Dashboards and data: selecting the right tools for supply chain due diligence

For many businesses, the proposed European Union’s Corporate Sustainability Due Diligence Direct (CS3D) looks daunting. With legislation like the German Supply Chain Act (LkSG) already requiring companies to map and identify risks from all direct suppliers, if adopted, the CS3D proposes to go further and requires this at all tiers of the up and downstream. Businesses that we talk to are concerned with how this can be done practically given their supply chain’s complexity and their limited resources. Understandably, they are looking to technology platforms to help.

But with the sheer scale of systems available, covering everything from ESG data sets, third-party risk management, supply chain mapping and more, selecting the right tools to support a company’s responsible sourcing programme can be challenging. Worse, using the wrong tools, or poorly implementing these, can lead to risks being overlooked and a false sense of assurance.

Based on common challenges that we see our clients facing, James Lewry (Director) and Timothy Perkin (Senior Consultant) outline three ways technology solutions can help companies with due diligence:

1. Who are our suppliers?

The proposed European due diligence regulations require a focus on all suppliers, rather than just suppliers of a company’s core product or tier one. But when looking at current requirements, such as LkSG, for many companies this activity has not been done in a systematic or coherent way even for direct suppliers. Companies often lack sufficient knowledge, information, or tools to understand the upstream supply chain where risks are typically heightened. Supply chain data can also be siloed in different departments, making it difficult to map a company’s whole supply chain.

It’s understandable then that businesses turn to technology to assist. Technology platforms provide companies with the ability to map suppliers and to develop visibility over the whole supply chain rather than just pockets of it. For supply chain mapping, technology can aid workflows by helping to organise supplier data and/or automate the discovery of suppliers within the business. Here are three things that companies should consider when using mapping software:

• Start with your most important suppliers: You don’t need to map your entire supply chain all at once. Start with your most important suppliers, such as those that supply critical raw materials or components. But beware prioritising just on spend; highest spend doesn’t equal highest risk.
• Use a variety of sources: Whether your tool automates supplier discovery or simply helps organise your data, don’t rely on just one source of information to map your supply chain. Use a variety of internal and external sources, such as supplier questionnaires, open-source information, websites, invoices, contracts, forums etc.
• Validate the data: Supply chain mapping tools and platforms are advancing at pace, including those using machine learning to identify and map supplier relationships. But regardless of the tech used, you will still need to validate the data and relationships you’ve mapped. This requires feedback from those in your business who hold supplier relationships and your suppliers themselves to ensure that the information is accurate and complete.

Don’t forget that supply chains are constantly changing, so it’s important to establish a process, triggers and sources to keep information up to date as this is critical to managing supplier risks.

2. Where are our risks?

A critical step in identifying adverse environmental and human rights impacts is to understand the inherent risks in the sector and country of operation of suppliers, then to prioritise due diligence activity to identify the actual risks posed. Technology can play a useful role here in providing the data to rate these risk factors and in supporting ongoing due diligence activity through a third-party risk management platform.

Such a platform acts as a ‘triage’ to help companies focus on those suppliers who present a heightened risk of adverse impacts. It should also support ongoing performance monitoring, remediation, and capacity building to identify any new or emerging risks. The platform will typically take inputs from supplier questionnaires, desk-based activity, and enhanced/ongoing due diligence such as audits, third party assessments and other engagement activity.

The market is awash with solutions to support supplier risk management, built to manage legacy compliance needs such as sanctions, anti-bribery and corruption, and other risk types. While these systems may be adapted for sustainability due diligence, social risks, such as human rights and labour rights impacts, have unique requirements, such as stakeholder engagement, that will need to be considered.

We often find that companies lack coherent risk management processes to identify and manage their exposure to sustainability risks. Therefore, before any budget is spent on technology, it is essential to develop these processes within a responsible sourcing programme and then consider the following when selecting a technology solution to support the programme: 

• Data quality and consistency: Country and sector risk data can vary in quality and consistency from provider to provider, so it is important to choose a provider with a good track record of accurate and reliable data and covers all countries and sectors that are relevant to your business. Ensure that the provider keeps this data updated and is transparent about the sources used. One solution here is to select multiple providers to ensure you are receiving a range of reliable information.
• Existing systems: Most organisations have several existing systems in place for vendor management, third-party compliance, and enterprise risk management. A good starting point is to determine whether an existing system may support due diligence requirements without the need for additional investment. Where this is not possible, select a platform that can integrate with these systems to reduce the complexity and cost of implementation.
• Using the platform effectively: A software platform is only as effective as the process behind it. Invest in developing an effective due diligence workflow by consulting stakeholders across your business. Ensure that everyone knows their role within the workflow, such as procurement teams who may administer it, subject matter advisors who will play a role in enhanced due diligence, and compliance teams who may audit suppliers and manage corrective actions. Provide training to your employees on how to use the software effectively.

