Identifying and prioritizing human rights risks is the foundation for appropriate and effective human rights risk management. It helps you focus on the most severe and most likely risks to people who may be impacted by your business activities and along your value chain.
Often, human rights risk analyses start at a high, overarching level and can therefore feel abstract and far removed from operational realities. Starting with a high-level overview is often necessary and beneficial, for instance when assessing risks across a company’s entire supply chain, where beginning with a broad scope is an important first step to prioritize areas for deeper analysis.
However, when it comes to a company’s own operations, organizations are usually in a strong position to identify risks more concretely. Companies are much closer to the risks and the people who may be affected by them. They understand how work is organized, who performs which tasks and which groups of workers may face particular challenges. This makes it possible to move much faster from abstract to concrete risk analysis, and ultimately to targeted action.
In this article, I want to share some thoughts on how companies can make use of these circumstances to approach human rights risk analysis in their own operations in a more focused, practical and action-oriented way.
How risk analysis in own operations differs from analysis in the supply chain
Human rights risk analysis in own operations can be approached differently than risk analysis in the value chain. Companies can draw on extensive internal knowledge to assess risks in a more concrete manner including insight into organisational structures, roles and responsibilities, how work is organised across the business, the composition and characteristics of the workforce; and existing processes for managing risks.
Importantly, it can also draw on an understanding of the realities of day-to-day work and include insights from engagement with affected rightsholders, who in own operations are much closer to the company.
Taken together, these factors mean that risk analysis in own operations can better reflect the concrete operational context and link more directly to targeted and effective action.
Differentiate between potentially affected groups in your workforce
When assessing risks in own operations, instead of treating all employees as one homogeneous group, companies can look at their workforce in a more differentiated way that better reflects reality. For example, employee groups may include:
- production workers
- office-based staff
- sales teams
- logistics or warehouse staff
- temporary workers
- seasonal workers
People in these roles may perform different types of work and are therefore exposed to different human rights risks. Taking this differentiation into account helps ensure that the risk analysis reflects how work is actually organized and conducted across the company.
A more differentiated approach also helps make groups in more vulnerable positions more visible, such as temporary agency workers, seasonal workers or workers with lower job security. Rather than identifying risks at the level of “the workforce” as a whole, the analysis can consider how risks may vary between roles, employment arrangements and working conditions.
Existing information can support this differentiation. For example, HR or non-financial reporting data can help map the workforce into relevant groups and avoid treating own operations as a single, uniform risk profile.
When risks are assessed with this level of differentiation, the outcome of the analysis becomes much more useful and tangible. It provides a clearer picture of which groups of employees are exposed to which risks, and why.
This, in turn, supports clearer prioritisation and the development of mitigation measures that are better aligned with the needs of those most affected, while ensuring that vulnerable groups are appropriately considered.
The appropriate level of differentiation will depend on factors such as company size, the complexity of operations and the scope of the assessment. Still, even at a global operations level, considering key differences between groups can help make the outcomes of the analysis more meaningful.
Include information on existing management measures: moving from inherent to actual risk
In own operations, companies often move more quickly from identifying inherent risks to understanding actual risks.
A useful starting point is to identify inherent risks based on factors such as country context, industry, business activities and workforce characteristics. External risk data and benchmarks can support this initial mapping.
The next step is mapping existing measures that are in place to manage these inherent risks. Most companies already have a range of processes in their own operations, often more than they initially recognise. These may include occupational health and safety measures, different standard operating procedures, HR policies and processes, recruitment practices, training programs as well as worker representation structures.
This does not mean that areas with established processes can be deprioritized entirely. The presence of a measure does not necessarily mean that it is applied consistently or that risks are mitigated in practice.
This step helps narrow the focus and identify where further inquiry is needed. Over time, engaging internal stakeholders and drawing on additional sources can help refine and validate risks and bring the analysis closer to operational realities. Thereby, moving from the abstract to the concrete in a step-by-step manner.
Involve different functions in the company in risk analysis and mitigation
Connecting to the point I’ve just made, internal engagement is crucial. A lot of relevant knowledge already exists within the organisation, but it can only be leveraged if internal stakeholders are actively involved in the risk analysis. This does not mean that every team needs to be engaged at the same time. Rather, engagement can be phased and tailored to the company’s organisational structure, operational context as well as the scope of the analysis. Internal engagement helps to understand whether identified risks reflect realities in practice.
There is also a very practical reason for this: these functions are ultimately responsible for implementing measures. If they do not understand the risks, or do not see them as relevant, implementation of mitigation measures is unlikely to succeed. Addressing human rights risks requires in shared ownership, changes in day-to-day practices and behaviors, not just new policies or processes.
Finally, being close to operations does not always mean having full visibility. When risk analysis is mainly driven from headquarters, internal blind spots can remain, especially at specific sites or in certain operational contexts. Involving teams from different functions and locations can help identify these blind spots and ensures that relevant risks are fully considered in the analysis.
Leverage proximity to potentially affected people
This is a particularly important aspect of risk analysis in own operations. Companies are relatively close to the people who may be affected by their own operational activities, and this proximity can help to ground the analysis in the perspectives of those affected and understand the risks and root causes better.
A useful starting point is often to draw on existing sources of information. Employee surveys, engagement platforms or networks, information from grievance mechanisms and dialogue with worker representatives can already provide valuable insights into where issues may exist in practice and which groups may be particularly at risk. These sources can help identify patterns, surface concerns and indicate where more in-depth engagement is needed.
Building on this, engaging directly with employees and especially with groups that may face higher risks remains essential. What looks good on paper does not always reflect how things work in practice, and direct dialogue can reveal issues that are not visible through policies, procedures or data alone.
What this looks like in practice will depend on the size of the business and the maturity of existing risk assessment processes. But if companies want to develop targeted and meaningful measures, they ultimately need to move beyond desk-based analysis, step away from their screen and engage directly with people that are most affected. This helps ensure that risks are understood in their full context, and actions to address the risks consider the perspectives of those affected.
Finally, human rights risks in a company’s own operations are not static, and risk analysis is not a one-off exercise. It is an evolving, step-by-step process that should account for the different business activities, organizational structure and workforce characteristics, with the aim to reach tangible and practical outcomes.
Changes such as organizational restructuring, entering new markets or increased use of temporary labour can all shift risk profiles. This means that human rights risk analysis needs to be revisited regularly.
If you are looking at strengthening the human rights risk analysis in your own operations through a more people-centered approach, and would like to exchange on the topic, get in touch at hello@peopleatcore.com.
We’d be happy to connect with you.
Stephanie for the CORE team
