• Introduction

    For multinational companies, the management of business integrity risk is a complex, rapidly evolving and increasingly multifaceted exercise. New types of integrity risks recently have emerged, especially in relation to human rights.

    These risks can have reputational, financial and political consequences—but they are also increasingly legal in nature. An emerging web of human rights regulations, mandatory disclosure requirements, soft law instruments (most notably, the UN Guiding Principles on Business and Human Rights (the “UNGPs”)) and industry standards exposes businesses to potential government sanctions, lawsuits under domestic tort and securities laws, contract claims and investor pressure.

    A systemic approach to integrity risk can help prevent potential adverse human rights impacts, demonstrate compliance with applicable regulatory requirements, mitigate litigation risk and help meet stakeholder expectations.

    The Debevoise Business Integrity Screen provides in-house counsel, sustainability leaders and compliance departments with a tool aimed at navigating this increasingly complex area and its many legal dimensions. The Screen includes a series of questions and practice points designed to guide business enterprises in addressing the UNGP’s three pillars for demonstrating respect for human rights. Such organizations should have in place:

    A policy commitment to meet their responsibility;

    A due diligence process to identify, prevent and mitigate potential adverse human rights impacts; and

    A process to enable remediation of human rights impacts they cause or to which they contribute.

    Each company ultimately will require a bespoke, context-specific and commercially reasonable solution to mitigate the particular integrity risks that it faces. A comprehensive and integrated approach to business risk may be the most efficient and effective option. This includes possibly capitalizing on existing compliance systems, such as leveraging and supplementing established anti-corruption and anti-money-laundering policies and procedures to cover emerging human rights risks.

    It is likewise imperative that related policies, processes and public statements do not inadvertently create litigation risk. When tending to these risk areas, it is important to consult appropriately with in-house lawyers and external counsel, including in developing policies, drafting disclosure materials, conducting due diligence and designing remediation programs. In doing so, companies should make sure to take proper steps to safeguard attorney-client privilege and related protections that properly shield certain materials from external disclosure.

  • Developing Appropriate Business Integrity Policies

    Public policies and internal codes of conduct should set out the company’s commitment to assessing, mitigating and remediating adverse human rights impacts.

    Does the company have an appropriate process in place for developing internal and external business integrity policies?

    Consult internal and external stakeholders and outside counsel with particular expertise in human rights law to identify risks.

    Avoid system fatigue by leveraging existing policies, such as anti-corruption policies.

    Review internal policies and codes of conduct and external documents (e.g., supply chain contracts, vendor codes of conduct, periodic reports) for potential gaps and consistency.

    Maintain a dynamic process by periodically updating policies to reflect risk assessment and due diligence findings.

    Is the content of the relevant policies appropriate?

    Express the company’s commitment to assess, mitigate and remediate adverse human rights impacts.

    Tailor policies to the relevant risks faced by the business.

    Address adverse human rights impacts that the business may cause or to which it may contribute through its own activities, or which may be directly linked to its operations, products or services.

    Stipulate the company’s expectations of personnel, business partners and other relevant parties.

    Include accountability systems and appropriate training for employees on identifying, addressing and reporting adverse human rights impacts.

    Is the scope of application of the relevant policies appropriate?

    Consider how internal and external policies and codes of conduct will be developed and implemented (i) for subsidiary companies and (ii) throughout the value chain.

    Have the relevant policies been appropriately disseminated?

    Consider how to publicize the company’s human rights commitment.

    Ensure that internal and external policies and codes of conduct are actively communicated to personnel, business partners and other relevant parties.

    Is there visible high-level management support for the business integrity policy?

    Set the “tone from the top” by demonstrating that relevant Board and senior management members understand key concepts and exercise reasonable oversight.

  • Developing An Appropriate Due Diligence Process

    Due diligence processes should be implemented to identify, prevent and mitigate the company’s potential adverse human rights impacts.

    Does the company engage in appropriate human rights due diligence before entering into new activities, investments, mergers and acquisitions, partnerships or other business relationships or contracting with other entities in its value chain?

    Initiate human rights due diligence as early as possible.

    Consult with internal and external experts and relevant stakeholders, including potentially affected rights holders, to identify actual or potential adverse human rights impacts.

    Align the due diligence process with the requirements of the company’s policies.

    Calibrate the due diligence process to the size of the business enterprise, the risk of human rights impacts and the nature and context of the company’s operations.

    If necessary, prioritize human rights impacts that are most severe or that may become irremediable if the response is delayed.

    Does the company monitor its human rights impacts at regular intervals by undertaking periodic due diligence?

    Assessments of human rights impacts should take place periodically throughout the life of an activity or relationship and in anticipation of major operational and policy decisions and changes in the operative environment.

