Three Approaches for Integrating Human Rights into Corporate Risk Registers

Integrating human rights risks into a corporate risk register is a tactic that companies can use to identify human rights risks in their operations as mandated by emerging regulations. BSR outlines three approaches—of varying levels of intensity—to ensure that risk registers effectively measure human rights risks.

Foto: Photo by it:utah778 on iStock

18.04.2024

Sponseret

Ouida Chichester, Kayla Winarsky McKenzie, and Kelly Metcalf, BSR

Key Points

  • Integrating human rights risks into a corporate risk register is a tactic that companies can use to identify human rights risks in their operations as mandated by emerging regulations.
  • While risk registers present an opportunity to identify human rights risks, they also present challenges due to their historical focus on risks to business.
  • BSR outlines three approaches—of varying levels of intensity—to ensure that risk registers effectively measure human rights risks.
  • Regardless of the approach selected, it is essential to evaluate risks to people, not only risks to business, in company risk management procedures, including risk registers.

As emerging regulations seek to mandate that companies implement risk-based human rights due diligence, it is increasingly critical that companies identify human rights risks in their operations. One such opportunity is through including human rights risks in Enterprise Risk Management (ERM) systems, most notably through the corporate risk register.

A risk register is a tool that is used to identify potential risks that could affect a project. While risk registers present an opportunity to ensure that human rights issues are identified and assessed—and can lead to further corporate respect for human rights—they also present some inherent challenges due to their nature and historical function.

The Challenge 

A fundamental challenge to integrating human rights into both ERM broadly, and risk registers specifically, is that ERM—by definition— focuses on risks to the business rather than harms to people, which is a critical lens for assessing human rights under the UN Guiding Principles on Business and Human Rights (UNGPs). It follows that traditional risk registers are not set up to evaluate human rights risks from a ‘risks to people’ point of view.

Given this focus on risks to business, leveraging traditional risk register criteria (e.g. legal risks, economic risks, etc.) is not the most effective way to measure risks to people. Rather, further action must be taken to ensure that human rights risks are being captured from a ‘risks to people perspective’ and not only when and if those risks also pose a risk to the business. 

Three Approaches 

To begin ensuring that risk registers effectively measure risks to people and that human rights risks can emerge with adequate gravitas, BSR outlines three potential approaches: 

1) Maintain a traditional risk register but strengthen language on impacts to people in the risk and consequence descriptions. 

This approach is largely consistent with a traditional risk register but allows for the integration of human rights risk and impact through lighter touch edits. It will entail ensuring that each relevant category provides context on how it impacts people, and that consequences are framed to clearly capture these impacts, not just risk to business, when considering the severity of a topic or risk.

2) Update a traditional risk register to include a new category dedicated specifically to risks and impacts to people. 

This approach requires more significant edits to the traditional risk register. In addition to the edits in approach one, this will also entail creating a new category of risks to people. While traditional risk registers often include a column for stakeholders that assesses how risks to stakeholders emerge as business risks, this new column would focus specifically on how each risk will impact people outside of business impacts. If a risk comes up low across business consequence categories, like financial or legal risk, it still has an opportunity to come up high when considering how it impacts people.

This approach will also involve creating new consequence descriptions focused on impacts to people/human rights. In alignment with the UNGPs, this should consider how many people may be impacted (scope), how severe the impact may be (scale), and if the impact is remediable.

3) Create a second risk register to capture risks and impacts to people and develop a process to ensure that both the traditional risk register and the human rights risk register are considered together and weighted equally.

This approach involves creating a second risk register to effectively capture human rights risks and impacts to people and developing a process to integrate the two registers. Consistent with approach two, the new register should include criteria on scope, scale, remediability, and likelihood of occurrence. Leveraging these criteria, the register can prioritize the greatest risks to people and their enjoyment of human rights.

Integrating the two registers would entail developing a process to ensure that both the traditional risk register, with its focus on risk to business, and the human rights risk register, with its focus on risks to people, are considered together. This may include integration within the tools themselves, a separate dashboard that captures the high risks and actionable items from both registers or a matrix that captures both risks to business and risks to people.

BSR’s Analysis & Recommendations 

As the lightest touch, approach one is likely to be the easiest option to action and implement. However, several issues remain. Primarily, traditional risk registers likely already cover some impacts to people, so updating the language may not be enough to ensure that human rights risks rise to the top. In addition, business and human rights experts advise against full integration of these impacts in risk registers, instead suggesting that risks to business and risk to people be kept separate to maintain focus on people.

Building on approach one, approach two goes a step further to help site-level staff better understand impacts on people and gives them a place on the matrix to consider the severity of these risks outside of the business context. Adding a category dedicated to impacts to people could also help to ensure that risks that have high consequences for people may be elevated even if it does not have immediate impacts on the business. 

Ultimately, however, while this does go a step further in integrating human rights principles into the risk register, impacts to people are still largely evaluated through criteria that was designed to measure risks to the business. Important aspects of how to assess risks to people, including how many people may be impacted, the severity of the impact, and the possibility of remediating impacts, as outlined by international human rights standards, may not be fully captured in this approach.

Though approach three can rightly be considered the most intensive and resource-heavy option, it is also the best option to ensure that human rights issues are captured and that they rise to the top.

A second risk register will allow site-level staff to evaluate impacts to people in alignment with international human rights standards and principles and follow leading practices as outlined by business and human rights experts. Following these principles, the register will be able to more accurately capture high risk areas for human rights impacts. This approach is also aligned with the latest requirements for Double Materiality, including assessing internal impacts (risks to the business) as well as external impacts (risks to people), and plotting both these risks on one matrix or dashboard. 

As long as practitioners are diligent to ensure that the human rights risk register is treated with the same weight as the existing business risk register and that the human rights risk register has a clear process for non-human rights staff to successfully leverage the tool, this will be the best and most robust option to making a risk register an essential and useful tool in any company’s arsenal for respecting human rights.

Regardless of the approach selected, it is essential to evaluate risks to people, not only risks to business, in company risk management procedures, including risk registers. At BSR we recognize that these changes may need to be made gradually and call on companies to start somewhere. Even if it is not currently possible to go as far as creating a second human rights risk register, centering human rights in risk management is an important first step to capturing risks to people. 

23.05.2024BSR

Sponseret

The EU AI Act: 11 Recommendations for Business

23.05.2024BSR

Sponseret

The Elephant in the Sustainability Room

09.05.2024BSR

Sponseret

Driving Forward Human Rights in Transport & Logistics

06.05.2024BSR

Sponseret

CSDDD: A Pragmatic Approach to Managing Human Rights and Environmental Impacts

02.05.2024BSR

Sponseret

Building an Effective Supply Chain Data Ecosystem to Prevent Forced Labor

29.04.2024BSR

Sponseret

The EU AI Act: What it Means for Your Business