Five steps to effective human rights risk assessment

Ten years on from the publication of the United Nations (UN) Guiding Principles on Business and Human Rights accounts of human rights abuses such as child labour, exploitation, enslavement and habitat destruction are still all too familiar. Despite the introduction of tougher human rights legislation in multiple jurisdictions, it would seem that assessing and mitigating human rights risks effectively is still proving problematic.

In addition to greater regulatory obligations, we are also seeing growing pressure from investors on businesses to demonstrate appropriate governance of issues such as human rights.

For any business seeking to manage its human rights impacts, whether for regulatory compliance, investor relations or simply to manage ethical and reputational risk, the first step is to understand the human rights risks associated with your company’s activities and business relationships.

In analysing operations, businesses need to be cognisant of the many adverse human rights impacts that can occur and consider all that may apply anywhere in their operations, including the supply chain. Labour conditions, freedom of association, bullying and harassment, discrimination and exploitation are some of the more routinely understood human rights risks in the workplace. Certain industries and sectors carry risks of child or bonded labour, human trafficking or forced labour in their supply chain. For others, the risks may be to local communities resulting from environmental damage, security abuses, displacement, or resettlement. A carefully conducted risk assessment will ensure that all risks, including salient human rights issues, are properly identified, and acted upon.

GoodCorporation has worked with companies for over 20 years to help them understand and manage their human rights impacts. Based on our experience in this area, we have identified the following five key steps that any organisation can take to ensure that an effective human rights risk assessment is undertaken.

Step 1: Identify the human rights risks to people, not the company

Too many companies start by assessing the risks to the business rather than the risk of harm to people. Focussing primarily on the risks to the business will fail to provide a comprehensive analysis of the human rights impacts that a business might cause or to which it might contribute. However, beginning with the risk to people enables a company both to understand fully all the human rights impacts the business might cause and also assess the adverse impact on the business that result from such abuses.

A human rights risk mapping exercise must therefore begin by considering how the human rights of people, be they workers, communities, or consumers, might be adversely impacted by business activities. It is only by properly understanding when, where and how business operations might infringe on human rights that abuses can be effectively mitigated. This will vary considerably according to the nature of the business activities, its location, its operating units, and its business relationships. This process will need to be repeated periodically to reflect any changes in operations that might create or increase risks.

Step 2. Meaningful stakeholder engagement

While identifying the risks, it is vital to obtain extensive and detailed stakeholder feedback at both the corporate and operational level, possibly including trade union consultation where the biggest risks may be linked to labour issues. Stakeholders in key affiliates and business partners should be included in this process, taking care to ensure that those selected are representative of the full range of businesses with which the organisation is involved.

There are different ways of gathering stakeholder feedback, such as interviews (face-to-face or online) or workshops. Online questionnaires may also be used to gather information although it is important to create an opportunity for challenge. For this reason, it is also important to work with an external expert who has in-depth knowledge of human rights risks and how they can manifest themselves on the ground. This will ensure an appropriate level of challenge and scrutiny which will lead to an accurate understanding of the risks. This is essential as the outcome of these interviews will provide the critical information for the development of the company’s risk register.

Step 3. Document analysis of the risk management system

As part of this process, a thorough review of the risk management system in place should also be conducted to identify any gaps in policies and procedures and ensure best practice is being followed.

Any previous human rights audits, surveys or risk assessments should be included in this review to take account of the current levels of understanding and management of the risks. It may also be appropriate to consult with country risk indices, based on internationally recognised sources. This can help ensure that the human rights risks by geography are properly captured and that this informs both the risk register and the road map for improvement.

Step 4. Development of a human rights risk register

Using the information gathered from stakeholder interviews and document analysis, a human rights risk register can be produced. This should include all risks identified, their severity and probability of occurrence, the level of risk appreciation within the organisation, existing mitigation measures and areas for improvement.

Going one step further, GoodCorporation builds scenarios into the register to illustrate ways in which the risks might manifest themselves in the business and its various operations. Together the risk scenarios, and human rights risk mapping process overall provide a powerful tool to raise awareness among employees of the organisation’s salient human rights issues.

Step 5. Development of a road map for improvement

Based on this work, businesses will be able to define their overall strategy for managing and mitigating human rights impacts. This will involve recognising the human rights risks within their operations and business relationships, prioritising these based on their severity – not necessarily taking into account the company’s leverage – and ensuring appropriate mitigation measures are in place.

The human rights risk assessment will lead to the identification of all the necessary steps to address the risks, and this will form a tailored road map for improvement. This road map should include overarching objectives supported by concrete recommendations and achievable solutions with a timeline for implementation.

Human rights best practice is rapidly emerging, so any road map should be informed by the latest guidance for mitigating risk and managing any adverse impacts that may be caused by business activities or to which businesses may contribute.


Few businesses, if any, can afford to ignore the impact of their activities on human rights. Yet too often businesses have failed to act, falsely believing that the risk to reputation from human rights abuses was low. In today’s world, any and every human rights abuse is a tragedy as well as a potential scandal. It is therefore imperative that proactive steps are taken to properly identify all human rights risks and ensure effective mitigation measures are firmly in place throughout the entire value chain.  Getting the risk assessment right could not be more important.