international regulatory enforcement
Responsible Product Usage Risk Factors Ahead of the EU Corporate Accountability and Due Diligence Directive
By Jonathan Drimmer and James Tunkey, I-OnAsia
Recognition of potential downstream risks associated with the misuse of products or services (“product misuse”), or the use of a product in a manner inconsistent with responsible business conduct (“irresponsible product usage”), is becoming increasingly prevalent in enterprise risk matrixes, board reports, and company disclosures. As we talked about in our recent post, there is a renewed focus on these downstream human rights risks in light of the EU’s highly anticipated Corporate Due Diligence and Corporate Accountability directive (the “Directive”).
Taking a cue from human rights norms, the Directive pushes companies toward a different risk-related premise. While traditionally companies and their boards have focused on whether a risk is financially “material” to the business, the Directive requires companies to consider whether a risk is “salient” to potentially affected “third parties.” Whether a firm seeks to measure materiality, salience, or both, a rigorous risk-identification approach is warranted. As the risk factors associated with product misuse and irresponsible product usage will differ, reliable identification and quantification can be elusive. This post provides a few thoughts on how to approach these challenges.
Guidance on Risk Identification Frameworks
As our earlier post explained, whereas modern slavery legislation and related domestic laws have largely focused on upstream suppliers, with the Directive the EU appears poised to follow the approach of the UN Guiding Principles on Business and Human Rights (“UNGPs”) by requiring due diligence on both sides of company value chains. Looking downstream, many companies and their boards already consider product misuse and irresponsible product usage from a tort and shareholder value perspective. In the United States, tort liability already extends to injuries caused by a product when it is reasonably foreseeable that consumers will fail to use it as intended (e.g., U.S. courts have split on whether it is reasonably foreseeable that teens will shake vending machines to get sodas without paying), as well as irresponsible product use, where consumers foreseeably use a product as intended but in a way that causes harm (e.g. tobacco labeling lawsuits, or the Agent Orange class action litigation).
While company risk analyses may therefore already consider certain aspects of downstream exposures from the business side – e.g., cost of litigation, product recalls, or consumer boycotts – the UNGPs and forthcoming Directive call on companies to consider adverse impacts from a broader stakeholder salience perspective. This salience analysis is premised on four factors: (1) severity (how grave the impact to third parties might be); (2) remediability (how hard the harm would be to correct); (3) prevalence (how widespread the impact would be); and (4) likelihood (how likely it would be that the harm would occur). Understanding these factors, and the full range of human rights that could be potentially implicated by a company’s products and services, is the first step in any human rights due diligence exercise. It also is a first step for a board and senior management to begin educating themselves about the company’s salient risk profile.
Given the vast range of products and services that companies offer and geographies where they may be offered, there is no single taxonomy for product misuse and irresponsible product use salience analysis. However, there are a number of common factors on which the analysis may focus, in varying combinations:
- Customer Risk: risks specific to particular customers or resellers – e.g., whether prior allegations of wrongdoing or connections to questionable actors elevate risks of misuse or irresponsible usage;
- Product Risk: the risk that a product could be resold or transferred to a different end-user who will use it in an undesirable way, even if the customer itself is seen as low risk;
- Past Misuses: past instances of misuse or irresponsible use of the same or similar products or services that could recur;
- Intended Use: information about the intended use and/or purpose of the sale, and whether the understood purpose increases or decreases the potential for stakeholder harm;
- Potential Harms: whether the product or service could create human rights harms if used irresponsibly or not as intended, including the severity, how widespread the impact would be, and whether the impact is remediable;
- Vulnerable Groups: whether a particular group may be especially vulnerable to adverse impacts if a product is used irresponsibly or not as intended;
- Volume: the volume of products or services to be sold, to the extent these may increase or decrease the relevant risks; and
- Country Risk: risks particular to the country where the product will be sold or service rendered. These may include respect for the rule of law, local regulatory environment, the capacity for local stakeholders to understand relevant risks or warnings, availability of institutions to assist in remediation if needed, population density where the product or service may be used, and any other geographic factors that may exacerbate or ameliorate the risks of stakeholder harm.
These downstream salience exercises can be tricky, and present an array of challenges for companies and their boards. We address two of them here, by way of example: (1) selling to government customers and (2) selling to diverse consumer markets.
