John Sherman, Co-Chair, IBA Corporate Social Responsibility Committee
Assuring the existence of internal systems for effective risk management is a core component of corporate governance, embedded in best practice and the laws of many countries.1 Yet the global recession caused by the financial meltdown and the runaway Deepwater Horizon leak in the Gulf of Mexico show, yet again, that the consequences of a business failure to anticipate and plan for catastrophic risks can devastate companies, society, communities, and the environment.
In light of disasters like these, companies must take a hard look at the effectiveness of their own risk management systems. Unless they incorporate more effectively the interests of external stakeholders who may be harmed if and when the worst occurs, however, companies may still get it wrong. Building on the concept of ‘human rights due diligence’, factoring those views into company risk management requires the company to understand and address the adverse impacts of their activities on all stakeholders, internal and external to the company.
The collapse of the global banking system in 2007, and the Deepwater Horizon disaster in 2010, came as complete surprises to the companies involved. Although individual banks thought they were acting rationally in their own self-interest by selling high-risk financial instruments, they did not anticipate that these risks would combine systemically to result in a freeze of liquidity, which triggered the financial collapse and the recession.2 And while the causes of the Gulf disaster are still under investigation, it appears that BP, like other deepwater drillers, believed that the likelihood of a runaway deepwater drilling leak was too tiny to plan for.3
It does not appear that banks considered the adverse impact on people who could lose their jobs and houses caused by the industry’s marketing of toxic financial assets. Nor does it appear that BP considered the views of those whose livelihoods and health depend on the Gulf regarding the potential impact and likelihood of a runaway leak. To the contrary, Tony Hayward, the outgoing CEO of BP, told a business school audience in 2009 that when he took over the CEO job a few years earlier, he found that ‘we had too many people trying to save the world’ at a time when BP needed to focus more on its core operations.4 Yet taking into account the human rights dimension of these low-probability, high-impact risks should generate a much more robust and rigorous risk analysis that would better serve the interest of the company and society.
‘In light of disasters like [the global financial crisis and Deepwater Horizon], companies must take a hard look at the effectiveness of their own risk management systems’
Human rights due diligence
That is the lesson of ‘human rights due diligence’. Harvard Kennedy School Professor John Ruggie, the UN Special Representative of the Secretary General on Business and Human Rights (SRSG), coined that term in 2008 to describe what companies should do to meet their responsibility to respect – ie, not infringe upon – human rights, and to demonstrate to others that they do.5 Conducting due diligence in order to respect human rights is the second of the three interrelated and complementary pillars of the SRSG’s ‘Protect, Respect, Remedy Framework’ for business and human rights. The UN Human Rights Council unanimously approved this framework, and it has enjoyed wide international uptake by governments, companies and business groups, labour organisations, and NGOs. The other two pillars are the state duty to protect human rights through effective policies, regulation and adjudication, and the need for greater access to remedy – both judicial and non-judicial – by victims of company-related human rights abuse.
According to the SRSG, exercising human rights due diligence requires a company to:
- adopt a human rights policy;
- assess its human rights impacts;
- integrate its policy into its management and culture in order to manage its impacts; and
- track and monitor performance.
In order to carry out this process, the SRSG has noted that a company should engage with those who might be adversely affected by the company’s operations in order to determine those potential impacts and how best to address them. Due diligence is not a unilateral company exercise, but a two-way conversation:
‘Human rights risk management differs from commercial, technical and even political risk management in that it involves rights-holders. Therefore, it is an inherently dialogical process that involves engagement and communication, not simply calculating probabilities.’6
Ironically, BP itself was an early and successful user of human rights impact assessments, or HRIAs (for its Tangghu LNG plant in Indonesia, for example7), but did not use such a tool to assess the potential impacts of its deepwater drilling in the Gulf from the perspective of those whose rights would be violated by a runaway spill.8
Viewed wholly from a shareholder perspective, the risks of infringing on human rights can cost a company big money, and so should be included in any company risk analysis. As the SRSG noted in his 2010 report to the UN Human Rights Council, a study of the oil and gas industry found that the risks to exploration from disputes between oil explorers and external stakeholders has been growing much faster than the technical risks of getting oil out of the ground. And one oil and gas company estimated that over a two-year period, it lost US$6.5 billion in value from such ‘above ground’ disputes with communities.9 These disputes can cause disruption and delay in financing, construction, and operations, greatly distract senior leaders’ attention, swiftly ruin a company’s reputation, and lead to the loss of its legal and social licence to operate. And that list doesn’t include the obvious risk of litigation, which is hugely expensive and distracting regardless of who wins.
