Authors:
Tara Skadegaard Thorsen, Oliver Norman, Emma Blomström, Alessia Boni, Sune Skadegaard Thorsen

We often encounter statements like this from our colleagues or NGOs: “The objective of value chain mapping is very practical — to take action on the most severe human rights risks a company is involved with.” This paper questions the need for, the sensibility of, and not least the challenges to the often-proposed activity of mapping the value chains.

Mapping the value chain does not prevent human rights impacts.

According to late Prof. John Ruggie, when he presented the United Nations Guiding Principles on Business and Human Rights (UNGPs), the intention with the management standard was to move the business and human rights agenda from ‘naming and shaming’ to ‘knowing and showing’. The latter never meant ‘know your business relationships and disclose their names and addresses’. There is plenty evidence that knowing of a business, does not mean knowing how a business manages its risks of adverse impacts on human rights. The news continues to be full of stories of severe impacts involving well-known businesses.

‘Knowing and showing’ refers to human rights due diligence, whereby companies get to know their risks of impacts and to show how they manage such risks. This is what companies, in the name of responsible business conduct, shall require from their business relationships: That they know their human rights risks, and can show us, and any other business relationship, how they manage them. When business relationships disclose risks of severe human rights impacts to us, we can escalate information on this risk and its management to our business relationships. This can be considered transparency in value chains. Not to be conflated with transparent value chains.

Challenges with the proposition of mapping value chains

Unfortunately, many businesses are of the belief that it is a ‘must’ to map the value chain to meet the requirements from the United Nations Guiding Principles on Business and Human Rights (UNGPs). It should be emphasized that this is NOT the case. Indeed, we would advise our clients not to start such never-ending, time consuming, and highly intrusive undertaking. It is not pragmatic. ‘Principled pragmatism’ is the hallmark of the UNGPs, as often highlighted by late Prof. John Ruggie, the author of the UNGPs.

Imagine that all companies in the world started mapping their value chains. It would become a gigantic undertaking. Every company would have to confront its suppliers and customers and ask for the identity of their suppliers and customers.

Are SMEs at risk?

Already at this stage problems arise. Many businesses are completely dependent on their unique relationships with their suppliers and customers and would categorise such information as business confidential. Indeed, many large businesses invest in their value chains as part of their corporate strategy to increase profit margins. Should all the SMEs in the value chains now become prey for their large customers or indeed competitors in the name of Responsible Business Conduct?

Such development would become detrimental to the survival of SMEs in any market; hence, detrimental to sustainable economic development. It would hit emerging economies, that rely on the development of the SMEs sector, particularly hard.

Are NDAs a solution?

We have encountered die-hard “value chain disclosurists” that would argue to use ‘non-disclosure agreements’ (NDAs), when a business relationship finds the request too intrusive. Attorneys would welcome such an amazing income stream; negotiating NDAs regarding business sensitive information is very costly. Imagine that all companies towards all their business relationships at any time would need this service. Not only the largest companies that can invest in their value chains would profit greatly from ‘value chain mapping’; lawyers would too. Add to this perspective that lawyers often experience that their clients find that breaching the NDAs is less costly than the profits to be gained.

Merely second tier – what about the remaining tiers?

And mind you; we are at this point merely moving from tier one to tier two business relationships. Many products have several tiers before they end up at the consumer. Additional challenges to the above appear the further you move across the chains. No contractual relationships, huge queues of requests from other parts of the value chain, overworked lawyers, to mention a few.

Intentions are good – but is the tool adequate?

We are empathetic to the intentions behind the push for transparent value chains. Most businesses would like to know, if they are linked to known severe impacts through their value chains, to act on such impacts. They may assume that such information can be attained by demanding disclosure of business entities throughout the value chain. However, mapping their value chains will not deliver on the wished outcome. Knowing your full value chain does not mean knowing all risks that you are linked to.

What is the intention of the UNGPs?

But what could the intention of the UNGPs be? They make it explicit that companies are responsible, not liable, for adverse impacts in their full value chain. However, foundational principle 13 clearly indicates that the responsibility consists of two management streams: (a) where the company may cause or contribute to adverse impacts on human rights, it shall act to prevent or mitigate such impacts, and (b) where the company is merely linked to adverse impacts through its business relationships, it shall seek to prevent or mitigate the impacts.

UNGPs foundational principle 13 (a)

Litra (a) is relatively straight forward, although not easy to meet. The regular operational-level impact assessments that the company undertakes as part of its own due diligence will reveal the risks for that concrete part of the company; it is advised to go by geographic locations considering that risk patterns differ from one location to the next.

The company needs to outline what it does to prevent or mitigate and how it measures effectiveness of its actions. According to the UNGPs the company, at a minimum, shall be able to disclose this assessment to persons, who may experience impacts, and to its business relationships. This requirement is the core of transparency in the UNGPs.

All businesses should be able to disclose to all its business relationships:

1. Risks of and actual impacts identified
2. Who are the potentially or actually impacted stakeholders?
3. Actions to prevent or mitigate
4. How impacted stakeholders are engaged
5. Indicators to measure effectiveness
6. Who is responsible for carrying through the actions, and
7. Resources set aside

all as outlined by the UNGPs.

It should be noted that the exemption clause in principle 24, where companies can prioritise actions to prevent or mitigate to address the most severe impacts, rarely applies for this part of the company’s due diligence activity. We have not yet conducted a human rights impact assessment for a company where the company had to refrain from acting on identified impacts due to resource restraints.

