Login to MyACC
ACC Members

Not a Member?

The Association of Corporate Counsel (ACC) is the world's largest organization serving the professional and business interests of attorneys who practice in the legal departments of corporations, associations, nonprofits and other private-sector organizations around the globe.

Join ACC

Key Takeaways
- Understand the industry in which your company operates, as this will affect how you identify and measure risk
- Audits are useful and need to go beyond basic compliance with local law
- Map your relationships and operating context early on, and define your risk appetite

Businesses are under pressure from consumers, investors, and other stakeholders to be transparent about product traceability, and how they are performing against compliance standards across a range of social issues including human rights, labour rights, and diversity, equity and inclusion (DE&I). These aspects are critical to get right, and challenging to measure. Social performance assessments cannot be achieved without a clear understanding of risk exposure and supplier population. In this resource, we present ten steps your business can take to measure, mitigate, and monitor social risks across operations and supply chains. 

1.     Map your operational footprint and supply chain
The first step in understanding your risk exposure is to map your footprint and supply chain. Globally dispersed supply chains pose particular challenges when managing social risks. It is crucial to create a comprehensive map of your supply network to see where and how a product or service is produced, and who is involved in this process. 

Without this, it is impossible to identify, manage and mitigate risks. For example, a diversified conglomerate will face different risks driven by local market and industry factors at its corporate headquarters and within each of its business units.   

2.     Apply an industry lens
The nature and the importance of different social risks varies by industry. For example, the most significant social risks facing a construction company will likely be occupational health and safety, labour welfare, and land rights. However, a pharmaceutical retailer -- while also needing to ensure it treats its workers fairly -- may be most concerned by product safety and the protection of patient data.

Certain Environmental, Social, and Governance (ESG) frameworks can assist with applying this industry lens. For example, the Sustainability Accounting Standards Board’s (SASB) materiality map, produced in consultation with groups of industry experts, provides detailed information on how to measure and report on these risks. 

These external frameworks are useful starting points, although it is also important to pair them with your own analysis of the industries in which you operate or to which you are exposed. 

3.     Account for local context
Exposure to risks is more or less heightened in specific operating environments, and your social risk management framework should be calibrated to this. For example, common social risks like human rights and community engagement will often be magnified in emerging markets or conflict-affected settings. They are also likely to vary at a local level – the challenges facing a manufacturing facility in one area of a country may differ from those facing a management office in the country’s capital. You should account for these variances when assessing your external risk environment. 

The regulatory landscape, and your obligations, also vary by country. While most countries have at least a basic set of regulations in place governing social risks, standards will differ. For example, the legal minimum working age varies country to country; some jurisdictions require specific disclosures regarding modern slavery; and while some countries are heavily influenced by labour unions, they are proscribed in other countries. Enforcement levels also differ. In countries where transparency is low and corruption is prevalent, regulations may be ignored or deliberately circumnavigated. In countries with limited public sector capacity or government accountability, monitoring, and prosecution levels will be minimal. 

4.     Stakeholder mapping
It is important to consider who will be affected by your organisation’s operations or supply chains. Their interests and concerns will need to be reflected in the approach you choose for your business. This means identifying both internal and external stakeholders. 

Within your company, this covers everyone from your current and future employees at all levels of the organisation, and you might include your investors and shareholders. Externally, you’ll need to consider which communities your organisation encounters, either through operations on the ground or through an international consumer base. It is also worth assessing whether your organisation works in an area of interest to broader society, or the non-profit organisation (NGO) and social activist community.  

Once you have identified these stakeholders and their interests, you can take them into account in your risk review and mitigation planning.

5.     Decide on your own objectives and targets
There is no single “best practice” to follow. Companies will need to define what best practice means to them. There are several tools that can help, such as: industry associations and corresponding principles; social risk-specific organisations like the Institute for Human Rights and Business’s Dhaka Principles; reporting frameworks including the Global Reporting Initiative; and any relevant regulations. You will also need to determine your organisation’s risk appetite - many organisations find it helpful to benchmark with industry peers.

Your risk management process should reflect your definition of best practice and internal risk appetite. Suppliers and third parties may be locally compliant, but this standard may not match up to your expectations.

6.     Draw on resources you already have 
There is a misconception that gathering internal information around social risks is an onerous task that requires significant additional resources and budget. In fact, many companies routinely collect information that is relevant to understanding social risks, it just needs to be considered through a different lens. 

