International Regulatory Enforcement (PHIRE)
The Integration of Business and Human Rights into International Regulatory Compliance: Reporting and Remediation
Late last year, we began a series of posts focusing on leveraging anti-corruption compliance programs to encompass business and human rights risks and ESG risks more generally, whether by creating human rights/ESG management systems or integrating human rights/ESG into existing compliance programs. We listed six central components of human rights/ESG compliance programs, which are present in effective international regulatory compliance programs and can drive implementation of the UN Guiding Principles on Business and Human Rights (“UNGPs”). We indicated that we would provide posts concentrating on each individual element and talk about how its presence in anti-corruption and other compliance programs can be leveraged to address human rights/ESG.
This is the fifth post in our series, focusing on Reporting and Remediation (after posts on Due Diligence, Governance, Policies and Procedures, and Training). Pillar III of the UNGPs is devoted to access to remedy and grievance mechanisms and is a critical element of the corporate responsibility to respect human rights. There are also substantial similarities and key differences with other international regulatory and compliance programs, providing important points of leverage but also critical distinctions that a human rights/ESG program should contemplate.
Anti-Corruption Hotlines and Remediation
Fundamental to any anti-corruption or other international regulatory compliance program are pathways that allow employees and other third parties to raise concerns about potential legal and policy issues directly to the organization. In fact, Section 301 of the Sarbanes-Oxley Act of 2002 mandates that U.S. public companies maintain processes for individuals and employees to report concerns, stating that board audit committees “shall establish procedures” for receiving and addressing complaints “regarding accounting, internal controls or auditing matters” … and “the confidential, anonymous submission by employees … of concerns regarding questionable accounting or auditing matters.” 15 U.S. Code § 78j–1(m)(4). The EU has adopted a similar approach, as Directive 2019/1937 (Art. 8) mandates that by the end of this year, Member States adopt laws that “ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up.” The concept of a confidential hotline for reporting concerns also appears in Chapter 8 of the U.S. Federal Sentencing Guidelines, the foundation for modern compliance programs. That section states that companies should “have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.” §8B2.1(b)(5). The EU Directive also specifies protections for whistleblowers and the importance of non-retaliation among internal reporting mechanisms, and discusses confidential reporting approaches. Directive, Art. 9, 19.
The U.S. Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) provide further details regarding approaches to hotline and ethics reporting. As DOJ explains in its Evaluation of Corporate Compliance Programs (“ECCP”), a “hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct.” ECCP, at 6-7. Among the salient questions DOJ advises its prosecutors to ask are whether the reporting mechanism is anonymous, whether it has been used, how it is “publicized to the company’s employees and other third parties,” and whether the company assesses whether employees are comfortable using the mechanism. See DOJ and SEC FCPA Resource Guide at 66 (2020); UK’s Bribery Act Guidance (“Bribery Act Guidance”) and Evaluating a Compliance Programme; and Agence Française Anticorruption’s Guidelines (“French Guidelines”). As these authorities and others make clear, compliance programs should have systems of reporting that are publicized and transparent, trusted, actually used in practice, and available to employees and other third parties.
Of course, merely receiving concerns about legal and policy violations is not enough. These authorities make clear that companies must investigate concerns in good faith and in a manner that is reliable and predictable, and then remediate program weaknesses where they find them. For instance, DOJ and SEC explain in the FCPA Resource Guide that “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken. Companies will want to consider taking ‘lessons learned’ from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program.” FCPA Resource Guide, at 66. DOJ further emphasizes the importance of independent and objective investigations, investigative “timing metrics to ensure responsiveness,” and collecting, tracking, analyzing and using information from reporting mechanisms to identify patterns. ECCP, at 7. It also focuses on the importance of properly scoped investigations by qualified personnel, monitoring the outcome of investigations and ensuring accountability for responses, and identifying and remediating the root causes of misconduct, including discipline and “the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.” Justice Manual, 9-47.120(3)(c). Thus, in addition to reporting mechanisms, fundamental aspects of an effective compliance program include: appropriate review of concerns, identification of root causes and lessons learned, remediation of program weaknesses to avoid repetition, and appropriate disciplinary measures.
