The Integration of Business and Human Rights Into International Regulatory Compliance: Due Diligence
By Jonathan C. Drimmer, Tara K. Giunta, Nicola Bonucci, & Renata Parras
In December 2020, we published the first of a series of posts focusing on how companies should respond to emerging business and human rights and environmental, social, and governance (“ESG”) responsibilities, including exploring the benefits/drawbacks of setting up standalone management systems, or integrating human rights and other ESG components into existing international regulatory and compliance programs. We identified six key elements of effective human rights and ESG compliance programs, which help operationalize the UN Guiding Principles on Business and Human Rights (“UNGPs”). In subsequent posts, we are addressing each of those six compliance program elements—talking not only about their key features, but also how businesses can leverage anti-corruption and other compliance programs to enhance their human rights/ESG approach.
This is the fourth post in our series, focusing on Due Diligence, and follows posts on Governance, Policies and Procedures, and Training. Company-driven due diligence, a key aspect of the UNGPs, is addressed in more than one-third of the principles in Pillar II of the UNGPs, which covers the Corporate Responsibility to Respect Human Rights. The precise nature and scope of human rights/ESG due diligence will differ depending on a range of considerations. However, there are many points of overlap with anti-corruption and related compliance programs, which can effectively be leveraged to address human rights/ESG risks.
Due diligence—essentially an inquiry to identify issues that may cause risks or harms under an applicable standard, policy, or expectation—is fundamental to any compliance program or internal control system. It is referenced explicitly and repeatedly in Chapter 8 of the U.S. Federal Sentencing Guidelines, the progenitor for modern compliance programs. The first line of §8B2.1, which addresses an “Effective Compliance and Ethics Program,” says, “To have an effective compliance program . . . [an] organization shall—(1) exercise due diligence to prevent and detect criminal conduct.” See U.S. Sentencing Guidelines (“USSG”) §8B2.1(a)(1). It also states that the organization should conduct periodic risk assessments, seek to exclude from management positions individuals who have engaged in misconduct or “other conduct inconsistent with an effective compliance and ethics program,” take reasonable steps “to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” and “evaluate periodically the effectiveness of the organization’s compliance and ethics program.” Id. §8B2.1(b) & (c).
These same themes are reflected and explained in leading anti-corruption resources, including the U.S. Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) FCPA Resource Guide (“FCPA Resource Guide”), DOJ’s Evaluation of Corporate Compliance Programs, the U.K.’s Bribery Act Guidance (“Bribery Act Guidance”) and Evaluating a Compliance Programme, and the Agence Française Anticorruption’s Guidelines (“French Guidelines”). These authorities underscore that, in addition to conducting screening of relevant personnel for negative histories and potential political exposure, certain areas of diligence are particularly germane:
- Risk Assessments. “Assessment of risk is fundamental to developing a strong compliance program,” to appropriately develop targeted mitigating processes and calibrate responses in a risk-tiered manner. As the authorities note, the “degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction,” among other factors. FCPA Resource Guide, at 60. See ECCP, at 2-3; Bribery Act Guidance, at 25-28; French Guidelines, at 17, 20.
- Program Testing. To promote program effectiveness, a company “should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas,” by rolling out tools such as compliance surveys, back-end/front-end monitoring, targeted audits, and proactive testing and assessments. FCPA Resource Guide, at 62. See ECCP, at 15 (“prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale”); Bribery Act Guidance, at 31; French Guidelines, at 73-75.
- Third Parties. Given the risks and challenges that third parties bring in the anti-corruption context, risk-based due diligence is particularly important. While third party diligence may vary based on the industry, country, size, and nature of the transaction, and historical relationship with the third party, it is important to (1) understand a third party’s background, (2) monitor the relationship, exercise audit rights, provide periodic training, and request annual compliance certifications, and (3) inform third parties of “the company’s compliance program and commitment to ethical and lawful business practices” and obtain “reciprocal commitments.” FCPA Resource Guide, at 60. See ECCP, at 7-8 (“A well-designed compliance program should apply risk-based due diligence to its third party relationships.”); Bribery Act Guidance, at 27; French Guidelines, at 40.
- M&A. Companies should conduct pre-acquisition due diligence in the context of mergers to avoid inheriting a legal risk, and incorporate the acquired company into all of its internal controls, including its compliance program. That can involve “training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” FCPA Resource Guide, at 62. See ECCP, at 9 (“A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”); Bribery Act Guidance, at 28; French Guidelines, at 8, 15.
