Process requirement 2
We explain the concepts of risk suppliers, supply chain mapping, rights-holder consultations and particularly vulnerable groups, as well as how to prioritise risks based on likelihood and severity.
Excerpt from the contract clause
Supplier shall identify and assess actual and potential adverse impacts, by
a) identifying risk suppliers,
b) mapping the supply chains of risk suppliers,
c) regularly examining the risks of adverse impacts in its own operations and in the supply chains of risk suppliers,
d) engaging in meaningful consultations with rights-holders or their representatives and obtaining information from credible and independent sources if consultations are not possible in the supply chains of risk suppliers,
e) paying attention to adverse impact on individuals from groups and populations that are at heightened risk of vulnerability or marginalisation, including environmental and human rights defenders and
f) prioritising the most significant risks based on likelihood and severity.
Identifying risk suppliers
You shall identify risk suppliers.
Below you will find our definition of risk suppliers, which takes into account risks to people, the environment and society across the supply chain. As you can see, this definition is similar to definitions of prioritised purchasing categories, which usually also takes into account spend.
”Risk suppliers are first tier suppliers prioritised for further assessment on the basis of their supply chains’ risk profiles and not on the strength of their relationship with the supplier. The categorization shall be based on the entire supply chain’s operating context (e.g. presence of conflict or vulnerable groups, weak rule of law, high rates of corruption), the operations, products or services involved (e.g. high employment of informal work, use of hazardous chemicals, use of heavy machinery), or other relevant considerations.”
If you can show that you identify prioritised purchasing categories based on a definition that is similar to our definition of risk suppliers, as well as spend, this is sufficient to meet the requirement.
The relevant considerations for identifying risk suppliers vary across industries. We have developed a template, which can be found below under Templates process requirement 2. Using this template is not mandatory. You may demonstrate compliance with the requirement in other ways.
Suggested verifications
- Instructions describing the identification of risk suppliers or prioritised purchasing categories.
- Identification of risk suppliers for sample products.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it identifies risk suppliers/prioritised purchasing categories, including:
- How the identification is based on the risk profile of the supply chain, not just the strength of the relationship with the supplier.
- How the assessment takes into account the operational context of the entire supply chain (e.g. presence of conflicts or vulnerable groups, weak rule of law, high levels of corruption) and risks related to operations, products or services (e.g. high use of informal work, hazardous chemicals or heavy machinery). Indexes are accepted here.
Note that if the company has a process for identifying risk suppliers/prioritised purchasing categories that meet the above requirements, this shall be accepted even if a sample products falls outside the prioritisation. In such cases, a new sample product shall be selected which is covered by the company’s prioritisation.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it identifies risk suppliers/prioritised purchasing categories, or they are incomplete:
- Identification is based on the strength of the relationship rather than the risk profile of the supply chain.
- The assessment does not take into account the operational context of the entire supply chain (e.g. presence of conflicts, vulnerable groups, weak rule of law or high levels of corruption) or risks related to operations, products or services (e.g. informal work, hazardous chemicals, heavy machinery). No or few indexes are used.
Mapping the supply chains
You shall map the supply chains for risk suppliers.
Mapping supply chains differs from tracing them, as tracing requires information that many suppliers lack. However, you shall be aware of the countries where final manufacturing takes place and be able to make a broad assessment of where component manufacturing occurs, where smelters and refiners are located (if relevant to the supply chain), and where raw material extraction takes place.
This assessment is often based on assumptions, especially for raw materials. A useful source is the U.S. Geological Survey’s Mineral Commodity Summaries, which estimates global mining production and reserves for over 90 minerals. You can also use the European Commission’s Raw Materials Information System. Search engines, as well as AI tools, can also assist in mapping efforts.
We have developed a mapping template, available below under Templates process requirement 2. Using this template is not mandatory. You can demonstrate compliance in other ways. Aso remember to update your mappings when you get more information about your supply chains over time.
A free tool for increasing transparency in your supply chains is Open Supply Hub. There, you can upload your suppliers and sub-suppliers. You can also embed the map on your website.
Map Your Supply Chains
Do you want to learn how to map your supply chains?
Spend 15 minutes on our training.
Suggested verifications
- Supply chain mappings (Excel spreadsheets, Word documents, etc.), for sample products.
- Printouts of digital supply chain trackings, for sample products.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it maps supply chains for risk suppliers/prioritised purchasing categories.
