Assessing Human Rights Risk in Company Supply Chains: What to look for

Anna Triponel | September 2020

Companies are expected—by soft law, hard law in some jurisdictions, their investors and their consumers—to build their understanding of where there could be negative impacts on people occurring in their value chain. Where could the company inadvertently be relying on child labour? Forced labour? Workers who face reprisals for speaking up? And the list goes on. 

Mapping potential human rights risks throughout complex value chains and across multiple countries can be daunting for companies. The process first entails building awareness of a company’s supply chain, beyond tier one, before being able to evaluate the most severe risks to people and planet within it. 

A number of companies in recent years have made significant progress in this mapping exercise, and the process is helping them focus on a select number of the most important, most severe – also known as the most ‘salient’ – human rights issues within their supply chains.

But, what is it then that companies are looking for? What factors are helping them assess human rights risks in their supply chains?

It will come as no surprise to you that the authoritative framework for business on human rights – the UN Guiding Principles on Business and Human Rights – and documents that build on it – such as the OHCHR’s Interpretive Guide and the UN Guiding Principles Reporting Framework – help provide guidance to companies on what to look for.

The assessment of human rights risk across an entire value chain depends on a number of factors. It will be helpful for companies to gain a sense of the risks inherent in four main buckets:

  1. The operating context (the country and/or region where a company or supplier sources raw materials, manufactures products, or has other operations);
  2. A specific business activity (such as a resource extraction, refining and processing raw materials, manufacturing, etc.); 
  3. Relationships with specific business partners (who will have human rights risks in their own operations and supply chains and different levels of policies and processes to manage these risks); and
  4. The presence of vulnerable groups in operations or supply chains (such as children, women, LGBTQ+ individuals, indigenous peoples, ethnic minorities and other marginalized groups, migrant workers, etc.) 

This article provides further information for companies seeking to assess human rights risks in their value chains, based on lessons learned from companies undertaking this process. The table below elaborates further on the four risk factors of operating context, business activity, business relationships and the presence of vulnerable groups.

Risk factorWhat does this risk factor mean in practice?
The operating context (the country/ region)

In some operating contexts, there is a much higher likelihood that human rights impacts will occur – and if they do, they can lead to much more severe harm on people than in other operating contexts.

Looking into the operating context entails considering questions such as:

  • Are existing laws compatible with international standards? Are they adequately enforced? For example, a country may institute laws criminalizing homosexuality or preventing same-sex marriage, which may in turn put LGBTQ+ employees at greater risk of harm. 
  • Is rule of law weak? Are judicial systems effective? For example, workers or project-affected communities may face barriers to receiving a fair judicial hearing, or to accessing remedy.Are there local sociocultural dynamics that increase human rights risks? For example, this could relate to non-acceptance of a particular ethnic or religious group, or to treatment of women.Is freedom of association prohibited? Is worker voice routinely repressed? Are human rights and environmental defenders subject to retaliation for speaking out? Where governments place restrictions on voice, this significantly increases the risks of human rights impacts occurring. For example, a government may repress civil and political rights by arbitrarily detaining human rights defenders and labour organisers, by censoring local media, criminalising the formation of labour unions, or imposing barriers to creating civil society organisations.
  • Is corruption present? For example, a company may receive preferential contracts in a way that bypasses the right to prior consultation with neighbouring communities or negatively impacts land tenure and the environment. 
  • Is conflict present? Is there a legacy of conflict? For example, a company that hires security to protect its operations, in a context of ongoing armed conflict, increases its risk of impacts on neighbouring communities.
This assessment of the operating context can be initiated on a desktop basis. 

Because human rights risks evolve constantly, and desktop resources may quickly be out of date in some contexts, it can be particularly helpful to complement this assessment with conversations and interviews with key stakeholders. This can include civil society and trade unions operating in the area, as well as confidential lesson-sharing conversations with peers that have been exploring similar questions in the same operating context.

For further information on country risk, see Assessing Country Risk in Company Supply Chains: Publicly available indices and lessons learned. 
An activity

Some activities carry higher risks that human rights impacts will occur – and if they do, they can lead to much more severe harm on people than in other activities


Looking into risks inherent to business activities entails assessing which activities are more prone to human rights risks than others. For instance:

  • Activities that rely on workers needing to work at height increases the risks of accidents
  • Activities that rely on hand-picking of crops on smallholder farms increases the risks of child labour
  • Activities that rely on low-income migrant workers increases the risk of exploitation and modern slavery
  • Activities that rely on significant quantities of land increases the risk of impacts on neighbouring communities and indigenous communities
Similar to above, this assessment can also be initiated on a desktop basis, complemented by internal and external conversations. 

Colleagues in the business will typically have some level of insights into the risks involved with the activities the company undertakes or outsources. Even if they are looking at risks from a risk to business standpoint (e.g. this kind of work is prone to accidents and increases the company’s potential legal liability; this mining activity may trigger community protests and increases the company’s security risk), these remain helpful insights to bring in to the assessment. 

It can be helpful to bring professionals with deep understanding of what an activity entails together with the sustainability/ human rights expertise (in-house or external to the company) who can help pull out the risks to people involved with a specific activity. Corroborating the findings with a few external partners who are close to the activities in question can provide further insights into activity risk that the company may not have considered.

Business partners

Some business partners will have weaker mitigation measures in place to manage human rights risks than others.

Looking into this area includes determining whether certain business partners carry certain risks by virtue of:

  • their labour composition (e.g. a company that relies primarily on migrant workforce, contractors or self-employed workers that may not benefit from a number of labour protections)
  • their ownership (e.g. a state-owned company that may have less room for manoeuvre when faced with national standards that conflict with international standards)
  • their past (e.g. a company that has been the subject of numerous fines for non-compliance with labour regulations)
  • their existing culture and risk management processes (e.g. a newly established company that may lack a strong safety culture and has not yet taken the steps to create it)
  • the structure of their supply chains (e.g. a company with opaque supply chains, with multiple processing steps conducted by different supply chain actors, and/or with suppliers scattered across many different geographies) 
This kind of assessment cannot readily be undertaken on a desktop basis since it is specific to the company’s own business partners. There can be some helpful ‘rules of thumb’ the company can use to make this process easier. For instance, the company can look into identifying which of its business partners have policies related to human rights in place and can demonstrate evidence of a rights-respecting culture.

There are some pitfalls to keep in mind here. For instance, some companies assume that large well-established business partners have processes in place and carry less human rights risk. In practice, the reverse can be true – since smaller companies may have a strong working culture based on respect, while large companies may be relying disproportionately on policies on paper.
The presence of vulnerable groups

Where some vulnerable groups are present in the company’s value chain, this increases the likelihood that human rights harm could take place – and it also increases the severity of this harm. These groups can be, for instance, children, women, LGBTQ+ individuals, indigenous peoples, ethnic minorities and other marginalized groups, or migrant workers. Examples are:

  • Where there are migrant workers, this increases the chances that they have paid a fee for their work and can be in a situation of modern slavery
  • Where there are poorer smallholder farmers, this increases the likelihood that children are asked to support their families in the farm
  • Where there are women working on low-income salaries, this increases the likelihood that they be subject to harassment. 

This kind of assessment can be initiated on desktop basis. 

At the same time, the assessment of the presence of these stakeholders will depend on the company’s unique value chain and therefore the inputs into this assessment are to be created by the company itself (e.g. requesting its business partners to disclose where it uses labour brokers and migrant workers; requesting business partners for gender data points).

Leave a Reply