    Does the company have appropriate processes in place to identify actual adverse human rights impacts?

    Consider how best to deploy confidential reporting systems, incentives, disciplinary actions and internal investigations.

  • Developing An Appropriate Remediation Program

    Remediation programs are required where the company has caused, contributed to or is directly linked to adverse human rights impacts.

    Does the company have an appropriate process in place for ceasing, preventing and mitigating actual and potential human rights impacts?

    Assign responsibility for addressing human rights impacts to the appropriate personnel within the company.

    Ensure that internal decision-making, budget allocations and processes enable effective responses to human rights impacts.

    Consider whether and how best to consult with internal and external experts.

    Base priorities for response on severity of the human rights impact and strength of existing governance.

    Is the company causing an adverse human rights impact?

    Take the necessary steps to cease or prevent the impact.

    Provide for or cooperate in remediation through legitimate processes.

    Is the company contributing to an adverse human rights impact?

    Take the necessary steps to cease or prevent the company’s contribution to the impact.

    Use leverage to mitigate any remaining impact to the greatest extent possible.

    Provide for or cooperate in remediation through legitimate processes.

    Is the company directly linked to an adverse human rights impact through its business relationships with other entities?

    Develop a remediation program that takes into account the company’s leverage over the other entity, the importance of the business relationship and the severity of the abuse.

    Consider ending the relationship if the company does not have leverage to prevent or mitigate adverse impacts and cannot increase its leverage.

    Consider whether terminating the relationship with the entity itself would have adverse human rights consequences.

    Does the company have an appropriate process in place for evaluating, communicating and tracking the effectiveness of its responses to actual and potential human rights impacts?

    Consider formal and informal reporting mechanisms tailored to the company’s intended audiences, such as potentially affected rights holders and investors.

    Employ appropriate qualitative and quantitative indicators.

    Seek feedback from internal and external sources, including affected stakeholders, and ensure that their confidentiality is protected.

    Consider how to leverage existing processes such as performance reviews, surveys, risk assessments and audits.

    If the company decides to implement an operational-level grievance mechanism…

    Consult with internal and external experts and relevant stakeholders, including potentially affected rights-holders, to develop an appropriate process and to monitor performance.

    Focus on dialogue as the means to address and resolve grievances.

    Ensure that any grievance mechanism is:

    Legitimate

    Accessible

    Predictable

    Equitable

    Transparent

    Rights-compatible

    A source of continuous learning

    Avoid undermining access to judicial or other nonjudicial grievance mechanisms.