Supply chain mappings for sample products are available, including:
- Excel files, Word documents or digital tools or similar.
- Confirmed information on countries for final manufacturing and at least an overall assessment of countries for component manufacturing, smelting/refining and raw material extraction.
- The assumptions and sources that have been used for the mapping.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it maps supply chains for risk suppliers/prioritised purchasing categories.
Supply chain mappings for sample products are missing or incomplete:
- There are no Excel files, Word documents, digital tools or similar.
- There is no confirmed information on countries for final manufacturing and/or overall assessment of countries for component manufacturing, smelting/refining or raw material extraction.
- No information about the assumptions and sources used for the mapping is available.
Examining the risks of adverse impacts
You shall regularly investigate the risks of adverse impacts in your own operations and in the supply chains of risk suppliers.
Many risk assessments for your own operations are already conducted in accordance with national legislation, such as the Work Environment Act, the Discrimination Act, and the Environmental Code. However, the responsibilities differ—HR and environmental experts primarily manage risks within your operations, while sustainability and purchasing specialists often focus on supply chain risks. The risk assessments for your own operations shall be based on your operating context and relevant risks.
When examining risks in the supply chains of risk suppliers, the assessment shall cover all types of adverse impact as described in the Supplier Code of Conduct or an equivalent standard, such as the European Sustainability Reporting Standards. However, this standard does not include the Code of Conduct’s provisions on anti-competitive behaviour and taxation, which means you need to add them separately. You shall also ensure that all relevant rights-holders are covered by the assessment – including affected communities, workers, the environment, and society as a whole.
The supply chain tiers you have mapped (final production, component manufacturing, smelting and refining, and raw material extraction) shall be included in the risk assessment. It is possible to either:
- conduct a consolidated assessment of adverse impact across the entire supply chain, or
- conduct separate assessments for each tier.
The assessment shall not rely solely on indexes – you need to use qualitative and contextual sources. If forced labour is the most significant risk, this shall be clearly stated so that appropriate actions can be taken. Make sure to also consider both geographic risks, sector risks, and product risks.
Geographic risks
Geographic risks are conditions in a particular country which may make sector risks more likely. Geographic risk factors can generally be classified as those related to the regulatory framework (e.g. alignment with international conventions), governance (e.g. strength of inspectorates, rule of law, level of corruption), socio-economic context (e.g. poverty and education rates, vulnerability and discrimination of specific populations) and political context (e.g. presence of conflict).
Sector risks
Sector risks are risks that are prevalent within a sector globally as a result of the characteristics of the sector, its activities, its products and production processes. For example, the extractive sector is often associated with risks related to a large environmental footprint and impacts on local communities. In the garment and footwear sector, risks associated with respect for trade union rights, occupational health and safety and low wages are prevalent, amongst others.
Product risks
Product risks are risks related to inputs or production processes used in the development or use of specific products. For example, garment products with beading or embroidery hold a higher risk of informal employment and precarious work and phones and computers may contain components that are at risk of being mined from conflict areas.
We have developed a risk assessment template, which can be found below under Templates process requirement 2. Using this template is not mandatory. You can demonstrate compliance in other ways.
Sources
When investigating risks, you should use your own or third-party employee surveys, grievance mechanisms, factory audits, health and safety inspections, environmental and social impact assessments, KYC processes and compliance systems.
You should also request relevant information from risk suppliers where possible.
You should also analyse and integrate information from international organisations, civil society, national human rights institutions, governments, trade unions, industry associations, and the media.
What is meant by regularly?
Due diligence is a continuous process that requires regular review of risks of adverse impact. This means that you should analyse risks:
- Before starting a new activity or business relationship (e.g. mergers, acquisitions, new customers, countries and markets).
- Before major decisions or changes in operations are implemented (e.g. exits from business relationships).
- In response to or as a preventative measure against changes in the business or supply chain (e.g. increasing social tensions).
- Regularly, at least every 12 months , during the life cycle of the activity or business relationship.
The most effective way is to assess the impact as early as possible in the process to mitigate risks and take necessary measures in a timely manner.
Is this needed if you sell certified products?
The short answer is yes. No certification is foolproof and it is crucial to understand the risks in the supply chain. Choosing certified products is primarily a method of reducing risk, but it does not replace the need to identify and assess adverse impacts. It is also important to be prepared if and when adverse impacts arise – especially if they are severe.
Identify & Assess Adverse Impacts
Do you want to learn how to identify and assess adverse impacts?
