Client Alert

Integrating Human Rights and ESG into International Regulatory Compliance: Policies and Procedures

February 28, 2021

By Jonathan C. Drimmer,Tara K. Giunta,

Nicola Bonucci,

& Renata Parras

In December 2020, we began the first in a series of posts discussing how risks associated with business and human rights, and ESG more generally, have led companies to increasingly create human rights/ESG management systems or to integrate human rights/ESG into existing compliance programs. We identified six core elements of human rights/ESG compliance programs, which also are found in effective international regulatory compliance programs, and help operationalize compliance principles in the UN Guiding Principles on Business and Human Rights (“UNGPs”). We promised detailed posts regarding each individual element, addressing key components and how its presence in anti-corruption and other compliance programs can be leveraged for human rights/ESG.

Last month, we addressed the first core element of a human rights/ESG compliance program, Governance, including the role of the board, the responsibilities and accountabilities of management, metrics, and key performance indicators to help track a program’s robustness and effectiveness. This month we will address Policies and Procedures, a critical component of any effective compliance program. While specific policies and procedures will necessarily differ between companies, and often between operations within a company depending on the nature of the salient risks presented, there are several bedrock concepts from the UNGPs and anti-corruption and other international regulatory programs that can also provide learnings and be leveraged to address human rights/ESG risks.

Code of Conduct

Anti-corruption and other international regulatory compliance policy frameworks generally include a code of conduct that clearly and succinctly identifies and expresses the company’s ethical commitments. Included within those commitments are stated positions on bribery, corruption, and other international regulatory areas. As the U.S. Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) have made clear in their FCPA Resource Guide (“FCPA Resource Guide”),

A company’s code of conduct is often the foundation upon which an effective compliance program is built. . . . [T]he most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

Resource Guide, at 59; see DOJ, Evaluation of Corporate Compliance Programs (“ECCP”), at 4 (“As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.”). Similar positions are taken by the U.K. Serious Fraud Office in its U.K. Bribery Act Guidance and the Agence Francaise Anticorruption’s guidelines. Accordingly, codes that are well received by enforcement authorities are: (1) readily available to employees, (2) translated into relevant local languages, (3) written in a manner that is easy to grasp and understood by employees, (4) applicable to employees and others doing business on a company’s behalf, and (5) periodically reviewed and updated.

That code should include a brief but clear position regarding human rights/ESG. The company’s human rights/ESG position as reflected in the code need not be particularly detailed, but should include a commitment to respecting the human rights of stakeholders that may be impacted by the company’s business, such as employees, suppliers, local communities and community members, and/or customers. They also frequently reference additional ESG-related positions, such as climate, diversity, and workplace treatment. Good codes often include a clear statement that the company does not tolerate human rights abuses or violations, and sometimes note that the company tries to improve human rights within its spheres of influence, to prevent negative human rights impacts from occurring, and to provide or assist in providing a remedy when the company is connected to negative impacts that do occur. They often include similar positions regarding other ESG areas. Besides declarative positions, many codes also reference standalone company policies, such as human rights, environmental, or workplace policies, particularly with regard to diversity and non-discrimination, and make clear the company’s expectation that they will be followed by employees, directors, suppliers, contractors and others.

Human Rights Policy & Supporting Procedures

Anti-Corruption and other International Regulatory Policy Frameworks

As with codes, there is no “right” way to draft an anti-corruption or human rights/ESG policy or supporting procedures that form a fulsome policy framework. At its most basic level, the U.S. Federal Sentencing Guidelines, which have helped shape the contours of regulatory compliance programs, reference organizations establishing “standards and procedures to prevent and detect criminal conduct.” U.S. Sentencing Guidelines (“USSG”), § 8B2.1(b)(6). Most companies today have addressed bribery and corruption in their policies and procedures—and those systems and controls can be leveraged to address human rights/ESG risks and compliance.

Focusing first on anti-corruption and other international regulatory policies, companies fulfill that requirement with divergent approaches, from lengthy and highly detailed to brief and values-driven. However, most include a clear policy statement reflecting the company’s prohibition of corruption and bribery, which are adopted by the board of directors. They also often reference that the FCPA, the U.K. Bribery Act, and other laws, apply on their face throughout the company and to third parties, and sometimes incorporate “industry practice or standards.” USSG § 8B2.1 Commentary. DOJ has further elaborated that anti-corruption policies and supporting procedures should help ensure that the compliance program and culture of compliance are integrated into the company’s operations and workforce. See ECCP, at 2, 4. On a more granular basis, DOJ focuses on whether business units and others have been involved in the design of policies and procedures, how the policies and procedures address the spectrum of risks the company faces, and whether the policies and procedures are easy to understand and access and translated into relevant local languages. See ECCP, at 4-5. DOJ and the SEC both note the importance of policies outlining responsibilities for compliance, detailing proper internal controls, and setting forth disciplinary procedures. See FCPA Resource Guide, at 59.

Among the relevant considerations in developing specific procedures are the nature of the company’s products and services, the role of third-party agents and other intermediaries, customers, the extent of government interactions, and industry and geographic risks. As DOJ and the SEC explain, “The risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” FCPA Resource Guide at 59. In addition to such higher risk relationships and payments, anti-corruption, and other international regulatory policy frameworks typically include protocols related to immediate reporting of risks or concerns (e.g., escalation policies), internal investigations, employee hiring and onboarding, third-party retention and vetting, engagement with government auditors or inspectors, and other such areas.