  • Our Business Integrity Group Team

    Jonathan Adler

    Investment Management

    Partner, New York
    +1 212 909 6032
    jadler@debevoise.com

    Catherine Amirfar

    International Dispute Resolution

    Partner, New York
    +1 212 909 7423
    camirfar@debevoise.com

    Ezra Borut

    Mergers & Acquisitions

    Partner, New York
    +1 212 909 7271
    eborut@debevoise.com

    William Y. Chua

    Private Equity

    Partner, Hong Kong
    +852 2160 9813
    wychua@debevoise.com

    Luke Dembosky

    Cybersecurity & Data Privacy

    Partner, Washington, D.C.
    +1 202 383 8020
    ldembosky@debevoise.com

    Lord Goldsmith QC

    International Dispute Resolution

    Partner, London/Paris
    +44 20 7786 9088
    +33 1 40 73 12 12

    phgoldsmith@debevoise.com

    Mark Johnson

    White Collar and Regulatory Defense

    Partner, Hong Kong
    +852 2160 9861
    mdjohnson@debevoise.com

    Andrew M. Levine

    White Collar & Regulatory Defense

    Partner, New York
    +1 212 909 6069
    amlevine@debevoise.com

    Natalie L. Reid

    International Dispute Resolution

    Partner, New York
    +1 212 909 6154
    nlreid@debevoise.com

    David W. Rivkin

    International Dispute Resolution

    Partner, New York/London
    +1 212 909 6671
    +44 20 7786 9171

    dwrivkin@debevoise.com

    Paul M. Rodel

    Capital Markets

    Partner, New York
    +1 212 909 6478
    pmrodel@debevoise.com

    Samantha J. Rowe

    International Dispute Resolution

    Partner, London/Paris
    +44 20 7786 3033
    +33 1 40 73 12 12

    sjrowe@debevoise.com

    Dr. Thomas Schürrle

    Mergers & Acquisitions

    Partner, Frankfurt
    +49 69 2097 5000
    tschuerrle@debevoise.com

    Karolos Seeger

    White Collar & Regulatory Defense

    Partner, London
    +44 20 7786 9042
    kseeger@debevoise.com

    Jane Shvets

    White Collar & Regulatory Defense

    Partner, London/New York
    +44 20 7786 9163
    +1 212 909 6573

    jshvets@debevoise.com

    Patrick Taylor

    International Dispute Resolution

    Partner, London/Paris
    +44 20 7786 9033
    +33 1 40 73 12 12

    ptaylor@debevoise.com

    Bruce E. Yannett

    White Collar & Regulatory Defense

    Partner, New York
    +1 212 909 6495
    beyannett@debevoise.com

    Conway Blake

    International Dispute Resolution

    International Counsel, London
    +44 20 7786 5403
    cblake@debevoise.com

    Stuart Hammer

    Environmental

    Counsel, New York
    +1 212 909 6257
    shammer@debevoise.com

    Carl Micarelli

    Sanctions

    Counsel, New York
    +1 212 909 6813
    cmicarelli@debevoise.com

    Elizabeth Nielsen

    International Dispute Resolution

    Counsel, New York
    +1 212 909 6948
    enielsen@debevoise.com

    Sarah Wolf

    International Dispute Resolution

    Counsel, New York
    +1 212 909 6334
    swolf@debevoise.com

    Merryl Lawry-White

    International Dispute Resolution

    Associate, London
    +44 20 7786 3042
    mlawrywh@debevoise.com

    Ashika Singh

    International Dispute Resolution

    Associate, New York
    +1 212 909 6205
    asingh@debevoise.com

    New York

    919 Third Avenue
    New York, NY 10022
    +1 212 909 6000

    Moscow

    Business Center Mokhovaya
    Ulitsa Vozdvizhenka, 4/7
    Stroyeniye 2
    Moscow, 125009
    +7 495 956 3858

    Washington, D.C.

    801 Pennsylvania Avenue N.W.
    Washington, D.C. 20004
    +1 202 383 8000

    Hong Kong

    21/F AIA Central
    1 Connaught Road Central
    Hong Kong
    +852 2160 9800

    London

    65 Gresham Street
    London
    EC2V 7NQ
    +44 20 7786 9000

    Shanghai

    13/F, Tower 1
    Jing’an Kerry Centre
    1515 Nanjing Road West
    Shanghai 200040
    +86 21 5047 1800

    Paris

    4 place de l’Opéra
    75002 Paris
    +33 1 40 73 12 12

    Tokyo

    Shin Marunouchi Bldg. 11F
    1-5-1 Marunouchi, Chiyoda-ku
    Tokyo 100-6511
    +81 3 4570 6680

    Frankfurt

    Taunustor 1 (TaunusTurm)
    60310 Frankfurt am Main
    +49 69 2097 5000

Practice Point

In identifying integrity risks, it is important to consider such questions as:

  • What legal and regulatory regimes apply to the company’s operations (e.g., UK Modern Slavery Act, French Loi de Vigilance, U.S. Anti-Terrorism Act)?
  • What industry standards apply to the company’s operations?
  • What aspects of the company’s operations (lines of business, geographic regions) are most vulnerable to human rights risks?

The UNGPs provide businesses broad discretion to frame their policies, so a proper definition of the risks appropriate to the business is important to creating and implementing the policies and processes and can provide useful protection when issues subsequently arise.

Practice Point

Companies should take care in drafting policies not to overstate their goals or their practices in order to avoid the risk that they will not be followed and create a potential hook for future litigation.

Practice Point

Companies should draft policies to provide guidance throughout the business but leave sufficient flexibility and implementation within the scope of their subsidiaries in order to avoid arguments that the policies are a basis to pierce the corporate veil.

Practice Point

Companies should consider how to leverage existing due diligence processes and risk-management systems, such as those designed to prevent bribery and money laundering.

Practice Point

Ongoing due diligence may be tailored to focus on the operations that may pose the most substantial risks. The UNGPs permit appropriate balancing of risks and costs.

Practice Point

In the words of the UNGPs, the appropriate response will vary according to whether the company “causes or contributes to an adverse impact, or whether it is involved solely because the impact is directly linked to its operations, products or services by a business relationship” and the extent of its leverage. There is no official definition of these terms, which require a fact-specific assessment.

Practice Point

When engaging with in-house and external counsel, be mindful of protections afforded by applicable legal privileges.

Practice Point

Consistent with the UNGPs, companies should consider how to increase their leverage by, for example, offering capacity-building or other incentives to the related entity, or collaborating with other actors.

Practice Point

The UNGPs recognize that, where the business relationship is “crucial” to the company, ending it may raise further challenges. Here, the company should consider the severity of the impact and any consequences—reputational, financial or legal—of the continuing connection.

Practice Point

Companies should consider a range of processes to find the one best suited to the company and the situation, including negotiation, mediation, conciliation, facilitation and mediation/arbitration.