Spend 20 minutes on our training.
Suggested verifications
- Instructions describing how you examine risks of adverse impacts in your operations and supply chains. The document shall specify time intervals and circumstances for risk assessments.
- Risk assessments for the company’s own operations.
- Risk assessments for the supply chains of sample products.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it examines risks in its own operations, including:
- How the requirement for regularity is met, for example at least every 12 months and in the event of new activities or changes in the operations.
- How all risks of adverse impacts are identified and assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standard.
- How all relevant rights-holders are covered (affected communities, workers, the environment and society as a whole).
The company has instructions or equivalent documentation/templates that describe how it examines supply chain risks, including:
- How the requirement for regularity is met, for example at least every 12 months and in the event of new business relationships or changes in the supply chain.
- How all risks of adverse impacts are identified and assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standard.
- How all relevant rights-holders are covered (affected communities, workers, the environment and society as a whole).
- How all relevant tiers are included (final manufacturing, component manufacturing, smelting/refining and raw material extraction).
- How risk assessments are not based solely on indices and include both geographical, industry and product risks.
Risk assessments for the company’s own operations exist, based on relevant contexts and risk perspectives.
Risk assessments for the supply chains of sample products are available and they cover all commitments/ESRS, all relevant rights-holders, all relevant tiers – while not being based solely on indices and covering both geographical, industry and product risks.
Note that there is a difference between risk assessments—which include all risks, all rights holders and all stages—and supplier assessments.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it examines risks in its own operations, or they are incomplete:
- Risk assessments are not carried out regularly, for example annually and in the event of new activities or changes in the operations.
- Not all risks of adverse impacts are identified or assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standards.
- Not all relevant rights-holders are covered (affected communities, workers, the environment and/or society as a whole).
The company lacks instructions or equivalent documentation/templates that describe how it examines supply chains risks, or they are incomplete:
- Risk assessments are not carried out regularly, for example annually and in the event of new business relationships or changes in the supply chain.
- Not all risks of adverse impacts are identified or assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standards.
- Not all relevant rights-holders are covered (affected communities, workers, the environment and/or society as a whole).
- All relevant tiers are not included (final manufacturing, component manufacturing, smelting/refining and raw material extraction).
- Risk assessments are based solely on indices or do not include both geographical, industry and product risks.
Risk assessments for the company’s own operations are missing or incomplete, that is, they are not based on the context and/or relevant risks.
Risk assessments for the supply chains of sample products are completely absent or incomplete – for example, they do not cover all commitments/ESRS, all relevant rights-holders and/or all relevant tiers, or they are based solely on indices and/or fail to include geographical, industry and/or product risks.
Engaging in meaningful consultations
You shall engage in meaningful consultations with rights-holders or their representatives and obtain information from credible and independent sources if consultations are not possible in the supply chains of risk suppliers.
Consultations can take place through social dialogue, surveys, meetings, hearings, or other methods. The purpose is to understand how a specific impact affects individuals in a given context.
Engaging in meaningful consultations with rights-holders or their representatives helps you determine whether their perceptions of adverse impacts differ from each other or from your own. For example, changes in shift schedules may affect parents with childcare responsibilities or religious people. Through consultation, you demonstrate respect for their perspectives and rights, which builds trust and promotes sustainable solutions.
Consultations require special consideration of linguistic, cultural, and gender-related barriers to ensure that no one is excluded. Additionally, rights-holders may have conflicting opinions, making certain issues sensitive.
In the risk assessment template we have developed, available below under Templates process requirement 2, you shall note down your consultations and the sources you have used.
Meaningful consultations
The consultations you conduct shall be meaningful. This means that they shall be characterised by two-way communication and good faith of participants on both sides. It also means that the parties shall be responsive and the consultations ongoing. The four criteria are defined below.