For example, a security team may have access to site information that shows excessive working hours, or human resources teams may be able to define employee welfare metrics. Many companies also choose to draw on their ethics and compliance teams’ expertise in reviewing third parties from an anti-bribery and corruption perspective; they have the relevant skillset to identify and assess risks and develop mitigation plans.

7.     Risk screening and due diligence 
The key to effective due diligence is adopting a risk-based approach. Having mapped your third party and supply chain population and reviewed the overall risk context in which you operate, you should be well placed to assess where your greatest risk lies, and focus your resources and attention accordingly

This will include considerations around the country and industry risk, the criticality and value of services or goods provided, and whether there are any known red-flags with the company’s own profile. For most organisations, the vast majority of your supply-chain and third-party base will be low-enough risk to conduct a basic screening to ensure there are no major red flags. As the social risk increases, so will the level of due diligence required, and you may want to call on an external provider with specialist knowledge and access. 

8.     Audits and monitoring 
Audits are useful if they go under the surface. There is an ongoing debate around the efficacy of audits and monitoring of social risks within supply chains, with one side claiming that audits do not prevent ongoing problems, and the other side saying that audits are the only way to identify problems. 

As is often the case, the truth lies somewhere in the middle. Audits should, if done correctly, find examples of non-compliance with local legislation or best practice – these are present in every company. But an audit needs to be sensitive to the factors listed above (local context, industry risks, etc.), in order to get to the root cause and provide you with the insight you need to remediate an issue or risk exposure. When audit findings are used to tackle underlying causes, they will have a far greater impact. 

9.     Capacity building 
Compliance won’t change unless suppliers and partners are able to address these root causes. This is where capacity building has become an essential tool. Your first instinct might be to think about training, but that is only one aspect of capacity building. Effective capacity building depends on understanding the internal and external factors that affect a supplier’s ability or incentive to comply, and supporting that supplier’s compliance transition. You can use capacity building to strengthen relationships with suppliers and peers and have a real-world impact that can be demonstrated to all stakeholders.  

10.     Set clear expectations and be transparent with your suppliers about how performance is measured and monitored
Companies’ supplier codes of conduct are a standard part of any risk and compliance toolkit. They are typically used to confirm a supplier’s understanding of a company’s policies and values. However, such codes often only require a tick-box response during the onboarding process. This means they are not always effective, particularly if applied when a supplier is incentivised to sign to secure work. 

Supplier codes can be effective when suppliers are compelled to show how they are meeting them. This should be pre- and post-contract, with the supplier evidencing how it is meeting key requirements of the code. Leading companies will link this to contract performance and provide training and support to suppliers to address any root causes of non-compliance.   

That said, an increasing number of companies are moving beyond codes of conduct and instead asking suppliers to take responsibility for identifying and mitigating their social risks. This shift requires the supplier to understand risk exposure in their supply chain and to provide you with documentary evidence to show they are managing these risks. 

In summary, social risk comprises a myriad of different and changing factors that can be complex to approach. It can help to break it down. The first step is to map your relationships and operating context, and define your risk appetite. From there you can devise an appropriate response, building on your internal toolbox and capitalising on the resources already available to you. With a step-by-step approach, social risk management doesn’t have to be a burden, and can be a business enhancer bringing greater overall value to your stakeholders. 

Authors: Emily Morgan, Associate Director, Clare Morton, Associate Director, Kathryn Fletcher, Director, and James Lewry, Director, from Control Risks

Check Out Additional ACC Resources:
- “Environmental, Social, and Governance (“ESG”) issues pose risks to companies. Can Chief Legal Officers help drive solutions?”, by Veena Ramani. Senior Program Director, Capital Market Systems, Ceres, November 6, 2019, ACC Resource Library
- “Environmental, Social and Governance (ESG) from an In-house Counsel Perspective (United States Focus)”, by Alexander D. Gonzalez, Esq. and Richard Reich, Esq., May 26, 2021, ACC Resource Library
- Join ACC Networks: Compliance & Ethics; Corporate & Securities Law Network; Law department Management Network (ACC members only)

Not a member? Join Today!

Region: Middle East, United Arab Emirates, Global
Interest Area: Commercial and Contracts
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.

This site uses cookies to store information on your computer. Some are essential to make our site work properly; others help us improve the user experience.

By using the site, you consent to the placement of these cookies. For more information, read our cookies policy and our privacy policy.