the sense that both must employ risk management methods other than conventional ones to be effective. Risks stemming from social concerns often arise in complex and, at times, unpredictable environments, possibly resulting in unforeseeable consequences. Conventional risk management methods that are employed for dealing with known probabilities of frequently occurring events are generally inadequate in this respect.Footnote 19 With regard to social risks, a business corporation is well advised to use enhanced, qualitative analytical risk management tools such as ‘scenario planning’, ‘trial and error learning’ and ‘selectionism’ that address rare, unforeseeable or complex events.Footnote 20 In these contexts stakeholder engagement could play a central role. ‘Stakeholder engagement’ can be considered to be a risk management technique or at least supportive of risk management insofar as communication and dialogue with stakeholders increases relevant knowledge about stakeholders, making their behaviour more predictable, or enabling the corporation to better influence them, both of which would reduce uncertainties that give rise to stakeholder-related risk.Footnote 21 The UNGPs, likewise, do not consider conventional risk management techniques to be sufficient for carrying out human rights due diligence. UNGP 18 states that meaningful consultation with affected people and other stakeholders is necessary for human rights risk assessment. Ruggie points out that the integration of human rights risk management would necessitate ‘an inherently dialogical process that involves engagement and communication, not simply calculating probabilities’.Footnote 22
These parallels between human rights due diligence and social risk management (in so far as the latter is enhanced by techniques that more appropriately deal with social concerns) point to the conclusion that human rights due diligence pursuant to UNGPs 17–19 could be essentially viewed as a risk management framework. However, its integration into an ERM system, whose principal purpose is to address a business corporation’s vulnerabilities, faces a set of difficulties that will be specified in the following sections.
III. Human Rights Risk Unlike Social Risk
While risk management uses positive techniques, it is not normatively neutral.Footnote 23 Risks emerging from complex human activity give rise to social expectations of risk managementFootnote 24 that influence the decision as to which risk to manage and how to delineate it. The definition of risk implies a host of moral choices and policy priorities that encode the process and affect the decisions that that process will recommend.
‘Social risk’, defined here as the actual and potential leverage that people or groups of people with a negative perception of corporate activity have on the business’s (financial) value, is a determinant of risk exposures for the business corporation.Footnote 25 The normative justification for social risk management, thus understood, is that managers fulfil responsibilities that they owe to the stakeholders that have a legitimate interest in the perenniality and profitability of the business corporation. Business management has long acknowledged the importance of managing social risk. This is particularly true for the extractive sector, in which activities tend to take a heavy toll on communities located in the vicinity of the business’s operations. Social risk management’s objective in such cases is to secure the acceptance or approval by local communities and stakeholders of a business enterprise’s operations or projects in a certain area. In practice, businesses claim to have obtained a ‘social license to operate’ (SLO) to indicate that their activities are considered as legitimate in the eyes of society.Footnote 26 The purpose of managing social risk is to facilitate business activity, in particular when and where it could be perceived as socially contentious.
While the UNGPs have been drawn up against the backdrop of corporate risk management practice, the corporate responsibility to respect human rights has a different normative trajectory than mandating social risk management. The relevant risk for fulfilling corporate responsibilities under the UNGPs is ‘human rights risk’, which is defined as a business enterprise’s potential adverse human rights impacts. Since an ‘adverse human rights impact’ occurs when an action removes or reduces the ability of an individual to enjoy his or her human rights,Footnote 27 the assessment of human rights risk not only requires analyzing potential harm, but also makes necessary a normative judgment whether such harm qualifies as a human rights violation. Human rights risk therefore determines normatively qualified exposures for people who do not necessarily have any stake in the business. The raison d’être of human rights risk management is not to fulfil responsibilities owed to persons who have an interest in the corporation’s success, but to meet responsibilities owed to people, whose human rights could become exposed due to or in the context of a business corporation’s activities.
That the conceptual differences between social risk and human rights risk have strategic and operational implications for managers, who have to assess and judge issues on the ground, will be demonstrated in the following sections.
