What to Look for in Company Risk and Impact Assessments

A new era for just and sustainable business will emerge in the second half of this decade when various forms of company assessment of impacts on people, society, and the environment are published. These include double materiality assessments under the EU Corporate Sustainability Reporting Directive (CSRD), systematic risk assessment under the EU Digital Services Act (DSA), and the results of due diligence under the EU Corporate Sustainability Due Diligence Directive (CSDDD). What should we be looking for when these assessments[1] become public?

For the past two decades I have been moving back and forth between the worlds of those doing assessments and those calling for assessments to be done. I have probably undertaken a couple hundred materiality, human rights, and systemic risk assessments by now, and I am an advocate for regulated approaches.

However, I have often found significant gaps between what many assume assessments involve in theory and what they really involve in practice. I have also observed gaps between what actions really result in the change we want to see and what actions only create the appearance of change.

Here I offer ten qualities to look for when the world of company assessments becomes more transparent.

  • Authentic analysis or bureaucracy gone wild? The discipline of regulated assessment adds an essential layer of scrutiny, robustness, and consistency to company assessments. This is welcome, and one of the main reasons I support regulated approaches. However, we should ask whether the company has deployed this new discipline in service of a thoughtful, focused, and authentic analysis that improves our shared understanding, or whether the intent of the assessment has been masked by a compliance bureaucracy that checks the right boxes but is too distant from real results to matter.

  • Quantitative determinism or holistic analysis? There are lots of ways in which quantitative information supports assessment, including inputs (such as data illustrating the likelihood of impact) or analytical tools (such as scoring risks on a 1 – 5 scale). However, many impacts on people, society, and the environment are qualitative, nuanced, and contextual, and we should ask whether the company places quantitative information in its appropriate context and understands the limitations of numbers, or whether it takes a more deterministic approach.

  • Directional or false precision? Assessments of risk and impact are often about deciding which risks and impacts should be prioritized over others. However, we should ask whether the company acknowledges that the assessment is necessarily directional, or whether the company implies a sense of precision that is simply not achievable. One of the flaws of the popular materiality grid is the notion that risks can be plotted precisely, when in reality they cannot. A company providing a simple list of risks with an accompanying narrative setting out their mitigation priorities may have done a better job.

  • Prioritization or connectivity? The emphasis on prioritization can also result in a relative ranking of issues and risks, and this is essential for setting direction, assigning resources, and achieving desired outcomes. However, achieving desired outcomes in just and sustainable business also requires us to act upon the connectivity between issues—between privacy and child rights for example, or between climate change and labor standards—and so it is important for assessments to do this too. In my experience the best assessments both prioritize and appreciate connections between issues.

  • EU or the whole world? It is understandable that companies will pay disproportionate attention to the EU given that most current assessment regulations originate there. However, this means prioritizing effort on the very region of the world with the lowest human rights risk—which is *precisely the opposite* of what the UN Guiding Principles guide companies to do. It is essential that companies continue to prioritize efforts where impacts on people, society, and the environment are most severe.

  • Static or dynamic approach to mitigation? One of the beneficial features of regulated assessment is the way in which it can formalize the identification, tracking, and communication of measures taken to address risk. However, the reality is that the world is far more messy, dynamic, and unpredictable than mitigation strategies imply. We should ask whether the company seems to formally track similar mitigations in perpetuity regardless of their continued relevance or whether the company acknowledges the reality that effective mitigations are necessarily dynamic, nimble, and responsive.

  • Ongoing meaningful stakeholder engagement or performative engagement for the assessment only? To borrow a phrase, an assessment does not fall out of a coconut tree but exists in the context of everything that came before and everything that will come after. For this reason, assessments should draw upon the sum of all relevant stakeholder engagement that has previously been undertaken and embed these insights into the assessment. This stands in contrast to the assumption made by some (I have seen this in both companies and civil society organizations) that only stakeholder engagement undertaken solely for the purpose of the assessment should “count”. In my experience this approach can significantly constrain the relevance of the assessment and act as a barrier to the consideration of the broadest range of voices.

  • Systemic analysis or “company as an island”? It is essential that the company undertaking the assessment scrutinize its own operations, identify where they are associated with adverse impacts, and determine what appropriate action should be taken. However, there is a danger that the company-specific nature of regulated assessment (i.e., each company must undertake their own assessment) shifts attention away from the highly systemic nature of most impacts on people, society, and the environment. When the results of company assessments are published it will be important to review them as a collective whole and identify connections between them, and not simply ask “who did it best”. It will also be important to ask whether the company presents their assessment appropriately in the context of the system by not inappropriately shifting responsibility (“it’s the system’s fault and we can’t do anything”) or naively ignoring the system (“we only look at what we can control”).

  • Company accountability or outsourcing responsibility? There is a time and place for independent assessments, and I have been involved in more than my fair share. However, there is a danger that companies hide behind the independent assessment by saying it was conducted by another entity, so “the analysis is theirs not ours”; by contrast, for these upcoming regulated assessments, it is essential that companies take full ownership over and accountability for the results. This means utilizing third parties as additional outside expertise to improve the quality of the assessment, but not as the final arbiters of what the assessment concludes.

  • Company accountability or performing for the auditor? Audit requirements play an important role in providing an extra level of assurance that “the right things have been included in the assessment” and that “the things in the assessment are right”. However, auditors are not necessarily the most qualified to know what the best mitigations are or how specific impacts play out in real life. Being subject to audit is an important discipline, but this should focus on the big picture of compliance and not become an endless loop of answering increasingly detailed questions designed only to catch the company out. The time and effort invested into audits needs to be proportionate to their impact, and we should avoid a world where auditors are positioned as the ultimate authority when determining the quality of the result.

Impact and risk assessments play a very important role in just and sustainable business because they provide a foundation upon which improved analysis can be undertaken, ambitious strategies can be enhanced, and company actions can be judged over time. However, it is important that our analysis of these assessments is based on a realistic view of what they can and cannot achieve. I hope the perspectives shared in this blog help with that outcome.

[1] I am using the term assessment to encompass both risk assessments and impact assessments. The common feature is that they encompass impacts on, or risks to, people, society, and/or the environment.
