The importance of non-financial due diligence (it’s more interesting than it sounds)
We should no longer wait for people to fall off ladders – or to be killed in factory fires – before setting clear codes of behaviour, including steps to prevent the bad thing happening in the first place. Any business that does not take such steps might be found to be negligent or reckless – a criminal offence in some cases. So it is with all other business and human rights issues. Whether we support internationally binding treaties to hold businesses to account, or market-based incentives, or a mix of the two – the due diligence question is central to any discussions on accountability.
This commentary is based on a conference I co-moderated in Copenhagen on 25 November with over 100 representatives from government, business, civil society and trade unions. I am grateful to the Mediation and Complaints-Handling Institution for Responsible Business Conduct (the Danish “National Contact Point”) for permission to reproduce parts of my report here. The full report is available on their website.
Non-financial due diligence is now a critical element of the major international mechanisms developed by governments to provide greater incentives and requirements for business to act responsibly. The 2011 United Nations Guiding Principles on Business and Human Rights (UNGPs) define such due diligence as:
“An on-going risk management process that a reasonable and prudent company needs to follow in order to identify, prevent, mitigate and account for how it addresses its adverse human rights impacts. It includes four key steps: assessing actual and potential human rights impacts; integrating and acting on the findings; tracking responses; and communicating about how impacts are addressed.”
The OECD takes a similar approach but spans issues beyond human rights alone. In relation to supply chains, the OECD defines due diligence as:
“A comprehensive, proactive process to identify the actual and potential negative social, environmental and economic impacts of an organization’s decisions and activities, with the aim of avoiding and mitigating those impacts.”
So, it is clear that non-financial due diligence is, firstly, about understanding various types of risk and potential adverse impacts and then, secondly, developing systems of prevention and mitigation to eliminate or reduce them to acceptable levels. In addition, due diligence is also related to remedy. The ‘National Contact Point’ (NCP) system of the OECD is one of the state-based non-legal remedies that attempts to mediate grievances concerning international companies, and due diligence is a central aspect in many of these cases.
Due diligence is fundamental in two ways:
- First, when harm has occurred, it needs to be established whether the business had undertaken adequate due diligence in light of the context and the salient non-financial issues it was facing.
- Second, even if a harm has not occurred, is the business undertaking adequate due diligence when there is a real risk of a harm occurring?
Although most human rights issues, for example, have yet to be codified in the way health and safety law has, the principle is the same: those responsible should not wait for the harm to occur if a business is behaving without due care and attention. The UN Guiding Principles on Business and Human Rights, upon which the revised 2011 OECD Guidelines on Multinational Enterprises are in part based, call this “knowing and showing”. And so the critical questions are: “How much knowledge is enough?” and “How transparent should a business be about having such knowledge?”
Although due diligence is not a new concept (financial due diligence has existed for generations, and anti-bribery measures have developed over the past generation), its application to social issues (i.e. human rights) is relatively new and also requires a fresh approach. National Contact Points sit at the fulcrum of a fine balance: to ignore the non-financial due diligence undertaken by companies that still make mistakes is to leave little incentive to undertake the due diligence in the first place; but, on the other hand, to overly reward a business for its due diligence when a harm has occurred is to undermine accountability. Getting this balance right – setting an expectation for ‘reasonable’ due diligence – is precisely where many NCPs find themselves today.
It is therefore not surprising that due diligence is the fastest growing area of OECD NCP cases. Whilst only a minority of cases get beyond the initial assessment phase overall, due diligence related cases are more successfully resolved than others. There are also a number of trends showing that a wide range of business relationships, well beyond direct investments, are now being presented to NCPs for consideration: from supply chain to financing to other types of specialist services.
2. Background to the OECD Guidelines and the NCP system
The OECD Guidelines on Responsible Business Conduct are the most comprehensive, government-backed, international corporate responsibility instrument. They place a legal obligation on the 46 adhering Governments (34 OECD member states, and 12 non-OECD states) to:
- Promote the use of the Guidelines as an essential component of open trade and investment policies;
- Establish National Contact Points to further the effectiveness of the Guidelines.
The revised Guidelines themselves cover a broad range of corporate responsibility issues, namely: Disclosure; Human Rights; Employment and Industrial Relations; Environment; Bribery, Bribe Solicitations, Extortion; Consumer interests; Science and Technology; Competition and Taxation. Since 2001, 256 complaints have been filed by NGOs and individuals, and a further 175 have been filed by Trade Unions. Of the NGO cases, due diligence has figured highly in a significant percentage: 65 cases have been due diligence specific, 124 have related to business relationships (71% of which have related to due diligence) and 186 have related to human rights (of which 98% have related, at least in part, to due diligence).
The new version of the Guidelines was adopted by the 2011 OECD Ministerial Council Meeting and the then US Secretary of State, Ms. Hillary Clinton, remarked:
“If you look at these guidelines, they will be helping us determine how supply chains can be changed so that it can begin to prevent and eliminate abuses and violence. We’re going to look at new strategies that will seek to make our case to companies that due diligence, while not always easy, is absolutely essential.”