IV. The Problem of Policy Integration
As mentioned, ERM frameworks help an organization integrate fundamental policies throughout all of that organization’s operational functions. The International Organization for Standardization recommends integrating the risk management process into an organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture.Footnote 28 Under an ERM approach, the function of risk management is not only to create a common risk terminology throughout the organization, but also to support organizational objectives that are determined by organizational culture and values.Footnote 29
The implementation of human rights due diligence through a comprehensive ERM system offers an appealing prospect: ERM could become instrumental for making human rights respect a routine managerial process that permeates the entire organization. An ERM system, which requires an internal environment that is conducive to better enterprise risk management, could principally include the adoption of a dedicated human rights policy, provided, however, that such policy becomes ingrained in the organization’s ultimate objectives. This is a consequence of the ERM’s general purpose, which is to provide a coherent and comprehensive system of risk management that is informed by the business’s goals and strategy.Footnote 30 The promise of regulating corporate behaviour by asking businesses to implement risk management processes lies precisely in leveraging managerial routines that are compatible with a business corporation’s strategy to achieve desired prophylactic effects.Footnote 31 Now, nothing in an ERM framework prevents an organization from paying adequate respect to human rights even if this does not create value. In the specific case of a business corporation, however, this would mean that its supposed value maximization objective would become subject to the condition of adequate human rights respect, possibly as a ‘necessary cost of doing business’.Footnote 32 In theory, business managers could establish human rights respect as a corporate goal and determinant of corporate strategy beyond regarding human rights respect as a mere operational issue.Footnote 33
Consider a construction company that seeks to establish a branch office in a target country, because the company sees great potential to develop its business there, and suppose that the application of the target country’s laws effectively results in a denial of freedom of association. If human rights respect were treated as an operational issue only, the human rights issue would be addressed once the branch is operating and the contradictions between compliance with local laws and human rights respect practically surface. Treated as a strategic issue, the company would query the human rights situation of the target country prior to the investment decision and could come to the conclusion that the unavoidable conflict between human rights respect and local law would weigh heavily against the otherwise lucrative investment. By contrast, if human rights respect were viewed through the lens of social risk only, the company would hardly reconsider its decision to invest in the target country, as long as the absence of effective freedom of association does not endanger the company’s assets or reputation.
The question whether or not human rights respect should become a strategic consideration for a business corporation is circumvented by the popular notion that there would be a ‘business case for respecting human rights’, meaning that managing human rights risk would eventually and systematically lead to a better management of social risks.Footnote 34 If this was true, there would be no need to have human rights issues determine corporate strategy, because respecting human rights would already be instrumental to achieving a corporation’s value maximization objectives. The ‘business case for human rights respect’ is predicated on the premise that a corporation’s strategic interests with regard to maximizing value and the interest of the rights-holder not to have human rights violated would, at least in the long term, be largely aligned. Some organizations and authors have expressed a fair amount of optimism in this respect. The Institute for Human Rights and Business (IHRB) conducted interviews with several business managers and found that most of them understood that while traditional business risk approaches were not adequate in understanding the risks the most vulnerable people face, they believed that in the ‘medium’ or ‘long-term’ business risks and human rights risks would converge.Footnote 35 We find similar expectations expressed in some human rights recommendations for businesses.Footnote 36 The Human Rights Reporting and Assurance Frameworks Initiative (RAFI) states that human rights respect would improve a business corporation’s risk management ‘with less chance of business disruptions, public campaigns and criticism, litigation, reputational harm, and harm to employee retention and recruitment’.Footnote 37 In their ‘sustainable approach’ to risk management, Spedding and Rose argue that managing human rights risk reduces a business’s value at risk.Footnote 38 Taylor et al contend that human rights due diligence could result in lower costs and higher profits for the corporation.Footnote 39 These views are seconded by the view that the integration of human rights due diligence into risk management processes could bring to the surface hidden costs to the business by introducing new forms of gaining knowledge and assessing risk, such as dialogue with local communities, and cooperation with NGOs.Footnote 40 Business for Social Responsibility (BSR) contends that there is actually ‘increasing evidence that risks to human rights frequently converge with risks to business’ and that ‘where the most severe human rights impacts are concerned, this convergence is particularly strong’.Footnote 41
Strikingly, none of the abovementioned positions provide, or are built on, evidence that would reliably confirm their hypothesis that a business’s social risk and human rights risk tend to converge in the long run. To date, the evidence that negative human rights impacts regularly affect firm value negatively is in fact quite thin, and where there is some evidence, it is at most indirect.Footnote 42 For example, when Davis and Franks exemplify ‘social costs’ for extractive industries in terms of lost productivity due to temporary shutdowns or delay, presenting a list of 33 different types of cost, they do not measure the costs that a human rights violation would generate for a business corporation, but rather the financial consequences of a business’s conflict with local communities.Footnote 43 Follow-up research would have to prove the linearity between such ‘costs of conflict’ and costs that human rights violations represent to the business. While it is entirely plausible that business-related human rights violations could eventually result in losses for a business corporation, the contrary view, namely that a lucrative business opportunity or the effective prevention of financial harm to the business, even in the long term, comes at the cost of tolerating or contributing to human rights abuse, does not appear implausible.Footnote 44
For the moment, talking about how human rights violations may result in losses to the business, or insisting that human rights due diligence could effectively reduce a business corporation’s operational risk,Footnote 45 could be considered in some cases to be a supporting argument to persuade business managers to adopt human rights due diligence routines, rather than an accurate representation of the current level of empirical evidence.Footnote 46 While evoking the business case as a supportive argument might be a pragmatic way to convince business managers to actually implement the UNGPs, it tends to evade potential conflicts, even long-term, between corporate value-maximization objectives and human rights respect.Footnote 47
Without addressing these conflicts on a business corporation’s highest strategic level, ERM frameworks can hardly integrate the management of risks for rights-holders and the management of social risks to the business in a coherent system, as will be shown in the following sections.
