Insurance is also affected by the Transparency Act
On July 1st, the Norwegian Act relating to enterprises' transparency and work on fundamental human rights and decent working conditions (Transparency Act) came into effect. All large and medium-sized companies that supply goods or services in Norway must report on their websites if they have identified challenges in the supply chains in relation to human rights or decent working conditions. They must also explain how they have performed their assessment, and what they are doing about the problems they may have found. Insurance companies might at first sight be less affected by the law than manufacturing companies, but non-compliance carries a high reputational risk. What should companies do now to adapt to the new law?
Note: A shorter version of this article was previously published by Transcendent Group, part of the FCG Group.
Who is affected by the law?
The very first thing all companies in Norway should do is clarify whether they are covered by the law or not. This is in itself not a complicated task.
Large and medium-sized companies
The following companies are covered:
- Public limited companies and listed companies. To put it a little more precisely and technically: companies that are considered “large” in accordance with the Norwegian Accounting Act are covered.
- Businesses that meet 2 of the following 3 criteria on the annual balance sheet date (i.e. the last day of the business’s financial year):
  - 50 or more employees, i.e. 50 full-time equivalents
  - Sales revenues of 70 million NOK or more
  - Balance sheet of 50 million NOK or more
Different risks
The authorities split companies into high, medium and low risk according to their probability of experiencing supply chain issues relating to human rights or working conditions. This emerges from the impact assessment (Norwegian text) that the Ministry of Children and Family Affairs commissioned prior to the law's passing. Companies in the higher risk brackets are likely to enter the spotlight of the supervisory authorities first. These companies may also find themselves in the public limelight or as the focus of activist groups.
High-risk industries have been identified based on their import share or business dealings with countries likely to be affected by issues related to human rights or inadequate working conditions. Textile imports may have a high import share of goods from regions with challenges related to human rights and working conditions. High-risk classification has also been given to industries that have had such issues in the past. The hospitality and restaurant industries have a low import share, but have historically high levels of undeclared work.
In general, companies should assess their level of risk based on their industry. This is useful because it gives an indication of how extensive the due diligence assessment can be. A starting point can be the risk classification found in the impact assessment mentioned above, but the company should independently assess its own risk.
Insurance undertakings depend on public trust
Financial companies such as insurance companies are, according to the impact assessment, in general expected to be less affected by the law than most other industries. Nevertheless, insurance undertakings are subject to the same requirements regarding transparency as all other industries. The value chain of insurers may indeed be different from manufacturing companies, but insurance undertakings do tend to have a number of business partners and often outsource considerable parts of their value chain (e.g. IT, distribution etc). In addition, settlement of non-life claims may also involve sub-contractors in industries which have a greater inherent risk of violations of labour rights in their value chain.
Transparency and accountability are important values for companies in the financial sector, as they fulfil an important function for society and depend on public trust. The industry must also generally adhere to high expectations of governance and risk management from external parties such as supervisory authorities, rating agencies and reinsurers. Insurance undertakings must take their share of the responsibility for promoting respect for fundamental human rights and decent working conditions and ensuring public access to information. The new requirements will thus make it easier for companies to find ways to contribute to this.
Requirements for compliance
The law is not a comprehensive text, and the requirements are relatively easy to explain. There are mainly three requirements to be met:
- A due diligence assessment must be carried out
- The assessment must be published on the company’s website
- The company is obliged to answer questions about this work.
Certain formal requirements must also be met. Key is the requirement to anchor these compliance obligations at the highest level.
Anchoring
A natural first step in the work is therefore to “embed responsible business conduct into the enterprise’s policies.” This decision should be made at board level. It makes sense for the Board to adopt a plan for the due diligence assessments and how to make these public. Internal responsibilities should also be clarified and formalized.
Due Diligence
A due diligence assessment in the language of the Transparency Act is a risk assessment of the supply chain. The purpose of the Due Diligence process is to identify and assess actual or potential adverse impacts related to human rights or decent working conditions stemming from the enterprise’s operations, products or services.
The due diligence assessment shall be carried out in accordance with the OECD’s guidelines for multinational companies. The National Contact Point for Responsible Business in Norway has published guidance on how to perform the Due Diligence Process.
It is not a requirement to perform due diligence of each link or vendor in the supply chain. This will in many cases be impossible. However, in some cases it may be necessary. The company will make this decision as part of their assessment process.
This process should be risk-based. Consequently, how far into the supply chain the investigation should go will be based on an assessment of risk. The company must assess where it is most likely that there are problems, and direct resources to illuminate and solve identified issues.
Examples from the impact assessment: Purchasing professional services in Norway has a low risk; here you do not need to spend a lot of resources on controlling compliance with human rights or checking working conditions. The use of factories in some Asian countries for the production of clothing may entail higher risk. This situation will require a more thorough investigation to be documented.
