Making Supply Chain Due Diligence Practical

by Craig Moss and Patrick Neyts.

The number of supply chain due diligence laws is growing rapidly. Some have been around for years (the first since 2010 – California Supply Chain Transparency Act), and some are new. The pace of new supply chain laws is increasing. The EU’s approval of the Corporate Sustainability Due Diligence Directive (CSDDD) will lead to new laws in each EU country as the directive is transposed into national legislation.

To make it harder, the laws cover environmental and social risks in your supply chain. On the environmental side, they cover everything from carbon output (currently a high-profile topic) to water conservation, air pollution, disposal of hazardous materials, and beyond. On the social side, they cover forced labor, child labor, working hours, discrimination, and more.

A Tip For Managing Supply Chain Due Diligence

It is neither practical nor efficient for you to react law by law and jurisdiction by jurisdiction. We’ll give you a tip: All the laws are based on the OECD Due Diligence Guidance For Responsible Business Conduct (RBC). The practical (and smart) thing to do is to develop a supply chain due diligence program aligned with the structure and management system approach recommended by the OECD. Easy to say. Harder to do. It is even harder because your program needs to manage your environmental and social risks and those of your suppliers.

It does not matter if you have 100 or 100,000 suppliers; the laws require you to consider all their environmental and social risks – to a certain extent. That doesn’t sound too practical. Especially when considering the wide range of risks impacting environmental and social performance.

Not to make it more difficult, but the OECD and the derivative CSDDD have a comprehensive view of what they consider due diligence. Pre-contract background checks or social audits during the commercial relationship are only a small part of the overall management system requirements. The CSDDD, like the OECD Due Diligence Guidance for RBC, has six interrelated elements.

1.    Integrate due diligence into company policies

2.    Identify potential or actual adverse impacts – social and environmental

3.    Prevent, end, and mitigate potential impacts and bring actual impacts to an end

4.    Engage external stakeholders as part of the due diligence process

5.    Establish a grievance mechanism

6.    Monitor the effectiveness of the system using qualitative and quantitative KPIs

How to Make Managing Supply Chain Due Diligence Practical

As you can see, this goes way beyond the check-the-box compliance approach. So, what are supply chain due diligence best practices, and how do you make it practical? You make it practical by taking a breadth and depth approach. You take reasonable steps to cover the breadth of your supply chain and then focus on the residual risk of the most critical or highest-risk suppliers.

• First, you need to have a good idea of who your suppliers are. Based on our experience, this alone challenges many large organizations.
• Second, most legislations refer to “Primary” Supply Chain actors. Primary means they are important or material from a business as well as from an environmental and social risk point of view. It is possible that your Primary Supplier is not a direct supplier but one or two levels down in the supply chain.
• Third, the most important thing beyond the mapping is establishing a reasonable and scalable risk assessment process.

We recommend starting your process by having a logic for determining where to go in-depth. This logic may be a combination of basic inherent risk factors (where they are located, what they do) coupled with how important they are to you (amount of spend, criticality to business continuity, etc.).

Once you’ve narrowed your suppliers down from 100 to 10 or 10,000 to 100, it’s time to focus on residual risk.

Start by taking a more sophisticated look at inherent risk. To what extent do they use hazardous materials in their manufacturing? Do they use migrant labor through employment agencies? Next look at the maturity of their control processes to manage risk. Your “ important” suppliers should have similar management systems to yours. Of course, they should scale their controls to their size and the nature of their business.

Compliance DOJ ECCP GUIDANCE

Get access to Expert Insights and Fortune 500 Program Templates and Examples for today’s top risk areas.

Request Guest Access⟶

11 Supply Chain Due Diligence Best Practices

So what does a good supply chain due diligence program look like? Here’s another tip: It has eleven interrelated categories. To understand residual risk, you need to understand your maturity and that of your key suppliers in each category.

1. Supply Chain Mapping: The first step in establishing a supply chain due diligence program is to identify and map the organization’s supply chain partners, looking at who provides services or materials and where they are located. 
2.  Risk Assessment: An effective program is risk-based. It is important to have a process for evaluating the likelihood and potential impact of supply chain risks and prioritize them across the environmental and human rights spectrum.
3. Strategy & Goals: Supply chain due diligence should be aligned with the overall business strategy and ESG goals. The due diligence process should provide data needed for tracking progress and public reporting.
4. Policies, Procedures & Records: The due diligence program should be defined in a reasonable number of policies and procedures, shaped by the risk assessment and the relevant laws.
5. Responsible Supply Chain Engagement: ESG expectations should be communicated to suppliers frequently and through a Supplier Code of Conduct. A process should exist for vetting, approving, and onboarding new suppliers, along with considerations for disengaging from a supplier when necessary.
6. Governance and Oversight: Senior leadership’s level of involvement is important in embedding responsible supply chain engagement practices and mitigating potential supply chain risks. Part of an effective program is having trusted grievance reporting channels for employees, suppliers, and other stakeholders to access.
7. Training & Communication: Effective training and communication is critical to building awareness of the ESG expectations and gaining commitment internally and with suppliers. You should also communicate information on the actions to take to meet legal requirements. 
8. Monitoring: An ongoing process is needed for assessing the supplier’s ability to adhere to the supply chain due diligence expectations for mitigating potential risks. 
9. Corrective Action & Collaborative Remediation: Define the corrective actions required of suppliers or to be conducted in collaboration with suppliers. This includes assessing the roles and responsibilities in the remediation efforts, as well as assessing the effectiveness of remediation efforts. 
10. Stakeholder Engagement: Engage with external stakeholders (including workers of suppliers) to establish and monitor the ongoing effectiveness of the supply chain due diligence strategy and related goals. This includes how the organization considers the potential impacts its supply chain has on the communities of its suppliers.
11. Reporting & Disclosure: Reporting is a critical requirement in meeting the supply chain due diligence regulations. There should be a process in place for assessing the reliability of the data being collected from suppliers and third parties (e.g., audit firms, consultants) and for determining the appropriate level of transparency and disclosure. 

Understanding your current level of maturity is a critical step to prioritizing where to focus efforts and proceed efficiently. Just as you need to prioritize where to go in-depth with your suppliers, you need to prioritize which elements of your supply chain due diligence program to focus on. You can’t work on everything at once. You need to measure so you know where to improve.

To make it practical, it takes a combination of technology and human expertise to understand and make decisions effectively and efficiently. This will require new internal collaborations and new collaborations with your key suppliers.

For these collaborations to be effective, the parties must commit to a common goal and move beyond sharing transactional data to trading strategic data. They must also establish a common language and shared performance metrics.

Scaling Supply Chain Risk Management

We know that the plethora of supply chain risk, due diligence, and reporting legislations can be overwhelming and managing and mitigating environmental and social risks in your supply chain can be complicated. A well-structured supply chain due diligence program requires time, analytics, and subject matter expertise.

We believe that the structured, systemic, collaborative measure and improve approach based on the OECD Due Diligence Guidance For Responsible Business Conduct framework is the reasonable way to improve your supply chain risk performances scalably.

To learn more about how Ethisphere can help improve your supply chain due diligence program and systematically and practically understand your current suppliers, and their inherent and residual risk, explore these resources:

• Podcast: How to Prioritize Your Supply Chain Risk
• Podcast: Understanding New Supply Chain Regulations
• Podcast: Managing Due Diligence and Supply Chain Relationships