V. Risk Identification: Relevant Knowledge
The definition of risk has consequences for the entire risk management process. Risk and the ‘exposures’ that are at peril are determined in the light of a clearly defined set of objectives.Footnote 48 Therefore, the decision as to which objective to pursue determines the concrete issues on which an organization will focus its risk management efforts. In other words, only knowledge deficiencies pertaining to future events, consequences or likelihoods that may impinge upon organizational objectives become relevant for the risk identification process.
The integration of a human rights impact assessment into a risk management system that aims at a business corporation’s value maximization would assume that adverse human rights impacts could become causal drivers or are in some way correlated to losses that result in risk costs for the business. This assumption is problematic in two respects. First, as mentioned, in order to observe adverse human rights impacts, not only must one investigate facts, but also qualify these facts normatively. While the facts underlying the normative assessment could become causal for financial loss, not so the assessment itself. For example, where a company’s actions prompt social unrest, in the absence of court proceedings, the potential financial losses for a company do not depend on the question whether or not the company’s actions amounted to a human rights violation. The social unrest’s factual consequences are all that count.Footnote 49 Second, facts that underlie a business enterprise’s adverse human rights impacts represent, at most, an indirect cause for losses. The direct causes of losses to firm value—and consequently the sources of uncertainty most relevant to a business corporation’s risk management system—are the potential reactions or resistance from people, groups or organizations against the corporation’s operations.Footnote 50 Only to the extent that the normative conclusions of such persons (that corporate behaviour would have an adverse human rights impact) add to the intensity of negative response, will it be taken into account by a business corporation’s social risk management. If a business corporation seeks to optimize its social risk management processes, it will largely confine itself to understanding the immediate social context of its operations and reduce uncertainties related to direct causes for losses. 
To this end, social risk management will concentrate its efforts on eliminating deficiencies of knowledge about such persons or groups of persons, upon whom the success of a business operation concretely depends (these persons will in the following be referred to as ‘stakeholders’Footnote 51 ). Business corporations have an interest in engaging with stakeholders in order to gain knowledge about their behavioural patterns so that their reactions may be better predicted. Yet business corporations will not necessarily engage with rights-holders, i.e., people who might become victims of a business-related human rights violation. Instead, they will try to identify when and which stakeholders have leverage to effectively impose social sanctions upon a business enterprise’s actions that they do not approve of (social sanction would include taking legal action). As a result, social risk management is principally concerned with the effective management of power relations with stakeholders. The more influential the stakeholder, the more corporate risk management will prioritize engagement with that stakeholder. Rights-holders’ interests will be sufficiently addressed only to the extent they have leverage over the business (for example through effective access to justice and available legal remedies), are sufficiently represented through influential stakeholders, or, with the help of such stakeholders, can effectively pressure business corporations into taking their concerns into account. 
To the extent that human rights respect is not an effective factor of corporate strategy, business corporations tend to discount information about vulnerable, unrepresented rights-holders who have no leverage over the business—in other words, those who are probably in most need of human rights protection.Footnote 52 Such an outcome would run contrary to the aims of the UNGPs, pursuant to which, as John Ruggie writes, human rights due diligence must ‘meaningfully engage rights-holders or others who legitimately represent them’, meaning independently of a rights-holder’s leverage over the business’s success or failure.Footnote 53
By contrast, if human rights due diligence was not exercised as social risk management, ‘loss’ would not be defined in terms of a corporation’s loss of value, but instead be equivalent to ‘adverse human rights impact’. Consequently, ‘risk’ would stem from the deficient knowledge about a business’s potential negative impact on human rights. The knowledge deficiencies requiring attention would relate to circumstances leading to adverse human rights impacts. In this case, risk management does not assess stakeholder reactions to business activity as causal drivers, but rather it seeks to obtain knowledge about the effects of the business corporation’s activities on rights-holders, normatively assessing such effects. The prioritization of risks to be identified would not occur according to a stakeholder’s potential leverage over the business, but according to the severity of the potential harm inflicted upon rights-holders.Footnote 54
To conclude, the information required by human rights due diligence to reduce and manage knowledge deficiencies differs in content and nature from information that is relevant for a business corporation’s social risk management.
