Navigating the S in ESG: Governing Human Rights Risk

Environmental, social, and governance (ESG) risk is an increasingly complex legal arena for global companies because of the proliferation of legislation and litigation across jurisdictions. Social risk the S in ESG is particularly fraught and fluid. It captures a suite of business risks related to impacts on workers, consumers and communities.

S risks are shaped by a complex interplay of brand pressure, regulation, litigation and investor expectations. For global companies, this hybrid and dynamic risk landscape is devilishly challenging: black-and-white decisions are rare most require balancing conflicting brand, legal and investor incentives.

Human rights have emerged as the analytical framework through which S risks become legal. Rather than a niche arena of corporate risk, human rights now define the S in substance and scope: they shape due diligence and disclosure legislation, negligence standards in civil litigation, and trade sanctions and criminal liability across jurisdictions.

These developments have three broad implications for corporate risk:

Navigating these evolving expectations requires structured and nimble governance tailored to layered risk and diverse audiences.

The wellspring of all modern S law is the UN Guiding Principles on Business and Human Rights, the authoritative voluntary standard on corporate human rights responsibility. The Guiding Principles' innovation was to define corporate S responsibility with reference to a compliance-based duty of care, comprised of (i) a policy commitment, (ii) a due diligence process, and (iii) a remediation process. The core of this system is human rights due diligence, which has a broad and legally idiosyncratic meaning: The process should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are addressed (GP 17).

The Guiding Principles were not conceived to be law. Their subject matter and scope are inherently uncertain. International human rights law does not generally apply as between private actors (UN Human Rights Committee, General Comment No 31, paragraph 8). Most internationally recognised human rights thus need to be adapted from the public to the private context to define corporate duties coherently. Moreover, the Guiding Principles' scope of responsibility across corporate value chains defined by three terms: (i) cause, (ii) contribute and (iii) directly linked does not align comfortably with legal analogues. It is therefore extremely difficult for any company to determine with legal precision whether its actions meet the Guiding Principles' expectations.

Until recently, legislation regarding corporate human rights governance has been narrower in scope and compliance expectations than the Guiding Principles. Modern slavery and child labour are frequently the substantive focus of such law, as with the California Transparency in Supply Chains Act, the US Victims of Trafficking and Violence Protection Act, the UK Modern Slavery Act and the Australia Modern Slavery Act. Disclosure has been the dominant compliance requirement. Companies have therefore been able to meet their formal legal expectations with annual reporting on discrete human rights challenges. Administrative scrutiny of compliance has been limited, largely because the substantive expectations have been shallow.

That is now rapidly changing in Europe, creating a hardening, deepening and unpredictable S risk environment for global business. Legislation mandating human rights due diligence (in the Guiding Principles' sense) spanning the full spectrum of human rights across the entire corporate value chain is increasingly the order of the day.

France was a precursor, adopting a mandatory human rights due diligence law in 2017. Germany and Norway passed their own variants in 2021, and, in February 2022, the European Commission released a draft Directive on Corporate Sustainability Due Diligence. If adopted by Parliament, as is likely, all EU member states would need to implement mandatory human rights due diligence of at least the Directive's scope.

These laws and initiatives differ materially in applicability, scope, precision and enforcement mechanisms, but they are all modelled on the Guiding Principles, with a compliance structure that emphasises best efforts and transparency. Such governance-focused laws live in uneasy complicity with (i) strict liability S legislation, such as sanctions, and (ii) tort concepts such as voluntary assumption of responsibility. Still, the collective of existing and emerging S law reveals six key trends to inform resilient, forward-looking S governance.

Human rights risks are not discrete and easily corralled. Any risk to the core interests of workers, customers, or communities ought to be considered through a human rights lens in addition to established risk protocols, such as those for product quality or health and safety and these S interests are not readily segregated from E and G risks. Both the German Supply Chain Due Diligence Act (SCDDA) and the draft European Directive weave together environmental and human rights risk management in general. The integration is also evident in litigation: climate change claims are increasingly framed as human rights breaches.

Human rights risks are not confined to the upstream supply chain. They exist across corporate functions, from human resources to public affairs, and extend downstream to product marketing and (mis)use. Global companies will frequently have well-developed compliance processes for such functions and business relationships. They will nonetheless need to add a human rights lens to existing integrity processes to ensure regulatory compliance and resilience.

One of the key implications of these new laws is to shift the perspective for risk prioritisation. Rather than materiality to the business alone, companies are increasingly expected to prioritise risks based on the severity and likelihood of risk to stakeholders, which is generally referred to as a risk's salience.The privileging of salience in law aligns with the concepts of dynamic materiality and double materiality, which are gaining increasing traction in investor literature and in disclosure legislation. This requirement could have radical implications for corporate governance of human rights risks, particularly where spend or business risk are determinative factors in assessment and/or remediation.

