#7: An ounce of due diligence is worth a pound of remediation.
Due diligence is all about prevention – the actions that a reasonably prudent person (or business) should take under a particular set of circumstances to avoid an unintended risk. Conversely, remediation is all about cure – the actions that have to be taken to rectify an impact arising out of inadequate due diligence. Hence the adage "an ounce of prevention is worth a pound of cure."
The priority of the UNGPs is prevention of human rights risks and impacts. Pillars I and II set out the recommended due diligence that States and companies, respectively, should take to avoid potential or actual human rights impacts. Pillar III sets out the recommended actions that States and companies should take when that due diligence fails or fails to be taken.
But there is another truism about risk management: risk can't be eliminated, just minimized. Because of the direct relationship between risk and reward, trying to accommodate a low risk tolerance can consume all of the potential rewards of an activity. Therefore, risk management is more art than science – the art is in finding the right balance between potential rewards and justifiable risk – so-called "smart risk-taking", a highly subjective exercise.
The UNGPs recommend that companies take a "risk-based" human rights due diligence approach: that is, to prioritize due diligence efforts on those risks that could cause the most severe impacts to rights-holders. Severity is determined by how serious an impact might be if it occurs (i.e. scale), the number of people potentially impacted (i.e. scope), and the difficulty of remedying the impact (i.e. irremediability). In my experience, this is a largely "artistic" exercise, requiring a high degree of qualitative professional judgement. And while there is an implicit undercurrent in the UNGPs that risks to rights-holders, as opposed to business, are never acceptable, the reality of a risk-based approach is that lower severity risks will receive significantly less attention, if any at all. Perhaps this is where the risk-based approach and smart risk-taking converge.
#8: A fish stinks from the head: the right tone from the top is not enough.
A supportive tone from "the top" is absolutely essential for functions, such as human rights management, that are typically considered cost, as opposed to profit, centres, to be taken seriously in a company.
Under the UNGPs, the "right tone from the top" is considered to be a policy setting out a company's commitment to respect human rights, approved at the most senior level of the business enterprise, generally the CEO. While it's true that having such a commitment is essential for mobilizing the resources necessary for operational execution, a commitment on paper doesn't guarantee implementation on the ground. Studies consistently show that while a significant number of large MNEs have human rights policies, implementation of adequate human rights due diligence lags far behind. 
To address this gap, advocates have recently begun calling for increased directors' duties to ensure implementation of human rights due diligence. This requirement is included in the EU Parliament's proposal for a mandatory human rights and environmental due diligence law. However, none other than Professor John Ruggie, the architect of the UNGPs, has criticized this approach. One of his main criticisms is that directors are not the main driver of the "short-termism" that is impeding companies' implementation of long-term sustainability strategies (such as human rights due diligence) and therefore increased directors' duties will not address the root cause. 
I'm not just working for [shareholders] ... Slavery was abolished a long time ago. – Paul Polman, former CEO Unilever
In Professor Ruggie's view, it is investors who are to blame for preventing corporate directors and executives from implementing a long-term sustainability vision. But this may be letting corporate leadership off the hook a little too easily. Professor Ruggie points to Paul Polman, former CEO of Unilever, to support the view that investors, rather than directors, are the root cause of short-termism. But Mr. Polman also makes the case for the need for courageous leadership to defend a company's sustainability values and vision against the "quarterly reporting rat race" driven by short-term, speculative investors. And without calling it "stakeholder capitalism", he emphasizes that a CEO has responsibilities towards multiple stakeholders, not just shareholders: "I'm not just working for them ... Slavery was abolished a long time ago."
Courageous leadership requires taking risks. And while many companies want to be sustainability leaders, few want to take the risk of making the long-term commitment required without there being a clear short-term business case. One of the easiest ways still to get a company to take a risk is to point to competitors who have already done so – but that's not leadership, that's following the leader. And the obvious problem with such an approach is that if no-one takes the risk necessary to become the leader, there will be no-one for the others to follow.
As they say, no pain, no gain – no risk, no reward.
 Corporate Human Rights Benchmark 2020 Report investor reaction.
In a recent commentary by the Institute for Human Rights and Business, Responsibility from the top down: Why human rights due diligence must be a mandated concern of corporate boards, John Morrison argues that Mr. Ruggie's view is more nuanced than this and that he would support enhanced directors' duties under certain circumstances.
#9: Corporate ends don't (necessarily) justify corporate means: don't confuse "purpose" with "responsibility".
In a free society…there is one and only one social responsibility of business – to use its resources and engage in activities designed to increase its profits so long as it stays within the rules of the game… 
Back in the 1970s when Milton Friedman famously uttered these words, the concept of responsible business conduct was simply to maximize shareholder value while not breaking the law.
Thankfully, the understanding of corporate "social responsibility" has evolved since then: mere compliance with the law is a hygiene factor, not one that most stakeholders will give companies much credit for. Investors, in particular, are increasingly viewing a company's "environmental, social and governance (ESG) performance as a key component of business sustainability". This is a clear recognition that shareholders are no longer the only stakeholders that companies are expected to serve.