VI. Risk Assessment: The Problem of Measure and Commensurability
Under any risk management framework managers are expected to be able to quantify risk, since the mode of rational decision-making in risk management is one that is based upon the assessment of operational indicators.Footnote 55 This does not mean that qualitative assessments are ignored by risk management, but it presupposes that qualitative assessments can in some manner translate into quantifiable terms so that managers can compare alternative courses of action using a single measure. Therefore, by adopting a risk management approach to corporate responsibility, the UNGPs imply that ‘adverse human rights impacts’ can in fact be measured. This premise alone is challenging, because convincing methodologies for measuring ‘adverse human rights impact’ have yet to be developed or disclosed.Footnote 56 Indicators for gauging human rights risk should not be confused with benchmarks that seek to exhibit so-called ‘human rights performance’. The latter are established in order to help third parties (for example investors that take social, environmental and governance concerns into account when making investment decisions) evaluate an organization’s efforts regarding human rights issues, and not to measure human rights risk. For example, the ‘Corporate Human Rights Benchmark’ (CHRB) falls into this category of ‘measure’.Footnote 57 Such benchmarks could provide additional motivations or pressures for business corporations to implement the UNGPs’ human rights respect, but they do not provide assistance to managers to actually evaluate human rights risk.
The interpretative guide to the UNGPs provides essential criteria with regard to developing a measure for human rights risk: First, any such measure should not be a mere function of probability and severity but emphasize the latter.Footnote 58 Second, the measure would have to take into account the necessary normative assessment regarding a corporation’s actions and links to a human rights violation because, unlike tornadoes and earthquakes, human rights violations are acts or omissions for which ultimately some persons may be held responsible based on a normative judgment of their behaviour. The framework for normatively assessing the link between business operations and human rights violations is set out under UNGP 19(b), which differentiates between causation, contribution and direct links. The interpretation and translation of these terms into quantifiable parameters useful for risk management purposes is the implicit task that the UNGPs have assigned to future applied academic researchers. To illustrate the point, if a business corporation is granted a concession to exploit a gas field under the condition that it enters into a joint venture with a government that continuously perpetrates severe human rights violations, there is no uncertainty about the corporation’s business operations being linked with a government that neither respects nor protects human rights. The relevant question for gauging human rights risk in such a case is whether the corporation’s involvement with the regime, after analysis of the involvement’s nature, effects and intensity, entails an adverse impact that is related to the business’s operations. In this example, it becomes clear that analyzing uncertainties related to the effects of corporate behaviour is only part of the human rights risk assessment. The other part consists in normatively evaluating the link between the corporation’s activity and human rights violations according to UNGP 19(b).
Even if there were methods of adequately measuring ‘adverse human rights impact’ in the form of operational indicators, the integration of human rights due diligence into a comprehensive corporate risk management system would have to deal with the ensuing issue of what a certain level of human rights risk would mean for the business corporation and consequently for managerial decision-making. For example, how does a manager decide to carry out a project that receives a poor human rights risk ‘score’, if the project ‘scores’ very well on other corporate objectives such as profitability or market share, or if the project is essential to avert a massive loss of business and resulting lay-offs?
Comprehensive risk management systems such as ERM are supposed to provide a structure that combines all risk management activities into one integrated framework that accounts for interdependencies between various corporate objectives,Footnote 59 and in doing so, this structure must consolidate multiple measures of risk into a coherent system that enables rational decision-making. As mentioned, the method of rational decision-making in risk management is based on assessing quantifiable indicators. In order to measure losses, risk managers must analyze the probability of peril to an exposed resource, and finally assess the expected severity of such peril to the organization’s objectives. Such a method presupposes that all risks relevant to an organization’s objectives and strategy can be ultimately rendered in strongly commensurate terms.Footnote 60 For example, if a business corporation ultimately pursues a single objective of maximizing value, the common risk measure must consequently be ‘value at risk’. An example of a human rights risk assessment that operates in this sense is offered by Spedding and Rose.Footnote 61 They break down various non-financial risks (including risks stemming from human rights issues) into estimations of ‘risk to market value’ that are based on research and analysis of publicly accessible records. They estimate ‘human rights risk outside the workplace’ at an average of 0.3 per cent of risk to market value, and human rights risks inside the workplace at 0.7 per cent of risk to market value, their sample being the top 500 US and EU companies. They assert that good risk management techniques have reduced risk exposure to 0.4 per cent of risk to market value (concerning external human rights risks) and 1.1 per cent of risk to market value (concerning internal human rights risks).Footnote 62 Such a risk assessment is appropriate for what this article refers to as the management of social risk, but not for the assessment of human rights risk.