The Guiding Principles were structured to encourage due diligence, in part by defining corporate responsibility for human rights independently of knowledge: Even with the best policies and practices, a business enterprise may cause or contribute to an adverse human rights impact that it has not foreseen or been able to prevent (GP 22). Under emerging legislation, however, knowledge can itself increase liability. The SCDDA provides that a company's responsibility for impacts on indirect suppliers increases based on knowledge (SCDDA paragraph 9(3)). The draft European Directive anticipates corporate liability related to impacts that have been, or should have been, identified (Draft Directive, Article 7) that is, best-in-class due diligence may create most-in-class liability. Companies may thus need to calibrate diligence to the remedial and disclosure implications of additional knowledge, particularly in their sub-tier supply chains.

The Guiding Principles' inherent uncertainty is manageable because the expectations are voluntary. The situation changes markedly when legal sanctions including administrative, civil and director liability attach to purported non-compliance with a legal duty of care. It will be particularly challenging to anticipate the precise contours of laws that incorporate voluntary standards by reference, such as Norway's Transparency Act. But lacunae will likely exist even with more precise laws like the SCDDA because of their breadth. The uncertainty is likely to create opportunities for stakeholder criticism and regulatory oversight that will require particular attention by companies to tame pre-emptively for instance, through credible internal definitions of rights and potential involvement.

A uniting thread in each of these emerging pieces of legislation is the aim of leveraging disclosure to drive better corporate behaviour. Beyond the reputational and investor pressures disclosure requirements create, disclosure can also create risks under various legal regimes, from voluntary assumption of parent responsibility in transnational tort cases, to material misrepresentation claims by investors or consumers, to trade sanctions. It will therefore be critical for companies to ensure that compliance in one jurisdiction, notably with disclosure requirements, does not create material risk in another.

Against the backdrop of proliferating and materially distinct legislation across jurisdictions, global companies risk misdirecting attention by focusing only on achieving perfect compliance with existing legislation. Rather, an effective risk-management programme will ideally be nimble and resilient with a view to emerging trends, to enable rapid adaptation to shifting requirements. This end can be reasonably pursued in many ways to align with corporate organisation and culture.

We suggest three key practical governance considerations for long-term management of a fluid and evolving legal landscape.

Meeting the compliance requirements of emerging regulations will require risk management measures to be embedded across all functions and business divisions, from procurement to human resources, marketing and sales, and government relations. It would be impractical for any one function or team exclusively to bear all legal S responsibilities.

Such responsibilities can be divided into four broad categories:

The precise way these responsibilities are distributed is not defined in any voluntary standards or law. Companies will have discretion to tailor the risk-management approach to their organisational structure. However, while the locus of human rights strategy can be centralised, efficient and resilient governance will require that S risks are properly embedded in enterprise risk management and in functional codes of conduct.

No matter the precise organisational structure, legal advice will become increasingly essential in managing human rights risk.

First, the inherent uncertainty in emerging legislation will require proactive management through coherent definitions of core terms, drawing on national and international law.

Second, the risk of regulatory sanction will mean that decisions on human rights risk identification and response will need to be increasingly precise particularly where regulators do not afford deference to business judgement. Legal advice will be important to manage the human rights process flow and decision structure to ensure internal consistency and external coherence with regulatory requirements.

Third, counsel will be essential to manage information flow securely to navigate the potentially conflicting incentives of distinct regimes. That role includes preserving privilege over sensitive due diligence and balancing the benefits of rigorous assessments against the additional responsibility for knowledge.

Corporate human rights strategy cannot be tailored just to navigate legal risks specific to particular laws and regulations. S governance is particularly complex because material issues span legal, brand, investor and operational risks. These risk dimensions are interdependent: litigation spawns headlines that shape ESG ratings, customer enquiries and civil society campaigns.

Viewed in isolation, distinct risks may incentivise conflicting responses. The ideal strategy for regulatory compliance may inflame brand or investor risks, and vice versa. Moreover, the counterpoint of many human rights risks is opportunity to strengthen the brand or relations with investors and clients.

Effective S strategy and governance will constantly pay heed to and weigh each of these elements of business risk and opportunity. To that end, the locus of human rights strategy should incorporate subject matter, legal, investor and public relations expertise to limit the risk of technocratic and formalistic approaches to S risk management.

S risk for global companies is increasingly expansive and dynamic. In the wake of recent legislation and litigation, it is also indisputably legal. As the risks have hardened, however, so have the contours of effective strategy crystallised: corporate management of S is a governance challenge.

Effective S governance is structured and nimble. It is designed to anticipate trends, not to master compliance. It is embedded in the organisational subconscious. Most importantly, it is carefully calibrated to the array of material business risks and opportunities.