The Ruggie Framework: Polycentric regulation and the implications for corporate social responsibility

Mark B. Taylor Fafo Institute, Norway mark.taylor@fafo.no The United Nations ‘Protect, Respect and Remedy’ Framework, developed by the U.N. Special Representative John Ruggie, brings together social expectations and law into an emerging policy framework of direct relevance to corporate social responsibility, CSR. The principle source of the Framework’s significance for the policy and practice of CSR is its definition of the theory of business responsibility for human rights as arising from business activities and relationships, and its deployment of due diligence for human rights risk as the core operational concept of this theory of responsibility. The article considers the responsibility to respect human rights in light of theories about polycentric regulatory regimes and draws the conclusion that the Ruggie Framework creates a regulator dynamic in which both voluntarism and law have relevant and reinforcing roles to play in governing business behavior. In the wake of the adaptation of the Framework by the UN, the challenge for the field of CSR will be to adapt to an emerging reality in which business responsibility for ‘the social’ is increasingly a question of compliance and beyond.

Two years later, when the Framework emerged in the form of Guiding Principles 1 (Ruggie 2011), it became increasingly clear that the Framework would have a lasting effect on the broader movement toward corporate social responsibility. The principle source of its impact is the Framework's definition of business responsibility for human rights as arising from business activities and relationships. The Framework does not bother to address the wellworn debates that oppose voluntarism' and binding law,' nor does it debate whether business should be concerned with public goods at all (Zerk 2006;Clapham 2006). Instead, the Framework provides a clear definition of business responsibility for human rights as the foundation for a policy framework in which both voluntarism and law have relevant and reinforcing roles to play in governing business behavior.

Ruggie's middle path
Past attempts by the U.N. to establish global norms of business responsibilitythe Global Compact in 2000 and the Draft Norms on the Responsibilities of Transnational Corporations and Other Business Enterprises in 2003had failed to grapple with business resistance to any drift toward international legislation of binding' social responsibilities. One, the Global Compact, simply avoided all mention of regulation and received widespread endorsement and government funding. The other, the U.N. Draft Norms, explicitly sought regulation at the international level and failed to get it. As a result, CSR as a policy issue evolved primarily through processes of multistakeholder policy dialogue. Governments remained largely noncommittal. Civil society organizations, on the other hand, often bemoaned the lack of new laws or legally binding rules for business with respect to human rights. There are exceptions to this characterization on all sides, of course, for there were no monolithic blocs. But the divide between voluntary and mandatory approaches to rule-making with respect to the social impacts of economic activity reflected what the main organizations on both sides seemed to see as their principle interests.
Those positions were starkly expressed in 2002 at the World Summit on Sustainable Development in Johannesburg. There, NGOs and certain government representatives held that complementary, comprehensive, and targeted regulation is needed to ensure accountability for the performance of companies in social and environmental terms (Graymore & Bunn 2002). Business interests, on the other hand, were more likely to advocate the promotion of sustainable development through so-called self-regulation, that is, through voluntary agreements and partnerships with various stakeholders (governments, NGOs, civil society groups) (WBCSD 2002). CSR is, in this sense, not about business compliance with legally binding rules, rather CSR is concerned with positive contributions by business to society above and beyond compliance with the law.
Governments did little to disabuse business of this view, 2 preferring to allow various CSR processessuch as the Global Compact, Voluntary Principles on Security and Human Rights, and a plethora of othersto pursue multistakeholder dialogue around issues of policy and practice. The effect was to paper over key differences on human rights issues and to allow the dichotomy between voluntary and regulatory approaches to fuel the policy research and debate (Kleppe 2007). Yet, out of these debates grew an increasingly prevalent view, which rejected the notion that voluntary and regulatory measures are somehow mutually exclusive (Lunde & Taylor 2005). For example, in its 2002 report Beyond Voluntarism, the Geneva-based International Council on Human Rights Policy (ICHRP 2002) argued that, while more robust legally binding regulation is required to create an incentive structure for companies to change unacceptable behavior, the two main approaches complement each other: […] neither legal nor voluntary approaches should be a substitute for the other. Both are needed, and they can be complementary. Voluntary codes will make binding regulation more likely to succeed because they have started to build consensusor at least understandingaround some core rights. Willing consent to such norms will be helpful when binding regulations are introduced in the future. As companies introduce new management practices to implement codes, they develop business expertise that will also be essential to successful implementation of binding regulations. Overall, however, we believe it is time to move beyond voluntarismnot in order to stop voluntary approaches but because a new international legal regime will become increasingly necessary. The future should hold a blend of voluntary and binding rules that together will ensure that companies respect human rights and demonstrate that they do so. (ICHRP 2002: 9) Reflecting on the state of the contemporary movement toward corporate responsibility, Professor Ralph Steinhardt described the need for a middle path, maintaining the general impetus towards corporate responsibility in the human rights field but justifying a global standard that is so grounded in international law as to offer corporations a measure of protection from aggressive or idiosyncratic approaches to human rights. (Steinhardt 2005) Having received from the HRC an evidence-based mandate, 3 Ruggie spent his first three years looking at the existing state of law and practice and at the end of it produced the Protect, Respect and Remedy' Framework. The Framework describes a policy space in which states' duties to protectthe first pillar' of the Frameworkmake them ultimately responsible for human rights, including the provision of most forms of remedy, the third pillar'. Business responsibilities were nestled within this overarching state duty as the second pillar.' The Framework established that state duties include the duty to create legally binding rules with respect to human rights and business, where they see fit within their jurisdiction and where they themselves have taken on obligations to do so. 4 All of this seemed rather sensible to governments long-used to the focus of human rights law on states as the primary duty bearers. The unanimous welcome given to the Framework by the HRC was evidence of this. But it was also evidence of the fact that, for some governments, Ruggie appeared to have done precisely what had been asked of him in spirit, namely, to describe a path out of the policy paralysis which had arisen in the small but influential community around the U.N. in Geneva concerned about business and human rights.