| Two-way engagement means that both you and rights-holders freely express opinions, share perspectives and listen to alternative viewpoints to reach a mutual understanding. It also means that relevant rights-holders have the opportunity to help design and carry out engagement activities themselves. |
| Both you and rights-holders are expected to act in good faith in engagement activities. This means that you engage with the genuine intention to understand how relevant rights-holders are affected by your activities. It also means that you are prepared to address any adverse impacts you cause or contribute to, and that rights-holders honestly represent their interests, intentions and concerns. |
| Responsive engagement means that you seek to inform your decisions by eliciting the views of those likely to be affected by the decision. It is important to engage potentially impacted rights-holders prior to taking any decision that may impact them. This involves the timely provision of all information needed by the potentially impacted rights-holders to be able to make an informed decision as to how your decision could impact their interests. It also means there is following-through on implementation of agreed commitments, ensuring that adverse impacts to impacted and potentially impacted rights-holders are addressed including through provision of remedies when you have caused or contributed to the impacts. |
| Ongoing engagement means that rights-holder engagement activities continue throughout the lifecycle of an operation or activity and are not a one-time endeavour. |
Rights-holders and their representatives
Rights-holders are individuals or groups who have specific rights in relation to specific duty-bearers. All people are rights-holders under the Universal Declaration of Human Rights. All people shall also be considered active agents in the realisation of their rights – both directly and through their representatives. Examples:
| Rights-holder | Representative |
| Workers, including outsourced and informal workers | Employee representatives and trade unions, civil society organisations and non-governmental organisations |
| Affected communities at the local, regional or national level, including people living near or downstream from the operation, such as landowners, farmers and indigenous peoples | Community-based organisations including religious and community leaders, environmental and human rights defenders, civil society organisations, and non-governmental organisations |
Where there are many rights-holders, it is often easier to consult with credible representatives. For example, in the case of a factory restructuring or closure, you can consult with trade unions instead of individual workers. In the case of adverse impacts that cause collective harm – such as corruption affecting entire populations or greenhouse gas emissions with transboundary effects – broad consultation with all rights-holders is not possible. In such cases, it may be more appropriate to consult with representatives, such as civil society organisations or non-governmental organisations.
Alternatives to consultation
You shall always engage in meaningful consultations with rights-holders, or their representatives, in and around your own operations. However, consulting with rights-holders in supply chains may be difficult. Alternatively, you can obtain information from credible and independent sources, including third-party audits based on interviews with workers. There are also publicly available sources from governments, academic institutions, civil society and non-governmental organisations.
To gain a deeper understanding of rights-holders’ perspectives within specific industries or contexts, you should also monitor Swedish and international media and use search engines and AI tools.
Consultations according to Swedish legislation
In Sweden, legislation requires several forms of consultations, including the following:
- The Work Environment Act regulates cooperation between employers and employees in Chapter 6, where the obligations are described in more detail in the Swedish Work Environment Authority’s regulation on systematic work environment work (AFS 2001:1).
- The Discrimination Act contains corresponding requirements in Chapter 3.
- The Environmental Code (Chapter 6) states that anyone who plans to conduct an activity or take an action that requires a permit or decision on permissibility must consult with the individuals who may be assumed to be particularly affected.
Social dialogue
The main objective of social dialogue is to promote consensus and democratic engagement among the actors in in the world of work. Social dialogue can take place as a tripartite process, with the government participating as an official party, or as a bipartite relationship between trade unions and employers’ organisations. It can be formal or informal, and is often a combination of both. Social dialogue can take place at national, regional or company level. For social dialogue to work, the following is necessary:
- Strong, independent workers’ and employers’ organisations with access to relevant information and technical capacity to participate.
- Political will and commitment from all parties to actively participate.
- Respect for fundamental rights, such as freedom of association and the right to collective bargaining.
- Appropriate institutional support to ensure effective dialogue.
In the Swedish labour market, there are over 100 trade unions and employers’ organisations, which together administer around 650 collective agreements. Sweden has a high rate of collective agreement coverage, although the coverage rate is falling. However, this decline is not as sharp as the decline in union membership. Thanks to the collective agreement coverage, social dialogue is common in Sweden.
In global supply chains, the situation is often different. If you do not actively promote the right to freedom of association and collective bargaining, as well as the requirement to consult with rights-holders, there is a risk that your suppliers will not apply social dialogue in consultation with their workers. Instead, they may:
- Rely on their own management or a for-profit third party.
- Using NGOs or internal worker-management committees.
- Consult with a so-called “yellow” union – a union controlled by the employer – instead of an independent and genuine union.
To ensure social dialogue in the supply chain, you need to examine the specific structures of the factories and countries where you source goods. It is also important to work with your suppliers to ensure that social dialogue actually takes place and that workers’ rights are respected.
Worker voice programs
In addition to efforts to strengthen freedom of association and collective bargaining, you can use technology, especially mobile phones, to collect information directly from workers. These tools give workers a channel to express their concerns while helping to reduce the risk of adverse impact.