Human Rights/ESG Policy Frameworks

Human rights/ESG policy frameworks should follow a similar systematic approach, potentially leveraging—or at least learning from—anti-corruption and other international regulatory approaches. Structurally, similar to the anti-corruption context, frameworks generally should consist of a public facing policy commitment, supported by operational policies and procedures that “are typically not public, are more detailed in nature and help translate the high-level commitment into operational terms.” Office of the High Commissioner for Human Rights, The Corporate Responsibility to Respect Human Rights: An Interpretive Guide (“UNGPs Interpretive Guide”), at 26; see UNGP 15(a) (businesses should have a policy commitment to respect human rights).

Following this advice, akin to stand-alone anti-corruption policies, hundreds of companies now have adopted distinct human rights/ESG policies, which cover human rights, climate change, diversity, and other relevant ESG areas. See Company Policy Statement on Human Rights, Business and Human Rights Resource Centre. Those policies should be informed by a risk assessment identifying the human rights/ESG areas of most risk to stakeholders, as well as the company. More specifically, as with expectations identified by DOJ and the SEC for anti-corruption policies, UNGP 16 and its Commentary states that human rights policies should be approved at the “most senior level” of the organization “embedded from the top of the business enterprise through all its functions” set forth human rights expectations of personnel and third parties directly linked to the business’s operations, products, or services, and be publicly available and communicated to all personnel and third parties. Consistent with DOJ’s focus on whether policies have been designed with input by business units and others, UNGP 16(b) and its relevant commentary suggests that policies are “informed by relevant internal and/or external expertise,” which “can be drawn from various sources, ranging from credible online or written resources to consultation with recognized experts.” Translating human rights/ESG policies into relevant local languages so that they can be read and understood, drafting them in a manner that is easily grasped by internal and external stakeholders, publishing them in locations that make them readily available, and identifying the range of disciplinary actions for violations—all fundamental for anti-corruption policies—are equally so for human rights/ESG policies.

Similar to the approach from DOJ and the SEC that anti-corruption policies should integrate the company’s culture of compliance, human rights/ESG policies often begin with an introduction referencing the company’s core values, how they correlate to human rights/ESG, and the scope of coverage for the policy. Increasingly, companies include at the outset of their policies a discussion of how the company may contribute to the positive realization of human rights/ESG, referencing—or using language that may allude to—the UN Sustainable Development Goals. After the introduction, policies then discuss the key principles that guide the company’s human rights/ESG approach, such as supporting diversity and a lack of tolerance for discrimination or human rights abuses. That is followed by specific steps the company takes to fulfill its commitments, such as training, communication, due diligence and assessments, stakeholder engagement, audits, and other steps. Finally, policies commonly conclude with references to policies and procedures in other relevant areas.

Within that structure, there are several substantive elements found in good policies. First, like the frequent references to the FCPA and other laws that appear in anti-corruption and other international regulatory policies, human rights/ESG policies generally include a definitional component. For instance, “human rights” should be defined to include the International Bill of Human Rights and International Labor Organization’s core conventions. UNGPs Interpretive Guide, at 28. Second, most companies identify other key instruments and principles the company follows, including the UNGPs, the OECD Guidelines for Multinational Enterprises and the related due diligence guidance, or the UN Global Compact’s 10 principles, and key instruments and conventions that correlate to salient risks. On a related note, and consistent with anti-corruption policies, some companies also refer to industry-related initiatives or soft law frameworks, such as the Voluntary Principles on Security and Human Rights (extractive sector), the Global Network Initiative (telecommunications and social media), or the Kimberley Process (diamonds). Third, many companies also identify, at a high level, the salient human rights/ESG risk areas the company may face, such as modern slavery and child labor, living wage, discrimination and Equal Pay, right to join a union and bargain collectively, working conditions such as hours, health and safety or environmental issues, or attacks on human rights defenders. See UNGPs Interpretive Guide, at 28. Fourth, some companies also identify stakeholder groups that may be particularly impacted by the company and their value chains, and reference how the company addresses conflicts between international standards and local laws. Finally, a good policy should reference grievances and remedies, and how the company should consider and mitigate negative impacts when they might occur.

Regarding supporting procedures to implement human rights/ESG policies, similar to anti-corruption and other international regulatory approaches, companies with more mature human rights/ESG programs seek to integrate human rights/ESG into management systems to help “operationalize” the approach. UNGPs Interpretive Guide, at 29. In some cases where a company has significant interaction with a potentially vulnerable group, it may decide to prepare and refer to a separate, dedicated policy, such as a children’s rights or indigenous peoples’ policy. Procedures focusing on operational level grievance mechanisms and how grievances are considered and addressed are also important. While some of these procedures may not be leveraged between human rights/ESG and other areas, other procedures can, such as supplier codes of conduct, requirements for the immediate escalation and reporting of concerns coupled with a non-retaliation commitment, investigative protocols that incorporate expertise and independence into inquiries regarding human rights/ESG concerns, and other processes.

Finally, while each company will have a different approach to effective implementation of a human rights/ESG policy framework, key points to consider include: assessing the company’s human rights impacts and risk areas, including how they may change, and incorporating into the policy framework any changes to the risk profile; tracking performance through quantifiable metrics and key performance indicators; and communicating publicly on risks, impacts, how they are addressed, and the effectiveness of those processes.


Similar to other international regulatory and compliance areas, there is no right way to create a robust and effective human rights/ESG policy framework. However, as with other areas, a code that reflects a high-level commitment, a more detailed public-facing policy that is accessible in form and content, and a range of supporting procedures is becoming standard fare in the human rights/ESG context. Our next post will tackle training, and how anti-corruption and other international regulatory training can be leveraged for human rights/ESG

Click here for a PDF of the full text

Get In Touch With Us

Contact Us