Enterprise risk management
The use of risk management to assess a company’s external adverse impacts on society and the environment has historic roots. The development of Enterprise risk management, or ERM – as exemplified by the widely used ERM model promulgated in 2004 by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) – was driven by a trio of financial, environmental, and human rights business crises in 1995. These were the Barings Bank collapse, the proposed sinking of the Brent Spar oil storage facility in the North Sea, and the execution of Ken Saro Wiwa and others protesting Shell’s oil exploration in Nigeria. These crises helped to elevate the importance of risk management within organisations and to focus attention on the need for companies to address the impact of business on external stakeholders.10
Enterprise risk management has been characterised as a ‘moral technology’ that embodies the potentials of ‘greater efficiency and coordination on the one hand, and of greater sensitivity to social responsibility issues on the other.’11 Risk management standards requiring companies to assess the adverse impacts of their operations on external stakeholders have become embedded in various hard and soft law external corporate governance standards in such areas as fraud prevention, the accuracy of financial reporting, criminal and environmental law compliance, the fiduciary duties of directors, and the corporate governance codes of a number of countries.
Of course, governments play a major role in ensuring that companies properly consider the risks of harming others when making business decisions. Unfortunately, this does not always happen even in highly developed economies, such as the US, as seen by the creation of a US Consumer Finance Protection Agency in the wake of the financial collapse,12 and by the criticisms of lax enforcement of the Deepwater Horizon’s safe operation by the US Minerals Management Service, an agency with a history of corruption and scandal,13 and without an independent safety and environment enforcement entity.14
But inadequate or absent government regulation doesn’t justify a company’s failure to respect human rights. Under the SRSG’s Protect, Respect, Remedy framework, a company’s responsibility to respect human rights is not a legal duty; rather it is ‘a standard of expected conduct acknowledged in virtually every voluntary and soft-law instrument related to corporate responsibility.’15 The responsibility ‘exists independently of States’ human rights duties. It applies to all companies in all situations.’16 Thus, a company should conduct human rights due diligence, including talking to external stakeholders to understand and address the potential impacts of its decisions and operations on human rights, even where the law is not enforced, or does not tell the company to do so.
Integrating human rights impact assessments into existing risk management processes requires an understanding of the limitations of traditional risk management tools when applied to human rights impacts. Harvard Law Professor Elizabeth Warren, who conceived of and created the US Consumer Finance Protection Bureau mentioned earlier, urged the creation of such an agency because:
‘[i]t is impossible to buy a toaster that has a one-in-five chance of bursting into flame and burning down your house. But it is possible to refinance an existing home with a mortgage that has the same one-in-five chance of putting a family out on the street – and the mortgage won’t even carry a disclosure of that fact to the homeowner.’17
‘Inadequate or absent government regulation doesn't justify a company's failure to respect human rights’
This example highlights the need for companies to consider the potentially overlapping but different risk perspectives of their external stakeholders. Risk is a combination of the likelihood and the impact of a bad event. Companies must take risks to survive and compete. Each company identifies its own level of tolerance for risks, consistent with its business goals. There is nothing wrong with that. Capitalism cannot survive unless companies can take appropriate risks. But there have to be some reasonable limits.
