#4: Supply chains are like icebergs - the big part below the surface that you can't see is what sinks you.
Most companies focus their supply chain due diligence efforts on Tier1 (a.k.a. direct) suppliers. It's understandable why they do this - this is where the contractual nexus, the greatest visibility and the greatest leverage to influence behaviour exist. But the first tier is just the tip of the supply chain iceberg, and the tip is not the part that can cause the most serious damage.
But this approach is also based on a misinterpretation, perhaps intentional, of the scope of the corporate responsibility to respect human rights. The concept of "sphere of influence"[1] has been misinterpreted as meaning that a company only has responsibility for risks or impacts over which it has "leverage" to influence, i.e. those within its own operations and the first tier of its supply chain. However, the UNGPs make it clear that it is a company's "sphere of impact" that determines its responsibility. This means that if a company is connected to risks or impacts through causation, contribution or direct linkage anywhere in its value chain, then its leverage to influence them is only relevant for determining the nature and scope of its response, not its responsibility.
The UNGPs recommend that companies take a risk-based due diligence approach, i.e. to prioritize and focus efforts on those human rights risks in their value chains that could result in the most severe impacts. In most cases in supply chains, that's going to be in Tier2+. However, the current "generally-accepted" approach to supply chain risk management is introduction of a contractually-binding supplier code of conduct [2]. But, aside from U.S. "litigation-leery" companies and high-profile global suppliers with their own well-established due diligence systems, many suppliers will sign anything, including a supplier code, with little ability or intention to change their current behaviour.
This approach is only applicable to and barely works at Tier1, let alone Tier2 and beyond. It is essentially a game of "whack-a-mole": for every non-compliance that is identified, two or three more pop up that companies don't even see. For global MNEs, their tens of thousands of Tier1 suppliers know that, at most, they will be audited once every several years. Further down the chain, for their hundreds of thousands of "nameless" lower-tier suppliers [3], the risk of being found in non-compliance is even lower.
A new approach is needed.
Options such as supplier rationalization, blockchain verification and worker voice can all help. But ultimately what is required is getting to a place of true partnership, based on mutual respect and trust, where supplier self-enforcement through enlightened self-interest is the norm. We have a long way to go.

#5: You get what you pay for – or at least you won't get what you don't pay for.
Many supplier relationships are primarily transactional, and based on lowest-cost commercial and technical merits. The lifespan of the relationship is guaranteed only as long as, and until, a better value-for-money option comes along. This discourages "doing something for nothing" by either side, and/or investment in a long-term relationship unless it can be demonstrably justified by a clear business case.
Responsible business conduct, on the other hand, is never free and rarely cheap. A company can’t keep beating its suppliers down on price and then be surprised they are violating workers’ human or labor rights or polluting surrounding communities. Ethical behaviour is what you do even when it hurts your short-term bottom line.
The most effective law is one that doesn't need to be enforced.
The current cat and mouse approach to due diligence doesn't work in complex global supply chains. Emerging national/regional initiatives to legislate mandatory supply chain due diligence will help drive compliance, but won't solve the issue of effectiveness. And, as the saying goes, "the most effective law is one that doesn't need to be enforced." While legislation may be necessary, it's not sufficient to drive the "enlightened self-interest" supplier behaviour that is required for sustainable and effective risk management. This requires going beyond the purely transactional nature of most supplier relationships, to creating relationships where suppliers have some real "skin in the game" in the risks and rewards tied to their customers' ESG performance.
If a company's relationship with its suppliers is purely transactional, it can't seriously expect to get something for nothing. It's time for companies to put their money where their mouths are when they say their suppliers are "partners". If suppliers are expected to support achievement of their customers' ESG targets, maybe it's time to reward them for improvements in ESG performance.
#6: A journey of a thousand miles begins with the first step - beginning is often the hardest part.
Due diligence is not rocket science – companies do it all the time, as part of a variety of risk management processes. Human rights due diligence under the UNGPs is basically the same: plan-do-check-act. In recognition that companies won't necessarily get it right overnight, the UNGPs process incorporates a feedback loop to drive continuous improvement.
The UNGPs are the current "global standard of expected business conduct" regarding human rights due diligence. The fact that the UNGPs are not legally-enforceable and are based on a standard of conduct (rather than result) means the bar for compliance is still relatively low. Therefore there is no time to delay in beginning the "human rights journey". Companies that hesitate because they're not sure how to start, or because they are striving for perfection, will miss a closing window of opportunity to future-proof themselves for the mandatory human rights due diligence legislation that is coming in the next 3 to 5 years.
Despite the UNGPs turning 10 years old this June, various studies show that uptake has been disappointing: less than 20% of a small subset of the companies to whom the UNGPs apply are seriously implementing due diligence. Rather than seeking perfection by the few, scaling up basic human rights due diligence by the many may be the most effective strategy for the UNGPs10+/NextdecadeBHR.
End Notes:
[1] The concept first appeared in the UN Global Compact, and while it was included in the Ruggie "Protect, Respect and Remedy Framework", it was replaced in the UNGPs by an impact-based, rather than influence-based, approach.
[2] This may include a right to conduct periodic on-site audits and maybe a responsibility by Tier1 suppliers to cascade similar requirements to lower tiers.
[3] Few companies even know the names of their Tier2+ suppliers, let alone the services or goods they provide, making due diligence beyond Tier1 virtually impossible.