Human Rights/ESG Diligence
On a conceptual level, the principles associated with human rights/ESG and anti-corruption diligence differ but the underlying diligence goal remains the same: identify and mitigate potential risks to the company. While human rights/ESG diligence assesses risks to the business—legal/regulatory, financial, reputational, or otherwise—the primary concepts are broader. Indeed, the concepts also are broader than just ascertaining actual, potential, or even perceived risks of negative impacts on stakeholders—although that is a fundamental premise of human rights/ESG diligence, as the UNGPs make clear. See United Nations Office of the High Commissioner for Human Rights, “Connecting the business and human rights and the anticorruption agendas,” June 17, 2020, A/HRC/44/43, at 7 (“Business enterprises must respect human rights by exercising due diligence to prevent harms to people and address identified adverse impacts.”). Instead, human rights/ESG diligence is more accurately understood as a continuous process of identifying and addressing actual and potential adverse impacts on stakeholders that may be connected to the business through its activities and relationships. It consists of four steps: (1) determining actual, potential, and perceived risks of negative impacts on stakeholders, including the likelihood, scale, scope, and irremediability of those impacts; (2) taking steps to prevent and mitigate those impacts; (3) evaluating the effectiveness of those steps; and (4) reporting externally, including to potentially affected individuals and groups. See, e.g., OECD Due Diligence Guidance for Responsible Business Conduct (2018).
Although there are important and concrete distinctions between human rights/ESG and anti-corruption diligence, many of the dynamics and steps are the same, which has contributed to companies seeking to leverage internal resources and tools from anti-corruption diligence programs when implementing human rights/ESG due diligence.
Employees. Consistent with the Sentencing Guidelines, most anti-corruption programs—while abiding by applicable privacy laws—screen current and potential employees to identify whether they were involved in past investigations or legal actions for fraud or corruption, are restricted, or have government affiliations (e.g., they are government officials, are immediately related to government officials, or were referred by government officials). That process often includes questionnaires completed by the individual, and internet or subscription database searches. The process also may include verifying educational backgrounds and employment histories, performing public record searches to identify civil matters and criminal records, and obtaining reports from referees. The greater the risk the employee may pose because of their position, the greater the diligence. Thus, for gatekeepers and individuals in positions of elevated risk, such as government relations personnel, formal background checks are often pursued.
That same due diligence process can readily incorporate human rights/ESG concerns. Pre-screening questionnaires can include questions related to past issues of violence, discrimination, labor abuses, sexual harassment, or other red flags. Internet and database searches, and communications with referees, should also encompass such issues, as should public record searches. Enhanced diligence should be undertaken for potential employees in functions closely connected to a company’s salient human rights/ESG risks. For instance, if a company is considering a former public security officer for a security management role, it will be highly relevant to conduct inquiries into whether there were credible complaints for excessive force or other abuses. Further, just as anti-corruption expectations are often included in job applications, employment agreements or employment letters, human rights/ESG expectations may be added as well.
Operational Diligence: Risk Assessments and Testing. As noted above, risk assessments and program testing are fundamental to an effective anti-corruption compliance program; they identify the company’s inherent and residual risks, the degree of adherence to the company’s processes to address those risks, and the effectiveness of those processes in mitigating inherent risks. UNGPs 17 through 21 endorse a similar approach for human rights impact assessments, and the processes used to conduct anti-corruption assessments and testing can be leveraged in the human rights/ESG context. See UNGP 18 (“In order to gauge human rights risks, business enterprises should identify and assess any actual or potential adverse human rights impacts with which they may be involved either through their own activities or as a result of their business relationships.”).
The objective of human rights/ESG impact assessment exercises is, conceptually, to identify the company’s actual and potential inherent risks, the degree of adherence to the company’s processes to address those risks, the effectiveness of those processes in mitigating inherent risks, and any actual, potential, and perceived impacts on individuals and communities. Assessment exercises can include desktop research; a review of policies, procedures, and standards; and on-the-ground interviews with employees and stakeholders. While some companies conduct some or all of their anti-corruption and human rights/ESG exercises separately, companies increasingly are undertaking integrated diligence approaches, maximizing efficiencies in assessing risks and mitigating measures. That is particularly logical since corruption and human rights/ESG abuses are frequently interrelated, and identifying risks associated with one may correlate with risks for the other.
