One year after the adoption of the law on surveillance plans (Plans de vigilance), Convergences proposed a review of the actions conducted in terms of risk prevention by major French companies during the 2018 Convergences World Forum. Indeed, despite the ever-increasing awareness about human rights violations, they persist, notably in developing countries. According to the OECD, about 40% of contracts were terminated as a result of this law, not fulfilling the de facto objective of allowing an audit and encouraging suppliers to adopt better practices. The notion of human rights (HR) must be understood here in the broadest sense by including an environmental dimension, and not only working conditions: it is a question of having a 360° vision of all the impacts of the company on human beings. A trend is emerging in so-called developed countries to integrate human rights concerns into the strategies of large companies. Although the measures implemented in companies are a first step towards convergence between ethical and economic requirements, there are still many initiatives and good practices to be implemented in this area.

Here are the feedbacks on the sharing of experiences at the Forum on this subject.

Legislation still not sufficiently assimilated by companies

This recent legislation requires a high level of adaptability from companies and that is why some of them are still struggling with its implementation. The business environment is not yet familiar enough with the surveillance plan, not everything has yet been assimilated, particularly with regard to the delimitation of objectives. Indeed, the documents required to be produced are often considered too formal and legal, and the idea of proposing templates more suitable for the general public in order to better communicate is regularly put forward. Nevertheless, in order to facilitate the appropriation of these practices, a certain number of companies use the sharing of experiences and their research to progress and respect the law. First, internally so that the objectives are shared by all the employees, then externally with a pedagogical role towards partners and subcontractors. Some companies have not yet grasped the importance of transparency in relation to the plan. They must understand that this legislation also intends to defend them in the event of a dispute and to be clear about the actions taken, therefor there is a real legal interest for the company.

Review of surveillance plans after one year of application of the Law

The mapping of risks and potential negative impacts related to the activity of the company, its subsidiaries or suppliers is the fundamental point of the law on the due diligence because it justifies the content of the surveillance plan. The implementation of such a plan requires awareness raising among all the company’s stakeholders at all levels so that everyone has a shared internal perception of risks and the business units communicate their risks. In addition, it is important to take into account in this mapping that the risks listed and assessed do not depend on the size of the company. Finally, it is sometimes difficult to establish clear causal links in order to develop an action plan.

Beyond the mapping, the question of risks and challenges arises: companies that need to implement a compliance plan cannot define and address all the issues related to the due diligence at the same time. The drafting of the surveillance plan may be part of a reactive or proactive approach to risks. Two options are available to them: (1) put aside certain risks, ignoring them; (2) adopt a discourse of truth by emphasizing what is being done in the present while admitting that they cannot foresee everything. The question then arises as to how to audit and control what seems most important.  If it is impossible to verify everything, the responsibility of companies is therefore to PRIORITIZE, which is why it is necessary to effectively evaluate what is a priority in terms of Human Rights while pre-constituting proof of activity.

Actors present to support and control practices

Although for the time being only France has legislated on surveillance plans, the ecosystem of respect for human rights in companies goes far beyond the framework of French companies. This is reflected in the various structures designed to guide and control the social, environmental and governance risks of companies on an international scale. Indeed, CSR pushes innovation and gives rise to attitudes such as exchange and alliances between companies rather than competition. However, CSR can give way to deviations such as market development due to consumer awareness; for example, the added value for products thanks to labelling. This control cannot be done alone. This is why it is essential to create a cooperative game because of the interdependence at the heart of which CSR is central.

As mentioned above, it is first necessary to support companies in their ethical approaches and the implementation of their surveillance plans. It is under these conditions that the United Nations, through its Global Compact programme, offers a dialogue with companies on CSR and support in its implementation. This action does not hide its ambitions by bringing together 11,000 companies and covering no less than 70 countries.

Secondly, to ensure the effectiveness of progress in terms of respect for human rights, it is essential to denounce the bad practices of companiesaround the world. Structures such as Human Rights Watch (HRW) provide a legal and moral basis through their targeted investigations and advocacy activities. When companies do not respond to completed surveys, HRW is able to put in place forms of pressure to challenge them. Indeed, the international NGO is able to expose them to strong repercussions such as denunciations in the press but also direct awareness among consumers.

