Companies are under growing pressure to demonstrate that they are taking action to uncover, stamp out and remedy human rights failings in their operations and supply chains. As a result, many are considering whether they should adopt dedicated human rights policies to meet regulatory and stakeholder expectations.
Many companies have incorporated human rights as part of their environmental, social and governance (ESG) frameworks. This may be appropriate for some, but not all. Critics point out that human rights concerns tend to get lumped in with the “S” part of ESG, which is often the least understood aspect of ESG reporting and the most difficult for many companies to get adequate assurance on. Furthermore, it can be challenging for large organizations in particular to drill down into all the ESG data across multiple jurisdictions to satisfactorily monitor, manage and report on human rights compliance—and noncompliance.
Consequently, some experts believe human rights policies could provide greater visibility about the risks the organization faces and more clarity about what it is doing to monitor and mitigate them. According to Lucy Blake, partner at law firm Jenner & Block, a policy signals a better commitment to human rights both internally and externally. “It shows the company takes human rights issues seriously,” she said. While organizations can address human rights issues in broad policy documents like ESG frameworks, a separate human rights policy can help a company reinforce its commitment to respecting human rights and to make changes as stakeholder expectations evolve and grow.
Facing Regulatory Pressure
The impetus for setting up a human rights policy is that there has been significant growth in the number of laws and regulations in recent years that require companies to manage human rights risks in their operations and value chains.
For example, in the United States, the Tariff Act, the Dodd-Frank Act and California’s Transparency in Supply Chains Act all stipulate what companies are required to do with regard to protecting human rights and preventing abuses.
Across the Atlantic, a mix of domestic and pan-European laws are coming into force that will compel companies to report on how they conduct business. Under the European Union’s Corporate Sustainability Reporting Directive (CSRD), which goes into effect in 2025, nearly 12,000 large companies that meet the legislation’s threshold will have to publish information related to the environment, societal risks, the treatment of employees, human rights, and anti-corruption and bribery.
The EU’s planned Corporate Sustainability Due Diligence Directive (CSDDD) will put further pressure on companies to prioritize ESG reporting, particularly since the regulation will put a direct onus on boards to ensure compliance and will enable regulators to impose monetary sanctions (unlike the CSRD) of up to 5% of a company’s global turnover. The regulation will also apply to non-EU companies that do business in Europe if they have more than 1000 employees and worldwide turnover of €450 million or more.
Some European countries also have their own national legislation in place regarding companies' duties to report on and manage human rights-related risks. The U.K.’s 2015 Modern Slavery Act requires companies to provide a statement on whether they have assessed if there could be potential incidences of slavery in their operations and supply chains, and what steps they have taken to identify and mitigate such risks. France’s Duty of Vigilance law goes further by compelling large companies to set up a plan to check for, map and prevent possible abuses in their supply chains, while Germany’s Supply Chain Act provides a comprehensive set of rules for companies to prevent and stamp out a vast range of human rights abuses.
Committing to Compliance
Such legislation may force companies that have not prioritized human rights issues to create related policies to help meet compliance obligations. To ensure the policy is effective from the start, companies should have policy statements committing to respect human rights in terms that are clear, concise and achievable. “Over-promising and under-delivering will kill the credibility of any policy from the start, so do not be overambitious too early,” Blake said.
As the foundation of any human rights policy, she advised adapting soft law standards such as the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises. These guidelines have been endorsed by governments, stakeholders and businesses and make clear that companies are expected to have a policy statement committing to respect human rights, as well as plans to address and remedy abuses.
For a human rights policy to be effective, it should be complemented with an effective human rights impact assessment that identifies, prevents and mitigates adverse impacts. “If you want a targeted and focused policy, it is important to understand where the risks related to human rights may occur in the organization’s operations and then develop the policy to address these bespoke risks,” Blake said. If companies have a separate policy, it should not be siloed. Instead, she recommended it should still be part of the risk management framework so that “it is looked at by a range of assurance functions, including in-house legal, compliance, internal audit and risk management, and not just left to one part of the business to review and monitor.”
A human rights policy may fail if it is not designed properly, is implemented badly or is poorly led. “To ensure the policy is culturally accepted, senior and, crucially, middle management must demonstrate commitment to the policy which must be accompanied by periodic training, with noncompliance penalized,” Blake said.
