Skip to main content

S1E8 – We talk to Jonathan Drimmer, a Partner at Paul Hastings law firm and Strategic Advisor with the Voluntary Principles on Security and Human Rights to find out why companies should care about human rights and the risks they face if they ignore these risks. Jonathan shares his insights on the challenges organizations face in ensuring human rights compliance throughout their global operations and supply chains. So why is private security so central to this, and what trends should we look out for in the years ahead? 


This podcast was originally published October 26, 2020

Welcome to the eighth episode in ICoCA’s podcast series Future Security Trends, Implications for Human Rights. I’m Chris Galvin and I’ll be in conversation today with Jonathan Drimmer, a partner at Paul Hastings law firm in Washington, DC, and strategic advisor with the Voluntary Principles on Security and Human Rights to discuss the future of compliance and why clients count.

Jonathan, you’re a lawyer with extensive compliance and litigation experience, which includes working for a large multinational extractive company. So, can you tell us why companies should care about human rights compliance and what risks they face if they ignore human rights risks?

Thank you for having me. So, the risks to companies are myriad, and I really like to separate them into two different categories. First and most important are the risks to stakeholders, the risks to potential victims, individuals, communities, and human rights risks manifest in a way that can be life-altering. It can cause permanent physical injury, it can change the topography of a landscape, and it can alter the perception between a company and a community, not just for this generation, but for subsequent generations. And human rights violations can perpetuate cycles of violence and contribute to conflict and conflict-affected areas, both in the immediate locale where the incident occurs and through the larger region. So, the risk to stakeholders is first and foremost and primary and really quite substantial. And that’s to some extent where the human rights lens tends to focus on the risk to victims. But the risk to companies is also tremendous as well, and you can look to a number of different areas where it comes about in the most prominent ways. First, you certainly can lose your license to operate. The loss of local support creating a situation where there’s tension and divisiveness between the company and its and local communities, its workers, family members of workers, and others who are in the immediate vicinity of your operation. You can lose home country support from the government, local government as well and national government, and that can be hugely impactful when you go to renew a license, or seek an extension of a license, or try to get a subsequent permit. So, it can really cause you huge operational harm and frankly, when we talk about loss of support and operational harm, license to operate also can lead to protests and shutdowns. Internally it’s a killer when it comes to recruiting new employees, young workers, top workers, top folks coming out of school do not want to work for human rights violators. It creates lousy morale among your existing workforce. It creates tension between your senior management and boards. And so internally, it’s really incredibly difficult and challenging as well. And then finally,  it can lead to all kinds of legal problems. It can lead to costly civil lawsuits, it can lead to criminal investigations against employees and companies, it can lead to shareholder proxy fights, and other challenges with shareholders and investors. And so the legal component that’s associated with human rights violations is also should be a tremendous deterrent to companies in terms of engaging in anything that might lead to this. So, the way to address this and as we segue from the harms into ways that you look to address it, management systems are the lifeblood of companies, managing risks, managing issues, managing opportunities, it all comes into management systems or compliance programs if you’re approaching this from the legal end. So, addressing human rights in a coherent, cohesive, and systematic way through a management system, through a compliance program with policies and procedures organized with the governance system, training, audits, investigations, with reporting, all of these being handled in a systematic and organized way is the best method of avoiding human rights problems, the risks to stakeholders and the risks to companies that that just identified.


Now, I mean, some of these companies are huge. Obviously, multinationals with staff all over the world, big management structures. So, what are the challenges in a company like that from both the management perspective, but also with employers based all over the world in the field?