3. How do stakeholders tell us about risk?

Once suppliers are onboarded by a company and incorporated within a responsible sourcing programme, a company needs to continuously monitor supplier performance. Audits are typically thought of as the primary method of monitoring, but continual stakeholder engagement and grievance mechanisms are important, much-overlooked processes for doing this. For example, the Corporate Human Rights Benchmark (CHRB), found that less than 5% of companies involve affected stakeholders when addressing human rights risks and impacts.

A grievance mechanism is a formalised procedure that allows individuals and communities to raise, address, and seek redress for grievances concerning adverse human rights impacts linked to business activities. We often find that companies see their existing whistleblowing facility as a grievance mechanism that they might retool, or use as-is, to identify adverse impacts in their supply chains. But these are typically built around only one reporting channel, such as a phone line and webform, and are aimed at direct, ‘white collar’ employees to address governance risks. They are not designed to be accessed by multiple external stakeholder groups with different language, cultural and accessibility needs. But most importantly, we find that many businesses are lacking the capability, capacity, organisation, and skills needed to process and remediate a grievance, which can have big consequences.

Case Study

In 2021, a group of children who had been working in cobalt mines in the DRC filed a lawsuit against a US automotive manufacturer, alleging that they had been subjected to forced labour and other human rights abuses. The company had a grievance mechanism in place for workers in its supply chain but was limited by the reporting channels and technology used. It only allowed workers to report human rights abuses through its website meaning that workers who did not have access to the internet were unable to report human rights abuses. Additionally, the grievance mechanism relied on the company to investigate and resolve cases, fuelling concerns about potential bias and conflicts of interest.

This mechanism was not in line with the UN Guiding Principles effectiveness criteria for grievance mechanisms. It was not accessible to all workers, as it only allowed workers to report human rights abuses through the company’s website. It was not legitimate, as it relied on the company to investigate and resolve issues, it was not predictable, equitable or transparent, as there was no clear information on resolution or timeframes, how workers could challenge decisions made, or information on the outcomes of grievances.

When considering a technology solution as part of your grievance process, think about the following:

• It’s about the system, not the platform: A grievance mechanism does not just provide the means of reporting an issue, it should allow the grievance to be managed through to remediation and continual improvement. Design a mechanism in line with the UN Guiding Principles effectiveness criteria and then apply technology to support the mechanism, not the other way round.
• Design a system around stakeholder needs: Build on your stakeholder mapping to think about the rightsholders that may use your grievance mechanism and therefore what their unique needs will be. Then use technology to provide different channels such as apps, phone lines and websites, and case management software to support those needs. Also include offline channels, such as community liaison, interviews, and others to ensure complete accessibility.
• Tell people about it: Once your grievance mechanism is developed, and reporting channels established, tell people about them. Not receiving grievance reports is not a sign that everything is ok in the supply chain, it is more likely a sign that the mechanism is not working. The most likely cause of this is that no one knows about it. Communicate widely with stakeholders about the channels they can use to raise a grievance and provide training to those who will respond to cases.

Summing it all up

In an ever-growing marketplace for sustainability-related technology solutions, it is easy to get lost in the features and promises of various systems. Technology can play a vital part in the workflow and application of a responsible sourcing system that meets both current and future supply chain due diligence requirements. However, as we see time and again, the effectiveness of this technology in managing risks to rightsholders and businesses alike relies on the human processes behind it.

Due diligence and monitoring systems should not be built to support a particular technology or tool, rather this technology should be selected to support a due diligence system – no matter what quick fixes a software provider promises!

If you’d like to understand more about our technology providers and how we can support you, please get in touch. We partner with several technology providers that share our vision and values. They are:

Enables companies to map suppliers, rate suppliers against ESG data, communicate with suppliers and manage supplier data such as corrective action plans. Origin is also designed to integrate with company’s existing processes and IT systems.

Provides supply chain traceability through AI and Blockchain technology, enabling companies to trace materials back to the source.

A leading provider of a case-managed, ethics hotline and online reporting system that provides safe, confidential and accessible channels for reporting grievances.