Fifteen years ago today, the UN Human Rights Council endorsed the Guiding Principles on Business and Human Rights (UNGPs). A lot has been written about what they’ve achieved – establishing that companies, not just states, now carry responsibility for respecting human rights, and that a soft-law instrument has gone on to shape an evolving generation of hard law. Both are true, and well discussed before today.
The part I find more interesting is how the framework does its work. Strip it back and what’s underneath isn’t just a list of obligations. It’s a reading of how power moves through a supply chain, with a responsible business methodology built to follow it. That approach is the most original thing about the UNGPs, and fifteen years on, it’s still the part that makes the UNGPS innovative, operable and enduring.
Before the UNGPs, the model was compliance – but it had a blind spot
The dominant method of social responsibility before 2011 was compliance-based (and arguably still is): codes of conduct, supplier audits, a pass-or-fail checklist administered down the chain. This approach assumes three things, mostly without saying so:
- that harm sits with the direct employer;
- that the goal is zero non-compliance findings; and
- that the buyer placing the order is a customer, standing outside the problem rather than shaping it.
Those assumptions are why decades of social auditing coexisted with the same violations turning up year after year. The model is good at detection and weak at correction. On the buyer’s side, it doubles as a liability shield. A signed code of conduct lets a company treat compliance as transferred: the supplier has agreed to the standards, so a violation is the supplier’s failure, not the buyer’s problem. An audit surfaces certain kinds of problem – it finds the locked fire exit, the unpaid overtime, the underage worker, and writes it into a report. The knowing happens. What the model has little mechanism for is making anyone act on the finding in a way that changes the conditions that produced it. The finding gets logged, a corrective action plan gets filed, the action hopefully gets closed – and even when it does, that’s a one-off fix to a single instance, not a change to the system that generated it. Knowledge accumulates; the underlying conditions don’t move.
What are the UN Guiding Principles on Business and Human Rights?
The UNGPs are now the authoritative global standard for preventing and addressing human rights harms connected to business activity. Endorsed by the UN Human Rights Council in 2011 and authored by the late Professor John Ruggie, they rest on three distinct but connected pillars: the state duty to protect human rights, the corporate responsibility to respect human rights, and access to remedy when they are harmed. The UNGPs are soft law — not a treaty — but they are the reference point from which subsequent hard law has been developed in jurisdictions around the globe.
The phrase doing the quiet work there is responsibility to respect. According to the UNGPs, the corporate responsibility runs independently of the state’s duty to protect, and it doesn’t weaken where the state is weak — if anything it matters more there, because a company can’t treat a weak or absent legal system as if it lets it off the hook.
The framework also provides a method for meeting that responsibility. Guiding Principles 17 – 21 set out human rights due diligence as an ongoing process: identifying and assessing impacts, integrating and acting on what you find, tracking whether the response actually works, and communicating how impacts are being addressed — with remediation (Principle 22) sitting alongside where harm has already occurred. The steps are familiar enough now to feel procedural, but the logic underneath them is the part that matters, and it’s where the rest of this piece goes.
The real innovation: responsibility follows power, not an employment contract
The compliance-based approach asks who employs the affected worker(s). The UNGPs ask who holds the power that influences the conditions of employment – and build their whole framework around the answer. That sounds abstract, but it has a precise operational meaning. The same logic of power runs through the framework in three places: in how responsibility for harm is assigned; in whose knowledge counts when you go looking for harm; and in whose experience decides how serious that harm is. Through each of these, the UNGPs seek to acknowledge power dynamics and to integrate mechanisms for countering some of the power imbalances inherent in supply chains. Each is worth taking in turn:
How the UNGPs assign responsibility: cause, contribute, directly linked
The strength of the whole framework (IMO) turns on three phrases: cause, contribute, and directly linked. The UNGPs sort a company’s relationship to the identified harm (whether a risk or a materialised impact) into three levels — cause, contribute, or directly linked — and attach different expectations of proportionate, appropriate response for each level. Read as an operational test, it’s a way of working out what you owe. Read more closely, it’s a power analysis: the levels track how much influence a company has over a harm, and scale the obligation to match.
What it says is that responsibility doesn’t sit only with whoever signed the affected worker/s contract. It sits wherever influence sits; meaning it’s more likely a shared responsibility – distributed proportionally across several actors rather than transferred from one to another. A buyer who never employed anyone, never set foot in the factory, and broke no law can still be on the hook, because of how close they are to the cause of the harm rather than to the harmed worker themselves. Compliance-based approaches located responsibility at the point of employment; the UNGPs put it at the point(s) of power.
What turns this from a classification into something with teeth is leverage. Where a company lacks the leverage to address a harm, it isn’t let off; it’s expected to work at building the leverage it doesn’t yet have. That reverses the most common corporate sentence in the room. “We’re only a small buyer, we can’t influence this supplier” is, underneath, a way of diffusing responsibility — locating agency anywhere but with oneself. The UNGPs turn it from a defence into a description of the problem the company is now expected to act on. The assumption they replace is one compliance never grasped: power in a supply chain isn’t a fixed property you either have or you don’t. It’s relational and largely constructed, through typical commercial decisions such as on price, volume, and how long a relationship is allowed to last.
