Client Alert * Risk Assessment * C-Suite * Board of Directors * Audit & Risk Committees
EU Corporate Due Diligence & Corporate Accountability Directive
James Tunkey, Chief Operating Officer of I-OnAsia
Jonathan C Drimmer, Partner, Litigation Department, Paul Hastings
Responsible Product Usage Risk Factors
The potential for downstream risks associated with the misuse of products or services (“product misuse”), or the use of a product in a manner inconsistent with responsible business conduct (“irresponsible product usage”), is becoming increasingly prevalent in enterprise risk matrixes, board reports, and company disclosures. As we talked about in our recent post, there is a renewed focus on downstream human rights risks in light of the EU’s highly anticipated Corporate Due Diligence and Corporate Accountability directive. The anticipated directive, taking its cue from human rights norms, operates from a different risk-related premise. While traditionally companies and their boards have focused on material financial risks to the business, the anticipated directive considers salient risks to stakeholders. Whether the analysis seeks to measure materiality, salience, or both, employing a rigorous risk-identification approach is warranted. As the risk factors associated with product misuse and irresponsible product usage will differ, reliable identification and quantification can be elusive. This post provides a few thoughts.
Guidance on Risk Identification Frameworks
As our prior post explained, whereas modern slavery legislation and other domestic laws have largely focused on upstream suppliers, the EU appears poised to follow the approach of the UN Guiding Principles on Business and Human Rights (“UNGPs”) and require due diligence on both sides of company value chains. Many companies and their boards already consider product misuse and irresponsible product usage from a tort and shareholder value perspective. For instance, manufacturers sometimes can be held liable for injuries caused by a product when it is reasonably foreseeable that consumers will fail to use it as intended, resulting in injuries. For example, U.S. courts have split on whether it is reasonably foreseeable that teens will shake vending machines to get sodas without paying. They also sometimes can be held liable when it is foreseeable that consumers will use a product as intended but in a way that causes harm (e.g. tobacco labeling lawsuits, or the Agent Orange class action litigation).
While company risk analyses may appropriately consider downstream exposures from the business side – e.g., cost of litigation, product recalls, or consumer boycotts – the UNGPs and forthcoming EU directive call on companies to consider the risk of adverse impacts from the stakeholder perspective. This salience analysis is premised on four factors: (1) severity – how grave the impact to third parties might be; (2) remediability – how hard the harm would be to correct; (3) prevalence – how widespread the impact would be; and (4) likelihood – how likely it would be that the harm would occur. Understanding these factors, and the full range of human rights that could be potentially implicated by a company’s products and services, is the first step in any human rights due diligence exercise. It also is a first step for a board and senior management to begin educating themselves about the company’s salient risk profile.
In connection with a salience analysis associated with product misuse and irresponsible product usage, given the vast range of products and services that companies offer, and the geographies where they are offered, there is no single taxonomy. Among the common factors companies focus on are some combination of: (1) the specific risks associated with particular customers or resellers – e.g., do prior allegations of wrongdoing or connections to questionable actors elevate risks of misuse or irresponsible usage; (2) the risks that a product could be resold or transferred to an end-user who will use it in an undesirable way, even if the customer itself is seen as low risk; (3) past instances of product misuse/irresponsible product usage of the same or similar products or services – e.g., if they have been used improperly before, it suggests they might be again; (4) the known intended use and/or purpose of the sale, and whether the understood purpose increases or decreases the potential for stakeholder harm; (5) how the product or service could create human rights harms if used irresponsibly or not as intended, including the severity, how widespread the impact would be, and whether the impact is remediable; (6) whether there is a particular group that may be especially vulnerable to adverse impacts if a product is used irresponsibly or not as intended; (7) the volume of products or services, as scale may increase or decrease the relevant risks; and (8) the geographic risks associated with the country where the product will be sold or service rendered, including respect for the rule of law, whether resale or use of the products or services is subject to regulation, the capacity for local stakeholders to understand relevant risks or warnings, institutions available to assist in providing remediation if needed, population density where the product or service may be used, and otherwise whether the geographic factors may exacerbate or ameliorate the risks of stakeholder harm.