In parallel with this development, there has also been an evolution in the understanding of what a company's "purpose" is. Even for "for-profit" companies, it's no longer just to maximize profit. In order to motivate employees, and more importantly, to earn a "social licence to operate", companies increasingly seek to articulate their raison d'être, the higher purpose for their existence, or, why they do what they do.
Unfortunately, purpose can sometimes trump responsibility. A company's "ends", i.e. its purpose, can sometimes be seen internally as justifying its "means", i.e. the risks or impacts connected to its business activities. This is particularly the case for companies whose core business is intrinsically connected to advancing fundamental human rights, such as free speech or the right to health.
Take social media platforms, for example. The stated purpose of companies such as Facebook and Twitter is to connect people, to enable the sharing of information, to facilitate freedom of opinion and expression. These are laudable purposes in support of fundamental human rights such as freedom of thought, opinion and speech.
But, when such a higher purpose as advancing human rights is at the heart of what you do, it's easy to lose sight of the adverse impacts you might be having in the pursuit of your purpose, or worse yet, to arrogantly view your positive impacts as justifying any negative ones (meaning, to let your end justify your means). Until quite recently, social media platforms seemed genuinely shocked to learn that, without adequate due diligence such as content moderation to prevent hate speech or sexual exploitation, or enforcement of data sharing protocols to ensure protection of user privacy, pursuit of their purpose came with significant adverse human rights risks/impacts.
Another sector whose core purpose is intrinsically linked to advancing the realization of human rights, but that has long flown under the radar in terms of social and environmental impacts, is the pharmaceutical sector. Improving people's health or saving people's lives is all about respecting and protecting the human rights to life and health. But, if your priority stakeholders are patients, and your measurement of performance is the number that have been reached by your products, there is a risk that nothing else may matter.
Governance-related risks in the pharmaceutical sector, such as corruption and bribery, and anti-competitive behaviour, are notorious. Until recently, however, these have been seen as largely victimless crimes. Less well-known are the sector's environmental and social risks/impacts. Due to the increased offshoring of drug manufacturing to weaker rule of law jurisdictions, these include impacts on the quality and quantity of community water supplies from the discharge of untreated wastewater effluents or excessive industrial consumption in water-stressed locations; as well as anti-microbial resistance to antibiotic drugs due to increased pharmaceuticals in the environment from over-prescription and improper disposal (among others). On the social side, especially in the lower tiers of developing country supply chains, risks include labor rights violations, such as inadequate wages, excessive working hours and unsafe working conditions.
The UNGPs are clear: companies are expected to respect human rights throughout their value chains. And going beyond this baseline expectation in one aspect of their business activities does not "offset" adverse impacts in others.
Maybe Google's original ethical code is one that all companies should live by: "Don't be evil".
 Milton Friedman, The New York Times Magazine, September 13, 1970. Mr. Friedman acknowledges that corporations may be established to pursue “eleemosynary”, or non-profit objectives. But the corporation managers’ responsibility is still to maximize value to its shareholders, as defined by the shareholders.
#10: To embed human rights, managers need to think like rights-holders: do unto others as you would have others do unto you.
Why do companies find it so hard to respect human rights in their operations and supply chains? After all, human rights due diligence (HRDD) isn't exactly rocket science – companies conduct effective due diligence on other equally challenging issues, such as political and financial risk, bribery and corruption, etc. Is it just that HRDD is voluntary, whereas other due diligence activities are legally required? Or is there something else going on?
Under the UNGPs, managers have a dual persona: as a company representative, they are a "duty-bearer" with a responsibility to avoid infringing the human rights of others in carrying out their job responsibilities. Conversely, as an employee, they are also a "rights-holder" with an entitlement to have their human rights respected in all aspects of a company's value chain.
This puts them in a somewhat contradictory position. And this can be compounded when a company's priorities or incentives put business or personal interests in direct conflict with respecting human rights. For example, you can only drive costs down and profits up so much before there is a risk or impact on human rights.
However, the UNGPs make it clear that human rights due diligence must be conducted from a "risk to rights-holders" perspective, and not simply from a risk to business one – this is why stakeholder engagement is such an indispensable element of effective human rights due diligence.
A 2015, but still relevant, report by the Economist Intelligence Unit identifies the biggest barriers faced by companies in addressing human rights. The top three are:
lack of understanding of human rights responsibilities
lack of resources
lack of training and education of company employees
To these I would add a fourth, which is both a cause and effect of the first three: failure of company managers to think like rights-holders. Without the ability or willingness to understand the rights-holder perspective, managers will not be effective advocates for improving a company's understanding of its human rights responsibilities, securing the necessary resources or ensuring the necessary training – and vice versa. It'll be a vicious circle.
This brings me to the golden rule: do unto others as you would have them do unto you. Companies can be both customers and suppliers – so as a customer, treat your suppliers (and indirectly their workers) how you'd like your customers to treat you. Similarly, employees can be both rights-holders and duty-bearers – so as a manager, treat those who may be affected by your decisions in the same manner that you'd like to be treated.
Human rights management is not a spectator sport. In a company, rights-holders are simultaneously duty-bearers – this is particularly so for managers. In order to embed respect for human rights in the DNA of a company, everyone needs to think like a rights-holder, but act like a duty-bearer.
 See my blogpost on the BP Deepwater Horizon disaster for what can happen when risk to business trumps risk to rights-holders.