Exiting works the same way. Cutting and running from a problem supplier is about the purest exercise of buyer power there is, and the UNGPs treat it as a last resort precisely because it tends to push the harm onto workers rather than end it. Treating disengagement as itself a use of power, with consequences to weigh, is a long way from the old reflex of terminating the non-compliant supplier and filing it as diligence.
Rightsholder primacy corrects a power imbalance — and it’s how you actually know
The UNGPs require companies to engage affected rightsholders and their legitimate representatives, and to treat that perspective as central rather than supplementary. It’s easy to file this under participatory good manners; a courtesy. It’s something sharper: a mechanism for correcting a power imbalance.
A supply chain routes around the people with the least power in it. Their experience is the thing most easily left unrecorded, precisely because they’re least able to insist on being heard. Requiring engagement – and giving affected rightsholders primacy, not just a seat among other stakeholders – forces those voices into a process that would otherwise pass them by. The role of legitimate representatives matters here for the same reason: collective representation is itself a way of rebalancing power that individual workers, especially those who fear retaliation, rarely hold on their own.
And the correction does double work, because the voices a supply chain silences are also the ones holding knowledge it can’t otherwise reach. A buyer’s management system can tell you what the supplier reported; it can’t tell you what it was like to be the worker who didn’t dare report. That information asymmetry is the whole problem — which is why engagement isn’t the company being decent or charitable, it’s the only reliable way to see the impact at all. Correcting the power imbalance and seeing the harm clearly turn out to be the same act.
This is also why the line between a rightsholder and a stakeholder is worth keeping sharp. Affected rightsholders aren’t one interest group among several to be balanced against shareholders and customers; they’re the people whose rights are at stake, and the framework puts them first because that’s where both the moral claim and the reliable knowledge actually sit.
Severity is measured from where the worker stands
The same standpoint that reveals the harm also sets how seriously to take it. Once a company has found its impacts, the UNGPs ask it to prioritise by severity (i.e. scale, scope, and how irremediable a harm is) and to let likelihood order the response only among the severe risks. The reference point is the affected person, not the company’s balance sheet.
A conventional risk model would multiply probability by impact and let a rare but catastrophic harm to a worker drop out of view because it’s unlikely. The UNGPs won’t take that trade. Severity leads, because the alternative is letting statistical comfort deprioritise the people least able to absorb the harm in the first place. The rightsholder, in other words, is both the source of the evidence and the measure of how serious it is — which is what makes this a single, coherent reading of power rather than a list of separate rules.
The pragmatism is the strength
All of this can seem like a softening: a framework that meets business halfway. It doesn’t demand zero issues, it lets you prioritise, it scales what’s required to how close you are to the harm. Next to a pass-or-fail audit, that can look like a relaxation of the standard.
It’s actually closer to the reverse. The realism is what makes the standard operable, and a standard that can be operated is one that can actually bite. A demand for zero findings produces theatre – clean audit reports sitting on top of unchanged conditions – because an impossible target displaces the goal it was meant to serve: people stop pursuing the outcome and start performing the metric. Asking a company to find its gravest risks, show its working, and act in proportion to its influence is asking for something it can genuinely do, which is precisely what makes a failure to do it visible. The pragmatism isn’t a softening of the rigour. It’s the thing that strengthens it.
The end of “but we didn’t know”
Overall, one of the sharpest things the UNGPs did was quiet: they changed what a company is presumed to know. The shift is from “we didn’t happen to know” to “we should have known”. Ignorance stops being a defence. A company is expected to have looked, and not looking is itself the failure. That’s set as a standard of conduct now, a responsibility to know rather than a guarantee of outcomes. And it’s the part that has travelled furthest into law: attaching legal liability to the failure to know is exactly what the binding regimes built on the UNGPs have been doing since — the French Duty of Vigilance law, the German Supply Chain Act, the EU’s new CSDDD and forced labour regulation, import bans like US withhold release orders. The standard came first; a widening body of law now gives it teeth.
The UNGPs are a triumph. Undoubtedly. Now the “anniversary” line everyone seems to be reaching for is that they are a radical idea made mainstream, and that’s fair. But I think it doesn’t go far enough. I think Ruggie’s idea wasn’t just to make clear that business is responsible for respecting human rights – it was to answer a harder question about how that responsibility is to be met if we are to truly implement the spirit of the UNGPS – honestly acknowledging whose experiences – of power, vulnerability and harm – set the terms. Fifteen years on, that answer is what makes the framework enduring.
Read this way – as a piece of power analysis and behaviour change rather than a compliance instrument – the UNGPs stop being a document to comply with and start being an explanation of why compliance alone was never going to move anything. At CLC, that’s the position we work from with out clients. In practice it means:
- starting your HRDD by asking where power actually sits, not starting from your lawyer says liability ends;
- centring affected workers and their representatives as the people who can actually tell you what’s happening in your supply chain; and
- building impact measurement in from the start, so what a company does can be shown to actually change conditions rather than just document them.
The UNGPs set a new standard – expecting the business community to move beyond compliance to something more pragmatic, more honest and more effective. Staying true to the vision of the UNGPs makes the difference between a HRDD programme that exists for the sake of existing, and one that actually works.
Come back for Part 2 in this anniversary series: The UNGPs at 15: How are we holding up in practice? What does HRDD look like now.