Indeed, the only conceivable way to make a human rights score commensurable with other risk assessments under a ‘value at risk’ yardstick is to contemplate human rights risk as equivalent to social risk to the business corporation—which, as has been argued above, is not what the UNGPs aim for.
Once again, the only way to overcome this difficulty is for a business corporation to elevate human rights respect to a strategy-determining corporate objective, where exposure of rights-holders to business-related human rights risk would be considered not only to affect vulnerabilities but to generate corporate vulnerability. However, if this was effectively achieved, a further measurement problem would occur, because ERM or other comprehensive risk management frameworks do not provide any guidance on how to deal with risks that impinge on corporate objectives and underlying values that cannot be expressed in strongly commensurable terms. ERM, as comprehensive as the system may be, faces limits as a rational decision-making method once an organization pursues more than a single ultimate objective. While ERM may work well for single-objective organizations, as business corporations are presumed to be, ERM has weaknesses when it is implemented by other types of organizations or government institutions that typically have to deal with a number of potentially conflicting finalities.Footnote 63
If a business corporation treated human rights risk as a primary risk, meaning that adequate human rights respect would become an ultimate objective for the corporate risk management system and not only a driver that influences other objectives, the current architecture of ERM would only provide partial guidance for decision-making. It would need to be enhanced by a normative decision-making method that makes it possible to judge priorities when various risk management processes recommend courses of actions that are in conflict with each other. Managers would need to know how to resolve conflicts between practically incommensurable values. Instead of ultimately subjecting one objective to the other in order to make objectives commensurable (as in the case of ERM), managers would need to be able to render each corporate objective as effective as possible depending on the concrete situation, for example, by applying proportionality reasoning. For example, where a corporate decision entailed a human rights risk that scored so badly that it was deemed unacceptable, it could not be outweighed by any financial value consideration. However, the more remote or less severe human rights risks become, the more financial value is allowed to play a role. To illustrate this point, consider the following case:
Take a construction company that has secured a contract to build a tunnel. It will, among other things, conduct risk management with the objective of reducing the risk of accidents to construction workers during the construction phase, but it will also control its budget to ensure that performing the contract remains profitable to the company. It may turn out that the implementation of a recommended safety risk reduction measure produces costs that the company had not projected when it submitted its bid. In this situation, the company could forego the recommendable safety measure in order to maintain the profitability of the project. Alternatively, it could try to renegotiate the terms of the contract (if possible) or acknowledge the projection error, put up with the increased project costs and learn how to make better risk assessments before submitting contract bids in the future. A corporation that applied value considerations as its sole risk measure would determine the choice between ‘cutting corners’ on safety, renegotiating, or accepting a loss on the basis of an additional assessment of risk-related costs. One can imagine risk managers calculating the costs to the corporation of the possible consequences of endangering the safety of its employees, and comparing these costs to those incurred by implementing proper safety measures or renegotiating the terms of the contract. Decisions to act would be made on the basis of such cost optimization. This approach would be comparable to the social risk management model discussed above. However, it is also conceivable for a corporation to attribute intrinsic value to the ‘safety of the worker’, meaning that worker safety would determine the limits of maximizing value. In such a case, risk management frameworks that require a common measure of value could no longer propose a single correct course of action, but could only recommend alternatives to choose from. 
Once the risk assessments had been made, decision-makers would need to arbitrate conflicts between norms that realize corporate strategy. Going back to the above example, managers would need to decide how to dissolve the conflict between two norms: ‘the company ought to provide safety for its workers’ and ‘the company ought to maximize its value’. In such cases managers are hardly able to justify decisions in favour of safety at any cost, but—if the corporation intrinsically values worker safety—they cannot justify a decision that foregoes worker safety just because the cost of preventing accidents and related opportunity costs weigh too heavily. The challenge for the manager here would be to identify the course of action that, in the concrete situation, optimizes the effectiveness of each value that is in conflict with the other. Such a decision can only be made if the normative precepts that the corporation claims as part of its strategy are sufficiently clear. One possible outcome of the above example could be the following: managers will not make decisions that subject workers to illegal safety conditions and not accept any measures that, despite being legally compliant, pose intolerable threats to worker safety on the ground—no matter what the cost. However, the more tolerable worker safety risks become, the more the cost of prevention is allowed to become a decisive factor for determining the right course of action.