Desktop work. Many anti-corruption assessments start with a desktop review of industry, sectoral, and geographic risks; evaluation of the company’s applicable policies and procedures; and identification of potential higher risk third parties. This approach can readily be adjusted to include human rights/ESG considerations. On a geographic level, countries with high perceptions of corruption often have equally high perceptions of human rights/ESG abuse, which can be identified in a range of public benchmarks and reports. Weaknesses in policies and procedures designed to prevent human rights and ESG harms also may have relevance in the anti-corruption context, and thus reviews can be undertaken through both lenses. Further, just as anti-corruption program testing efforts may involve surveys and other remote evaluative processes to determine the strength of controls, the same approach can be used for a human rights/ESG program. Indeed, given the overlapping risks, corruption-focused surveys can include human rights/ESG questions and vice versa, maximizing leverage and efficiencies. A third party mapping exercise for anti-corruption, which generally focuses on government interfaces in higher risk locales, can be expanded to include third parties whose products or services create a higher risk of adverse human rights/ESG impacts to which the company may be connected.
Field work. The synergies between anti-corruption and human rights/ESG may be particularly useful for live assessments and testing, given their expense, time commitment, and operational impacts. From a process standpoint, human rights/ESG and anti-corruption assessments typically include meetings with many of the same functional units and personnel, allowing for audit protocols that cover both subjects in one interview and limiting audit fatigue and business interruption. For instance, just as anti-corruption assessments might include a review of hiring procedures and interviews with human resources personnel who interact with national labor boards, the same interviews might cover the company’s approach to modern slavery or discrimination, and an assessment of how prospective employees are screened for human rights/ESG risks. Likewise, while an anti-corruption risk assessment may involve meeting with particularly high-risk third parties, the same might occur for higher-risk human rights/ESG third parties as part of an assessment.
Substantively, given that corruption risks can cause human rights/ESG impacts, and vice versa, a single assessment that examines both can lead to more probing insights and effective recommendations. As an example, where an assessment identifies anomalous payments to labor inspectors, there may be related risks associated with worker safety or modern slavery. Conversely, where the assessment identifies such work safety or forced labor concerns, known security abuses that have not been investigated, or human health impacts from illegal dumping, it may mean government officials are looking the other way in exchange for an improper payment or other benefit. A joint assessment thus allows for a deepened understanding of corruption and human rights/ESG risks, their correlation with each other, and how they may impact rights holders and the company. It also may allow for responsive solutions that are more effective and sustainable.
Key differences. Of course, there are certain fundamental differences in the emphases of anti-corruption and human rights/ESG assessments. Anti-corruption assessments are geared toward bribery risks, often with an emphasis on government touchpoints; human rights/ESG assessments focus on actual, potential, and perceived impacts on third parties. In addition, human rights/ESG assessments generally involve engagement with a range of external stakeholders, while anti-corruption assessments often are limited to employees and contractors. That likely precludes a complete overlap in interviews, and thus the synergies only go so far. Nonetheless, the substantial points of overlap should allow for efficiencies and more insightful assessments, given their close interconnectedness substantively, and anti-corruption processes can be leveraged to advance human rights/ESG assessments.
In addition, unlike anti-corruption, in the human rights/ESG space it is important to understand perceived impacts, as well as actual impacts. If stakeholders wrongly believe they are being harmed by a company’s operations, they still may launch protests or boycotts, force operational shutdowns, compel government action, and file lawsuits. In other words, the impacts on the business may not differ substantially from situations where the business actually creates the harms; the tensions themselves can lead to adverse human rights/ESG impacts.
Third Parties. Similar efficiencies exist for third party diligence. For anti-corruption programs, substantial time and resources can be spent on third party diligence, which often includes baseline diligence and controls for a wide swath of suppliers, and enhanced diligence and controls for those who may pose heightened corruption risks. Those processes can be expanded to include human rights/ESG considerations at least for first-tier suppliers. See UNGP 17 (“In order to identify, prevent, mitigate, and account for how they address their adverse human rights impacts, business enterprises should carry out human rights due diligence,” which “may be directly linked to its operations, products or services by its business relationships”).
