The Transparency Act is coming

On 1 July, the Norwegian Act relating to enterprises' transparency and work on fundamental human rights and decent working condition (Transparency Act) will apply. All large and medium-sized companies that supply goods or services in Norway must report on their websites if they have identified challenges in the supply chains in relation to human rights or decent working conditions. They must also explicate how they have performed their assessment, and what they are doing with the problems they may have found. What should companies do now to adapt to the new law?

Download GRC insight – Norwegian Transparency Act

Who is affected by the law?

The very first thing all companies in Norway should do is to clarify whether they are covered by the law or not. This is in itself not a complicated task.

Large and medium-sized companies

The following criteria define whether or not companies are covered:

• Public limited companies and listed companies: or to put it a little precisely and technically: Companies that are considered “large” in accordance with the Norwegian Accounting Act are covered.
• Businesses that meet 2 of the following 3 criteria on the annual balance sheet date (i.e. the last day of the business’s financial year):
  • 50 or more employees, i.e. 50 full -time equivalents
  • Sales revenues of 70 million NOK or more
  • Balance sheet of 50 million NOK or more

Different risks

The Authorities splits companies into high, medium and low risk according to their probability of experiencing supply chain issues relating to human rights or working conditions. This emerges from the impact assessment (Norwegian Text)that the Ministry of Children and Family Affairs commissioned prior to the laws passing. Companies in the higher risk brackets are likely to enter the spotlight of the supervisory authorities first. These companies may also find themselves in the public limelight or as the focus of activist groups.

High-risk industries have been identified on the basis of their share of imports or business dealings with countries likely to see issues related to human rights or lacking working conditions. The industry itself may also have had such issues historically. The hospitality and restaurant industries have a low import share, but have historically high levels of undeclared work. Imports of clothing can have a high import share of goods from regions with challenges in relation to human rights and working conditions.

In general, companies should find out what level of risk they fall into based on the industry. This is useful because it gives an indication of the extent to which the due diligence assessment can take. A starting point can be the risk classification found in the impact assessment mentioned above. But the company should independently assess its own risk.

Requirements for compliance

The law is not a comprehensive text, and the requirements are relatively easy to explain. There are mainly three requirements to be met:

• A due diligence assessment must be carried out
• This must be published on the company’s website
• The company is obliged to answer questions about this work.

Certain formal requirements must also  be met. Key amongst these is the requirement to anchor these compliance obligations at the highest  level.

Anchoring

A natural first step in the work is therefore to “embed responsible business conduct into the enterprise’s policies.“ This decision should be made at board level. It makes sense for the Board to adopt a plan for the due diligence assessments and how to publicise these on the same occasion. Internal responsibilities should also be clarified and formalized.

Due Diligence

A due diligence assessment in the language of the Transparency Act is  a risk assessment of the supply chain. The purpose of the Due Diligence process is to identify and  assess actual or potential adverse impacts related to human rights or decent working conditions stemming from the enterprise’s operations, products or services.

The due diligence assessment shall be carried out in accordance with the OECD’s guidelines for multinational companies . The National Contact Point for Responsible Business in Norway have published guidance on how to perform the Due Diligence Process.

It is not a requirement to perform due diligence of each link or vendor in the supply chain. This is in many cases be impossible. However in some cases it may be necessary. The company will make this assessment as part of their process.

This process should be risk-based. Consequently, the assessment of how far into the supply chain the investigation should go should will be based on an assessment of risk. The company must assess where it is most likely that there are problems, and direct resources to illuminate and solve identified issues.

Examples from the impact assessment: Purchasing professional services in Norway has a low risk, here you do not need to spend a lot of resources on controlling compliance with human rights or checking working conditions. The use of factories in some Asian countries for the production of clothing may entail higher risk. This situation will require a more thorough investigation to be documented.

The due diligence assessment must be carried out at least annually. If there are significant changes in how the business is run, it must be updated. The first publication of the due diligence assessment is due on the 30 June 2023, according to the Norwegian Supervisory Authority (Forbrukertilsynet).

Measures

The Transparency Act in itself does not prohibit activities that violate human rights or involve a lack of decent working conditions. The company should nevertheless be aware that other laws and regulations most likely cover their area of operations. These laws may be both supranational and national.