Ruggie's definition of a «corporate responsibility to respect human rights» as the second pillar of the Framework was the basis for this middle path. The two key elementsresponsibility and respectwere defined in simple and intuitive ways. Responsibility was defined as arising from a business's activities and relationships «across a business enterprise's activities and through its relationships with third parties associated with those activities» ( Ruggie 2011). In this way, responsibility was delimited to the adverse impacts of business agency, either directly or through its relationship to others.
The definition of responsibility as deriving from acts and relationships is distinct from the previously dominant notion of sphere of influence,' which had been the concept used to delimit business responsibility both by the Global Compact and the U.N. Draft Norms. The effect of those efforts had been to delimit a business responsibility using the analogy of the spatial boundaries of a state (sphere) and then marrying this to a concept which, like sovereignty, implied that responsibility arises from power (influence). It did not seem to work in practice. 5 In part, this was because it defined responsibility as arising out of power without explaining what kind of power. The problem is that business impacts may occur far from the physical space it occupies. Business power, while often great, is different from the power of a state, both in its concrete manifestations and in its more symbolic effects. A company could be said to have direct economic and legal power over its employees, and the responsibilities which derived from this power would be defined by international and domestic labor laws. But did this imply a limit to its responsibilities, for example, where health and safety laws were absent? If an individual business had impacts but little effective influence would it not be responsible? This was a particularly salient challenge in light of contemporary value chains and the diverse and networked form of large business groups. Large consumer goods companies can be said to have huge influence over the cost structures of their suppliers, but the nature of influence further down the supply chain is different in each sector. In fact, by driving prices down, businesses are acting to affect the entire supply chain. Their pricing has impacts. Their economic power in the chain makes these pricing decisions effective. But it is the act of pricing from which responsibility arises, not the influence which comes from economic power. Thus, where companies might be perceived to have little influence, for example, over nearby communities, they in reality had potentially significant effects: some of the most notorious cases of alleged human rights violations involve impacts of a company on the environment and health and lives and livelihoods of local communitieseffects that would not have been detected under a theory of a sphere of influence. If corporate influence was intended to mean influence over the host state, it was still unclear what responsibilities were implied by this power.
Just as business responsibility for human rights was delimited by the notion of activities and relationships, it was also clarified through a definition of what it means to respect human rights. The Framework defined respect as «to avoid infringing on the human rights of others and to address adverse human rights impacts they may cause or contribute to» (Ruggie 2011). This negative obligation to do no harm' is at first sight a minimalist approach compared to expansive notions of CSR in which all kinds of public goods may be provided by business, from charity and philanthropy to for-profit public service provision. But on closer examination, the notion of respect embodied in this principle of business responsibility is an appropriate response to a rights-based problem: if the assumption is that the normal course of business can do harm or infringe on the rights of others, then whether or not business should deliver public goods or contribute to the realization or fulfillment of rights should be secondary to its responsibility to do no harm or respect those rights in the first place. There is nothing preventing business doing more to «support and promote human rights» ( Ruggie 2011), but the Framework is based on the rights-based notion that a negative obligation is the starting point, a «baseline expectation» in which «a company cannot compensate for human rights harm by performing good deeds» (Ruggie 2008b).
In other words, a business's responsibility for human rights arises when one of its activities or relationships gives rise to a human rights abuse. This definition of responsibility has several implications. The first is that, although a negative obligation, the Framework's definition of respect as doing no harm' is far from passive in practice. Under the Framework, respecting human rights entails active implementation by a business: 15. In order to meet their responsibility to respect human rights, business enterprises should have in place policies and processes appropriate to their size and circumstances, including: a. A policy commitment to meet their responsibility to respect human rights b. A human rights due-diligence process to identify, prevent, mitigate, and account for how they address their impacts on human rights; c. Processes to enable the remediation of any adverse human rights impacts they cause or to which they contribute. (Ruggie 2011) The second implication is that international human rights norms constitute the standard against which business behavior will be measured. After studying over three hundred reports of alleged business human rights abuses, Ruggie came to the conclusion that «there are few if any internationally recognized rights business cannot impactor be perceived to impactin some manner» (Ruggie 2008b), and that «(b)ecause companies can affect virtually all internationally recognized rights, they should consider the responsibility to respect in relation to all such rights, although some may require greater attention in particular contexts» (Ruggie 2008b).