The traditional ways for companies to address risk are to bear the risk, to avoid it, to reduce it, to share it, to shift it, to pool it, to hedge it, or to diversify it away.18 Choosing among these tools raises few ethical implications for voluntary transactions, like contracts between businesses. However, such concerns may arise when companies lead others to assume risks that they aren’t aware of and haven’t agreed to bear.19 Selling toasters that can to burst into flame, selling toxic financial assets whose failure can trigger a global recession, and drilling in deepwater with no capacity to deal with the consequences of a runaway leak, are examples of subjecting others to risks without their knowledge or consent. By taking into account the human rights dimension of such risks, and engaging with those who may be harmed by such risks, companies can address this potential ethical problem.
Moreover, the level of risk that a company can tolerate will not be the same as – and is likely to be much higher than – the risk tolerance of individuals whose rights might be harmed by the company’s operations. A car company might conclude, for example, that it can tolerate the risks of the cost of wrongful death suits, if the total cost of those claims are less than the costs saved by designing a cheaper gas tank that is more likely to explode in an accident. That of course is the Ford Pinto case, taught in business school ethics classes as an example of why it is unethical for a company to equate its own saved costs with someone else’s violated rights.20 Companies naturally have a higher tolerance for risks that produce an immediate benefit for it than those whose right may be violated by such risks. Assessing human rights impacts as part of business risk management and taking them into account corrects for this ethical problem as well.
The risk perspectives of a company and its external rights-holders are therefore likely to overlap, but also be in tension. Understanding and addressing those differences is critical, however. Doing so may help to counteract the natural tendency of individuals – confirmed by experiments and empirical studies – to overestimate their ability to accurately predict risk.21 For example, this bias might lead a driver to assume, after driving a thousand miles on nearly bald tires that having gotten so far without incident, there’s no real danger driving another thousand, whereas the likelihood of a tire blowout increases with each mile. Similarly, the absence of any major spill from a deep-water oil-drilling platform in US waters, may have led BP, the industry and regulators to believe that such a disaster was virtually impossible.
That bias can lead to false and dangerous overconfidence, particularly when anticipating and planning for catastrophes that may involve complex and interdependent systems. As Douglas Hubbard points out in his recent book describing the failure of risk management, many managers typically view events that haven't happened in the last 20 years as virtually impossible. These include major business catastrophes, such as major industrial accidents, economic depressions, nuclear power plant failures, and lengthy power outages, all of which were thought impossible in the years immediately preceding the event.22 The likelihood of catastrophic failures in such systems does not tend to fall on the tail of the symmetric, bell-shaped distribution curve that occurs when tallying the results of thousands of coin tosses. Such distribution curves rarely apply to failures of complex, interdependent systems in which stress can cause a cascade of multiple failures.23
Considering the impacts of company actions on external stakeholders – through direct dialogue, where feasible – will likely reveal different risk tolerances, and may increase the sensitivity of risk company managers as to the potential impacts of such events on the community. Given the tendency of individuals and companies to overestimate their ability to predict disaster, this conversation is beneficial for both companies and communities. It will hopefully lead those risk managers to re-examine their analyses and predict more accurately the true impact on individuals, the community and their companies. Raymond Brown, a white-collar criminal defence and international lawyer, put it well when he said that a human rights impact assessment, or HRIA:
‘. . . necessarily makes explicit tensions between parties like BP and inhabitants, but the process allows coexistence based on the evaluation of worst-case scenarios (eg, ‘What if the rig explodes?’) and the rank ordering of rights combined with substantive remediation plans and processes. An HRIA would have erased the widening gap between BP's business interests and the destruction of industries, livelihoods and the environment.’24
If we have learned nothing else from business catastrophes, it is that their effects are not limited to corporate shareholders. It is to everyone’s benefit that businesses understand the impact of their decisions on the lives and livelihoods of others, in order to make better decisions about risk.