In relation to measures, the specific legal order entails the company to identify and implement “suitable measures to cease, prevent or mitigate adverse impacts based on the enterprise’s prioritisations and assessments”, as well as “track the implementation and results of measures”.

These measures can be of several types depending on the role of the company in bringing about the adverse effects that have been identified.

If the company in question alone causes the negative impact or damage they have a large degree of responsibility to resolve the issue. This may, for example, be that there is a lack of decent working conditions at a factory owned by the company in or outside Norway. This should be rectified by the company itself.

If the company’s combination is directly related to the problem that has been identified, the company will have a special responsibility to prevent or minimize this. An example could be that the company buys goods from a supplier that offer unsafe working conditions for their employees. The company should take measures by, for example, updating purchasing contracts, in addition to entering into dialogue with the supplier to change conditions.

If the business is indirectly associated with human rights violations or unfortunate working conditions, the business should still try to minimize the impact. There may not be a direct relationship between the company itself and the link in the supply chain where challenges exist. An example could be that the company is one of several small buyers of metals from an area where there is a suspicion of child labour, and where the company enters into an industry collaboration to improve working conditions.

Publication and communication

A key provision of the Transparency Law is the duty to publish an account of due diligence. The report must be on the website of the company and cover:

1. General information about the business and how this affect its risk for causing adverse effects, how the work with working conditions and human rights is organized and embedded in governing documents as well as routines that have been established.
2. Information regarding actual negative consequences that have been identified
3. Information on what measures the company has implemented or planned in order to stop or limit adverse impacts

The communication about the company’s policy and what measures are taken should be communicated broadly amongst stakeholders, and not just posted on the website. The company’s subcontractors can greatly benefit from being informed about this, in addition to other stakeholders such as employee organizations.

Right to information

Any interested party can request additional information beyond what is already available on the company’s website. The law requires the company to respond to such inquiries provided the request satisfies certain requirements. There are formal obligations regulating deadlines and the decline of information requests.

Challenges

A key challenge for all companies now establishing compliance procedures related to the Transparency Act is coordination with their other compliance obligations and activities. This is important for two reasons in particular:

• Other legislation will affect how the Transparency Act compliance plan can and should be designed
• There may be significant synergy effects to be gained from other compliance activities, or even other business activities. An example could be that information is obtained about possible suppliers based on considerations other than the Transparency Act, which can nevertheless be utilized in connection with the design of the due diligence assessment.

Privacy

Of particular importance for compliance are privacy considerations. It is important to ensure that the company’s privacy policy is coordinated with the process of gathering information for due diligence assessments. Otherwise, the company risks requesting and processing data without having the legal basis for processing these data.

A holistic view

Many companies carry out activities that affect and are affected by the Transparency Act, and which should be included when setting up a plan for how to ensure compliance with the Transparency Act. Processes for assessing the supply quality of potential vendors can be expanded to take into account the Transparency Act. Privacy has already been mentioned, but there may also be other compliance or business activities that can be used or modified to make the establishment of compliance with the Transparency Act more efficient.

Reputational risk

A central purpose of the law is to bring the efforts (or lack thereof) of individual companies into the public sphere. This may expose companies to reputational risk.

When establishing a plan for due diligence assessments in accordance with the Transparency Act, companies should therefore include an assessment of what kind of reputational risk the company may be exposed to. The business should be cognizant about interest groups that are active in their market environment, and of any public discourse which may affect them.

Consideration of reputational risk will be more relevant for a company assumed to have a higher risk of issues related to human rights and working conditions than others. Other factors that increase the reputation risk are how conscious customers and end users are,  as well as how strongly the company has profiled itself in relation to ESG.

Businesses that are believed to have low risk should also carry out this assessment.

Further development of the law in the future

Transparency Act comes as a response to a European legal development with the https://sdgs.un.org/goalsUN  Sustainability Goals at the centre. Transcendent Group has previously written about this development. Germany , France , UK and the Netherlands is among the countries that have established legislation in the field. An EU Directive in the field has been drafted and sent for consultation. The OECD’s guidelines for multinational companies already cover most of the sustainability goals.

One area that the law will cover in the future is consideration for the environment. This is expressed by in the review published by the Norwegian Justice department prior to the adoption of the law. The EU Directive currently in consultation also includes this provision as well as several other considerations.