UNGPs foundational principle 13 (b)

A different reality meets a company when it must establish its due diligence system in business relationships, confer UNGPs foundational principle 13 (b). The company can rest assured that any of its business relationships would identify risks of adverse impacts on at least 15 of the 48 human rights from the International Bill Human Rights. Deciding where to direct the company’s resources to meet the requirement to “seek to prevent or mitigate adverse human rights impacts” will require the company to prioritise its activities as outlined in principle 24.

Applying the UNGPs in business relationships

In 2013 GLOBAL CSR had the opportunity to outline how the UNGPs could be applied as part of ‘responsible supply chain management’ in a report prepared for the Danish Ministry of Industry, Business and Financial Affairs and Danish Shipowners, the industry association. Prof. John Ruggie graciously reviewed the draft report and added valuable insights to the proposed application of the UNGPs to this activity. At that time responsible supply chain management had enjoyed major focus from many companies around the world already since the mid-nineties. Very briefly the globally unanimously endorsed minimum standard for responsible conduct, the UNGPs, require that all companies:

1. Require from their corporate relationships, that they meet the minimum standard (Policy Commitment, Due Diligence, Access to Remedy).
2. Engage with known severe impacts anywhere in the value chain, where necessary.
   1. Engagement with potential severe impacts will be relatively rare insofar that the company’s businessrelationships are required to implement the UNGPs and hence officially communicate, how they address risks of severe impacts. Where a company is – or should be – aware of certain risks of severe impacts, e.g. the risk of buying conflict minerals; the risk of forced labour, child labour or other rights in a certain country at a certain time (as was the case with: cotton from Uzbekistan; poor construction of buildings in Bangladesh; exploitative child labour in the cocoa industry; palm oil industry; coal mining in Colombia; privacy and political affairs for SoMe platforms, etc.) the company should raise the need for increased due diligence in relation to such impacts in the relevant parts of the value chain.
   2. Engagement with actual severe impacts in the value chains may require more resources. A company may face criticism for such impacts that suddenly arise even though the company has required due diligence to take place, and therefore should expect that this requirement has moved down or up the chain to cover all business entities in the chain. Such impacts would clearly indicate that the chain has broken. The causing entity has obviously failed to prevent or mitigate the impact. According to the UNGPs, and here in particular the response that Prof. John Ruggie forwarded to the OECD, outlining what to do in these situations, engagement will be in the form of using the company’s leverage over the causing entity. This is done to make the entity stop the impact, and make sure it does not re-occur, i.e., that the entity in question will conduct proper due diligence. If the company has no leverage over the entity the company is expected to build its leverage. The company could for this purpose engage other business relationships, business associations or even governments. The company could also seek to incentivise the causing entity, e.g., by assisting or promising a long-term business relationship. Historically, investors call this activity ‘active ownership’.

The key: Documenting Due Diligence in value chains

As mentioned, the key to transparency and accountability is embedded in the UNGPs due diligence requirements. Every company should be able to disclose to any other business relationship the results of the company’s internal human rights due diligence.

This requirement also holds the key to rapid global scaling up of ‘respect for human rights’, as intended by the UNGPs. From the perspective of traditional responsible supply chain management, companies will no longer require their suppliers to live up to some pre-defined indicators on a few labour rights; they will require suppliers to do their own due diligence in alignment with the UNGPs and to push this requirement to the suppliers’ business relationships. Every buyer company would be able to share its most recent impact assessment with its suppliers, and thereby inspire and enable such suppliers to make their own impact assessments, covering where they may cause or contribute to adverse impacts.

Where all concerned used to rely on audits – even third-party – the requirements for self-declaration embedded in the UNGPs due diligence requirements may considerably reduce the need for such practice. Proper implementation of UNGPs and the scaling up of respect for human rights holds the promise of bringing an end to ‘audit fatigue’. With upcoming regulation on mandatory human rights due diligence, companies in the future will also need to be able to document due diligence to the relevant authorities.

The UNGPs are the minimum – not the ambition

The UNGPs are not too ambitious, nor a nice vision; they are the minimum expected from every business on the globe. They contain requirements that are relative to size and risks; small businesses may not need to document their due diligence apart from giving an oral account of how they manage their risks, unless they are at risk of causing severe impacts. However, it is our experience that many SMEs are keen to conduct due diligence enabling them to document the result, as it will save them a lot of time explaining, that they are responsible, and efficiently meet all sorts of individual requirements from various customers and investors.

One proposal for a solution

In absence of UNGPs aligned online assistance to conduct and document due diligence, GLOBAL CSR has spent a few years developing a cloud-based platform, csrCloud.com. Based on the request of beta-version users, we expanded the solution to cover not only human rights, or social, due diligence, but environmental and economic due diligence in alignment with the OECD Guidelines as well. The platform includes guidance to the users both on the understanding of the 48 human rights and the individual requirements from the UNGPs.

The platform solution is completely scalable and may assist every company ranging from small businesses to conglomerates to document their due diligence through machine-validated impact assessments. Similarly, the platform can be used in business relationships enabling companies to share their assessments with their business relationships and receive theirs; also excluding the impacts that, according to the UNGPs, can be exempt from disclosure to external parties.

With mandatory human rights due diligence becoming law the practices envisioned by the UNGPs become the norm rather than the exemption. Having implemented due diligence with a large variety of businesses, we experience that the management system adds value, security, and predictability; and it makes a difference for the impacted stakeholders.