Page 601 - COSO Guidance

3. Performance for ESG-related risks





The particular case of business impacts on human rights

Responsible companies analyze their potential impact on the human rights of their stakeholders. The process of identifying, preventing, mitigating and accounting for potential human rights impacts is generally informed by the UN Guiding Principles on Business and Human Rights,[20] a document unanimously endorsed by the Human Rights Council in 2011 following rigorous consultation with business, governments and civil society. The UN Guiding Principles (UNGP) set out the content of the corporate responsibility to respect human rights - a responsibility that exists regardless of governments’ ability or willingness to uphold their own duty to protect citizens from corporate human rights impacts. In other words, today’s stakeholders expect companies to go beyond domestic law when necessary to uphold international standards of human rights.

The process for managing human rights impacts is referred to as “human rights due diligence” (HRDD). Under the UNGP, companies should develop and communicate a commitment to respect human rights, undertake human rights due diligence, embed the results of the due diligence across their operations and track results, communicate on their efforts and have in place operational-level grievance mechanisms to remedy impacts.
There are, however, key differences in the approach to risk assessment in the human rights context:

1. In HRDD, risk is assessed on the basis of likelihood and severity, but the perspective from which severity is assessed differs. In more familiar risk management processes, severity of risk is most often assessed in whole or in part from the perspective of risk to the organization, whether financial, reputational or otherwise. However, HRDD assesses risk from the perspective of the affected stakeholders only, that is, from the perspective of those who may be adversely impacted. This is a subtle yet crucial distinction: an organization may consider, for example, the risk of a certain indigenous group successfully protesting aspects of its operations as very low and the risk of reputational or other damage as unlikely; however, if that group is facing a human rights impact from the operations, HRDD would assess the risk as severe. Severity is also weighted slightly higher than likelihood, such that potentially severe events with low likelihood of occurrence may still be prioritized for management.
2. Stakeholder engagement is crucial in HRDD, and findings of a risk assessment should be tested with stakeholders. It is difficult for an organization to assess severity of risk from the perspective of potentially affected stakeholders unless it proactively engages with them to understand their vulnerabilities and potential to be impacted by the company’s activities.

[Figure: Human rights risk map for prioritizing action (axes: Severity, Likelihood)]

Key resources offer further guidance on risk assessment in a human rights context as set out in the next table.
Resources for human rights-related risk

| Resource | Description |
| --- | --- |
| UN Guiding Principles on Business and Human Rights | Outlines principles on the corporate responsibility to respect human rights [21] |
| Shift and Mazars’ UN Guiding Principles Reporting Framework | Provides implementation and assurance guidance on the UN Guiding Principles on Business and Human Rights [22] |
| Shift’s “Assess” guidance | Provides guidance on how a company’s operations and business relationships can pose risks to human rights [23] |
| Shift’s Business and Human Rights Impacts: Identifying and Prioritizing Human Rights Risks | Reflects learning from a workshop with 12 Dutch companies together with expert stakeholders, hosted by the Social and Economic Rights Council of the Netherlands, about how companies can identify and prioritize human rights risks and test their findings through stakeholder engagement [24] |
| Global Compact and EY’s Business and Human Rights: Corporate Japan Rises to the Challenge | Includes examples and provides guidance on human rights due diligence [25] |
| IFC Performance Standards | Focuses on the identification of relevant links between environmental and social considerations and human rights to support many important human rights, such as labor rights, rights of indigenous peoples and the right to health (through a clean environment) [26] |





        54                             Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks  •  October 2018