Given the scope of market-based activity globally and the sheer diversity in business activity, this is hardly a surprising conclusion. But the finding was an important empirical reinforcement of the notion that business could in principle be responsible for all rights, depending on its activities and relationships. As a result, the Framework sets up the main human rights provisions, including labor rights, as the minimum standards of respect against which businesses should be assessed: 12. The responsibility of business enterprises to respect human rights refers to internationally-recognized human rights -understood, at a minimum, as those expressed in the International Bill of Human Rights and the principles concerning fundamental rights set out in the International Labor Organization's Declaration on Fundamental Principles and Rights at Work. (Ruggie 2011) This in no way precludes a business doing more or adopting policiesand the relevant implementation systemsthat commit the company to, for example, the Voluntary Principles on Security and Human Rights (VPs), the Extractive Industries Transparency Initiative (EITI), the Global Compact (GC), the OECD Guidelines for Multinational Enterprises, the IFC Performance Standards, or other similar principles and standards.
Finally, the Framework assumes that context matters: the human rights context of the environment in which the business is operating, and the size and nature of the business activities themselves, will be crucial for determining what it really means for the business to respect human rights in practice, i.e. what rights a business is infringing, or might infringe, and what actions can be taken to remedy the situation. The Guiding Principles are cast at a high level of generality, so as to be applicable to all business. Having reached the limits of generalization, the Framework then assigns the concept of due diligence the task of getting to the specifics of what it means for a particular business to respect human rights in its particular context. While the Ruggie Framework's definition of a responsibility to respect' constructs a middle path between competing interests of human rights campaigners and business, it is through the introduction of the concept of due diligenceand its corollary human rights risk'that the Framework lays the foundation for the further development of business responsibility.

Due diligence and human rights risk
Guiding Principles 11 through 24 describe the principle of responsibility to respect in detail. In addition to outlining what a corporate human rights policy should cover, much of the section on the responsibility to respect is based on two key concepts: due diligence and human rights risk. Due diligence is a process found in commercial law legislation in a number of countries and the Framework adopts it into the human rights context (Sherman & Lehr 2010)   Briefly put, the Guiding Principles set out a due diligence framework which requires a company to assess its activities and relationships in their social, political, and economic context, act on the findings and report on actions taken. Due diligence is defined as follows (Ruggie 2011): 17. In order to identify, prevent, mitigate and account for how they address their adverse human rights impacts, and to account for their performance, business enterprises should carry out human rights due diligence. The process should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are addressed. Human rights due diligence: a. Should cover adverse human rights impacts that the business enterprise may cause of contribute to through its own activities, or which may be directly linked to its operations, products or services by its business relationships; Will vary in scope and complexity with the size of the business enterprise, the risk of severe human rights impacts, and the nature and context of its operations; b. Should be on-going, recognizing that the human rights risks may change over time as the business enterprise's operations and operating context evolve; c. Should extend beyond a business enterprise's own activities to include relationships with business partners, suppliers, and other non-State and State entities that are associated with the enterprise's activities.
The crucial first step is the assessment, which should be conducted continuously. The due diligence assessment processwhich can involve field work and other forms of investigation, supply chain auditing, other activities depending on the nature of the business (Morrison & Vermijs 2010)generates a picture of what have been called «human rights risks» ). Although barely referred to in the Protect, Respect and Remedy' report of 2008, which first laid out the Framework, Ruggie uses the concept of human rights risk throughout the Guiding Principles and provides a definition: «Human rights risks are understood to be the business enterprise's potential adverse human rights impacts. Potential impacts should be addressed through prevention or mitigation, while actual impactsthose that have already occurredshould be a subject for remediation.» (Ruggie 2011). In other words, human rights risks are harms to people, or the potential for harms to people, where those harms constitute a violation of internationally proclaimed human rights.
The notion that responsibility arises out of activities and relationships is a bottom-up translation into human rights violations of the empirically detected harms (or potential harms), which makes for human rights risk. This is distinct from a normative, top-down application of human rights norms and obligations on companies which had characterized previous attempts to obligate business entities under international law. The Framework's approach makes the obligation to do no harm, or not infringe on the rights of others, the core obligation, rendering the act of respecting international human rights law a corollary of the primary obligation. Ultimately, the intended result is the same: respect for human rights.
Human rights lawyers tend to distinguish between human rights abuses and human rights violations; while an abuse is a harm against a person, a violation refers to an abuse that breaches a provision of a human rights instrument, such as those set out in human rights treaties. The due diligence process implies that businesses should be less concerned about identifying whether an act involves a technical violation of a human rights provision or not, and rather look first for actual or potential harms to people that would also constitute a violation of human rights. At the same time, businesses can use the human rights instruments as guidance for the practical work of looking for actual or potential harms ). Put another way, a due diligence assessment looks for harms to people (impacts) that arise, or could arise, from business operations (activities and relationships) in a particular context and interprets these facts in light of international human rights standards (the existing body of national and international human rights law). In this way, harms or the risk of harms can be understood by companies as human rights risks or, where they have already occurred, human rights violations.
