Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems

Size: px

Start display at page:

Download "Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems"

Imogene Byrd
8 years ago
Views:

1 Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems Good afternoon. Before I ever heard about the subject of human rights impact assessments, I spent some years designing and running an enterprise risk management system for a large company. I d like to describe that process because it has links to this panel s topic. For us, Enterprise Risk Management was a relatively new process when it was introduced in 2001, and it took us a few years before to get comfortable with it. It was a top down, bottom up, collaborative annual assessment of all of the risks that kept us up at night as an organization. This wasn t a mathematical, computer driven exercise, designed to reduce all risks to a single dollar number. Rather, it was based on face- to- face conversations and workshops throughout the company. We looked at all major risks to the company s stakeholders, internal and external including shareholders, employees, customers, suppliers, communities, regulators, and the environment, among others. These included many impacts that are covered by human rights, such as the right to life and the right to be free from discrimination. We assessed ways to mitigate the impact and likelihood of each major risk, and assigned responsibility to specific people in the organization to implement them. 1

I d like to describe that process because it has links to this panel s topic.

2 So when I first heard about human rights impact assessments a few years ago, I thought that it could be integrated with an enterprise risk management system like ours. I still think so, because the key challenge is embedding human rights impact assessments into a company s DNA. That means ensuring that the process doesn t expire shortly after the departure of the executive who initially promotes it. The insertion of foreign systems into a company s bloodstream can generate antibodies that will attack it. So if a company already has an Enterprise Risk Management System and the best- run companies do a human rights impact assessment should be integrated into it. I will therefore focus one two interrelated features of a human rights impact assessment. The first is the lens through which a human rights impact assessment should be viewed. The second is how a company prioritizes results of the assessment in order to determine its response. Then I will show how enterprise risk management systems can accommodate these features. Starting first with the proper lens, it s clear that the assessment must include the rights holder as well as the company. The commentary to Guiding Principle 17 says that: 2

That means ensuring that the process doesn t expire shortly after the departure of the executive who initially promotes it.

3 Human rights due diligence can be included within broader enterprise risk management systems, provided that it goes beyond simply identifying and managing material risks to the company itself, to include risks to rights holders. GP 17, Commentary, par. 3., p16. Moving to prioritization, the Guiding Principles focus on the importance of a human rights risk s severity as the key factor in prioritizing company action. GP 24 provides that: Where it is necessary to prioritize actions to address human rights risks and impacts, business enterprises should first seek to prevent and mitigate those that are most severe or where delayed response would make the impact irremediable. By their very nature, the severity and irreparability of impacts on life and safety are self- evident. But there is no hard and fast definition. Are enterprise risk management systems up to the task of incorporating these features? I think the answer is yes. In his 2007 book entitled Organized Uncertainty, Michael Power traces the history of modern risk management to a trio of financial, environmental, and human rights crises in 1995 the Barings Bank collapse in Singapore, the proposed sinking of the Brent Spar oil storage facility in the North Sea, and the execution of Ken Saro Wiwa and others 3

Moving to prioritization, the Guiding Principles focus on the importance of a human rights risk s severity as the key factor in prioritizing company action.

4 protesting oil exploration and production in Nigeria. Enterprise Risk Management grew in stature and power in companies in response to the need for companies to address the impact of their business on external stakeholders. Historically, therefore, Enterprise Risk Management was never focused solely on the risk to company shareholders. From the start, it has included the perspectives of all of the company s important stakeholders, both internal and external. Cotemporary enterprise risk management principles have carried this view forward. ISO 31000, entitled Risk Management Principles and Guidelines is the global risk management standard adopted by the International Standards Organization in It was created through the same international consultative process that led to the development of ISO in 2010 that s the international standard organization s Guidance on Social Responsibility, which contains a chapter on human rights due diligence inspired by the Protect, Respect, and Remedy Framework. ISO provides a solid ground in which to anchor a human rights impact assessment. It provides that companies should understand both the internal and external context in which they must manage risk, including the company s relationships with, and perceptions and values of, external stakeholders. 4

Historically, therefore, Enterprise Risk Management was never focused solely on the risk to company shareholders.

5 It provides that risk management is inherently dynamic, iterative, and responsive to change. It provides that in making risk decisions, companies should appreciate the tolerance of the risks borne by parties other than the organization that benefits from the risk. And it provides that in assessing its risks, the company should take into account social responsibility and the protection of the natural environment as well as legal and regulatory requirements. As you can see, an ongoing and dynamic human rights impact assessment that looks at impacts from the perspective of the rights holder is well within the scope of ISO Now let s turn to the prioritization of potential impacts based on severity. This is how the company determines what human rights impacts to focus on first. You might ask, what happened to likelihood? Aren t risks always a combination of impact plus likelihood? We looked at likelihood, too. Severity and likelihood are typically linked, but there are circumstances and human rights impacts are one of them in which likelihood must take a back seat to severity in determining the priority of a company s response. The reason is something called risk tolerance which is a concept that most risk managers understand. Take the old Ford Pinto case as an 5

And it provides that in assessing its risks, the company should take into account social responsibility and the protection of the natural environment as well as legal and regulatory requirements.

6 example. A company s shareholders may be able to tolerate the economic consequences of a wrongful death suit from a poorly designed gas tank that explodes in a collision. But from the perspective of the driver and her children in the car, the consequences are intolerable. And this is the perspective from which a human rights impact must be assessed. This is not as much of a conceptual hurdle for companies that recognize that the perspective of external stakeholders must be factored into their risk assessments. As I said earlier, ISO asks companies to appreciate the tolerance of risks by those external stakeholders who must bear the risk, knowingly or unknowingly. One company can agree with another company about who should bear the risks of a transaction, or they can buy insurance, in order to achieve a risk tolerance level that is comfortable. But these options are not available to those whose human rights are infringed upon by business conduct. Moreover, they may not even know that they are assuming a risk The importance of severity in prioritizing company response to human rights impacts is highlighted by a trio of recent corporate disasters the global financial liquidity crisis in 2008; the Macondo well blowout in the Gulf of Mexico in 2010; and the Fukushima nuclear power plant accident in Each had severe human rights impacts. Each was thought virtually impossible the year before they happened. 6

This is not as much of a conceptual hurdle for companies that recognize that the perspective of external stakeholders must be factored into their risk assessments.

7 Yet few are saying that the seemingly low likelihood of these disasters justified taking less than the most robust and rigorous steps to prevent them from occurring. It simply makes sense from the perspective of all stakeholders internal and external to prevent these severe impacts from happening. In conclusion, the hallmark features of a human rights impact assessment viewing impacts through the lens of the rights holder, and prioritizing company actions based on the severity of potential impacts are not at all foreign to modern enterprise risk management. Instead, they are well accepted. Thank you. 7

In conclusion, the hallmark features of a human rights impact assessment viewing impacts through the lens of the rights holder, and prioritizing company

So, What Exactly is Risk Management?

So, What Exactly is Risk Management? By Paul Wielgus, Managing Director, GDS Associates, Inc. Buyers, sellers, and others in the energy business need to understand the risks in this very uncertain environment