In the case of Supply Chain Due Diligence, the OECD has developed a five-step approach for how businesses should conduct due diligence:
Step 1 – Establish strong management systems: Policy, internal capacity, supplier engagement, internal controls over supply chain
Step 2 – Identify, assess and prioritise risks in the enterprise supply chain: map supply chain, prioritize based on severity of harm (sector, counterparty, and site for high-risk issues), use existing networks
Step 3 – Manage risks in the supply chain: inform senior management, fix internal systems, build leverage, use existing supply chain networks, workers reps, non-traditional partnerships, build capacity
Step 4 – Verify supply chain due diligence: where relevant, monitor, audit assurance, etc.
Step 5 – Communicate and report on supply chain due diligence: with due regard for commercial confidentiality and competitive concerns.
A number of observations can be made about how due diligence should be understood in relation to these Steps:
- First, the nature and extent of due diligence depends on the size, context and severity of the impact. This is highly context specific but, having said this, there need to be comparatives – so NCPs need to look for benchmarks for what could reasonably be expected of a company in such a context in due diligence terms. Sometimes law itself codifies the due diligence requirement, other times it might be multi-stakeholder approaches, guidance published by authoritative bodies (such as the EU, OECD or UN), other NCP cases, export credit requirements and so on. Obviously, the due diligence expectation is heightened in countries of particular human rights concern, or where the business sector itself is hazardous. Whilst the due diligence expectation on small companies might be less generally, this will not always be the case. For example, the law does not exempt small companies from prohibitions on racist or sexist recruitment practices, and so it is with fundamental health, safety and discrimination issues. It is also the case that small companies in some business sectors can have a very high human rights impact (such as internet applications that impinge on the right to privacy or freedom of expression, or private security firms, for example).
- Second, prioritizing of risks by business is acceptable and in fact essential, as due diligence costs time and money – but the prioritization must be based on the risks to rights-holders and not to the business itself. In the UNGPs, this is what is meant by “saliency” – the issues that are most relevant to the potential risks and negative impacts faced by rights-holders. This is a human-centric approach, which might be different from classic materiality tests required by existing national law. Whilst no issue or human right should be dismissed a priori, business can focus in on salient issues for most of their due diligence. What is important is that rights-holders and other stakeholders are involved in the verification of what these salient issues are, and that the process is reviewed periodically, as the nature of a business, or its external operating environment, is subject to change.
- Third, there is no ‘zero tolerance’ requirement – it is about working with suppliers, and other business partners, in order to best prevent and mitigate risks. If a supplier, customer, contractor or other business partner is found to be impacting negatively on human rights, or operating below reasonable due diligence standards itself, then the company in question should engage in remedial activities – the scale and urgency of which are determined by the risks posed by the other business. Businesses should never be in a position where they are causing or contributing to the abuse of human rights, or impacting negatively on other requirements of the OECD Guidelines.
- Fourth, it is not just ‘one layer deep’ – depending on the severity of the impact, due diligence might need to extend multiple steps down a supply chain. Just as the size of the company is in itself no exemption from due diligence, nor is the position of a supplier within a complex supply chain. Companies might expect first tier suppliers to take full responsibility for the second tier and so on, but in reality it is about the severity of the impacts themselves and the nature of the relationship along the value chain. For example, it might be, for commodities with extremely high human rights impact, that it does not matter if the brand at the end of the chain is ten or twelve steps removed – it is still expected to prevent and mitigate the risk.
- Finally, business must use its own leverage and build additional leverage by working with others wherever possible, including with competitors. The greater part of non-financial due diligence should be a “pre-competitive” issue as leverage is greater when industries come together, sometimes also with other stakeholders, to act. Companies are required to “know and show” and therefore some level of transparency is necessary – whether this be full public disclosure, or sometimes sharing within multi-stakeholder contexts in ways that are clearly not violating anti-trust requirements.
3. Some of the challenges
One business reflection was that human rights language can be too abstract and the use of the term ‘due diligence’ can also be ambiguous. It is often not tangible enough for the business manager not educated in human rights, and therefore mapping human rights onto management language was seen to be essential. One example is the language of risks. Many in business will assume that “risk” means “enterprise risk” and not “the human risk to individual people”. It is also not always useful to frame human rights risks as reputational risks – as sometimes they are not, or the reputational risk is too small to maintain the attention of senior business managers. Another perspective was that there is now serious legal risk for those businesses failing to undertake due diligence on issues relating to human trafficking or forced labour, for example, and the withdrawal of ‘social licence’ by communities or customers can hit the bottom line of many major companies.