I think if you’re looking globally, it’s really quite hard to have a single management system with very specific rules that govern all of your operations. To some extent, you do need to have an umbrella program and you are going to need to have certain baseline requirements that apply everywhere, such as the use of force and other standards that are universal in nature. But as you point out, the risks are different from place to place, not only from country to country but even within a country from community to community; so, one giant, very prescriptive system tends not to work globally. Local geographies, local governments, local cultures, past histories and incidents, local perceptions, all of these things end up coming into play. And so ultimately, as a company, it’s critical to define a global program with certain foundational elements like a use of force policy, like human rights training. Ultimately how it gets applied and interpreted is something that is going to require a high degree of local expertise and local nuance. Risks all come from on-the-ground implementation and understanding your operating environment in a thorough and complete way, and applying your global system in a manner that truly works on a local level. That’s the name of the game, really taking a global system, translating it, and applying it in a way that is effective given the local operating situation.


Now, having your own internal policies, management systems, and processes in place is one thing, but how should a company do its due diligence on its suppliers to ensure that they’re also human rights compliant? And again, we’re talking about suppliers that are going to be based all over the world whose operations don’t fall under the purview of their clients’ management and oversight functions.

Yeah, dealing with suppliers is maybe the most difficult aspect of any human rights management system or compliance program, depending on what you may call it as a company. Due diligence is hard, monitoring is hard, you don’t control suppliers, you’ve got a lot of suppliers to deal with and companies can have tens and sometimes hundreds of thousands of first-tier suppliers who can create really serious human rights risks and challenges. So, most good approaches break this down into two different tiers, there’s a baseline approach and then an enhanced approach.

You start with some kind of a baseline process that applies to maybe not all of your suppliers, but most of your suppliers and certainly all suppliers who on paper could theoretically create some kind of risk. And it really starts with some kind of information gathering, questionnaires that go to the suppliers about their work history, expertise, problems that have arisen, their policies and procedures, etcetera. So, information that is filled out by suppliers in an information-gathering, self-certification kind of way. That’s also supported at the same time by a light level of diligence, Internet searches, or maybe a subscription database search to identify if there is a public report of a past history involving a negative human rights impact or something that could create a risk of a negative human rights impact. But that’s also then something that you would couple with the nature of the service and activity that’s being provided to see whether it in and of itself creates a higher risk. So for instance, if you’re sourcing specific goods from an area where the risk of a human rights violation is high, let’s say you’re buying bricks from Afghanistan, which has numerous public reports of forced labor associated with brickmaking in Afghanistan, you’ll ultimately want to elevate that up to a higher risk. But there’s light diligence effort that is going to look at history as well as the nature of the service or the product that you’re buying and I should point out that there are plenty of lists like the US Department of Labor or the Department of State that does help connect high-risk goods, high-risk activities, high-risk areas, walk free, and NGO has that information that’s publicly available as well.

So, that diligence is looking to try to identify whether there is some kind of known and public risk associated with the activity. When that activity concludes, assuming there isn’t a higher risk that’s identified, light controls are typically put into place contract terms to respect human rights, some kind of oversight and monitoring, but it is much lighter than in the second category, which involves enhanced risks. And those can come from either the very nature of the service that’s being provided or with the light due diligence, the baseline diligence ultimately identifies increased risks. And, these involve risks of negative human rights impacts and the second category that would warrant enhanced diligence. That involves a more in-depth approach, so you might have interviews with your supplier, you might order a screening report where you’re getting a due diligence provider to ultimately give you information on potential public risks associated with the supplier, you might check references, you might do a litigation check, you might do a criminal record check, you might ask the supplier more about their policies and procedures, as well as how they’re implemented. At the end of that process, if you decide that the risk isn’t too high to proceed, you’re going to put into place elevated or enhanced controls. So, that could ensure training, you might not only insist on training but also look at the nature of the training to make sure you’re comfortable with the substance of what’s being provided. The closer oversight, and closer monitoring, you might ask for certificates of compliance. You might conduct assessments or inspections or ask someone else to do it. But it’s hard, managing suppliers on a global basis is really hard and whether you’re dealing with baseline diligence or enhanced diligence, it requires a lot of time attention, and operational devotion. And when you have a lot of suppliers around the world you just multiply, you multiply that exponentially.


