Rush hour

How to address the ‘S’ in ESG

This is Part 2 in the Forensics ‘S’ in ESG series — human rights risk assessment.

In brief

  • By performing a risk assessment for human rights issues, companies can identify gaps to mitigate these risks.
  • After formulating the results of the risk assessment, organizations should rank the gaps based on their severity and potential impact.
  • Companies can then create a comprehensive action plan to address each identified gap.


As discussed in the first article of our series on the “S” in environmental, social and governance (ESG) issues, the evolution of companies’ social strategies calls for the evaluation of several elements, including human capital management, human rights, diversity, health and safety and/or forced labor. While many companies have assessed quantifiable areas of their social programs, such as diversity, equity and inclusiveness, pay transparency and employee engagement, other risk areas may be harder to evaluate. These risks include forced labor and other human rights violations targeted for enforcement under a wide array of regulatory schemes and guidance, such as the Uyghur Forced Labor Prevention Act (US) and the German Supply Chain Act, among others.

    Download full article on Part 2 in the Forensics ‘S’ in ESG series – human rights risk assessment

    For example, in October 2022, U.S. Customs and Border Protection discussed the need for companies to evaluate such risks in its Customs Trade Partnership Against Terrorism Trade Compliance Handbook. According to the agency, companies’ social compliance programs should include a risk-based approach to “ensure the supply chain is free from the use of forced labor.”


    We recommend that companies perform a risk assessment for human rights issues as they do with other regulatory risks. By doing this, they can identify gaps to mitigate these risks to an acceptable level, as determined by the company’s risk appetite, and enable relevant parts of the organization to make informed decisions and set the company’s expectations in its communications with both external and internal stakeholders.


    It is important to start with your own operations and then develop a thoughtful plan on how to assess your supply chain human rights risk. Begin with mapping your supply chain; this includes evaluating key suppliers and distributors, the countries and regions in which they operate and the local labor practices and labor laws. For more service-oriented operations, take a critical look at your vendors and other third-party relationships by exercising contractual rights such as audit and reporting provisions.


    Considering the risk factors that contribute to human rights violations (see sample list below), evaluate your company’s own operations and engage with your highest-risk suppliers to evaluate how they are addressing the risk of forced labor. This should cover their efforts both in their workforce and with the suppliers they engage with for your products and services.


    The first step in your human rights risk assessment is to determine who should conduct it given the complexity of the issues and geographic span of your operations. After determining if internal audit, legal, compliance or an outside consultant has the needed skill set, you can follow the general framework your company uses for compliance risk assessments to evaluate your human rights risk.


    The next step is to consider the applicable US and international regulations that apply to your business. This may require in-country expertise to understand key requirements and guidance from enforcement authorities. After that, identify risks by analyzing applicable policies and processes and conducting interviews, surveys and/or data analytics. Determine the types of individual resources each of your businesses uses and how the types may differ by geography, engagement method (e.g., contractors vs. full-time employees) or nature of business. This will help prepare or update a risk mapping of your supply chain.


    For the human rights risk assessment, consider the following risk factors, including some identified as red flag risks in our first article, and related issues.


    After formulating the results of the risk assessment, what you do with those results is an important next step. Begin by ranking the identified gaps based on their severity and potential impact on the organization. Focus on high-risk areas that require immediate attention. For example, consider the need for greater training or communication with the workforce in high-risk countries. Another outcome could include the use of analytics to help monitor and identify risk areas. This will likely require strong partnership between business leaders, compliance, risk, IT and legal, among other functions, to assign an accurate risk ranking and actionable next steps.

    To establish accountability and timing to address the gaps, create a comprehensive action plan to address each identified gap, including specific steps, responsible parties, timelines and resources needed for each control enhancement. From our experience, assigning the right team members and tracking progress results in accountability and action-oriented results. We have noted that assigning higher-level resources to have overall responsibility and executive sponsorship of the action plan’s outcomes helps to keep the work on track with the timetable established. Consider action plan sponsorship by an existing board committee or other special management oversight function to provide crucial direction and support your risk profile.

    An important outcome of the risk assessment includes the control enhancements recommended by the action plan. This may involve updating policies and procedures based on newly promulgated local and global anti-forced labor regulations and providing training to employees on new policies and processes. Even after the control enhancements, residual risks will likely still exist. For example, third-party staffing agencies may still use local labor in international manufacturing operations, but the key is to mitigate the risks around the activity to an acceptable level. Even after evaluating the control environment for onboarding and retaining the third-party staffing organizations, you may want to consider additional diligence and monitoring of these third parties, including the treatment and payment of individuals by the third party.

    As part of the action plan, establish your communication plan for key stakeholders. Also consider ongoing monitoring to evaluate the effectiveness of your action plan.


    As you continue to evaluate the risk of human rights violations in your workforce and supply chain, we will be discussing additional ways to address your risks. Future articles will consider how we see more companies performing “social audits” to address the risks emerging from the supply chain risk assessment — and the CTPAT Trade Compliance Handbook sets an expectation that companies display evidence of the social compliance efforts, including audit reports as an example. We will also be discussing how to use data analytics to monitor the risks. Additionally, we will consider how to incorporate human rights due diligence into a proposed acquisition or joint venture plan.


    Companies can perform risk assessments for human rights issues. The assessment will then help organizations establish an action plan to address the gaps.

    Related articles

    What leaders can do to address the “S” in ESG

    Companies’ “S” focus largely appears to be on DEI metrics. This focus is certainly important, but other social issues also need attention. Learn more.

    19 Jun 2023 Amanda Massucci + 1
      Contact us
      Like what you’ve seen? Get in touch to learn more.