For this to be effective, it is crucial to collaborate with your suppliers. This increases the likelihood that they will engage in the process and take the necessary actions. However, worker participation is key to success. They must feel safe to provide feedback without fear of reprisal and believe that their views can actually lead to change. To avoid overloading workers with surveys and questions, it is also beneficial to coordinate with other buyers and use joint programs within the same factory.
Suggested verifications
- Instructions describing consultations with rights-holders in your own operations, how these fulfill the requirement for meaningful consultations, and how they are used as a basis for risk assessments.
- Instructions describing consultations with rights-holders in the supply chain.
- Meeting minutes from social dialogue, hearings, and other consultation procedures for sample products.
- Results from worker voice programs and/or surveys related to sample products.
- Risk assessments for the company’s own operations, including the consultations that form the basis of the assessment.
- Risk assessments for the supply chain of sample products, including any consultations and/or the sources used for the assessment.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in its own operations, including:
- How statutory consultations are applied under the Work Environment Act, the Discrimination Act and/or the Environmental Code.
- How social dialogue is applied (tripartite/bipartite process; formal/informal; national, regional or company level).
- How consultations are characterized by two-way communication, responsiveness, good faith and continuity.
The Company has instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in the supply chain, including:
- How meaningful consultations are also sought in the supply chain, for example through employee interviews during visits and audits or worker voice programs.
- How information is obtained from credible and independent sources if direct consultations are not possible.
There is documentation that shows that consultations have been carried out in the company’s own operations, such as employee surveys or minutes of meetings from statutory consultations and social dialogue and/or hearings with affected communities, as well as evidence that these form the basis for risk assessments.
There is evidence showing that consultations have been carried out in the supply chains of sample products, such as employee interviews during audits, or that consultations have been replaced by credible and independent sources such as civil society, academia, authorities and the media—as well as evidence that the consultations/sources form the basis for risk assessments.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in its own operations, or they are incomplete:
- Statutory consultations are not applied under the Work Environment Act, the Discrimination Act and/or the Environmental Code.
- Social dialogue is not applied (tripartite/bipartite process; formal/informal; national, regional or company level).
- Consultations are not characterised by two-way communication, responsiveness, good faith and continuity.
The company lacks instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in the supply chain, or they are incomplete:
- Meaningful consultations, such as through worker interviews during visits and audits or worker voice programs, are not sought.
- Information is not obtained from credible and independent sources if direct consultations are not possible.
There is no documentation showing that consultations have been carried out in the company’s own operations, such as employee surveys or minutes of meetings from statutory consultations and social dialogue and/or hearings with affected communities, or evidence that these have been used in risk assessments.
There is no evidence showing that consultations have been carried out in the supply chains of sample products, such as employee interviews during audits, or that consultations have been replaced by credible and independent sources such as civil society, academia, authorities or the media—or evidence that the consultations/sources have been used in risk assessments.
Paying attention to particularly vulnerable groups
You shall pay attention to adverse impact on individuals from groups and populations at heightened risk of vulnerability or marginalisation, including environmental and human rights defenders. The purpose is to ensure that you do not contribute to or exacerbate such vulnerability or marginalisation.
The UN has developed rights for the following groups:
Indigenous peoples
Women
National or ethnic, religious and linguistic minorities
Children
Persons with disabilities
Migrant workers and their families
In situations of armed conflict, you shall also respect the norms of international humanitarian law.
What does “pay attention to” mean? When identifying risks, consider whether they affect groups with increased vulnerability or marginalisation. If there is a risk of land grabbing and indigenous peoples live on the land, this should be acknowledged. If there is a risk of debt bondage, a form of forced labour, migrant workers are a particularly vulnerable group. If there is a risk freedom of expression may be restricted, environmental and human rights defenders could be particularly exposed.
By identifying vulnerable groups, you will be better prepared for dialogue with risk suppliers and for managing adverse impacts in the supply chain. The analysis also makes it easier to prioritise the most significant risks based on likelihood and severity, as vulnerable groups are often the most affected.
In the risk assessment template we have developed, available below under Templates process requirement 2, you will find guidance on paying attention to particularly vulnerable groups.
