Three Approaches for Integrating Human Rights into Corporate Risk Registers

Photo by it:utah778 on iStock

February 27, 2024

Authors

Ouida Chichester

Director, Energy, Extractives, Transport, and Industrials, BSR

Ouida Chichester

Director, Energy, Extractives, Transport, and Industrials, BSR

San Francisco

Ouida leads BSR’s Energy and Extractives practice. She applies her experience in international development to her work at BSR, where she advises global corporations across industries, but particularly extractives companies, on human rights; sustainable communities; inclusive economy; diversity, equity and inclusion; and women’s empowerment.

She also previously supported BSR's HERproject.

Prior to joining BSR, Ouida worked with the United Nations Development Programme in Belize, where she developed and contributed to projects on water governance, gender equality, and disability rights. She also has worked at Community Partners International, a nonprofit dedicated to the well-being of the people of Myanmar. Ouida helped build New Global Citizens, an organization dedicated to engaging U.S. youth in global philanthropy and activism. As a Peace Corps Volunteer in Ecuador, she worked closely with youth, women, and grassroots organizations. She is fluent in Spanish.

As a Rotary World Peace Fellow, Ouida obtained an M.A. in International Relations from the Universidad del Salvador. She also holds a B.A. in International Relations from Mount Holyoke College.
Kayla Winarsky McKenzie

Associate Director, Human Rights, BSR

Kayla Winarsky McKenzie

Associate Director, Human Rights, BSR

New York

Kayla collaborates with BSR member companies on projects centering on the corporate responsibility to respect human rights, focusing on companies within the consumer sectors industry cluster. Her areas of expertise include energy transition, anti-corruption, and gender.

Prior to joining BSR, Kayla spent several years advising multinational companies and investors on human rights as an Adviser at the Danish Institute for Human Rights, during which she also served as a Lecturer in Law at the University of Amsterdam, focusing on Business and Human Rights (BHR), international human rights, anti-corruption, and EU law. Previously, she worked on global anti-corruption investigations and cross-border white collar litigations as an Associate Attorney at the international law firm King & Spalding LLP, where she was the founding member of the firm's BHR initiative.

Kayla holds a JD and a Certificate in Global Human Rights from the University of Pennsylvania School of Law, which included course work at the Institut de hautes études internationales et du développement, and a BA, Phi Beta Kappa, Summa Cum Laude from Tulane University.
Kelly Metcalf

Manager, Human Rights, BSR

Kelly Metcalf

Manager, Human Rights, BSR

New York

Kelly works with BSR member companies to develop sustainability strategies, assess human rights impacts, and engage rightsholders. Her areas of expertise include modern slavery and anti-human trafficking and the rights of workers and communities in the energy transition. Kelly works with companies across industries, including renewable energy and extractives and consumer products.

Prior to joining BSR, Kelly worked as a consultant on various human rights projects, including issues of modern slavery and labor rights in global supply chains. Kelly has also worked extensively on women’s rights, including two years leading a women’s economic empowerment program in Surkhet, Nepal and four years working with the United Nations Foundation on international reproductive health and rights.

Kelly holds an MA in Human Rights Studies from Columbia University.

Key Points

Integrating human rights risks into a corporate risk register is a tactic that companies can use to identify human rights risks in their operations as mandated by emerging regulations.
While risk registers present an opportunity to identify human rights risks, they also present challenges due to their historical focus on risks to business.
BSR outlines three approaches—of varying levels of intensity—to ensure that risk registers effectively measure human rights risks.
Regardless of the approach selected, it is essential to evaluate risks to people, not only risks to business, in company risk management procedures, including risk registers.

As emerging regulations seek to mandate that companies implement risk-based human rights due diligence, it is increasingly critical that companies identify human rights risks in their operations. One such opportunity is through including human rights risks in Enterprise Risk Management (ERM) systems, most notably through the corporate risk register.

A risk register is a tool that is used to identify potential risks that could affect a project. While risk registers present an opportunity to ensure that human rights issues are identified and assessed—and can lead to further corporate respect for human rights—they also present some inherent challenges due to their nature and historical function.

The Challenge

A fundamental challenge to integrating human rights into both ERM broadly, and risk registers specifically, is that ERM—by definition— focuses on risks to the business rather than harms to people, which is a critical lens for assessing human rights under the UN Guiding Principles on Business and Human Rights (UNGPs). It follows that traditional risk registers are not set up to evaluate human rights risks from a ‘risks to people’ point of view.