These downstream salience exercises can be tricky, and present an array of challenges for companies and their boards. We address two of them here, by way of example. For instance, sales to customers who are governments, government agencies and state-owned entities often present due diligence challenges. Government customers can be associated with a range of human rights impacts, only some of which may be reported, making an assessment of the specific “foreseeability” of any potential improper product use more difficult. Further, gaining insights into how a government intends to use a product may be more elusive than for a commercial customer. While companies commonly use questionnaires to elicit information from customers around intended uses and other factors, governments may be less forthcoming than others, or bound by internal rules in terms of providing meaningful information. Government entities in countries where the rule of law is applied inconsistently also may not feel compelled to provide information that is wholly accurate, or which they have fully vetted before providing. In those countries, the legal and regulatory environments, and in particular judicial action against government-affiliated entities for misuses, also may not operate as effective constraints. Nor may they provide appropriate remedies for affected stakeholders.
Addressing the challenges presented by government customers requires tailored strategies. For instance, to gain insights into the government’s intentions and potential information gaps, it may be appropriate to place a greater emphasis on public information sources, obtained through in-depth searches, as a predictor of future behaviors than on representations from the government-affiliated entity itself. Analyses that are specific to the government entity and product at issue are important to help create a more complete “foreseeability” picture. Further, conversations with country-level experts about the government entity can be highly informative, and corroborating information the government-affiliated entity provides, beyond what might normally be done with commercial customers, is a good idea. Benchmarking the government’s rule of law reputation is another worthwhile step, and can be gleaned from public indices, such as the Fund for Peace Fragile States Index, the World Bank Governance Indicators (Rule of Law), or Freedom House’s Freedom in the World report. It also is particularly important to document and retain whatever diligence is conducted, to the extent the company’s questions and motives are later questioned.
A second challenge can lie where companies sell commercially available products or services to millions of customers spread around the world. For some companies, it might be the right time to seek advice from colleagues at major financial institutions, which invest between 2% and 8% of their annual revenues in know-your-customer (KYC) compliance programs. Gaining insights into effective strategies, and the best returns on investment, may be worthwhile.
For others, lessons can be gleaned from the “other” side of the value chain, where they may have tens of thousands of suppliers. Companies commonly employ third party due diligence platforms with suppliers, agents and other third parties to risk-rank engagements and transactions based on publicly available information, including news stories, relationships, geographies, transaction size and other factors. They may be able to leverage this approach by connecting to their customer relationship management systems (CRMs), which manage relationships with customers and potential customers, and the architecture, usage and maintenance tradeoffs, real-world user habits and workarounds, and data quality. CRM systems can be trained to automatically identify red flags and risk-rank transactions based on a variety of factors, just as with supply chain due diligence systems regarding upstream activities. Of course, responsible product usage programs are likely to be highly individualized, and many companies may find there are limits to what the tech can do today to scale a solution to the expected EU rules, particularly if a company’s responsible product usage challenges involve low frequency events where no scale tech solution has been developed. For example, an analytics tool recently had to be custom built to ingest the data from one company’s CRM system and other sources and generate risk analysis to address a very specific risk involving hidden sales to high-risk customers.
Image: I-OnAsia & Desilian analytics workbench snapshot.
Get Ready for Change
Government customers and mass scale are just two of the many challenges that companies will face in conducting downstream salient risk analyses, consistent with the forthcoming EU rules.
Teams helping boards and senior management understand downstream salient risks will be expected to consider cost implications, too. An effective downstream process may require significant fresh investments in customer due diligence, instituting more robust controls, and engaging in meaningful post-engagement monitoring. There also may be additional investments needed in creating enhanced contract terms, additional approval processes, limiting the volume of products provided or shortening the duration of the contract, obtaining certifications, seeking audits and running regular information searches, and other steps that we likely will address in a future post. There will be personnel costs, technology costs, and expert assistance costs. While there can be significant cost savings associated with adverse impact avoidance, as material risks and salient risks overlap for most companies, boards and management should be prepared for the initial operational expense.
One key leadership challenge will likely quickly become whether this hard work and expense can be translated into a competitive advantage. Fortunately, there are plenty of case studies about companies who lost their competitive edge and suffered existential losses after choosing to wait-and-see or take hide-your-head-from-the-risks approaches.