Gender perspective
Below are some things to consider from a gender perspective when assessing risks:
| Is the business conducted in a context where women are subjected to serious discrimination? | This increases the risk of discrimination in work situations. |
| Does the activity significantly impact the local economy, the environment, and access to land and livelihoods? | Women are responsible for most of the world’s agriculture and food supply. |
| Are the activities conducted in a conflict or post-conflict area? | Women are particularly vulnerable in conflicts, including when sexual violence is often used as a method of warfare. |
| Is it a sector where a large number of women are employed, such as clothing, electronics or agriculture? | These sectors tend to be undervalued (for example in terms of health and safety and wages) as a result of the view of women in general. |
| Are there overlapping vulnerabilities, such as indigenous female workers who cannot read? | Increased vulnerability due to overlapping/accumulated vulnerability should be taken into account. |
| Are workers in the informal economy included in the supply chain? | Women make up a high proportion of workers in the informal economy. |
| Do the reports based on assessments take into account women’s opinions and situation? | It is crucial that women participate in consultations and dialogues so that women’s situation can be adequately highlighted. |
Children's perspective
Below are some things to consider when assessing risks. The table is an abridged version of the Danish Institute for Human Rights and UNICEF’s guide Children’s Rights in Impact Assessments.
| Children as family members of workers | Children as labour | Children as members of communities |
| Do working conditions and circumstances enable women and men to be active parents? • Living wage? • Working hours? • Provisions for pregnant and breastfeeding women? • Parental leave? • Support for migrant and seasonal workers to be parents remotely? • Childcare? • Healthcare? • Good quality education? Pay particular attention if the business is conducted in a context characterised by: • High proportion of migrants workers • Poverty and significant informal sector • Restrictions on trade union rights | Are young workers above the minimum age protected from hazardous work? • Restrictions on working hours? • Restrictions on working at dangerous heights? • Restrictions on the use of dangerous machinery, equipment and tools? • Restrictions on the transport of heavy loads? • Exposure to hazardous substances/processes? • Exposure to night work? • Exposure to work where the young worker is unreasonably confined to the employer’s premises? Pay particular attention if the business is conducted in a context characterised by: • School leaving age is not the same as minimum working age • High incidence of child labour or young workers • Low accessibility to and quality of schools as well as low proportion of enrolled students and low proportion of students who have completed schooling • Large and mandatory internship programs that can be used to compensate for labour shortages • High proportion of migrants workers • Poverty and significant informal sector • Restrictions on trade union rights | Does the activity include land acquisition and population displacement/removal? • Has consultation been carried out with the population to identify and address adverse impacts on children? • Have children’s rights to, among other things, education, protection, health, adequate food and water, adequate standard of living and participation been taken into account? • Has free, prior and informed consent been obtained from indigenous peoples? Does the activity involve private or public security forces? • Is there a risk of children being recruited or used by security forces for security-related work, or for work related to food deliveries, logistics, administration, espionage? • Is there a risk that children will come into contact with security forces, for example due to illegal intrusions or as witnesses to security forces’ violations? • Is there a risk of children being subjected to abuse, threats and harassment by security forces? Are the operations conducted in an area affected by disasters, conflicts or political instability? • Is the business involved in hazardous activities that pose a higher risk of man-made disasters? • Does the population include children who may be particularly vulnerable, such as children with disabilities, displaced children, migrant children, children separated from their families, or children from indigenous groups? • Is there a risk that the activity supports warring factions or exacerbates discrimination or tensions by consulting or interacting more with one group than with others? Does the activity contribute to extensive environmental impact? • Is there a risk that children’s food security and health will be affected? The lack of clean water is a serious threat as waterborne diseases such as diarrhoea are a leading cause of death among children under 5. • Children also absorb a higher proportion of pollutants than adults do. Pay particular attention if the business is conducted in a context characterised by: • Indigenous people • Conflicts and political instability • Rural and remote areas • High crime rate • State requirements to use public security forces • Non-functioning criminal justice systems, including for children and young people • Disasters (floods, droughts, earthquakes, cyclones) • Food insecurity and malnutrition • Poverty and significant informal sector |
Environmental and human rights defenders
You should also pay attention to the negative impact on environmental and human rights defenders. They are on the front lines protecting our rights and our planet. Among them are indigenous peoples, trade union leaders, land and environmental defenders, anti-corruption activists, journalists and others who expose corporate irresponsible business practices and fight for human rights.
The Business & Human Rights Resource Centre runs a database with information on attacks on human rights defenders around the world. There you can, among other things, search for attacks by country.
Business & Human Rights Resource Centre – Civic Freedoms & HRD Data
Another source is the Observatory for the Protection of Human Rights Defenders, which is run by the International Federation for Human Rights and the World Organisation Against Torture.