In order to be able to apply such measures at the international level, it is necessary to refer to institutions that act as arbitrators in these conflicts of interest between ethical and economic requirements. According to Cyril Cosme, Director of the International Labour Organization (ILO) Office for France, it is possible to explain the functioning of the value chain by referring to the globalization of production. Indeed, as the economist David Ricardo rightly pointed out, we operate in a fragmented production network where the specialization of regions in the execution of tasks and the functions of each seems to be increasingly evident. The most obvious example is that of labour-emitting countries and countries hosting head offices. In the previous phases of globalization, the State remained the driving force, today new actors are in place, made possible in part by liberalization: companies. Thanks to their purchasing and production policies, they can now influence the market laws. All these issues are a challenge for the ILO: the regularization of globalization. All its action is based on the possibility of making international treaties ratified and adopted by national judges. The objective is to create a dialogue between rules and the world economic order. From a local point of view, the problem of the effectiveness of the law in some countries, particularly in relation to ILO standards, is due to the fact that local companies are better able to enforce them than the State. For example, with regard to respect for freedom of association (USA, Asia, etc.), the company can open the way to initiatives.

While there are currently no tools to support the implementation of an existing “turnkey” surveillance plan (http://www.vigilance-societale.com/guide/), companies must take ownership of each tool and adapt it to the challenges and risks of their sector and activity, based on the common points with other companies in their sector.

Influence of surveillance plans through the creation of value chains – Example of telecoms

With the objective of going even further in its corporate ethics approach, the Orange Group has taken the initiative to create a value chain involving all stakeholders in its ecosystem in its risk prevention policy. It is thanks to its position as a leader in its market that the firm has had the opportunity to orient its development plan around its activity as a lever for change, while being efficient and responsible. The company has instituted regular stakeholder dialogues (between employees, representatives but also external parties, funders, NGOs and the press). In total, the group has over 45 stakeholder dialogues over the past 10 years. Initially and from a methodological point of view, the approach of these meetings is carried out on a national scale and then ends up focusing on a vertical issue such as agriculture in certain geographical areas. For the past two years, these thematic dialogues in the countries concerned have been part of a sustainable performance. With the aim of better understanding the expectations of stakeholders, Orange has launched the “Digital society program”, which provides an opportunity to meet experts and sociologists.

Today, the group adopts a perspective of respect and defense of Human Rights because it considers it has a duty towards its employees. From there, Orange took its CSR objectives outside the walls in order to maintain consistency in its actions; it is from this observation that Orange’s value chain began.

[Focus] The challenge of alerting and remediation systems for companies

“Gates”, “Leaks” or “Papers” are all names that express all these cases resulting from informal alert systems in companies. In recent years, many scandals have come to light, whether financial, environmental or even related to the respect of Human Rights. All these investigations are now school cases for specialists because the focus is on the sustainability of remediation models in order to generalize these practices, which are still too rare in the corporate world.

It is therefore the Sapin II law that establishes the first legal framework in France for the treatment of alert mechanisms in companies. There are two articles in particular in terms of surveillance procedure:

• – Article 3.3: Appropriate procedures are in place for Institutions and companies with more than 50 employees. They must make it possible to reveal illegal and legal procedures that would pose a serious risk to the common good.

• – Article 17: Provides for the detection of corruption in companies with more than 100 million turnover or more than 500 employees, it also concerns serious violations of human rights, the environment and health. (Obligation to create a code of conduct, an alert system, a risk mapping, etc.)

Sanctions may be up to 200,000 € for natural persons and up to 1 million € for legal persons. Obstructing the alert can even lead to up to 1 year’s imprisonment and a fine of 30,000 €. Similarly, there are now sanctions if there is no warning system. The panelists pointed out that if the principles of surveillance applied to the NSA, it should have protected Edward Snowden on many points.

The premises of European legislation in this area are more recent with the draft law tabled on 23 January 2018. The objective is to harmonise the protection of whistleblowers at European level. This law will probably not go as far as the Sapin II law or the surveillance system, but there will be a standardisation of illegal behaviour in Europe. This draft European directive provides, for companies or public entities with more than 50 employees and more than 10 million turnover, for the establishment of internal structures dedicated to the reception of testimonies under cover of total confidentiality. In order to be able to establish alerts to external structures, States will have to establish a national authority. The press and civil society can therefore be considered as levers of last resort. From now on, there will be a response time of 3 months for the notification of an employee, subcontractor, consultant or trainee. This is an improvement on the Sapin II law, which only indicated a “reasonable time limit”.

It is essential to have confidence in the alert system and the sanctions it provides for (example of UBS where sanctions have deterred employees). We must therefore discuss flexibility, transparency and trust and draw up a procedural charter, as Aéroports de Paris (ADP) has done, for example, with the establishment of a partnership with  Transparency International France between 2008 and 2013.