VII. Assessment of Human Rights Impacts Calls for Different Risk Reduction Measures
UNGP 19 suggests that human rights risk should be prevented or mitigated by taking appropriate action, which, depending on the corporation’s involvement, ranges from taking the necessary steps to cease or prevent the adverse human rights impact to increasing the corporation’s leverage over problematic business partners or terminating business relationships with them. If human rights were managed as social risk to the corporation, risk reduction measures would not be congruent with the prevention and mitigation of human rights risk according to UNGP 19, as will be explained below.
Generally, risk reduction measures aim to reduce or eliminate the effect of uncertainty on objectives.Footnote 64 However, preventing or mitigating an adverse human rights impact often has nothing to do with reducing uncertainties that threaten corporate objectives. To illustrate this, if the perpetrator is a business corporation—let us say it systematically discriminates against female employees—the violation of human rights does not happen by chance but is a consequence of the corporation’s decisions and informal policies. A business corporation’s ‘social risk’ does not refer to the discrimination (there is no uncertainty about it) but to the consequences of this policy in terms of financial loss to the corporation. It could be that female employees initiate litigation resulting in the corporation having to pay damages and incur legal costs, that the corporation receives negative media coverage, possibly resulting in loss of sales, and so on. If a business corporation managed its social risk, it would have several risk reduction options: it could of course not discriminate (which would eliminate the exposure to this risk), but it could also focus on various other risk reduction strategies (for example discriminating only in countries where anti-discrimination laws are non-existent or improperly enforced) or invest in anti-discrimination measures, only when and where media exposure is expected to be high or difficult to control.
Or, going back to the abovementioned example of a corporation that is granted a concession to exploit a gas field by a military regime that continuously perpetrates severe human rights violations, it was argued that in order to adequately measure human rights risk, a normative assessment of corporate behaviour would be necessary. Under a social risk management model the corporation has no interest in conducting such an assessment, unless rights-holders can effectively initiate lawsuits against it. Only in this case would the corporation check the availability of jurisdiction and enforceability of judgments, and then consider the substantive question of whether a court would possibly judge that the corporation’s involvement amounts to a violation of human rights. In the absence of access to justice, the relevant uncertainty that needs to be managed is, as mentioned above, the possible reaction by stakeholders to corporate activity (violent resistance by local communities, negative public exposure with possible loss of sales and brand value etc). At most, a social risk management system would assess whether social risks increase just because stakeholders come to the normative conclusion that corporate activity has adverse human rights impacts. The corporation does not have an interest in conducting its own assessment of the human rights situation, but will instead estimate stakeholder perceptions of its involvement. Supposing there is no practical access to justice for rights-holders, the corporation would identify and then, as a risk reduction measure, influence the perceptions of those who could effectively sanction the corporation extra-legally. For example, the corporation would negotiate compensation for victims not with the victims themselves but with influential NGOs so that the latter will change their perceptions about the corporation, resulting in less animosity. 
Alternatively, the corporation might offer positive measures that benefit influential groups in local communities in order to offset their negative perceptions of the corporation’s presence (for example by supporting local medical coverage and education). These measures would reduce the corporation’s social risk. They may in an ancillary manner promote human rights and help rights-holders. However, these measures can be carried out without necessarily remedying the failure to respect human rights in the first place.Footnote 65
To conclude, under a social risk management model it is generally possible for a corporation to succeed in reducing social risk by managing perceptions without improving the situation for rights-holders. In other words, social risk reduction measures are not equivalent to measures that would prevent or mitigate a business enterprise’s adverse human rights impacts.Footnote 66
VIII. Different Approach to Managing Opportunities and Unacceptable Trade-Offs
The final step in a risk management process would be to establish risk costs, which are a function of losses, risk reduction costs and opportunity costs. The social risk management model implies that priorities are attributed according to the value at risk. Therefore any social risk management scheme that seeks to reduce risk costs must balance losses against risk reduction costs and opportunity costs. This means that losses are acceptable for the corporation if they are outweighed by opportunity costs and anticipated risk reduction costs.