To a certain extent, this will appear to many as mere semantics. In this case, however, the semantics matter. Businesses are not often staffed by human rights lawyers. Talking about risk, harms, abuses and violations is a necessary part of ensuring that human rights due diligence can be integrated to company management systems, many of which are structured around existing risk-based due diligence frameworks. To that end, it is important to understand that human rights and risk were, until recently, not terms often used in the same sentence. Each has its own provenance and normative content.
Human rights are universal freedoms and protections for human beings provided under international law and enshrined in several international covenants. As such human rights are normative standards for the dignified treatment of people by states and other organs of society. Risk is a functional concept applied across a range of disciplines, from finance to human development, which seeks to identify and mitigate a threat, or the potential for harm or damage.  Risk in the business world has a distinctly cost-driven logic (e.g. technical risks to the implementation of projects, political risks arising from the politics or laws of host countries, and financial risks found in markets). For a business, the concept of risk is not first and foremost concerned with threats to people, but about managing the potential harms to a business's profitability. Yet, the concept of risk is also deployed by business (and by legislation) toward meeting other ethical standards in commercial life, such as in the field of anticorruption or in social and environmental impact assessments. In both cases, once risks are identified, they trigger actions from businesses to ensure the company respectsi.e. does not violatea standard of care. Business measures under securities law, anticorruption, and other commercial legislation rely on empirical assessment as a first step in the due diligence process. In this way, the concepts of human rights and risk find common ground, although in their individual specific roles: human rights is the standard and risk-based due diligence is a means to ensure respect for that standard.
In practice, a risk-based approach to human rights due diligence is a scientific method: it draws conclusions, and suggests further steps, based on the evidence gathered. Taylor, Zandvliet, and Forouhar (2009) outline an approach that begins with a basic question: What is the actual, potential or perceived risk of company participation in human rights abuse in the country? By breaking down this question into its various parts, human rights due diligence deploys a kind of lens in order to identify and assess the key human rights risks from the data gathered. The lens' consists of four basic sets of questions… Company Operations: What is company activity or relationship in question? What is the company actually doing in country? In procurement? What are its business relationships? What projects are in place or in development?… Context: What does the record of human rights in country tell us about existing violations/abuses in general?… Involvement: What company acts or relationships might result in company involvement in a human rights violations or abuse?… Association: What set of abuses might reasonably be associated with the company? What are the perceived impacts of company operations on people?
In practice, due diligence investigation involves monitoring and assessing project activities and relationships, supply chain relationships, business development activities, etc., beginning with core activities, and expanding the scope of monitoring and assessment as internal systems are developed. The investigation looks for those places or events where business activity is most likely to harm people (e.g. employees and workers, vulnerable members of society) or breach standards and laws, and sets out options for remediation from the resulting analysis. Investigation assumes that involvement can be direct (through the actions of the business itself) or indirect (through the actions of contractors, joint venture partners, government agencies, and others with whom the company is associated through its business activities) and can include material, logistical, or other forms of support to a second party who commits a violation or abuse. It should also be assumed that stakeholder perceptions will affect their behavior toward the company. Looking for signs of the association of the company to human rights abuse is one way to identify the potential for conflicts that can simultaneously pose a risk to the company as well as to human rights ).
In this risk-based approach to human rights due diligence, the risks in question are first and foremost risks to people. However, where these risks result from a business's activities or relationships, the risks to people become synonymous with business risk, within the category of what businesses would call nonfinancial risk. At the very least, such human rights risks trigger potential risks to the business as well: risk of labor disputes, conflict with local communities, reputational risk in consumer markets, or regulatory action. Existing risk management systems in larger businessessuch as integrity due diligence, country risk analysis, security monitoring, environmental health and safety systems, etc.can both aid and be supported by human rights risk assessments. Due diligence for human rights risk enables a business to both respect human rights and minimize the threat to company interests from nonfinancial risks. In this way, due diligence assessments for human rights risk provide businesses with the empirical information necessary in attempting to reconcile the market-driven demands of doing business with the social expectations for respecting human rights.