Government customers can be associated with a range of human rights impacts, only some of which may be reported, making an assessment of the specific “foreseeability” of any potential improper product use more difficult. Further, gaining insights into how a government intends to use a product may be more elusive than for a commercial customer, as governments may be less willing to provide information in response to questionnaires used for commercial buyers, or may be bound by internal rules that limit the meaningful information they can provide. In countries where the rule of law is applied inconsistently, government entities also may not feel compelled to provide information that is wholly accurate or that has been adequately vetted before it is provided. The legal and regulatory environments in those countries, and in particular the likelihood of judicial action to address misuse by government-affiliated entities, may not operate as effective constraints or provide appropriate remedies for affected stakeholders.
Addressing these challenges requires tailored strategies. For instance, to gain insights into the government’s intentions and potential information gaps, it may be appropriate to place a greater emphasis on public information sources, obtained through in-depth searches, as a predictor of future behaviors than on representations from the government-affiliated entity itself. Analyses that are specific to the government entity and product at issue are important to help create a more complete “foreseeability” assessment. Conversations with country-level experts about the government entity can also be highly informative, as a way of corroborating information provided beyond what might normally be done with commercial customers. Benchmarking the government’s rule of law reputation through use of public indices, such as the Fund for Peace Fragile State Index, the World Bank Governance Indicators (Rule of Law), or Freedom House’s Freedom in the World report, is another worthwhile step. It also is particularly important to document and retain whatever diligence is conducted, in case the company’s processes are later questioned.
A different set of challenges can arise when companies sell commercially available products or services to millions of customers spread around the world. For companies in this kind of market, it might be beneficial to seek advice from colleagues at major financial institutions, which invest between 2% and 8% of their annual revenues in know-your-customer (KYC) compliance programs. Gaining insights into effective strategies, and the best returns on investment for large-scale diligence tools, may be worthwhile.
Alternatively, lessons can be gleaned from the “other” side of the value chain, where the company may already have processes in place to deal with tens of thousands of suppliers. Companies commonly employ third party due diligence platforms to risk-rank engagements and transactions with suppliers, agents and other third parties based on publicly available information, including news stories, relationships, geographies, transaction size, and other factors. They may be able to leverage these supplier diligence platforms by connecting them to existing customer relationship management systems (CRMs), which typically manage relationships with customers and potential customers, along with a variety of relevant customer-related details. CRM systems can thereby be trained to automatically identify red flags and risk-rank transactions based on a variety of factors, just as supply chain due diligence systems do for upstream activities. Of course, responsible product usage programs are likely to be highly individualized, and companies may find there are limits to what the present technology can do to scale a solution to the expected EU rules, particularly if a company’s product usage challenges involve low frequency events for which no scalable solution has previously been developed. For example, in one recent case, a company had to build a custom analytics tool to combine data from its CRM system with other sources to address a very specific risk involving problematic sales to high-risk customers.
Image: I-OnAsia & Desilian problematic sales analytics workbench snapshot.
Get Ready for Change
Government customers and mass scale are just two of the many challenges that companies will face in conducting downstream salient risk analyses, consistent with the forthcoming EU Directive.
Teams helping boards and senior management assess downstream salient risks will be expected to consider cost implications, too. An effective downstream process may require significant fresh investments in customer due diligence, instituting more robust controls, and meaningful post-engagement monitoring. Investments may also be needed for enhancing contract terms, bolstering approval processes, obtaining certifications, performing audits and diligence refresh exercises, and other steps that we likely will address in a future post. Risk-mitigating changes in commercial practices, such as limiting the volume of products provided or shortening the duration of contracts, might also be considered. These steps may entail personnel costs, technology costs, and expert assistance costs. While there can also be significant cost savings associated with adverse impact avoidance, as material risks and salient risks overlap for most companies, boards and management should be prepared for the initial operational expense.
One key leadership challenge will likely quickly become whether this hard work and expense can be translated into a competitive advantage. Fortunately, there are plenty of case studies about companies who suffered existential losses after choosing to wait-and-see or take hide-your-head-from-the-risks approaches. Helping quantify the impact and value of loss-avoidance, in addition to explaining regulatory requirements, may be the first step toward guiding and motivating the company’s approach in this area.