When working with clients to support their compliance with new supply chain legislation, we are frequently asked how far they need to go to satisfy the regulators. This is becoming increasingly common as the requirement for reporting is widening and companies find themselves swept up in a metaphorical regulatory net.
What do the people responsible for supply chain due diligence reporting want (and need) to know? Put simply, when is enough, enough?
The honest reply to this question, which may not, at first, sound all that helpful, is that there is no right answer. It genuinely depends on a wide range of factors. To understand what is enough for your organisation, we need to look at the actual legislation.
Supply chain due diligence legislation such as the EU CS DDD, Lieferkettengesetz, BRSR Core, Australia’s Modern Slavery Act and similar legislation emerging across the world sets out its expectations for compliance very clearly. First, legislation usually sets out the requirement for organisations to take a risk-based approach to due diligence within the supply chain. Secondly, it states that the effort undertaken to do that must be commensurate with the organisation’s business and the complexity of the supply chain.
In particular, the guidance usually refers to the “adequacy of risk assessment”, saying that risk assessment should not present an undue burden; however, organisations should ensure that the effort undertaken is appropriate to their business activities and the risks associated with those activities.
Of course, when you think about it, this makes complete sense. ESG supply chain risk management can never be done in a one-size-fits-all kind of way. A privately-owned chain of sandwich shops employing 1000 people will have very different risks to a multinational manufacturing organisation sourcing raw materials from multiple continents, and the legislation, quite rightly, recognises that. That’s not to say that the sandwich shops will have no risk, but the basic risk profile will be relatively much lower and so, as you would expect, the expectations placed on it, in terms of supply chain risk assessment, are proportionately lower.
So how do you identify what is appropriate for your business? To do this, the OECD Due Diligence Guidance for Responsible Business Conduct recommends carrying out a “broad scoping exercise” to create a high-level picture of end-to-end supply chain risk. This broad, multi-disciplined approach is integral to successful supply chain due diligence and key for organisations that need to be able to demonstrate to the relevant regulatory authorities that they do understand their risks and that they have “done enough” to mitigate them.
But doing enough is becoming increasingly challenging. The structure and sheer scale of today’s supply chains mean that ESG issues and their causes can be extremely hard to identify, understand and eradicate. Intensive and sustained effort is required to monitor and report at the required frequencies. The data needed to comply goes beyond regular operational boundaries and, without due care, data sources with questionable provenance, accuracy or interpretation can often become primary sources of information. That undermines the basis for the risk assessment, management, and subsequent disclosures – presenting a substantial threat to a business’s reputation and its regulatory compliance.
For this reason, at Achilles, when we work with organisations to support their ESG and wider regulatory compliance, we never rely on data from just one source, and we don’t rely on information that is solely gathered from web crawling. Instead, we always start by collecting and assessing data from a wide range of sources including (but not limited to) documentation from organisations in your supply chain, publicly accessible and historical information from the internet and investigation reports from NGOs and charities. Uniquely, we also bring in information captured from our extensive, global, in-person audit programme, and the voices of workers gathered over many years of interviews in similar industries and regions to paint a complete picture of your supply chain risk.
It’s that level of detailed analysis and insight that facilitates a comprehensive disclosure and gives you the confidence that you have “done enough”. Only when an accurate picture has been created is it really possible to move on to the next step in your journey to “doing enough” – incorporating quality management principles into a risk-based human rights due diligence approach.