The achievement of optimal effectiveness of warning systems is mainly based on two criteria:

• Good communication on efficiency
• Data management: It is essential to ensure the independence of the person processing the data, and the presumption of innocence must not be ignored.

In an organization, it is generally the responsibility of the compliance department to handle the implementation of alert systems. Nevertheless, it is recommended for more effectiveness to stay in touch with the operational side and to be supported by management and CSR. It is important to simply process reports, avoid multiplying processes, a single alert line is often more effective.

The implementation of these systems can be done internally thanks to the implementation of tools by the company itself. This is the choice made by Paris Airport when it switched to a single platform that allows exchanges. If the whistleblower connects, he only has access to the last message so that his history is not accessible in case of hacking. Following this report, a committee is set up to deal with alerts, it can be legal, CSR and sometimes HR. If alerts do not naturally go up thanks to the tools put in place, it is important to set up an alternative survey system with a control level in order to understand where the system fails to collect information. Indeed, it is often necessary to ensure that the system is well understood by all stakeholders, which is not always the case. The figures presented by the French Ethical Bar show this :

• 46% of employees in large companies are aware of the systems because of their notoriety and only 19% of these 46% really know the alert system
• 60% trust the company to protect them
• 75% fear a risk to their career

In view of these figures it is also possible to ask how to protect an employee and a supplier in the same way; it should be known that conceptually a whistleblower should be protected in the same way as if he were reporting a crime or misdemeanour. Nevertheless, it turns out that there is a problem of trust on the part of the employee and it is this first level of communication with the company that is lacking. This first obstacle can harm the company’s interests; as Yves Nissim, Director of Transformation and CSR Operations at Orange, indicates, it is necessary for some employees to be aware of the alert in order to be aware of the risk of accusations against the company. For an employee to understand that it is normal to first communicate his or her concerns with his or her supervisor, he or she must be made aware, which is why it is essential to communicate in large groups. It should not be forgotten that even the local management of an international group, not located in France, are also affected by this law.

Beyond the façade structure, companies also have their own means to report complaints, 3 examples below:

For an information system with so many stakeholders to be efficient, it must meet a number of criteria:

• Accessibility: A mechanism that must be widely known with easy access for all target populations
• Predictability: Once the process is triggered by the whistleblower, what will happen?
• Legitimacy: People often use it and trust it. The populations concerned are consulted in the implementation, there should be few restrictions on complaints

Example: If those who set up are only men, it will be more difficult to report sexual harassment

• Equity: Education of all parties
• Transparency: Do not withhold or filter information
• Compatible with the law: Respect confidentiality rules
• Continuous improvement: Upgrading through feedback, implementation of an interactive improvement system
• Direction to the right person: Ensure that the information arrives in the right hands in order to be processed with the most relevance possible

Example of Ulula, present at the Convergence Global Forum, who works to connect businesses, workers, communities and governments to reduce risks and create value. This platform measures and responds to Human Rights risks in supply chains through basic mobile phones. It sets up surveys to measure the social impact, collects information and complaints from stakeholders and engages in two-way dialogue (Company, employees, suppliers, subcontractors, etc.).

The key to these compliance plans lies in communication between all stakeholders and the protection of everyone. In France, it should not be forgotten that the majority of employees love their company and do not really want to harm it. For the moment, despite the lack of hindsight, it is possible to say that there is no explosion of reports in companies.

Two examples are given by Veolia and BSR. At Veolia, NGOs and international institutions already provide a great deal of information and data for risk mapping. However, the intervention of these NGOs and institutions is only at the local level of each risk, so their intervention when designing the overall surveillance strategy does not seem relevant. For BSR, it is difficult to integrate stakeholders at the corporate level to build the surveillance plan; however, it becomes mandatory to rely on stakeholders when going into the details of a predefined risk because they have expertise that does not exist at the corporate level. Trade unions and civil society now play the role of whistleblowers rather than real stakeholders in risk mapping and the drafting of the surveillance plan.

Two visions of the role of stakeholders therefore emerge:

1. External stakeholders would not a priori have a place in the mapping of risks at the global level (especially in internal surveillance committees) but would have a role to play in local risk assessment.
2. Nevertheless, the role of NGOs and external stakeholders could also include a dialogue throughout the development of the surveillance plan so that they can give their opinion on the overall strategy put in place (for example with critical friends committees). External stakeholders would not a priori have a place in the mapping of risks at the global level (especially in internal surveillance committees) but would have a role to play in local risk assessment.