The concept of ‘strategic risk taking’ is that risk management should encompass risk-tolerance and risk-taking to the extent that this serves the organization’s goals.Footnote 67 The ISO 31000:2009 risk management standard also clarifies that risk prevention and mitigation are only alternatives to a more positive attitude towards risk.Footnote 68 Strategic risk management approaches are usually adopted to deal with financial risk so that their application might be questionable in fields where active risk-taking is morally less tolerable, as in the human rights context. Therefore, we could assume that not all business corporations managing human rights issues as social risk will actually engage in rational behaviour that is as crude as being involved in the violation of human rights when it pays.Footnote 69 However, it is not unrealistic that business corporations willingly incur human rights risks that can hardly be managed, as long as the operation results in profitable activity. Consider a mining company that operates a high-yield gold, silver, and copper mine, in a joint-venture with a company owned by a state that is ruled by an authoritarian regime and that imposes indefinite military conscription implying forced labour of a large part of the population. Suppose the mining company has little leverage over its governmental partner and can hardly access information about forced labour actually used for the joint-venture’s operations. Under such circumstances the company is barely in a position to conduct human rights due diligence under the UNGPs. If the company continues to operate the mine, it has to put up with the fact that its activities are potentially linked to human rights violations that cannot be assessed, or still less, be prevented or mitigated. It could well be, however, that this situation does not weigh all too heavily as it neither impairs the profitability of the mine nor affects the financial performance of the company.
Moreover, to the extent that business corporations manage social risk based on cost-benefit considerations, those that excel in social risk management could—in extremis—increase risks to rights-holders: when a corporation is able to minimize losses due to optimal knowledge about stakeholder reactions, its investments in projects that are controversial and may typically pose a threat to human rights eventually become less costly. This increases the likelihood that the corporation will not shy away from activities with potentially adverse human rights impacts.
Finally, expressing human rights impacts in terms of financial costs introduces trade-offs that are unacceptable for fulfilling corporate responsibility under the UNGPs. The UNGPs principally do not allow human rights to be weighed up against an economic interest for a business. According to UNGP 19, economic interests are only taken into account the more remote a corporation’s links to human rights violations become.Footnote 70
IX. Elevation of Human Rights Respect to a Corporate Goal
The main conclusion put forward in the preceding sections is that the integration of the UNGPs human rights due diligence process into corporate risk management systems, in particular ERM systems, requires an elevation of human rights respect to a corporate goal that determines a business corporation’s strategy.
Such an integration of human rights due diligence into an ERM system would become a prime embodiment of what Peter Muchlinski has named ‘constitutionalizing’ concern over human rights in the ‘corporate psyche and culture’.Footnote 71 The due diligence process would be guided by the corporate objective to respect human rights. However, to the extent that the motivation for human rights due diligence does not become clear or is lumped together with business concerns such as avoiding business disruption or improving brand reputation, business corporations may tend to conduct human rights due diligence hardly any differently than they would manage social risk. When, in addition, corporate communications translate social risks into human rights language, it becomes very difficult for the outside observer to tell the two apart. The two following examples may serve as an illustration for these points:
(1) When a company hires private security forces in order to protect its employees and assets, in particular, in places where public security is poor, it is clearly mitigating its social risk. The company could moreover present the employment of security forces as a measure to prevent human rights risks of the company’s employees. Indeed, social risk and human rights risk largely overlap in this respect. However, the use of private security forces in zones where public security is inadequate, typically results in severe human rights risks for other people than employees. A diligent selection and supervision of security forces according to international standardsFootnote 72 as well as obtaining guarantees for the proportionate use of force may complicate the job to effectively protect the company’s assets and personnel on the ground. In such cases, social risk and human rights risk could well fall apart. When proper human rights due diligence results in higher costs and less efficient security, and if human rights respect is not part of corporate strategy that guides the company’s actions, the company will be inclined to lend priority to effective social risk management.
(2) Consider a coffee retailer that has been emphasizing its ‘ethical sourcing’ model in order to distinguish itself from competitors, and to attract consumers who react sensitively to how the coffee they drink is produced. To implement its sourcing model, the company uses a scorecard system that helps evaluate suppliers’ and coffee farmers’ work practices and respect for the environment. Depending on the degree of compliance with the scorecard’s policies, farmers and suppliers may gain points and become privileged partners with the retailer. Some policies, such as child labour or forced labour have so called ‘zero tolerance’ status. Non-compliance with these provisions disqualifies someone from becoming a business partner. Other policies, for example related to workplace safety, wage discrimination, maximum working hours, or freedom of association are mentioned but could not be complied with. Depending on the context, any of these issues could present severe human rights risks within the company’s value chain. Nevertheless, the company systematically treats forced labour and child labour as more important than other human rights problems. From a social risk perspective, such a priority could be justified, because occurrences of child labour and forced labour in the value chain may have a stronger negative impact on the brand’s reputation than other human rights violations. Conducting human rights due diligence, by contrast, may require that the coffee retailer considers how its sourcing activities interact with each and every human right. Priorities are made not with regard to which human right is concerned, but with regard to the likelihood that a human right will be violated and the severity of the consequences in the concrete case. If the coffee retailer shifts to strategically motivated human rights respect, it probably would have to review its sourcing policy, as commendable as it may otherwise be.