Grievance Mechanisms, Remediation and Remedy
Similarities with Anti-Corruption and Other Compliance Programs
Several of these elements are highly similar to key human rights/ESG reporting mechanisms and remediation approaches, and indeed allow for key points of leverage. The last section of the UNGPs, the “Third Pillar,” is titled “Access to Remedy” and consists of seven principles (UNGPs 25-31) that identify the concept of human rights “grievances” and how they are addressed. It covers reporting concerns through “operational-level grievance mechanisms,” defined as “a formalized means through which individuals or groups can raise concerns about the impact an enterprise has on them” – The Corporate Responsibility to Respect Human Rights, An Interpretive Guide, at 68 – as well as the remediation of impacts and remedies to individuals. UNGP 31 also includes eight criteria governing the effectiveness of company grievance mechanisms and remedy more generally, stating that grievance mechanisms should be:
(a) Legitimate: enabling trust from the stakeholder groups for whose use they are intended, and being accountable for the fair conduct of grievance processes;
(b) Accessible: being known to all stakeholder groups for whose use they are intended, and providing adequate assistance for those who may face particular barriers to access;
(c) Predictable: providing a clear and known procedure with an indicative timeframe for each stage, and clarity on the types of process and outcome available and means of monitoring implementation;
(d) Equitable: seeking to ensure that aggrieved parties have reasonable access to sources of information, advice and expertise necessary to engage in a grievance process on fair, informed and respectful terms;
(e) Transparent: keeping parties to a grievance informed about its progress, and providing sufficient information about the mechanism’s performance to build confidence in its effectiveness and meet any public interest at stake;
(f) Rights-compatible: ensuring that outcomes and remedies accord with internationally recognized human rights;
(g) A source of continuous learning: drawing on relevant measures to identify lessons for improving the mechanism and future grievances and harms … ; [and]
(h) Based on engagement and dialogue: consulting the stakeholder groups for whose use they are intended on their design and performance, and focusing on dialogue as the means to address and resolve grievances.
Many of these criteria -- stemming from a desire to encourage stakeholders to raise concerns -- are equally applicable for anti-corruption reporting mechanisms. For both anti-corruption and human rights/ESG programs, reporting mechanisms should be:
- Trusted by stakeholders. Hotlines and grievance mechanisms should have fair and objective processes for considering concerns. They should actively promote reporting a variety of issues, encourage stakeholders to seek clarification on company processes and activities, and not just report perceived problems. They also should take active steps to prevent retaliation for reporting concerns, including a policy prohibiting retaliation, steps to ensure the safety and security of individuals who access the mechanism, and monitoring and assessing whether retaliation or retribution may have occurred. Well-run reporting platforms also take steps to include elements of accountability, preventing parties to a concern or grievance from interfering with its fair conduct. In addition, individuals reviewing and processing concerns should have an appropriate basis of knowledge and expertise, particularly around local cultural nuances. Periodic engagement with stakeholders – whether through employee surveys or meetings with external stakeholders – about the reporting mechanisms can offer important perspectives about their perceived fairness and ability to deliver effective remedy, build trust, and lead to improvements.
- Transparent. Hotlines and grievance mechanisms should be well-publicized and accessible to stakeholders who wish to use them. They should be transmitted through different mediums where they are most likely to be received and written in plain language most likely to be understood. For grievance mechanisms, publication among workforces, throughout local communities, and among third party stakeholders who may be impacted by company operations is particularly imperative. It is also prudent for companies to offer multiple pathways of reporting, including drop boxes, anonymous telephone numbers and email addresses, and means of reporting after working hours (if not 24 hours), affording individuals different options for raising issues in a manner most amenable to them. Publicizing the results of assessments, and including metrics reflecting the number and demography of grievances raised along with the ranges of outcomes, also can help build confidence in the mechanisms (although it is always prudent to subject these publications to legal review, to avoid creating unnecessary and unintended legal risks). Further, for grievance mechanisms, being transparent about alternative pathways to raise concerns outside of company processes is often worth considering.
- Guided by open processes and timeframes. The processes for considering concerns should be clear, transparent and auditable. There should be indicative timeframes for the consideration of concerns that are followed and tracked. Adequate resourcing, permitting adherence to those indicative timeframes, also is important. Once concerns have been reported, keeping affected individuals apprised of the progress and timing also may be appropriate. Hotlines and grievance mechanisms also should identify a predictable range of outcomes when concerns are raised, which should be tracked and assessed to ensure alignment.