A new regulatory dynamic
Ruggie's middle path was not uncontroversial with the human rights community. In 2006, he told participants in a consultation in Johannesburg that he could not see what «theory of attribution» could explain the obligations on business under international human rights law. By 2008, he had come to the conclusion that responsibility needed a clearer definition: When it comes to the role companies themselves must play, the main focus in the debate has been on identifying a limited set of rights for which they may bear responsibility. For example, the draft norms on the responsibilities of transnational corporations and other business enterprises with regard to human rights generated intense discussions about whether its list of rights was too long or too short, and why some rights were included and others not. At the same time, the norms would have extended to companies essentially the entire range of duties that States have, separated only by the undefined concepts of «primary» versus «secondary» obligations and «corporate sphere of influence». This formula emphasizes precisely the wrong side of the equation: defining a limited list of rights linked to imprecise and expansive responsibilities, rather than defining the specific responsibilities of companies with regard to all rights. (Ruggie 2008b) While the vast majority of human rights organizations supported Ruggie's view that business in general may potentially infringe the entire set of human rights though their activities, and accepted the notion of due diligence as the core method for implementing responsibilities in this regard, they pushed for Ruggie to use stronger language to obligate companies under the Framework. They also objected to the interpretation that international human rights law does not apply directly to business entities. This view of international law was contested by several organizations throughout the period of Ruggie's mandate. In its comments on the Guiding Principles, EarthRights International argued that […] the SRSG [Special Representative of the Secretary General, John Ruggie] has too categorically drawn the line between the legal obligations of States and companies… [the Guiding Principles are] mostly correct when it points out that the International Bill of Rights and the core ILO Conventions do not impose direct legal obligations on business enterprises. (The Universal Declaration is the exception: its preamble states that «every individual and every organ of society» should respect the rights enumerated, and Article 30 makes clear that no «State, group or person» may violate the rights set forth.) Nonetheless, this statement may give the misleading impression that business entities are exempted from legal obligations that apply to other non-state actors; in fact, these instruments generally do not impose direct legal obligations on any non-State entity. Yet some of the standards enshrined in these instruments correspond to conduct that is proscribed under norms of customary international law that apply directly to non-State actors, such as genocide, war crimes, crimes against humanity, slavery and slavery-like practices, and complicity with State-sponsored abuses. These are not controversial propositions; rather they are well settled principles of international law. It is crucial that SRSG recognize that in none of these cases does customary international law distinguish acts committed by natural persons from those committed by legal persons, although it is left to states to craft the legal remedies that define the form and scope of liability for these actions. (EarthRights International 2011) The Guiding Principles make no attempt to argue that the responsibility to respect or due diligence is a legally binding obligation. Ruggie had no mandate to suggest binding international law, nor would the Human Rights Council have welcomed and attempt to do so. The text of the Guiding Principles is also silent on the issue of whether states, either individually or collectively, could use due diligence for human rights as a legal standard. The Commentary of the Guiding Principles notes that the responsibility to respect «exists independently of States' abilities and/or willingness to fulfill their human rights obligations, and does not diminish those obligations» (Ruggie 2010). But the Commentary couches this characterization of the responsibility to respect as being independent' of what states might do in carefully crafted language: These [human rights] are benchmarks against which other social actors assess the human rights impacts of business enterprises. The responsibility of business enterprises to respect human rights is distinct from issues of legal liability and enforcement, which remain defined largely by national law provisions in relevant jurisdictions. (Ruggie 2011) For some international human rights jurists, the «largely» here will be grist to their mill for some years to come, as they argue for or against the direct applicability of international law to business enterprises. It is possible that the evolution of international law will see the creation of some sort of direct applicability to business entities beyond the international crimes outlined above (Clapham 2006;Zerk 2006). However, for the CSR movementboth business and those seeking greater accountabilitythe significance of the Guiding Principles is not that they make no demand for liability for the failure to respect human rights, but that they do not attempt to foreclose the possibility of such liability. Rather, the Guiding Principles re-state the obligation of states to regulate to protect human rights and point out that legal liabilities for such violations would normally arise at the national level. The creation of liability or regulation is, after all, well within the purview of states, not international organizations such as the Human Rights Council (liability arises under the jurisdiction of the International Criminal Court but for natural persons only). Liabilities or rules are a far more effective regulatory measure when enforced by national jurisdictions.
Of course, one of the challenges to national regulation is that businesses often move operations to places that have lower human rights standards, or structure their relationships so as to ensure their contractors or subsidiaries with lower human rights standards do the dirty work. To address this, the Guiding Principles make clear that state responsibilities to protect, ensure, respect, and provide remedy do not stop at their borders, yet neither are they made universal. «States should set out clearly the expectation that all business enterprises domiciled in their territory and/or jurisdiction respect human rights throughout their operations.» (Ruggie 2011).
In fact, the Framework is based not so much on extraterritorial jurisdiction (except where it already exists, such as for international crimes or corruption) than it is on extraterritorial effect of national jurisdiction. This a far more restricted form of extraterritorial jurisdiction than, for example, the U.S. Foreign Corrupt Practices Act or legislation combating child sex tourism in some countries, or the obligations to prosecute international crimes which countries that signed up the Rome State of the International Criminal Court assume. Even the International Chamber of Commerce has accepted that business should adhere to international human rights standards in the absence of effective state regulation (ICC et al. 2008). In their final form, the Guiding Principles narrowed the scope of responsibility of a business for its contributions to human rights violations by others, dropping language from earlier drafts that had referred to subsidiaries and referring to state or non-state entities «directly linked to its business operations, products or services» (Ruggie, 2011). In this light, the Guiding Principles capture a somewhat conservative reading of the present state practice, albeit one that states nervous about intrusions of their sovereignty will probably find acceptable. Nonetheless, the Guiding Principles draw a clear line in the ethical sand: it is not an option to allow the absence of effective host state jurisdiction to stand in the way of ensuring respect for human rights.