Now I want to focus on one particular service, which is private security. And, I’d really like to kind of ask why is security so central to this, especially when we’re talking about human rights risks?

I do think it’s central and it’s central both operationally in terms of protecting people and property and assets and local communities, but also in terms of the human rights side. But just to stick with the first piece of it, the role of security is really fundamental. Employees want to be protected and feel protected. Management wants their property, their assets ultimately to be protected from theft, vandalism, riots, from destruction and local communities want to feel safe as well, physical safety is one of the fundamental things that we all can expect as a human right. And so, the role of security is fundamental and pivotal for all of the relevant stakeholders and their own safety, well-being, and that of their property.

But the risks that are associated with security are really quite substantial and it’s more substantial in some places than others and in some sectors than others. But when you have individuals who are looking to protect assets, protect individuals from physical harm, often armed with hard munitions or even non-lethal, confrontation is part of what happens in the provision of this critical function and so the risk of human rights violations is really quite high. And we can separate out private security from public security and a lot of human rights issues are typically associated with public security, which we can certainly talk about, but on the private side, which is often meant to supplement what public security can provide, you also have risks as well. And those risks may depend, again, on the nature of whether the private security is armed and the geography and the inherent risks that ultimately exist. But I do think we are going to see private security increasing. I think we are going to be digging out from the pandemic for many years. And public security is going to continue to be strained. And so the role of private security in helping ensure this fundamental right that we all can expect, life, liberty, and the protection of our property, is going to fall increasingly on private security and again, with it, varying levels of human rights risk. So, I think it’s really important, it’s incredibly important in any human rights program to have a serious process along the lines that I was talking about. About diligence controls to help identify, prevent, and mitigate those risks. And that’s really what I know ICoCA is deeply focused on, but it’s also companies ought to be focused on themselves.

And given the risk is really quite substantial with this sector, are there any particular initiatives you’ve mentioned ICoCA being one, I know you’re an advisor to the Voluntary Principles Initiative. If you could tell us a little bit about how that works and how it’s fared in this regard. That would be great. And also, is there an opportunity here for these initiatives that really operate in parallel to perhaps work more closely together?

We’ve been talking for years about VPs and ICoCA working more closely together and I think they have been working more closely together undertaking really good joint initiatives around things like gender-based violence and other critical areas that exist in the security space. But, let’s talk about the voluntary principles on security and human rights for a minute, I mean, it really is the leading security and human rights initiative and the world, the principles themselves have been in existence for more than two decades, they are embedded not only throughout the extractive sector, which is how they were originally created but by companies in a multiplicity of sectors and increasingly are incorporated into other soft law standards that may have a sector-specific focus. So, when you think about security and human rights and structures that exist to help mitigate relevant risks, the VPs are the thing that ultimately comes to mind.

There are three parts to the voluntary principles, it’s separated into three areas, there’s risk assessments, there’s public security, there’s private security. Risk assessments, which is kind of akin to what we talk about in terms of due diligence Under the UN Guiding Principles on Business and Human Rights, has six different areas that you focus on, everything from the history of violence to weapons transfers to other areas. Public and private security have a large overlap, but they do focus on vetting, they focus on contract terms, they do focus on weapons transfers, they focus on investigations and issues when they arise. So, they’re fairly thorough and fairly detailed. But part of their genius is they leave a lot of room for individual practice within those fairly specific areas and companies really can take these much in the way we talked about before in terms of having a global standard but applying it locally. The VPs are a really good example of identifying the relevant practices, but it isn’t so prescriptive as to say how they should how each one should ultimately be carried out. So, it really is a very helpful framework in terms of security and human rights and then the Voluntary Principles Initiative is composed of give or take 50 different NGOs, companies leading governments, external observers like the World Bank and the Red Cross, and others, and they get together to talk about best practices and engage on how VPs can be most successfully implemented. And it’s within that framework that ICoCA, which is an observer to the VPs, has had such a helpful role not only in its core function – setting the standards for private security, defining good practice, giving confidence that performance is ultimately appropriate – but in working with the VPs and VPs members to try to identify more in-depth practices on specific areas like vulnerable populations where problems really come up. So, I do think the relationship with ICoCA and VPs is growing and getting better and there’s a lot of mutual respect that goes back and forth both serve incredibly important roles in this area of human rights and security and I do think that is going to continue and increase for some time.