The due diligence assessment must be carried out at least annually. If there are significant changes in how the business is run, it must be updated. The first publication of the due diligence assessment is due on 30 June 2023, according to the Norwegian Consumer Protection Authority (Forbrukertilsynet).
Measures
The Transparency Act does not in itself prohibit activities that violate human rights or involve a lack of decent working conditions. The company should nevertheless be aware that other laws and regulations most likely cover their area of operations. These laws may be both supranational and national.
In relation to measures, the specific legal requirement is for the company to identify and implement “suitable measures to cease, prevent or mitigate adverse impacts based on the enterprise’s prioritisations and assessments”, as well as to “track the implementation and results of measures”.
These measures can vary depending on the role of the company in bringing about the adverse effects that have been identified.
If the company in question alone causes the negative impact or damage, they have a large degree of responsibility to resolve the issue. This may, for example, be that there is a lack of decent working conditions at a factory owned by the company in or outside Norway. This should be rectified by the company itself.
If the company’s combination is directly related to the problem that has been identified, the company will have a special responsibility to prevent or minimize this. An example could be that the company buys goods from a supplier that offers unsafe working conditions for its employees. The company should take measures by, for example, updating purchasing contracts, in addition to entering into dialogue with the supplier to address the working conditions.
If the business is indirectly associated with human rights violations or unfortunate working conditions, the business should still try to minimize the impact. There may not be a direct relationship between the company itself and the link in the supply chain where challenges exist. An example could be that the company is one of several small buyers of supplies from an area where there is a suspicion of child labour, and where the company enters into an industry collaboration to improve working conditions.
Publication and communication
A key provision of the Transparency Act is the duty to publish an account of due diligence. The report must be available on the website of the company and cover:
- General information about the business and the risk for causing adverse effects, how the work with working conditions and human rights is organized and embedded in governing documents as well as routines that have been established.
- Information regarding actual negative consequences that have been identified
- Information on what measures the company has implemented or planned in order to stop or limit adverse impacts
The company’s policy and the measures taken should be communicated broadly amongst stakeholders, and not just posted on the website. The company’s subcontractors can greatly benefit from being informed about this, in addition to other stakeholders such as employee organizations.
Right to information
Any interested party can request additional information beyond what is already available on the company’s website. The law requires the company to respond to such inquiries provided the request satisfies certain requirements. There are formal obligations regulating deadlines and the refusal of information requests.
Challenges
A key challenge for all companies now establishing compliance procedures related to the Transparency Act is incorporating these new obligations into their other compliance obligations and activities. This is important for two reasons in particular:
- Other legislation will affect how the Transparency Act compliance plan can and should be designed
- There may be significant synergy effects to be gained from other compliance activities, or even other business activities. An example could be that information is obtained about possible suppliers based on considerations other than the Transparency Act, which can nevertheless be utilized in connection with the design of the due diligence assessment.
Privacy
Of particular importance for compliance are privacy considerations. It is important to ensure that the company’s privacy policy is coordinated with the process of gathering information for due diligence assessments. Otherwise, the company risks requesting and processing data without having the legal basis for processing these data.
A holistic view
Many companies carry out activities that affect and are affected by the Transparency Act, and which should be included when setting up a plan for how to ensure compliance with the Transparency Act. Processes for assessing the supply quality of potential vendors can be expanded to take into account the issues raised by the Transparency Act. Privacy has already been mentioned, but there may also be other compliance or business activities that can be used or modified to make the compliance with the Transparency Act more efficient.
Reputational risk
A principal intention of the law is to bring the efforts (or lack thereof) of individual companies into the public sphere. This may expose companies to reputational risk.
When establishing a plan for due diligence assessments in accordance with the Transparency Act, companies should therefore include an assessment of what kind of reputational risk the company may be exposed to. The business should be cognizant of interest groups that are active in their market environment, and of any public discourse which may affect them.
Consideration of reputational risk will be more relevant for a company assumed to have a higher risk of issues related to human rights and working conditions than others. Other factors that increase the reputational risk are how conscious customers and end users are, as well as how strongly the company has profiled itself in relation to ESG.
Businesses that are believed to have low risk should also carry out this assessment.
Further development of the law in the future
The Transparency Act comes as a response to a European legal development with the UN Sustainability Goals at the centre. Germany, France, the UK and the Netherlands are among the countries that have established legislation in the field. An EU Directive in the field has been out for consultation. The OECD’s guidelines for multinational companies already cover most of the sustainability goals.
In the future the law will cover consideration for the environment. This is expressed in the review published by the Norwegian Justice department prior to the adoption of the law. The future EU Directive also includes this provision as well as several other considerations.