The balancing act performed by the Guiding Principles is an attempt to respond to the need mentioned above for complimentarity between voluntary and mandatory approaches to the challenge of business violations of human rights. The Guiding Principles establish a theory of regulation in which the general duty to regulate falls under the first pillar of the Framework (the state duty to protect human rights), the specific theory of attribution to business entities is set out under the second pillar (the business responsibility to respect human rights), and the issue of business liability is dealt with under the third pillar on remedies. This polycentric regulatory approach of the Guiding Principles suggests the need for a more subtle analysis than the traditional dichotomy affords. Lessig (1998) proposed a theoretical and methodological development of the Chicago School approach to law and economics. One of the arguments of the Chicago School had been that state regulation of markets should be minimal because social norms often regulated markets better or more effectively than law did. Lessig argued that while it was true that norms were an effective regulator, it was wrong to conclude from this that less law was needed. Instead, the challenge was to understand how norms, law, and markets regulated effectively (and how they did not) and draw on this understanding to design law that enhanced the regulatory power of those norms.
Social norms are «those normative constraints imposed not through the organized or centralized actions of a state, but through the many slight and sometimes forceful sanctions that members of a community impose on each other […] a norm governs socially salient behavior, deviation from which makes you socially abnormal» (Lessig 1999b). Like the sanction of law, the sanction of social norms is imposed after the fact (ex post) but, unlike law, social norms are «imposed by a community, not a state.» From this perspective, it is possible to argue that, by contributing to norm building, voluntary initiatives such as the Global Compact of the Voluntary Principles on Security and Human Rights contribute to the regulation of company behavior (Nordal 2009: 61, citing Hardin 1996. Not only do they create standards of behavior and communities of peers to whom companies must relate, but they create spaces in which the broader community can assess the distribution of rights and responsibilities between states and businesses (Selvik forthcoming). Crucially, for Lessig, those assessments have both direct and indirect effects, for example, directly by naming and shaming and indirectly by affecting markets (e.g. investor decisions, market access, consumer preferences). Thus, purely voluntaryi.e. non-legally bindingcompany self-regulation can be forms of regulation directly as social norms and indirectly as influences on market forces or as sources of law.
All regulatory regimes are in some sense polycentric (Black 2008), that is, they have various centers or modes that regulate behavior. Markets, social norms, law, and materiality or the built nature of an activity, are all regulators in their own right (Lessig 1999a). Each of these categories of constraint regulate directly and indirectly, that is, through the other modes of regulation, to form a decentered regulatory movement. Thus, the elaboration of social norms, by accident or design, can act in ways that support, and are supported by, coercive regulation which is legally binding on companies and backed by enforcement sanctions. Both are constraints on company behavior, that is, both are modes of regulation (Lessig 1999b). Just as it cannot be assumed that the sanctions underpinning mandatory regulations are always implemented or always effective in deterring violations, it is inaccurate to suggest that, in practice, all voluntary measures lack the power to promote compliance. The regulatory reality is more complex and the modes of regulation varied.
But will the concepts elaborated in the Framework, have a constraining effect? Will the modes of regulation deployed by the Guiding Principles result in the emergence of a regulatory framework? There is initial evidence that this is already happening, both in practice and in policy. After surveying twenty four companies in early 2010, Morrison and Vermisj (2010) concluded that human rights due diligence has quickly gained acceptance in the business and human rights community: […] though challenging, it is eminently possible for companies to conduct human rights due diligence as part of their corporate responsibility efforts […] (of the) 24 companies who participated in the research for this report….(a)All have begun the journey of integrating concern for human rights into their business operations. Each has developed human rights policy statements and many are still experimenting with the most effective methods of assessing risks and impacts. None of the companies has fully integrated human rights across its business, and progress in tracking performance remains limited. But based on the level of commitment demonstrated, it seems safe to assume that over the next five years, these companies will have deepened integration, and their experience will have inspired many others to start their own efforts to understand and respect human rights. (Morrison & Vermijs 2010) Whether in five years from now this prediction will appear optimistic or not depends to some extent on whether or not legislation promotes and enforces the normative trend. In 2010, it appeared there was evidence that due diligence was becoming central to the design of regulatory responses to some of the worst forms of business-related human rights abuse. For example, multilateral organizations, business associations, governments, and NGOs latched on to the concept of due diligence as the solution to one of the more vexing issues of corporate responsibility, that of companies sourcing metals and minerals from war zones where serious human rights abuses and armed conflict were rampant. In late 2010, the OECD Secretariat completed work on the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals (OECD 2010) based on a due diligence framework very similar to the one outlined by Ruggie, although elaborated in much greater detail. At the end of 2010, the Secretariat reported that «the Guidance was approved by the OECD Investment Committee and the OECD Development Assistance Committee and was endorsed by the eleven member states of the International Conference on the Great Lakes Region (ICGLR)» (OECD 2010). The ICGLR member states met in Lusaka in December and called on business sourcing minerals from the Great Lakes Region «to comply with the Guidance and […] instructed the ICGLR Secretariat to integrate the standards and processes of the Guidance into tools of the ICGLR Regional Initiative against the Illegal Exploitation of Natural Resources.» 6 Around the same time, the United Nations Security Council accepted the recommendations of the final report of the United Nations Group of Experts on the Democratic Republic of the Congo concerning due diligence recommendations based in part on the OECD Due Diligence Guidance (OECD 2010).