Given this focus on risks to business, leveraging traditional risk register criteria (e.g. legal risks, economic risks, etc.) is not the most effective way to measure risks to people. Rather, further action must be taken to ensure that human rights risks are being captured from a ‘risks to people perspective’ and not only when and if those risks also pose a risk to the business.

Three Approaches

To begin ensuring that risk registers effectively measure risks to people and that human rights risks can emerge with adequate gravitas, BSR outlines three potential approaches:

1) Maintain a traditional risk register but strengthen language on impacts to people in the risk and consequence descriptions.

This approach is largely consistent with a traditional risk register but allows for the integration of human rights risk and impact through lighter touch edits. It will entail ensuring that each relevant category provides context on how it impacts people, and that consequences are framed to clearly capture these impacts, not just risk to business, when considering the severity of a topic or risk.

2) Update a traditional risk register to include a new category dedicated specifically to risks and impacts to people.

This approach requires more significant edits to the traditional risk register. In addition to the edits in approach one, this will also entail creating a new category of risks to people. While traditional risk registers often include a column for stakeholders that assesses how risks to stakeholders emerge as business risks, this new column would focus specifically on how each risk will impact people outside of business impacts. If a risk comes up low across business consequence categories, like financial or legal risk, it still has an opportunity to come up high when considering how it impacts people.

This approach will also involve creating new consequence descriptions focused on impacts to people/human rights. In alignment with the UNGPs, this should consider how many people may be impacted (scope), how severe the impact may be (scale), and if the impact is remediable.

3) Create a second risk register to capture risks and impacts to people and develop a process to ensure that both the traditional risk register and the human rights risk register are considered together and weighted equally.

This approach involves creating a second risk register to effectively capture human rights risks and impacts to people and developing a process to integrate the two registers. Consistent with approach two, the new register should include criteria on scope, scale, remediability, and likelihood of occurrence. Leveraging these criteria, the register can prioritize the greatest risks to people and their enjoyment of human rights.

Integrating the two registers would entail developing a process to ensure that both the traditional risk register, with its focus on risk to business, and the human rights risk register, with its focus on risks to people, are considered together. This may include integration within the tools themselves, a separate dashboard that captures the high risks and actionable items from both registers or a matrix that captures both risks to business and risks to people.

BSR’s Analysis & Recommendations

As the lightest touch, approach one is likely to be the easiest option to action and implement. However, several issues remain. Primarily, traditional risk registers likely already cover some impacts to people, so updating the language may not be enough to ensure that human rights risks rise to the top. In addition, business and human rights experts advise against full integration of these impacts in risk registers, instead suggesting that risks to business and risk to people be kept separate to maintain focus on people.

Building on approach one, approach two goes a step further to help site-level staff better understand impacts on people and gives them a place on the matrix to consider the severity of these risks outside of the business context. Adding a category dedicated to impacts to people could also help to ensure that risks that have high consequences for people may be elevated even if it does not have immediate impacts on the business.

Ultimately, however, while this does go a step further in integrating human rights principles into the risk register, impacts to people are still largely evaluated through criteria that was designed to measure risks to the business. Important aspects of how to assess risks to people, including how many people may be impacted, the severity of the impact, and the possibility of remediating impacts, as outlined by international human rights standards, may not be fully captured in this approach.

Though approach three can rightly be considered the most intensive and resource-heavy option, it is also the best option to ensure that human rights issues are captured and that they rise to the top.

A second risk register will allow site-level staff to evaluate impacts to people in alignment with international human rights standards and principles and follow leading practices as outlined by business and human rights experts. Following these principles, the register will be able to more accurately capture high risk areas for human rights impacts. This approach is also aligned with the latest requirements for Double Materiality, including assessing internal impacts (risks to the business) as well as external impacts (risks to people), and plotting both these risks on one matrix or dashboard.

As long as practitioners are diligent to ensure that the human rights risk register is treated with the same weight as the existing business risk register and that the human rights risk register has a clear process for non-human rights staff to successfully leverage the tool, this will be the best and most robust option to making a risk register an essential and useful tool in any company’s arsenal for respecting human rights.

Regardless of the approach selected, it is essential to evaluate risks to people, not only risks to business, in company risk management procedures, including risk registers. At BSR we recognize that these changes may need to be made gradually and call on companies to start somewhere. Even if it is not currently possible to go as far as creating a second human rights risk register, centering human rights in risk management is an important first step to capturing risks to people.