Now this series is titled Future Security Trends. And so I want to end with just a small question, and that’s really looking at trends in human rights litigation. If you could just summarize quickly what you think the trends have been over the last decade and where you see the trends going in the coming decade?

So, human rights legislation and litigation, both are snowballing. The entire legal framework around human rights is gaining momentum with every year and if you look back over time, you’ll see fairly light activity until about 2015, and then from 2015 on, we’ve seen a tremendous amount on the legislation side. Litigation, we’ve had 20-plus years of active human rights litigation, and that continues to expand as well. So, what are the trends that we’re ultimately seeing? And I would say as an overlay, there’s no way it’s going to slow down. If anything, it’s going to increase tremendously. So one of the things we’re really seeing right now is a focus on parent liability, and this is particularly the case throughout the EU, but also in Canada as well, I would say the US, but I think those cases have really established the rules around parent liability in the US under the Alien Tort Statute.

Parent liability basically is focused on companies where a human rights issue or incident occurs on the ground involving a local subsidiary or affiliate. The parent itself is looked at as being responsible. And so, for instance, there’s a major case going on right now in the UK, it involves acts on the ground in Zambia by the affiliate of a major global mining company. The lawsuit is being brought against the parent company in London. And so, there’s a real focus on making parent companies, the head office, liable for the activities of their subsidiaries and their affiliates all around the world. So, that’s a major focus right now. It’s been a focus in Canada, it’s been a focus in the UK, it’s a big focus in Europe right now.

We’re seeing a big focus right now in particularly in the US on potential liability for directors of companies, and boards of directors for failing to adequately oversee material compliance-related risks of their enterprises. This is something that’s been ticking up fairly slowly. But if you couple that with some of the requirements in the Modern Slavery Act, which we see in the UK and Australia and proposed elsewhere, they are requiring directors ultimately to approve or sign those Modern Slavery Act statements. So we’re seeing this increasing responsibility and potential liability of directors that go around the world in different jurisdictions. We’re seeing a lot of legislation that is contemplating specific kinds of civil cases for human rights issues. For instance, in the United States, there’s the Trafficking Victims Protection Reauthorization Act, TVPRA, that focuses on issues related to trafficking and forced labor and allows for civil litigation as well as criminal litigation in cases where companies are knowingly benefiting from a venture that involves forced labor.

We’ve seen in the last few years more cases being brought not only in home jurisdictions involving parent liability but also in host jurisdictions where the incident actually occurs, including with some very big judgments. Right now, the two biggest ticket items that are being kicked around are a draft UN business and human rights treaty that has a lot of liability and a lot of potential civil exposure that’s associated with it. We’re probably several years from that being ratified, more immediately, in the EU, there’s a human rights due diligence initiative that is being debated and is going to be introduced at some point next year. That also contemplates a potential exposure associated with human rights diligence and failing to adequately undertake steps in connection with the diligence; so, it would cover both negative impacts as well as a procedural component.

So, we’re seeing a lot from a lot of different angles in in the human rights legal legislation and litigation space. It’s an area that each year it’s just doubling, tripling in terms of the amount that we’re seeing. And I think we can predict in the next five, ten years it’s just going to be far more expansive even than it is now, which is far more expansive than it was five years ago.




The views and opinions presented in this article belong solely to the author(s) and do not necessarily represent the stance of the International Code of Conduct Association (ICoCA).