Baseline diligence. For baseline diligence, the onboarding questionnaires commonly completed by third parties to identify anti-corruption concerns can easily be expanded to include human rights/ESG-related questions. These might include, for instance, past accusations of forced labor, discrimination, or sexual harassment, previous incidents of use of force by security contractors, or litigation or controversies with a human rights/ESG component. Similarly, internet and subscription database searches, as with employee diligence exercises, might be expanded to include human rights/ESG elements. Indeed, an increasing number of databases now address at least some human rights/ESG risks.
Enhanced diligence. Similar points of consistency exist for enhanced diligence. As with anti-corruption, in the human rights/ESG arena, elevated risks may be identified during baseline diligence, or arise from goods or services procured in certain places. For example, some goods produced in specific locales, such as bricks from Afghanistan or cotton from Azerbaijan, have been identified as having a high correlation to modern slavery. Some service providers in specific locales, such as security providers in Zimbabwe or Sierra Leone, may pose heightened risks of abuse. When higher human rights/ESG risks are present, many of the same processes used for anti-corruption enhanced diligence can be employed. These include interviews of the third party or others, audits, reference checks, a review of policies and procedures, embassy checks, litigation checks, and additional public records searches. Given the potential legal, reputational, operational, and stakeholder risks associated with human rights/ESG abuses, heightened internal approvals for higher-risk third parties—as with anti-corruption—may also be appropriate.
Assuming the company believes that human rights/ESG red flags can be remediated and the relationship can proceed, controls employed in the anti-corruption context may also be leveraged for human rights/ESG concerns. Most obviously, companies can add human rights/ESG language to contracts and purchase orders that already have anti-corruption provisions. Companies also might closely monitor and document performance, conduct post-engagement third party assessments, conduct third party training, periodically refresh diligence, obtain third party certifications, and conduct other steps similar to those used in the anti-corruption context.
M&A. Similarly, many of the same processes used to conduct due diligence in the M&A context can be leveraged for human rights/ESG to identify potential risks associated with acquisitions. See UNGP 17, Commentary (“Human rights due diligence should be initiated as early as possible in the development of a new activity or relationship, given that human rights risks . . . may be inherited through mergers or acquisitions.”). Anti-corruption M&A diligence generally involves public information searches for stories or reports related to potential fraud, corruption, or business integrity concerns; document and information requests to management; and interviews with key personnel.
Acquisitions. Those same diligence steps can integrate human rights/ESG components. Public information searches can seek litigation, company disclosures, news reports, and other information that may indicate whether the target has been involved in significant human rights/ESG issues that you may inherit. Document requests can seek germane policies and procedures (such as a human rights policy, anti-discrimination or harassment policy, child labor policy, or environmental or climate policies), human rights/ESG training materials and plans, reports reflecting human rights/ESG assessments and audits, and a list of human rights/ESG related investigations and disputes, among other matters. Interviews with management can specifically seek information related to the public information learned and the documents received, as well as how the company identifies and addresses its salient human rights/ESG issues, incorporates human rights/ESG into employment practices (e.g., incentives, promotions, performance evaluations), and resources programs related to human rights/ESG.
Integration. Likewise, post-acquisition, just as authorities expect that an acquired company will be integrated into the acquiring company’s anti-corruption program, the same is true of human rights/ESG. That will include ensuring the acquired company receives human rights/ESG training, adopts the company’s policies and procedures, has an operational grievance mechanism in place, and implements other core features of the acquiring company’s human rights/ESG program.
Dispositions. Finally, it is also important to note that due diligence may be appropriate in the anti-corruption space associated with an asset sale, such as where approval from a local government agency is required. Asset dispositions can also generate human rights/ESG risks and controversies. For example, a sale might lead to a loss of local jobs, a reduction in local community programs, or reduced attention to certain practices. It also may result in foreign ownership that is viewed controversially by local stakeholders, causing latent tensions to become manifest. With increasing frequency, responsible companies are conducting due diligence of the potential human rights/ESG impacts associated with asset sales, just as they may consider and address potential corruption risks.
Obviously, despite the synergies between anti-corruption and human rights/ESG diligence exercises, there are limits. As commentators have observed, it is important not to substantively dilute either anti-corruption or human rights/ESG diligence by seeking to integrate the two. Further, different sets of knowledge are required to identify anti-corruption and human rights/ESG risks. Nonetheless, there are clear points of overlap between anti-corruption and human rights/ESG diligence, and anti-corruption processes can be effectively leveraged in many respects. Considering them alongside each other can create practical efficiencies, enhanced analyses, and better outcomes overall.