Responsible Sourcing Programmes: overcoming common challenges

As the regulatory landscape for due diligence grows, we are seeing an increase in companies developing Responsible Sourcing Programmes. James Lewry (Director) and Timothy Perkin (Senior Consultant) summarise some common challenges that we see companies face when complying with the requirements.

At this point, most businesses are aware that there are growing regulatory requirements for responsible sourcing. These include the German Supply Chain Due Diligence Act (LkSG), the EU Corporate Sustainability Due Diligence Directive (CS3D) and the EU Conflict Minerals Regulation. The regulations affect companies operating in Europe and companies supplying to them.

We’ve been working a lot with businesses to prepare for due diligence regulation and have seen some common themes in our initial assessments. Whilst awareness of these regulations is increasing, we’re finding that companies do not fully understand the practical requirements and are missing systems or activities required to comply.

Below we pick out three important areas of a responsible sourcing management system, describe challenges that we often see during implementation and show how the companies we’ve worked with have progressed towards compliance.


The people in the businesses that we work with have a lot of interest in what we do and in understanding the human rights issues in supply chains. Our discussions typically lead clients to ask themselves the same questions: what are we doing and who in our business should be responsible for this?

At the heart of an effective responsible sourcing programme are clear roles and activities through which risks can be identified, escalated, and managed. However, we find that companies often lack both the understanding and the resources to undertake day-to-day responsible sourcing activities and haven’t secured buy-in from senior management to support a programme. Put simply, not everyone in the business is on the same page and there is often a knowledge gap on why a system is needed and what is required to implement it.

Having adequate resources in place is critical to meeting the requirements of both CS3D and LkSG. CS3D extends due diligence obligations beyond direct suppliers to include indirect business partners along the value chain. Not only does this increase the complexity of due diligence activities, but it also means that additional resources will be needed to ensure compliance.

If a company does not have the right people to conduct due diligence, or there is a lack of understanding and buy-in, then any responsible sourcing system will be ineffective and serious supplier risks will go undetected. This could have significant ramifications on the company’s reputation if the supplier risks are identified by external stakeholders, such as NGOs or the media, or could result in spending large sums of money on crisis management. Resourcing due diligence activities may seem expensive, but it is significantly cheaper than responding to a crisis.

To address this, it is important to identify exactly where responsibility sits and to develop clear accountabilities for human rights due diligence. Education is also a vital step to ensure that business leaders understand not just the requirement for due diligence, but also the potential impact on the business if it is not conducted effectively. Once these accountabilities and impacts are understood, then resource gaps can be filled and activities planned.

Kumi developed a Responsible Sourcing Programme for a global Fortune 500 company, which included establishing clear roles, accountabilities and responsibilities. Read more here.


Risk assessment is the area where we typically see the most challenges, and it can often compromise the effectiveness of a Responsible Sourcing Programme when done poorly. In many cases, businesses are onboarding suppliers without screening beyond basic compliance and sanctions checks. Companies may apply additional checks of a vendor for quality purposes, but this may not include considerations for social issues, such as labour and human rights performance, beyond requiring the vendor to agree to a Code of Conduct that covers these areas. There can also often be a focus solely on direct suppliers while ignoring lower-tier suppliers, which can lead to a blind spot in identifying human rights risks.

We also see a huge over-reliance on self-assessment questionnaires (SAQs) as the sole activity for assessing supplier risks. This can result in biased or incomplete information, particularly where SAQs are administered by a technology solution without appropriate scrutiny of the results. Given the scale and complexity of some supply chains, the idea of only using automated SAQs can be tempting, particularly if the alternative is seen as an expensive, clipboard-wielding army of auditors to review every supplier.

But it doesn’t have to be like this! The key to effective risk assessment is to break the process down into stages that help to prioritise those suppliers who may pose the greatest risk of negative impacts. A starting point is to understand the country, region and sector from which the goods will be sourced or in which the services will be provided. This helps to provide an initial prioritisation of where high-risk suppliers may be located. In this stage, the vast majority of suppliers will then receive a self-assessment questionnaire and any decisions about risks posed will be made on their response.

For those suppliers where a higher level of risk is identified, or which are deemed strategic or critical to the business, the next step is to apply some form of enhanced due diligence. This can include reviewing NGO reports and adverse media, an audit or review by subject matter specialists within the business, or a visit to a supplier location. Finally, where there is a significant concern or red flag raised regarding human rights performance, or where goods or services are relied on in a high-risk country or CAHRA (conflict-affected high-risk area), then a third party may be called on to conduct a human rights risk or impact assessment, which will include stakeholder engagement to truly understand potential adverse impacts.

Think of this as a continual process of filtering suppliers until you expose those who may pose the greatest risk to your business and the rights-holders that it interacts with. Technology can be used to get you much of the way, but risk assessment also requires stakeholder perspectives and engagement.

We developed a tool for a luxury fashion brand that was based on data from publicly available indicators and Kumi’s own knowledge of risks within the fashion sector. Prior to our engagement, the company did not have a coherent risk assessment process, but now has a clear process for identifying supplier risks. Read more here.


Finally, it should come as no surprise that a company that lacks appropriate risk assessment processes typically lacks adequate systems for risk management.

Many fall short in allocating adequate resources to managing risks and ensuring a thorough understanding of human rights issues among their personnel, which is the initial step towards effective risk management. This can also lead to poor communication of human rights policies to suppliers and other stakeholders, which can in turn lead to non-compliance and misunderstanding.

An often-overlooked area of risk management is the need to engage with suppliers to build their capacity for managing human rights risks to avoid issues recurring. This can be made worse by ineffective monitoring and auditing, where audits are seen as a box-checking exercise rather than a means for continuous improvement. The next time you read a company’s sustainability report, if it reports the number of suppliers it has audited to date and there is no additional context to this, ask what this number means in terms of risk management.

Inadequate engagement with affected communities and other stakeholders can often lead to a trust deficit and heightened reputational risks. Linked to this, the lack of accessible, transparent, and responsive grievance mechanisms can also hinder the identification and redressal of human rights abuses.

All these elements should be considered when developing a risk management process, otherwise responses to risk will be ad hoc and the opportunity to build stronger relationships with suppliers will be missed.

Companies can start by prioritising risks identified in their risk assessment(s) to focus on areas where the risk of adverse human rights impacts is most significant. This can be used to develop and implement action plans to address identified human rights risks, which might include capacity-building, changes in operations, and continual engagement with suppliers or other stakeholders. This process can help to build long-lasting partnerships with suppliers and may also be an opportunity to engage with local communities, and those impacted by operations, to have lasting developmental impacts.

We worked with a global aluminium company to develop clear processes to identify and manage risks, enabling it to commit to reduce the social and environmental impacts of its own and suppliers’ operations. Through having these systems implemented, the company closed non-conformances that had been identified during a responsible sourcing audit, passed the subsequent audit and is now able to demonstrate its commitment to responsible sourcing to its customers, many of whom are preparing for the European due diligence requirements and cascading the requirements down the supply chain. Read more here.

Implementing a Responsible Sourcing Programme can be difficult, but the need for companies to establish them is ever-growing. We work with companies at all stages of global supply chains to build responsible sourcing management systems. These are just a handful of examples of the challenges that companies we work with face. If you would like support, please get in touch with us.