Andrew Britton

CEO

False comfort? Why you may need to re-visit your due diligence approach

SUMMARY: The EU Batteries Regulation requires companies to apply risk-based due diligence in their supply chains for key battery materials, shifting focus from management system audits to identifying and addressing real risks of harm. Compliance means prioritising the most significant risks, conducting targeted on-site supplier assessments, and implementing practical mitigation measures to ensure effective supply chain compliance and protect people and the environment.

Written by Andrew Britton

At Kumi we are doing a lot of work helping companies to prepare for the forthcoming due diligence requirements of the EU Batteries Regulation. A common theme is emerging from our initial ‘diagnostic’ assessments of companies’ current practices: most companies are not yet implementing risk-based due diligence. The supply chain due diligence approach adopted by most companies in the automotive and battery supply chains does not, at present, align with the EU’s regulatory requirements. Without action, many companies are going to have a compliance problem on their hands.

The heart of the problem is this: most companies’ due diligence activities – whether through desk-based supplier assessments or site-based supplier audits – are not actually identifying and addressing risks.

The primary cause is a widespread misunderstanding about how supply chain due diligence programmes should be designed and delivered. It is important to note that this is not an issue limited to battery supply chains: the same challenges are observed across diverse industry sectors, particularly those where there is a heavy use of supplier audits. In this article we discuss what’s gone wrong with the due diligence ‘status quo’, and how this can be addressed.

First principles: the difference between risks and controls

In responsible business conduct, the term “risk” refers to the risk of an adverse impact (harm) to people or the environment. Examples of adverse impacts are things like labour abuses or environmental damage; a risk is the possibility that an adverse impact will occur. Risk significance is determined by the severity of the impact and the probability (likelihood) of the adverse impact occurring. This is explicitly defined in the OECD’s due diligence frameworks that provide the basis for regulatory due diligence requirements such as those in the EU Batteries Regulation.

A “control” refers to the process steps taken by a company to manage a risk. Examples of controls include policies and management procedures.

Why this distinction matters:

  • A missing policy or procedure is a control vulnerability, not a risk. People do not suffer harm as a direct consequence of a missing or incorrectly worded policy. It is tangible action (or inaction) that matters.
  • Fixing a control gap is not risk mitigation. If your corrective action only installs or tightens a management system (for example, improving a supplier’s policy) without taking action on the root causes of the identified risk, then you have not mitigated that risk. You have simply improved your paperwork.

Focusing on system assessments is not enough

Most supplier assessments check conformity to controls: is there a policy, a procedure, a training, a posted notice? They rarely map the real operating context, detect concealed practices, or analyse the severity and likelihood of identified social and environmental risks.

In its 2022 report on corporate disclosures, the OECD noted that “The low level of disclosure on Steps 2 [risk assessment] and 3 [risk management] is a cause for concern. It may suggest significant shortcomings in implementation…”. Our observation, based on what we see through our work, is that the OECD’s concern is entirely justified. There is a big due diligence implementation problem.

What we at Kumi see is that many companies can describe a process of setting expectations with suppliers to uphold policy commitments; they can describe processes for issuing and collecting self-assessment questionnaires (SAQs) from suppliers; and many can describe an audit programme.

However, they cannot say what risks of harm to people or the environment have been identified through this work; they cannot explain what risks (of harm) have been prioritised and what the rationale for this prioritisation is; and they cannot describe the risk mitigation that is underway to reduce the prioritised risks of harm to people and/or the environment in their supply chain.

Whilst there is a lot of activity – both through SAQs and audits – ultimately, such companies are not doing due diligence as envisaged in the OECD’s frameworks. Due diligence is a process of investigation into risks of harm, and action based on the results of that investigation. Moreover, companies cannot pass on their responsibilities for due diligence – the OECD guidelines are explicit on this point. An example of passing on responsibilities is equating the existence of a supplier’s management policies and procedures with the fulfilment of risk-based due diligence. It is not the existence of policies and procedures that matters; it is actions that count.

Companies with established SAQ processes and supplier audit programmes should be asking themselves two hard questions:

  1. What actionable information on risks of harm to people and the environment am I receiving?
  2. What practical steps am I taking as a result of my programme that will reduce these risks of harm in my supply chain?

The role of management systems: purpose over process

It is important to be clear: management systems do have an important role in delivering due diligence. However, their value lies not in their existence, but in the effectiveness of the system’s processes that identify and mitigate risks to people or the environment. The emphasis must always be on the purpose of these systems and their appropriateness for the context in which they are applied. Investments in systems should be proportionate to the risks identified and the means by which effective risk mitigation can be achieved.

Why this matters now: the EU Batteries Regulation

The EU Batteries Regulation embeds the OECD’s risk-based due diligence principles into law for key battery raw materials (cobalt, lithium, nickel and natural graphite). In Kumi’s view, it is the most far-reaching regulatory due diligence framework currently in place, both in terms of the scope of the due diligence requirements and the number of companies impacted.

The requirements for companies are clear. Article 50 (1) of the Regulation states that in-scope companies are required to “…identify and assess the risk of adverse impacts in its supply chain…” and “…design and implement a strategy to respond to the identified risks to prevent, mitigate and otherwise address adverse impacts…”.

It does not say “…assess suppliers’ policies and procedures…” or that efforts should focus on improving those policies or procedures. If you are impacted by the EU Batteries Regulation (or by customers who are), and assessments of management systems are the focus of your supply chain programme, we would strongly recommend course correction. Fast.

Building a due diligence approach that works

If you are currently spending money on management system-focused audits, you may want to hit pause and consider if that is really the best way to use your resources. Risk-based due diligence is not about compliance box ticking, it is about reducing or preventing real-world harm. A risk-based approach helps you focus time and resources where they matter most. Four key takeaways:

  • Prioritise – don’t try to do everything: Due diligence should start with a broad-based risk scoping but then quickly narrow down to a very small selection of prioritised risk areas.
  • Implement progressively in-depth due diligence: Distinguish between inherent and residual risk so that your time and budget are focused on the highest-impact issues, and take a dynamic approach with processes such as SAQs and supplier engagement rather than covering your supply chain with a ‘one-size-fits-all’ approach. Standardisation of SAQs and audit protocols often leads to over-complication or a lack of focus on the issues that really matter.
  • Focus on the quality, not quantity, of on-site supplier assessments: On-site assessments of the highest risk suppliers are a vital due diligence tool, but they should be carefully designed in order to target the most important risk areas and enable practical and pragmatic risk mitigation. On-site assessments must always be adapted for context.
  • Prioritise the reduction of risk: Risk mitigation measures should be guided by whatever the most effective response to the identified risk of harm to people or the environment will be. It is important that companies do not tie themselves in knots with arbitrary Corrective Action Plans (CAPs) and self-imposed CAP deadlines – especially if such CAPs are focused on management system paperwork.

If you would like to understand how Kumi can help you strengthen your due diligence and prepare for compliance with due diligence regulations, do get in touch.