1 Eg, United States – the 2004 Enterprise Risk Management Framework of the of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), available at: www.coso.org; Institute of Internal Auditors, Sarbanes-Oxley Section 404: The US Sentencing Guidelines for Organizational Defendants, USSG, §8B2.1 (Effective Compliance and Ethics Program), available at:
www.ussc.gov/2005guid/8b2_1.htm; In re Caremark Int’l, Inc Derivative Litig, 698 A 2d 959, 970 (Del Ch 1996); A Guide for Management by Internal Controls Practitioners, (2008); France – Recommendations of the Autorite´ des Marche´s Financiers on the ‘Internal control: Reference Framework’ (2007), available in English at: www.amf-france.org/documents/general/7620_1.pdf; The Netherlands – The Dutch Corporate Governance Code of 2009; Corporate Governance Code Monitoring Committee, Dutch corporate governance code: Principles of good corporate governance and best practice provisions (2009), available at: http://corpgov.nl/page/downloads/DEC_2008_UK_Code_DEF__uk_.pdf; UK – Financial Reporting Council, Internal Control-Revised Guidance for Directors on the Combined Code, (2005), available at: http://www.frc.org.uk/images/uploaded/documents/Revised%20Turnbull%20Guidance%20October%202005.pdf.
2 John Boatright, ‘The Ethics of Risk Management in the Information Age’, Bentley University Center for Business Ethics, Verizon Series Lecture, 8 February 2010, (‘Boatright’).
3 David Leonhardt, ‘Spillonomics: Underestimating Risk’, New York Times Magazine, 31 May 2010, (‘Leonhardt’), available at: www.nytimes.com/2010/06/06/magazine/06fob-wwln-t.html.
5 John Ruggie, Business and Human Rights: Further steps toward the operationalization of the ‘protect, respect and remedy’ framework, A/HRC/14/27 (9 April 2010) (‘SRSG Report’), available at: www.reports-and-materials.org/Ruggie-report-2010.pdf.
6 SRSG Report, paragraph 85.
7 Human Rights Security Monitoring Assessment and Peer Review of the Tangguh LNG Project (5 August 2005), available at: http://tinyurl.com/bp-tangguhdoc.
8 Raymond Brown, BP Executives' Human-Rights Miscalculation: Have They Bet the Company?, DiversityInc, available at: www.diversityinc.com/article/7922/BP-Executives-HumanRights-Miscalculation-Have-They-Bet-the-Company/.
9 SRSG Report, paragraphs 70-71.
10 Michael Power, Organized Uncertainty: Designing a World of Risk Management, (Oxford University Press, 2007) (‘Power’).
11 Ibid, p 40.
12 Elizabeth Warren, ‘Unsafe at Any Rate: If it’s good enough for microwaves, it’s good enough for mortgages. Why we need a Financial Product Safety Commission’, Democracy: A Journal of Ideas, Issue No 5 (Summer 2007) (‘Warren’), available at: www.democracyjournal.org/article.php?ID=6528.
13 ‘MMS’s troubled past’, Washington Post (29 May 2010), available at: www.washingtonpost.com/wp-dyn/content/article/2010/05/28/AR2010052804599.html?hpid=topnews.
14 US Department of the Interior Press Release, Salazar Launches Safety and Environmental Protection Reforms to Toughen Oversight of Offshore Oil and Gas Operations, 11 May 2010, available at: www.doi.gov/news/pressreleases/Salazar-Launches-Safety-and-Environmental-Protection-Reforms-to-Toughen-Oversight-of-Offshore-Oil-and-Gas-Operations.cfm.
15 SRSG Report, paragraph 55.
16 Ibid, paragraph 57.
17 Warren, see note 12 above.
18 Boatright, see note 2 above.
20 Lynn Sharp Paine, Value Shift: Why Companies Must Merge Social and Financial Imperatives to Achieve Superior Performance, (McGraw Hill, 2003), pp 221-222.
21 Douglas Hubbard, The Failure of Risk Management: Why It’s Broken and How to Fix It, (John Wiley & Sons, Inc, 2009) (‘Hubbard’), Kindle ed, pp 457-459; Fagone, ‘Masters of Disaster: At Wharton’s Risk Management and Decision Processes Center, researchers are investigating why humans to such a poor job planning for, and learning from, catastrophes’, Wharton Magazine (Summer 2010), available at: www.whartonmagazine.com/issues/815.php.
22 Hubbard, pp 968-987.
23 Ibid, pp3,290-295.
24 See note 8 above.