Six questions boards should be asking about human rights

By Emily Turnbull, Rachel Nicolson, Dora Banyasz, Anthony Hallal

Helping directors test approaches and identify risks

As a key part of the ‘S’ in ESG, business human rights impacts are increasingly recognised as material to corporate performance, reputation and compliance, and the topic is on board agendas.

To exercise effective oversight on human rights issues, boards need clarity on what to ask and where to focus. That's why we've put together this Q&A, which provides six practical questions to guide directors in testing management’s approach and identifying areas of heightened risk for human rights impacts (including where it intersects with other risk areas, such as climate change, First Nations engagement, and the use of AI).

The Australian position

In Australia, there are numerous domestic laws that in some form require businesses to respect human rights (ie modern slavery reporting, discrimination laws, harassment laws, privacy laws, cultural heritage laws). There is also a range of voluntary and soft law frameworks and guidelines that either companies have committed to adopt or align with in some way, or which otherwise underpin the expectations of stakeholders (ie financiers, insurers, investors, shareholders) in this area.

The clear trajectory is that, over time, even further legal obligations will be imposed on companies in Australia in relation to human rights risk management for their own operations and those of their business partners and suppliers. This is in addition to clear public commitments to proactively manage human rights risk already made by many businesses.

Why boards need to be asking questions about human rights

There are a number of reasons why boards should be asking questions about, and proactively monitoring, how their company is managing human rights risk:

1. Following UN Guiding Principles

The UN Guiding Principles on Business and Human Rights (UNGPs) expect companies to demonstrate a commitment to respecting human rights from the very top. Many organisations have committed to align with these principles, and boards in those companies should be asking how that commitment is being put into practice. The UNGPs outline three core expectations for companies: a clear policy commitment, a process for human rights due diligence, and processes to remediate adverse impacts, including effective grievance mechanisms. Even where a company has not formally committed to the UNGPs, as the global benchmark for responsible business conduct they remain a relevant touchpoint, and are increasingly viewed as a reasonable standard of care to be exercised by business. For boards, they provide a practical reference point to assess whether management is taking a structured, credible approach to managing this growing area of risk.

2. Meeting legal obligations

Asking these questions helps boards meet legal obligations that directly or indirectly require consideration of human rights risks and/or impacts and commitments. Directors’ duties have not yet been tested in the human rights context, but the legal opinions on climate change and directors’ duties provide a clear template for similar arguments to be made. Boards are also required under the Modern Slavery Act 2018 to approve the company’s modern slavery statement, and there is growing exposure to 'bluewashing' risk, where misleading or deceptive conduct laws are applied to human rights commitments the company has made. Also, increasingly, director responsibilities are being referenced in stakeholder engagement and disputes involving human rights.

3. Creating less risk for misalignment

Perceived or actual misalignment with a company’s human rights commitments can trigger a range of risks, such as stakeholder activism, regulatory action, litigation, and reputational harm. Sustained board oversight of how these commitments are implemented assists to manage and mitigate these risks.

4. Proactive approaches create clear advantages

Boards that take a proactive approach to human rights oversight gain clear advantages. They stay ahead of emerging issues such as the intersection of climate change and human rights, and the potential human rights risks linked to AI development and use. They are also better positioned to engage constructively with stakeholders on the company’s actions, while reducing the likelihood of human rights harm by the company, minimising legal exposure, protecting reputation and supporting long‑term value.

Key questions boards should ask regarding their business' human rights compliance program 

Does the company have effective governance for management of human rights risks?

Strong governance is the foundation of any successful and defensible human rights program. Boards should look for clear accountability at senior leadership level, supported by defined responsibilities throughout the organisation. Reporting lines must ensure that information on risks, incidents and program implementation reaches the right decision‑makers, including the board. Human rights risks should be integrated into the company’s broader risk framework and managed under the same disciplines (eg the three lines of defence model) that apply to other material risks.

Boards should be asking:

  • Is there clear accountability and responsibility within the business for management of human rights risk, and is management of human rights risks adequately embedded and resourced across the business?
  • Is there adequate and regular reporting to management and the board on the implementation of human rights commitments and the human rights compliance program?

What human rights commitments has the company made and what do they mean?

Many companies have committed publicly (in policies or other public-facing documents) to a range of human rights-related international or soft law standards and frameworks, based on relevance to the company and sector. This includes the UNGPs, the ILO Declaration on Fundamental Principles and Rights at Work, and the Global Reporting Initiative standards (amongst others).

Embedding these commitments into business operations can create a range of opportunities and positive impacts for companies. On the flipside, once these public commitments are made, management must understand the scope and content of each commitment and translate them into practical action and implementation across the business. For example, if a company has committed to the principle of Free, Prior and Informed Consent (FPIC) with respect to First Nations people, what is the scope of this principle and how does it apply to the company's activities? If a company has committed to exercising leverage in its relationships with business partners in relation to potential human rights impacts, what does this require? Failure to do so invites risk—stakeholder activism, regulatory action, private litigation, scrutiny from partners and suppliers, and reputational harm. 