To ensure that companies report incidences of noncompliance and treat them appropriately, they also need to have open and transparent lines of communication. “Having grievance mechanisms and whistleblowing programs allows for important feedback on the effectiveness of a human rights policy,” she said. “A lack of whistleblowing reports could indicate an inadequate ‘speak-up’ culture rather than a successful human rights policy.”
According to Tom Plotkin, special counsel at law firm Covington, a human rights policy is often just one piece of a broader human rights compliance program. “The policy serves the purpose of articulating the company’s commitment to respecting human rights, but it should be accompanied by defined procedures that help reinforce those commitments both within the company’s own operations and throughout its value chains,” he said.
This process consists of several steps, which can be included or summarized in the human rights policy itself, he said. At the outset, it is important to inform employees and business partners of the company’s human rights standards and obtain their agreement to abide by those expectations. It is also helpful to have oversight processes in place to identify actual or potential human rights risks. Ideally, those oversight processes will be ongoing, meaning that the company actively seeks to identify human rights risks as a condition of entering into a relationship and part of the normal course of business. Defined procedures are also important for responding to, mitigating and remediating adverse human rights impacts when they are identified. Furthermore, since companies are increasingly being asked or required to disclose information about their human rights performance, it is also helpful to track due diligence efforts and be prepared to describe them and their effectiveness to an external audience.
“Human rights is a relatively new and somewhat unique form of compliance for businesses,” Plotkin said. Unlike other areas of the law with clear regulatory guidance, strict compliance standards and detailed expectations regarding confidentiality, corporate human rights compliance can follow a slightly different path. For example, if a supplier breaches a human rights standard, simply cutting ties with that supplier is often not the best approach. Instead, regulators increasingly expect businesses to work with the supplier to correct the issue.
There are also expectations from stakeholders and regulators that companies will report in detail about their compliance efforts, even if those efforts are imperfect or identify potential or actual human rights abuses. Additionally, companies are often expected to collaborate with external stakeholders like governments, business associations and civil society to address human rights risks. “A human rights policy that fails to capture these nuances may be viewed as immature or potentially non-compliant,” he said.
Drafting an Effective Human Rights Policy
Companies need to tailor their policies to their individual circumstances since “human rights policy is not a one-size-fits-all issue,” said Irina Tsukerman, president of business advisory firm Scarab Rising. There are three main points to consider including when drafting a policy, she said. First, companies should pay attention to the relevant statutory labor rights provisions in the countries where they either operate or are based. Second, companies should factor in known human rights concerns in the type of industry or the regions in which they operate. Third, the company should consider specific provisions it can deliver on for groups of potential employees and clientele that might have more vulnerabilities—for example, women, persecuted minorities and underprivileged youth.
“A solid human rights mechanism will be proactive, not reactive, adding value to engagement with underprivileged or vulnerable segments of society, clientele, or employees, and provide them with basic protections, opportunities or options beyond merely following the letter of the law and the bare minimum needed to avoid scrutiny,” she said.
Companies should also conduct thorough due diligence on their own record regarding human rights and engage with “diverse voices” to help form a policy that “makes sense,” Tsukerman said. This could include involving community leaders from affected groups, subject-matter experts, lawyers with experience in the industry and region, local officials, and reputation risk experts. Companies should educate themselves on the best practices in the industry and among similarly situated companies, while also exploring cases of “what not to do.”
Tsukerman recommended looking up known scandals involving human rights abuses, litigation precedents and media investigations concerning business malpractice, as well as consulting compliance regulators on a regular basis to ensure that the company’s understanding of various types of regulation and legislation is up to date. Furthermore, the policy's wording should always be clear regarding definitions, standards, commitments, objectives and accountability.
Companies are likely to have relevant data regarding human rights issues even though the information may not always be labeled as such. For example, country reports prepared by regional offices may contain relevant information on the nation’s human rights situation and its connection to the business, while internal audit processes will already include relevant indicators of present and emerging human rights risks in many companies.
Employee surveys can also be a useful source of information as they often contain valuable human rights-related information like experiences of discrimination, perceptions of employee engagement, and the listening capacity of management. In addition, grievance mechanisms such as reports from whistleblower hotlines, complaint boxes or feedback from trade union representatives can reveal pertinent indicators such as allegations of worker harassment, excessive overtime, and environmental or health and safety lapses.
Choosing the Right Metrics
Companies should take time to develop appropriate company-specific metrics, Tsukerman said. This can include reviewing the number of human rights impact assessments; tracking instances of reported violations and negative outcomes; monitoring the long-term impact of the company’s activities on issues such as wage levels and the health and safety of nearby communities; the percentage of workers trained on the company’s code of conduct regarding human rights; and the frequency of meetings or dialogues with trade unions representing the company's immediate workforce or workers in the supply chain. Staff turnover levels can also be good indicators of poor corporate culture.
