Contact: James Lewry (Director), Jean-Baptiste Collovray (Manager)

WEBINAR: Mastering risk-based due diligence in global supply chains 

Kumi’s practitioner series 1/4 – to request the materials from the session, please fill in our form.

In global supply chains, a risk-based approach under frameworks like the OECD Guidelines or due diligence laws isn’t a compliance box-tick — it’s a practical necessity. 

A risk-based approach helps you focus time and resources where they matter most: on the suppliers, operations, and activities that pose the greatest risks to rightsholders and where your business is likely to have the most impact. 

Without this focus, companies tend to become bogged down in risk mapping and assessment exercises, leaving little capacity to engage in the critical work of risk management and remediation, where companies can have the most impact.

When applied well, a risk-based approach makes due diligence more targeted, efficient, and defensible, aligned with legal expectations and grounded in real-world impact.

James Lewry and Jean-Baptiste Collovray explored best practices across key aspects of supply chain management.

In the first of this four-part practitioner series on due diligence in global supply chains, you’ll learn how to:

  • Pinpoint what really matters – distinguish inherent vs residual risk so your time and budget go straight to the highest-impact issues.
  • Diagnose smarter, not harder – blend audits, SAQs and open-source risk data to rank suppliers objectively, without drowning them (or you) in questionnaires.
  • Turn insight into impact – deploy practical supplier-engagement tactics that move the needle on remediation and rightsholder outcomes.

With this webinar series on risk-based due diligence in global supply chains, you will gain valuable insights and practical knowledge to enhance your supply chain management practices. 

Please note that this webinar has already taken place.

Frequently asked questions

  • What advice would you give to an in-house practitioner on navigating risks to business vs risks to people?

    My key advice to in-house practitioners is to stay grounded in the core principle that human rights due diligence is about identifying and addressing risks to people (i.e. the likelihood and severity of adverse impacts on rights-holders). This focus is not just a moral imperative; it is also embedded in international standards such as the UN Guiding Principles and OECD Guidelines, and increasingly reflected in legal requirements. That means that even from a business perspective, failing to prioritise risks to people ultimately becomes a risk to the company, whether through non-compliance, failing to meet stakeholder expectations, reputational harm, or loss of market access. For practitioners, it’s essential to build internal understanding, especially among senior leadership, around the distinction between risks to the business and risks to people, and to emphasise that responsible sourcing efforts should prioritise the most severe risks to rights-holders. That’s where the company’s biggest long-term exposure often lies. At the same time, where severe risks to the business arise from relatively minor human rights issues, such as those that might cause disruption or media scrutiny, they should still be addressed, but through appropriate risk management channels like Enterprise Risk Management (ERM) or business continuity systems. The key is to treat these as complementary processes. Risks to people remain the basis for prioritisation in due diligence, while business risks are managed in parallel, without overriding the fundamental focus on human rights.

  • How do you mitigate risks when there is an industry initiative and when not? What can be done on top of certification schemes? How do you further engage?

    Industry initiatives provide valuable tools for assessing risks and streamlining supplier engagement through standardised SAQ templates and shared standards among industry peers. They also offer a platform for collaborating on best practices and leveraging collective influence to drive positive changes in supply chains. However, these initiatives do not inherently mitigate risks themselves; they merely provide the framework for assessing them and structuring supplier engagement and corrective actions. Regardless of participation in industry initiatives, the responsibility for risk mitigation remains with the company. Certification schemes, while valuable for recognising supplier maturity, do not mitigate risks on their own. Misuse of certifications can occur when they are seen as a substitute for effective risk management or when suppliers are prematurely pushed towards certification without readiness. To effectively mitigate risks, companies should prioritise which risks to address, determine how SAQ responses trigger actions, and establish clear engagement strategies with suppliers. This involves identifying areas for improvement, agreeing on realistic timelines with measurable milestones, and ensuring suppliers are adequately prepared before pursuing certification. This approach prevents the pitfalls of rushing into certifications that suppliers may not be ready to meet, thereby fostering more effective risk management and supplier engagement.

  • Some companies prioritise suppliers for risk-based due diligence not only based on country risk, but also on factors like product category, reputation, or sales volume. Would you consider this a sound approach to risk-based due diligence?

    It is acceptable to use criteria such as spend or sales volume to define the scope of suppliers included in a risk-based due diligence process, particularly when it comes to setting practical thresholds. For instance, if spend is very low, it may indicate limited leverage, making meaningful engagement difficult and reducing the potential for impact. However, such criteria should be used as scoping thresholds rather than as factors within the actual risk prioritisation itself. If factors like spend or volume are fully integrated into risk scoring, there is a risk that high-volume suppliers are always prioritised, even when mid-tier suppliers may present more severe risks, despite still representing a meaningful portion of procurement. To stay aligned with the core principles of risk-based due diligence, these thresholds should be used conservatively and only to exclude relationships that are truly marginal or insignificant in the broader business context. Ultimately, risk-based due diligence requires that prioritisation be guided by the likelihood and severity of adverse impacts, specifically on rights-holders, not on the company. Severity should carry more weight than likelihood, in line with international standards. Since criteria such as spend, volume, or supplier reputation do not directly influence the likelihood or severity of human rights or environmental risks, they should not be factored into the risk prioritisation itself.

  • How does a risk-based approach work from a lender’s point of view, where we can only tackle the issues at the level of a specific investment project, with sometimes limited leverage available to our clients?

    From a lender’s point of view, applying a risk-based approach means assessing and prioritising risks based on their severity and likelihood of adverse impacts linked to a specific investment project. Even when leverage is limited, either because of the nature of the investment or the client’s position in the value chain, the lender still has a responsibility to identify and respond to risks in a way that is proportionate and aligned with international standards. In practice, this means going beyond simply asking whether a client has leverage and instead assessing what actions are feasible given the context. If direct mitigation is not possible, a lender can still use its influence, through dialogue, technical assistance, conditionalities, or expectations set during project approval, to encourage the client to take appropriate action. Where risks cannot be fully addressed, they should still be transparently recorded, and their severity should be acknowledged in decision-making processes. It’s important to remember that the objective of risk-based due diligence is not to eliminate all risks, but to demonstrate a credible and proactive approach to identifying, prioritising, and seeking to address them. Even in complex projects with limited influence, a lender can have an impact by clearly documenting risks, maintaining pressure on clients to make progress, and building leverage over time through ongoing engagement and collaboration.

  • What are the key criteria to prioritize the risks that have been identified? Who decides which risk is “worse” than another risk?

    To prioritise risks in risk-based due diligence, companies should focus on the severity and likelihood of the potential or actual harm to people, which is the core principle of the UN Guiding Principles and OECD Guidelines. Severity refers to how serious, widespread, or irreversible the harm is, while likelihood considers how probable or imminent the risk is in a given context. The business is responsible for making these judgements, but the process should be evidence-based, transparent, and informed by stakeholder input where possible. This ensures that the most significant human rights risks are addressed first, rather than just those that pose reputational or legal risks to the company.