In the United States, advocacy organisations such as Enough and Global Witness had managed to raise attention to the issue of conflict minerals with legislators. As a result, a provision for declarations to the Securities and Exchange Commission (SEC) by companies sourcing minerals from the DRC was included in the Dodd-Frank Wall Street Reform Act passed in July 2010. The SEC promulgated draft regulations, which included a requirement for companies to disclose in the body of its annual report whether its conflict minerals originated in the Democratic Republic of the Congo or an adjoining country. If so, that issuer would be required to furnish a separate report as an exhibit to its annual report that includes, among other matters, a description of the measures taken by the issuer to exercise due diligence on the source and chain of custody of its conflict minerals. These due diligence measures would include, but would not be limited to, an independent private sector audit of the issuer's report […]. (SEC 2010) Thus, even before the Guiding Principles was addressed by the U.N. Human Rights Council in June 2011, core elements of the business responsibility to respect human rights were being integrated into national and international legislation.
At the same time, there was the risk that due diligence itself may be interpreted by some businesses as a disincentive to respect human rights. The argument made was that although due diligencewhat Ruggie has called «knowing and showing»is intended to help companies to avoid human rights abuse, the structure of existing law is such that implementing due diligence actually makes companies more likely to be successfully prosecuted for association with human rights violations that are also crimes. This argument rests on the notion of a business being complicitor aiding and abettinghuman rights abuses committed by third parties. To make a case against a company, a plaintiff lawyer or a state prosecutor would normally have to show intent or knowledge (mens rea) of the abuse on the part of the company. A cynical corporate counsel might argue that it would be far better to have done no due diligence, thereby avoiding knowing about the risks and ensuring there is no evidence of such knowledge in the company records or the public domain.
Of course, the fear that due diligence could create evidence of «knowing» assumes that due diligence is a legal standard. At present, it is not. But even as laws evolve, there are a number of reasons why the argument that due diligence itself presents a liability risk is unlikely to convince law makers.
First, where it has entered law, there is nothing in the evolution of due diligence that indicates that companies will be penalized for good faith attempts to prevent harm. On the contrary, the very notion of due diligence is based on the idea that a company should not be punished for acts that were carried out in good faith and when taking due care ). The implication would appear to be that if a violation is detected and remediated by the company, any regulatory action would have to take that into account (Sherman & Lehr 2010).
Second, where business ethics have been the subject of legislation, lawmakers have anticipated the argument of the so-called willful ignorance,' the practice of purposefully avoiding knowledge of violations in situations in which responsibility can reasonably be expected to be applied. As anticorruption law has evolved over the past two decades, not least in the U.S., willful ignorance has become increasingly problematic. In 2010, the U.K. Bribery Act (2010) moved toward a strict liability approach based on due diligence precisely because of the lessons from anticorruption cases. 7 It is unlikely that the lessons from anticorruption lawwhich applies directly to businesswould be lost on the courts or legislators seeking to control business responsibility for human rights.
Third, with respect to human rights, the Guiding Principles are largely silent on the issue of complicity. The Commentary does address complicity, defining complicity as «knowingly providing practical assistance or encouragement that has a substantial effect on the commission of a crime.» This is based on significant research conducted by Ruggie's team and others on this issue. There is ambiguity in the definition, principally in that the Commentary does not make clear what is meant by «knowingly.» Surveys of various jurisdictions make clear that a single international definition would be hard to formulate without running into problems of diversity of mens rea across a number of jurisdictions (Thompson et al. 2009). Differences in the mental element or mens rea also constitute a key source of diversity in the laws governing accomplice liability, e.g., between aiding and abetting, conspiracy, joint criminal enterprise, etc. In effect, the Guiding Principles leave space for different courts or legislatures to determine what form of mens rea suits their legal tradition best, while at the same time signaling that whatever standard of complicity is used it should be a standard that is workable and not one that creates a get out of jail free' card for business.
In addition to businesses «knowing» through conducting due diligence, the «showing» of due diligence also faces challenges, in particular with respect to transparency of reporting. The Dodd-Frank provisions not only require due diligence, but they also require disclosure. Reporting alternatives, such as the Global Reporting Initiative and ISO 26 000 offer companies the possibility to prove the negative,' in other words to issue annual reports which show they are in compliance and do not infringe on the rights of others. This will respond to some extent to the demands of those investors and shareholders interested in seeing that companies in which they invest have human rights policies and due diligence procedures in place. But these forms of CSR reporting are not well suited for reporting on where violations were encountered and how they were dealt with. In this sense, they are too superficial to secure real changes in the business practices that result in violations.