It is clear from the discussion that non-financial due diligence, particularly that not codified in law, can be hard to quantify in a company. It is hard to put a value on prevention, on the value added of measures that ensure that something does not happen. The cost to a company due to industrial action, or a community blocking access roads to a mine for example, can be calculated, but it is much harder to set against this the value of mitigations that have reduced the likelihood of negative impacts on rights holders. This suggests that a “cost-driven” business case for non-financial due diligence can be the wrong way to look at it, as it will almost always be impossible to measure the effectiveness of due diligence in such a way. Due diligence might be an issue of legal compliance, or of compliance with internal codes, but the business case beyond this is better set in “social licence” terms – that it maintains long-term relationships between a company’s activity and the society in which it operates. In other words, the business case for non-financial due diligence needs to be made in societal terms – the loss of trust and legitimacy that will result if it is not employed, as well as the reputational and legal consequences of acting in a reckless or irresponsible manner.
Several at the event reflected that the full array of incentives needed for the level playing field are not yet in place, and that some companies will continue to ignore requirements that are not legally binding. Due diligence regulation is emerging in relation to particular issues (such as corruption, conflict minerals, human trafficking or high risk countries) but NCPs themselves should operate as if the knowledge requirement is clear and well stated. In other words, the threshold for “known” and “should have known” should be regarded as being equal. Wilful ignorance should never be a defence when it comes to not carrying out adequate levels of due diligence.
4. Lessons learned
NCPs seem to have a relatively high number of cases on due diligence for what is a relatively new issue. This is particularly complex in relation to supply chain management and contractual partners. One of the main problems is to identify and get closer to an understanding of when a company is directly linked to what goes on in its supply chain. Given the company needs to focus on the scale of the abuse, and its relationship to it, sometimes it means attempting to manage issues that are twelve layers down the supply chain.
A key reason for the rejection of many cases by NCPs is insufficient documentation to demonstrate the direct linkage to the company. However, paperwork should not become the standard here – cases should focus less on whether the company had the knowledge or not and more on whether the company should have had it within that specific (high risk) context. Then it is up to the company to demonstrate whether or not its own due diligence procedures were adequate for the challenges its affected stakeholders faced.
There are a number of external benchmarks that NCPs can use when assessing whether a company had done enough due diligence:
- The law. Direct legal liability is beyond the jurisdiction of NCPs, but other laws – particularly those that mandate disclosure – increasingly incentivise due diligence. Sometimes governments have issued specific due diligence guidance relating to this legislation that represents a clear benchmark.
- Other due diligence requirements from government. Increasingly Export Credit Agencies (ECAs) are employing non-financial due diligence which might well inform similar contexts to the company in question, or possibly the company itself has already undergone due diligence by an ECA. Similarly, a number of governments are developing their own due diligence requirements for public procurement which might well be relevant (sometimes this relates to specific issues such as human trafficking or forced labour).
- Multi-stakeholder initiatives and approaches can also set pre-competitive due diligence requirements that represent a relevant benchmark for NCPs to refer to, even if the company in question is not a member. The Bangladesh Accord, below, is an example of this.
- Publicly available specific due diligence guidance developed by authoritative international bodies might be relevant, such as that produced by the OECD (e.g. Textiles, Finance, Conflict Minerals), European Union (e.g. ICT, Oil and Gas, Recruitment Agencies), and national governments (e.g. the UK government’s guidance on Cyber Security companies), National Human Rights Institutions or Multi-government-backed regional centres (e.g. the Sector-Wide Impact Assessments in Myanmar on Oil and Gas, Tourism and ICT).
The OECD Guidelines and UNGPs have become the building blocks for much international thinking on responsible business conduct through other bodies such as the EU, ISO, ILO, G7 and now even a number of global sports federations. But the whole “Protect, Respect, Remedy” project of recent years will only be successful if “knowing and showing” becomes commonplace; in other words, if expectations of knowledge of non-financial risks and impacts become clearer and not knowing ceases to be a defence (the gap between “known” and “should have known” disappears). This is a fundamental shift from the thinking of many corporate lawyers for decades, when it has been assumed that knowledge over non-financial risks, particularly those that sit outside the direct control of the company, is not in the interest of senior managers. Over the past five years, governments have started to send the opposite message – that they expect businesses to actively seek such knowledge and act on it.
Therefore, more work on non-financial due diligence is essential, and NCPs have a significant role to play – not least because their statements do not just set retrospective expectations on individual companies, but begin to set expectations for other companies in similar contexts.
The question: “how much due diligence is required?” can only be fully answered in relation to the specific context of the specific business relationship or investment. NCPs and other decision-makers will be looking to benchmarks from other similar contexts. Given that there are an increasing number of publicly available resources from credible sources (i.e. from government-backed organizations with multi-stakeholder involvement) relating to specific high-risk markets, products/services or high-impact issues, these need to be mapped and fully available to all NCPs. So the answer to the due diligence question will always be different for each company in each context, but comparisons will be made between contexts also. Non-financial due diligence is becoming a pre-competitive issue for all businesses and there is now a business case to sit down with governments, competitors and other stakeholders to agree what adequate due diligence looks like before complaints arise.