Risks and Rights

In the wake of the global financial crisis and Deepwater Horizon, John Ruggie, the UN Secretary General's Special Representative for Business and Human Rights, has made an intriguing contribution to the debate over how companies factor the interests of the rest of society into their business decisions. Ruggie's blog post to the Harvard Law School Forum squarely places a business' obligations to support human rights within the context of managing enterprise risk. At first glance, talk about human rights might seem to exaggerate how the risks taken by businesses can affect the rest of the world. But does it?

Ruggie's post is based on an article by John Sherman of the International Bar Association. Both men argue that compliance with specific laws is not sufficient to guarantee respect for human rights. Ruggie puts it thus:

"...inadequate or absent government regulation doesn’t justify a company’s failure to respect human rights."

Ruggie cites his own April 2010 report to the UN Human Rights Council, in which he writes:

"The corporate responsibility to respect human rights means avoiding the infringement of the rights of others and addressing adverse impacts that may occur. This responsibility exists independently of States’ human rights duties. It applies to all companies in all situations."

"Because companies can affect virtually the entire spectrum of internationally recognized rights, the corporate responsibility to respect applies to all such rights. In practice, some rights will be more relevant than others in particular industries and circumstances and will be the focus of heightened company attention. However, situations may change, so broader periodic assessments are necessary to ensure that no significant issue is overlooked."

Ruggie argues the responsibility for addressing these impacts must fall within the remit of Enterprise Risk Management, and that to consider the wider impacts is still in the selfish interest of the enterprise.

"Viewed wholly from a shareholder perspective, the risks of infringing on human rights can cost a company big money, and so should be included in any company risk analysis."

Though the benefits for mitigating the risk to human rights can be measured in terms of shareholder value, Ruggie emphasizes that effective quantification and mitigation of the external-facing risks requires a stakeholder approach. As Ruggie puts it:

"A company should engage with those who might be adversely affected by the company's operations in order to determine the potential impacts and how best to address them. Due diligence is not a unilateral company exercise, but a two-way conversation."

For me, that is the biggest slap in the face for how most businesses, and consultants, go about identifying and quantifying risk. The vast majority of risk gathering exercises are exclusively performed by looking inwards, and talking to the executives and employees of the company. It is rare for a business to ask the wider community about how an adverse impact would hurt them.

The case made by Ruggie, and by Sherman before him, tends to draw on dramatic examples of risk, and these may be hard to relate to the realities of running a business like a communication provider. The chaos caused by the collapse of banks, the damage done by oil spills, the temptation for political and economic abuse when businesses engage in large infrastructure projects in poor countries... it is easy to understand why these scenarios lend themselves to an externalization of risk. Perhaps it is not so easy to find examples for communications providers. Whilst Tony Poulos has humourously commented on the potential link between bill shocks and heart attacks, I thought it best to sit down and come up with a shortlist of serious examples of how CSP risk can lead to a human right impact. In doing so, I divided the risks into two types:

• the risk that something the CSP does will have a bad consequence for human rights; and
• the risk that something the CSP does not do will have a bad consequence for human rights.

I will refer to the former as 'positive' risk, because the harmful impact is a positive consequence of something that occurs because of the CSP. In contrast, the latter risk is 'negative' because the impact is caused by the failure to do something the CSP should normally do.

Usually, it is easier to think of risks that are positive, because we can visualize the bad thing that happens - like an oil spill. However, I could not think of many positive risks where CSPs would affect the rights of people outside their company. The two genuine examples I could think of were:

• the hypothetical health risk posed by mobile phones; and
• the health and environmental risk posed by unsafe disposal of equipment and materials, and of consumer handsets in particular.

In both cases I am glad to say the industry appears to be genuinely proactive at managing risk. It is supportive of medical research and is active in promoting recycling schemes. Both are good and sensible forms of risk management.

Turning my attention to negative risks, I was able to find more risks that have a human rights impact:

• the risk stemming from a failure to connect a consumer with emergency services;
• the risk of disaster and the ability to recover, in the context of maintaining a resilient network that will continue to operate at a time when people most need it;
• the economic and social risks if some customers are excluded from the provision of communication services; and
• the security, economic and social risks if customer privacy is violated.

In general, these risks are also well-addressed by CSPs, not least because there are strong compliance inducements that drive CSPs to take them seriously. For example, many regulators have been keen to ensure customers know VoIP cannot be used to contact emergency services, and regulators tend to identify vulnerable and disabled customers as groups that need to be especially catered for. However, CSPs still sometimes fall short. Some years ago I blogged about UK's Virgin Media being investigated for how they met their emergency services obligations. As Ruggie points out, even when CSPs do comply with formal obligations, that may not be enough. It is the responsibility of the company to think of the potential consequences of its actions, at least as much as it is the responsibility of the regulator. With the latter two risks I identified - exclusion and loss of privacy - the fast pace of change opens up the greatest potential for CSPs to fail the wider community. Addressing these risks may also have very significant cost implications. Whilst regulators get heavily involved in such topics as the appropriate level of rural connectivity, they may sometimes lag behind with topics like how to implement strong defences to protect privacy. Examples like this best illustrate how Ruggie's call to keep reviewing risk has a real relevance to communication providers.