- A basis for learning. The mechanism should be designed to allow for a continuing capture of information, sufficient to identify patterns and trends, as to the nature of the concerns raised and the outcomes reached. Those patterns and trends should be reviewed regularly to enhance the program, remediate potential weaknesses, and prevent recurrence through stronger policies and procedures, increased oversight, tailored training, and other steps. The information gathered also should allow for measurement against other key performance indicators (KPIs), which in turn should be made transparent.
Indeed, companies often utilize existing reporting mechanisms – such as hotlines, email drop boxes, periodic certifications, and outreach to legal or compliance personnel – to raise both anti-corruption and human rights/ESG concerns. Further, as with anti-corruption reporting mechanisms, in evaluating and investigating concerns that are raised, human rights/ESG mechanisms also should have sufficient independence to “avoid any conflicts of interest.” Interpretive Guide, at 71 and 72. That has led many companies to conduct investigations through separate investigative units, corporate legal, compliance or audit groups, or external resources.
Differences from Anti-Corruption Compliance Programs
While there are certain similarities and points of advantage between anti-corruption reporting mechanisms and operational-level grievance mechanisms, several areas are distinct, reflecting additional and more ambitious goals associated with human rights/ESG reporting. In general, anti-corruption hotlines are designed to encourage reports related to company legal and policy violations. While legal and policy violations are contemplated by grievance mechanisms, the UNGPs specifically discuss remedy for affected individuals that “accord with internationally recognized human rights.” UNGP 31(f). The object of providing such remedy is to restore affected individuals to their pre-harm state – e.g., to “counteract or make good any human rights harms that have occurred.” UNGP 25, Commentary. The UNGPs note that remedy can take many different forms, including “apologies, restitution, rehabilitation, financial or non-financial compensation.” To be clear, no similar victim remedy concept is identified by regulators in the anti-corruption space regarding compliance programs (although the U.S. Mandatory Victims Restitution Act (18 U.S.C. §3663A) does require that those convicted of certain federal crimes, such as the FCPA, make payments to victims as part of their sentences).
In addition, regarding the design of the reporting systems themselves, the UNGPs advise that companies engage with affected stakeholders about mechanism “design and performance” to “help to ensure that it meets their needs, that they will use it in practice, and that there is a shared interest in ensuring its success.” UNGP 31(h) and Commentary. While anti-corruption guidance contemplates assessing awareness of and comfort levels in hotlines, it does not consider collaborative and participatory approaches to reporting mechanism design or performance. In that sense, a grievance mechanism is more active – it is not just an internal administrative process for handling concerns, waiting for problems to arise in a passive sense. Rather, it aims to facilitate the identification of grievances and address them as early as possible by ensuring it is known to, and trusted by, those stakeholders for whom it is intended. Interpretive Guide, at 65. In fact, the UNGPs contemplate grievance mechanisms as a tool to avoid human rights problems, as they are intended to help reduce tensions early, “preventing harms from compounding and grievances from escalating” into disputes that can lead to negative impacts. UNGP 29, Commentary.
Finally, whereas regulator guidance for anti-corruption programs focuses on reporting concerns internally, because the UNGPs are concerned with a right to effective remedy more generally, they contemplate grievance mechanisms as part of a larger ecosystem. These include state-based judicial and non-judicial approaches, collaboration between businesses and “relevant stakeholders,” and mechanisms administered through an “external expert or body” and multi-stakeholder and other collaborative initiatives. UNGP 29, Commentary; UNGP 30. While anti-corruption concerns certainly can be and often are reported to regulators, internal hotlines generally are not treated as part of a larger network of reporting systems designed to encourage affected individuals to come forward so that a remedial right is recognized.
As with other areas of human rights programs, certain aspects and learnings from ethics and compliance hotlines for anti-corruption and other international regulatory programs can be leveraged for human rights/ESG grievance mechanisms. That is particularly true around processes for encouraging potentially affected stakeholders to report concerns. However, perhaps more than most other areas in human rights/ESG programs, there are certain fundamental distinctions, and ultimately companies are wise to consider developing separate pathways for human rights/ESG grievances in collaboration with key stakeholders, and processes to address remedy.