Other issues to consider include mechanisms to track the performance of suppliers, agents and other third parties. Most audit-based approaches in this regard operate on a “policing” basis, which assumes that the suppliers and third parties are unable or unwilling to engage on human rights and impose top-down codes of conduct that require monitoring and enforcement through audits. However, in many cases, suppliers are willing, but they lack the capacity to engage in costly mechanisms and practices due to a shortage of staff, experience or tools. As such, it makes more sense for companies to partner with their suppliers to help identify and root out any violations rather than to punish them, thereby creating an incentive for compliance.
There are several ways companies try to ensure suppliers adhere to their codes of conduct. A common tool is for companies to compel third parties to sign a non-financial letter of representation, which provides them with assurance that business is being conducted in line with company principles. Another strategy is for companies to be part of multi-stakeholder initiatives that have verification processes whereby they commit to a set of standards against which their own operations, and often those of their suppliers or other business partners, are measured. Typically centered around specific industries, these initiatives may also conduct or commission assessments of suppliers on behalf of their member companies. Verification by an external assurance provider is also becoming a popular option.
“There is no ideal gold standard for the best human rights policy,” Tsukerman said. “Falling short in one particular area due to a lack of experience or resources or [experiencing] difficulties in implementation or engagement does not mean that company is a human rights failure. That is why it is helpful to look at various measurement areas and to track different issues, which helps to understand where there is measurable success and where more resources or a different approach is needed.”
The key point is to have a dedicated human rights policy that reflects a true commitment to the issues. Otherwise, stakeholders will “tune out” if the organization “simply creates policies for the sake of being fashionable and to follow trends,” said Jan Stappers, director of regulatory solutions at governance, risk and compliance software provider NAVEX.
“Some companies love putting statements and logos on their websites to say they are in favor of issues that are very much in vogue, such as using rainbows to signify their support of the LGBTQ+ community,” he said. “But in reality, their public statements do not match their actions, or their sentiments do not translate into proper, working policies. Many companies simply produce a ‘tick-box’ policy if they think people want a policy to address a particular issue.”
To mitigate this risk, companies must ask themselves why they should create a human rights policy. “Is it to map human rights-related risks to the business, or is it because they believe in human rights and want to ensure they understand the impact their operations might have on communities and the environment?” Stappers said. “Many of the early corporate human rights policies were more about limiting the damage to the business than to people.”
Expectations regarding transparency and accountability over human rights are rising and are only set to grow. It is important for companies to accept that they will need to do more to satisfy stakeholders and regulators. Having a dedicated policy that outlines and underpins the company’s approach to identifying, preventing and remedying human rights abuses can help bring clarity to an often-ignored area of corporate behavior.
What Should a Human Rights Policy Include?
According to experts, a strong human rights policy typically includes the following features:
- A clear explanation of what is required of people and third parties.
- Concrete and specific goals, principles and actions that the company commits to adopt and take.
- A clearly defined scope of its application to the company’s activities, operations, and supply and value chains.
- A risk assessment process that allows the policy to be tailored to the risks the company faces to ensure it properly addresses issues that are likely to come up. There is little point in including provisions that do not apply to the company’s activities just to make it appear that the organization is dealing effectively with issues that were neither present in the first place nor likely to occur.
- Integration with other relevant company policies and processes (for example, a Code of Ethics, Corporate Code of Conduct, and/or CSR Standard).
- A basis in widely accepted, well-established standards that provide a clearly defined framework to guide corporate action. The UN’s Guiding Principles, the OECD’s Guidelines for Multinational Enterprises and the ILO’s Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy (ILO MNE Declaration) are good models to base policies on, especially since they are internationally recognized and afford companies a fair degree of flexibility to tailor policies suited to their needs, circumstances and aspirations.
- An endorsement from the most senior-level members of the company and the establishment of who is accountable for implementation and monitoring.
- Requirements for the company to disclose information about its human rights performance, as well as report in detail about its compliance efforts—even if those efforts are imperfect or identify potential or actual human rights abuses.
- Reporting and grievance mechanisms so employees and third parties can call out instances of noncompliance and flag whether the policy is ineffective.
- Alignment with metrics that enable effective monitoring, reviewing and tracking.