Multistakeholder initiatives at the heart of the CSR movement have yet to grapple meaningfully with the problem of disclosure. Take the U.N. Global Compact as an example. More and more businesses are joining the Global Compact, which encourages them «to ensure that they do not contribute to human rights breaches,» or to work «to abolish all forms of forced labour.» However, few of these companies involved in the Global Compact disclose cases in which they have identified problems. After more than a decade, the Global Compact experiment demonstrates that talking to companies about risks is possible and getting companies to talk about what they do to assess those risks is also possible (IHRB 2010). But simply encouraging companies themselves to talk openly about actual cases of human rights violations stemming from their own activities or relationships is not effective. An open policy space in which companies could safely discuss these issues would no doubt help to improve company performance, but today most companies do not see such talk as a part of building a strong brand.
Nevertheless, a few multistakeholder initiativesfor example, the Fair Labor Association established by clothing and textile companies, NGOs, and trade unions concerned about sweatshop labor and other problems in the garment industryhave sought to create such a space. The objective has been to use transparency for their own benefit and for the benefit of the workers who manufacture their products. The FLA has not been without controversy, in particular, with respect to the best ways to ensure the protection of labor rights (Compa 2004). But the successes and failures of the FLA will have important lessons about reporting transparency for the design of due diligence disclosure.
The most important lesson is that voluntary reporting or reporting the attempts to prove the negative' is a step in the right direction but it will not lead to verifiable improvements in company performance. The existing incentive structure means that few businesses will want to publish information about the risks they run of violating human rights. That reluctance will make oversight very difficult. One conclusion is that the problem of human rights reporting requires a public policy solution to secure the transparency required for any system governing business and human rights to be effective. For this, national legislation will be needed, in addition to the existing reporting models, to ensure access to information in specific cases in which businesses are alleged to have caused human rights breaches. Just as legislation permits citizens to demand information from their governments, a statutory right of access to information about the business sector's participation in specific human rights breaches would be an important and necessary supplement to the standardized CSR reporting many businesses are now starting to introduce (Taylor 2011).

Conclusion
The Ruggie Framework places a clear definition of business responsibility at the center of the policy and practice concerning CSR. Due diligence assessments for human rights risk are intended to provide businesses with the empirical information necessary to reconcile the market-driven demands of doing business with the social expectations driving the demand for respecting human rights. In so doing, the Framework has constructed a middle path between the competing interests of business and human rights campaigners: on the one hand, delivering an approach that is intuitive to business and on the other opening up for regulatory responses should business fail to meet expectations. Those regulations are yet to be put in place, although there are encouraging signs that, for the worst forms of human rights abuse, governments may take up their duties and legislate.
The middle path struck by the Ruggie Framework is evidence that the movement for business responsibility is generating a new regulatory regime. Yet, the Framework is not law or a form of corporate accountability, at least not mostly. It is safe to say that while no company will end up in court this year on the grounds of a failure to meet its responsibility to respect, it is equally true that the Framework in no way constrains governments from putting those responsibilities into legislation, or the courts from drawing on them in specific cases.
This suggests the emergence of more clearly defined policy space, one shaped by a regulatory dynamic. This might be compared to the area of anticorruption ten years ago. The interaction of law and social norms constrained business responses to corruption over time, moving from a standard under which companies could deduct bribery payments from their taxable income to one under which such payments were rendered a criminal offence. The Guiding Principles will not cause such radical change overnight, but already they are moving things forwards more quickly than might have been expected. To the extent that they are successful in changing behavior, it will be because they have been able to resonate with and help shape the norms and laws that constrain business activity.
In the wake of the Ruggie mandate, CSR work that is concerned with only those things that are beyond compliance' will no longer be relevant to the core business challenges in the area of non-financial risk. The Ruggie Framework brings together social expectations and law into an emerging regulatory framework for business and government that in effect defines the nature of business compliance with human rights standards. In so doing, the Framework lays the foundation for the further development of business responsibility, as a coherent area of policy and regulation in its own right. As an arena of activity and debate, CSR has contributed to this regulatory dynamic. The challenge for the field of CSR will be to adapt to an emerging reality in which business responsibility for the social' is increasingly a question of both compliance and beyond. Literature 2 «CSR is behaviour by businesses over and above legal requirements, voluntarily adopted because businesses deem it to be in their long-term interest.» (The European Commission 2002). 3 The original mandate was issued by the then Human Rights Commission, Resolution 2005/69, 20 April 2005. It included the following tasks: (a) To identify and clarify standards of corporate responsibility and accountability for transnational corporations and other business enterprises with regard to human rights; (b) To elaborate on the role of States in effectively regulating and adjudicating the role of transnational corporations and other business enterprises with regard to human rights, including through international cooperation; (c) To research and clarify the implications of concepts such as «complicity» and «sphere of influence» for transnational corporations and other business enterprises; (d) To develop materials and methodologies for undertaking human rights impact assessments of the activities of transnational corporations and other business enterprises; (e) To compile a compendium of best practices of States and transnational corporations and other business enterprises.» The subsequent mandate, from 2008 to 2011, was issued by the Human Rights Council, and called on the SRSG to operationalize the Framework.