A further significant implication of elevating concern for human rights to strategic level is that human rights risks are taken into account prior to an investment in a project and not only once the investment has taken place.Footnote 73 More precisely, the recognition of human rights as a strategic issue requires an anticipation of the scenarios described in UNGP 19 with regard to risk prevention and mitigation.Footnote 74 If, when analyzing a project’s prospects, the company comes to the conclusion that it will be largely unable to prevent or mitigate human rights risks directly related to the anticipated operations, then the project should not be worth the investment in the first place. In the above mentioned example of the mining company’s joint venture that can hardly prevent forced labour being linked to its activities, strategic human rights respect would probably recommend not exploiting the mine despite its large potential.
X. Conclusions and Outlook
The first conclusion of this article is that the UNGPs human rights due diligence requirement is hardly compatible with the management of social risk. In this light it could be said that the UNGPs prescribe a very ambitious implementation program. With regard to the motivation, a reference to the business case is not a sufficient basis for managers to take the UNGPs at face value. The reason for this is that a ‘business case’ would merely provide a reason for conducting social risk management, which, as has been argued here, deviates from human rights due diligence at each step of the risk management process (identifying, assessing and reducing risk). This being said, a persuasion strategy that emphasizes the notion that business-related human rights violations may represent costs to a business enterprise not yet accounted for could have some initial success, since some costs may indeed be revealed through greater attention paid to human rights. However, the more we have empirical certainty about discrepancies between social risk and human rights risk, the less appealing the ‘business case’ becomes. In this light, talking about the business case is a gamble on whether or not future research can confirm a convergence between social and human rights risk. Alternative motivations to conduct human rights due diligence (in the absence of legally enforceable obligations) could build on the development of empirically tested methods of assessing and measuring human rights risk. If these methods were readily available and practicable, business corporations would have to defend their decision not to use them.Footnote 75 The underlying consideration here would be a ‘moral’ rather than a ‘business’ case for human rights respect. In this sense a moral justification for corporate responsibility to respect human rights could prove to be more robust than one based on enlightened value maximization.Footnote 76
The second conclusion is that if business corporations managed human rights risk in order to serve the goal of respecting human rights and not to address possible repercussions of human rights violations on the corporation’s value, they would effectively alter the corporate purpose, or at least place the sole objective of value maximization within the confines of adequate human rights respect.Footnote 77 Value maximization would become subject to the responsibility to respect human rights and not vice versa.
While this article has argued that proper implementation of human rights due diligence requires a modification of goals and strategy, the costs and risks of such human rights due diligence for the business corporation may create impediments that most business corporations are presumably not willing to surmount: human rights impact assessments would require burdensome data collection and, likewise, could recommend financially onerous reduction measures. If business corporations apply available analysis tools thoroughly and attempt to provide satisfactory answers to the questions these tools raise (instead of box-ticking selected issues), they might need to make considerable investigative efforts. Many corporations already deal with processes that require a profound investigation into the effects of corporate activity, for example in the field of combating corruption, money-laundering or securities fraud. Since human rights issues, supposedly, are not less intricate than these matters, we could assume that human rights assessment efforts, taken seriously, would impose uncomfortable decisions and be as costly as anti-corruption measures. Further, the investigation into facts that are relevant for the assessment of a corporation’s adverse human rights impacts could produce or uncover sensitive information that a corporation would prefer to keep confidential. For example, identifying and assessing risk could lead to the creation of an information record that third parties could use against the corporation in litigation.Footnote 78
Under these obvious constraints, without a strong moral commitment from the corporation and its agents to properly conduct effective human rights due diligence, there might be a tendency to implement the process only to the extent that it can be plausibly documented and disclosed in order to satisfy an audience that is content with disclosures containing plausible but essentially unverified information. In this light, it is not fanciful to suppose that some business corporations feel tempted to mount a façade of implementing human rights due diligence, when serious human rights due diligence is too costly, produces an information record that could be used against the corporation, or imposes decisions that conflict with its financial objectives. If voluntary human rights due diligence remained impractical for these reasons, the alternative to make human rights due diligence effective would be to artificially increase the social risk of business-related human rights violations.