Boards should be asking:

  • What analysis has been done of the scope of the commitments made by the company, and what those commitments mean and require the company to do in practice across all relevant areas of the business?
  • What is the level of implementation of the commitments?
  • Is there sufficient reporting to, and ongoing monitoring by, the executive and the board in relation to the implementation of the commitments across the business?

Does the company understand its salient human rights risks?

A strong human rights program starts with a clear view of salient human rights risks, being the actual or potential risks that pose the greatest threat of severe negative impacts to people as a result of the company's activities (eg if a company's salient human rights risks are labour rights, First Nations peoples' rights, and human rights issues arising from environmental impacts, then those are the areas on which the company would focus its efforts across its compliance program).

Identifying these risks and having a whole of company view of human rights risks allows management to prioritise effort and compliance resources where they matter most. This is one of the expectations set out in the UNGPs and is increasingly reflected in domestic laws.

Boards should be asking:

  • Has the company done an enterprise-wide risk assessment to identify its salient human rights risks, and if so, does it need to be refreshed?
  • Are the results of the risk assessment being used to inform the company's approach to managing and prioritising human rights risks, and have they been shared with the board?

How is the company approaching human rights due diligence?

Human rights due diligence is an ongoing, risk‑based process to identify actual and potential impacts across operations and the value chain; integrate and act on findings to prevent, cease or mitigate harm; track and test effectiveness; and communicate how impacts are addressed. Done well, it surfaces issues early, protects business continuity, meets regulatory requirements and policy commitments, reduces legal and commercial exposure, and meets stakeholder expectations.

Human rights due diligence should be done across a company's activities and operations – eg, supplier onboarding and renewals, business partner engagements, new projects and products, market entry, investments and M&A – on a proportionate and risk-based approach, informed by the risk assessment discussed above. It will often require a cross‑functional approach (eg legal, employee relations, community engagement, sustainability, procurement and compliance).

Boards should be asking:

  • Is the company taking a risk-based approach to conducting human rights due diligence?
  • Is human rights due diligence being done on high-risk business partners, when new activities, products or projects are being considered, or upon new country entry, and are significant identified human rights risks or impacts being escalated to the board?

Does the company have an adequate grievance mechanism to allow human rights concerns to be raised?

Grievance mechanisms provide a channel for employees, contractors, communities and other stakeholders to raise concerns, including those related to human rights, connected to the business. Grievance mechanisms can take a variety of forms, such as speak up and whistleblower programs, asset or project level grievance mechanisms, or issue or incident-specific grievance mechanisms (eg relating to systemic sexual harassment concerns). They make good business sense because they facilitate early identification of issues, before they escalate or become systemic. What matters is whether the mechanism is designed and implemented in a way that aligns with human rights principles: accessible, trusted, transparent, and capable of delivering timely and fair outcomes. This not only reduces legal and reputational risk but also strengthens stakeholder confidence and operational resilience.

Boards should be asking:

  • Is the company's existing grievance mechanism designed in such a way that it (i) meets any domestic law requirements including whistleblower laws; and (ii) aligns with the effectiveness criteria for grievance mechanisms in the UNGPs, meaning the people it is intended to serve know about it, trust it and are able to use it?
  • Are the human rights issues arising through the mechanism being identified and assessed in such a way as to (i) allow impacts to be remediated early and directly before issues compound or escalate; and (ii) provide insight into any systemic issues, such that those can then be addressed more broadly?

Is the company engaging with its stakeholders in relation to human rights issues?

Effective management of a company's human rights risks and impacts requires ongoing engagement with those who can be affected or who influence outcomes. This includes suppliers, contractors, other business partners and communities—both to identify and assess risks and to collaborate on mitigation. It also requires clear communication of expectations in relation to human rights risk management.

Beyond operational stakeholders, companies may need to engage with investors, financiers, insurers and shareholders, who increasingly expect transparency on human rights governance, salient risks and performance. These conversations can shape access to capital, influence reputation and can determine licence to operate.

Boards should be asking:

  • Is the company engaging sufficiently with its business partners—ie joint venture partners, suppliers, customers, contractors and others—and other stakeholders (such as investors and financiers) about its approach to, and expectations in relation to, managing human rights risks?
  • How is the company including a human rights-based approach in its engagement with communities?
  • Is the company adequately considering how human rights risks and impacts may intersect with other risk and compliance and subject-matter areas (such as climate change, AI and privacy, renewable energy and water, First Nations rights and vulnerable customers) and are these links being incorporated into stakeholder engagement strategies?