Other vulnerable groups and sources
In many contexts, it is important to also consider groups whose rights are not explicitly defined by the UN, such as people with low socio-economic status, street children, homeless youth, LGBTQI people, refugees, asylum seekers and those affected by climate change. The Human Rights Measurement Initiative tracks several at-risk groups through its Rights Tracker. n our compilation of sources, you will find more resources that can help you identify particularly vulnerable groups in different contexts.
Suggested verifications
- Instructions describing how you identify particularly vulnerable groups.
- Risk assessment for the company’s own operations, including information on particularly vulnerable groups.
- Risk assessment for the supply chains of sample products, including information on particularly vulnerable groups.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in risk assessments for its own operations.
The company has instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in supply chain risk assessments.
Particularly vulnerable groups have been identified in risk assessments for the company’s own operations.
Particularly vulnerable groups have been identified in supply chain risk assessments of sample products.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in risk assessments for its own operations.
The company lacks instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in supply chain risk assessments.
Particularly vulnerable groups have not been identified in risk assessments for the company’s own operations.
Particularly vulnerable groups have not been identified in supply chain risk assessments of sample products.
Prioritise risks based on likelihood and severity
You shall prioritise the most significant risks based on likelihood and severity.
There is no hierarchy within international human rights law—human rights are interrelated, interdependent, and indivisible. However, it is often impossible to address all adverse impacts at the same time, which requires prioritisation based on likelihood and severity.
Standard risk assessment methods weigh likelihood and severity equally. However, if an impact has low likelihood but high severity, severity becomes the determining factor. The focus should be on the impact that causes the greatest harm, such as the risk of loss of life, even if the likelihood is low.
Severity shall be assessed based on the adverse impact’s:
- Scale, which refers to the gravity of the adverse impact.
- Scope, which concerns the reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
- Irremediable character, which means any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Examples of scale, scope and irremediable character
The table is from pp. 43-44 of the OECD Due Diligence Guidance for Responsible Business Conduct.
| | Scale | Scope | Irremediable character |
| Human rights | • Extent of infringement of access to basic life necessities or freedoms (e.g. education, livelihood, etc.) | • Number of people impacted • % of identifiable groups of people impacted | • The extent to which the impact can be rectified (e.g. through compensation or restitution) • Whether the people affectedcan be restored to their exercise of the right in question |
| Workers’ rights | • Extent of impact workers’ health or safety • Whether the violation concerns a fundamental right at work | • Number of workers/employees impacted • Extent to which impacts are systemic (e.g. to a particular geography, industry or sub-sector) • Extent to which some groups are disproportionately affected by the impacts (e.g. minorities, women, etc.) | • Extent to which the impact can be rectified (e.g. through compensation, reinstatement, etc.) • Whether the workers affected can be restored to the prior enjoyment of the right in question • The extent to which the intimidation of workers for forming or joining a trade union will effectively deny workers the right to representation |
| The environment | • Extent of impact on human health • Extent of changes in species composition • Water use intensity (% use of total available resources) • Degree of waste and chemical generation (tons; % of generation) | • Geographic reach of the impact • Number of species impacted | • Degree to which rehabilitation of the natural site is possible or practicable •The length of time remediation would take |
| Business ethics | • Monetary amount of the bribe • Loss of life or severe bodily harm caused by bribery • Criminal nature of the bribe • Extent of impact on markets, people, environment and society due to decisions made based on bribery • Size of the profit gained from the bribery | • Frequency at which bribes are paid • Geographic spread of bribery • Number and/or level of officials, employees or agents engaged in bribery • Extent of activities linked with bribery • Number of identifiable groups impacted by decisions based on bribery | • Extent of damage to society due to loss of public funds • Extent to which activities undertaken and enabled by bribery will lead to irremediable adverse impacts |
Severity is not an absolute concept but must be assessed in relation to other adverse impacts in each individual case. Particularly vulnerable groups are often severely affected, making it important to consider them when prioritising the most significant risks. Once these have been addressed, work should continue with the next most severe risks and then progressively with the others.
In the risk assessment template we have developed, available below under Templates process requirement 2, you will find guidance on prioritising risks based on likelihood and severity.
Suggested verifications
- Instructions describing the prioritisation based on likelihood and severity.
- Risk assessments for the company’s own operations, including prioritisations based on likelihood and severity.
- Risk assessments for the supply chains of sample products, including prioritisations based on likelihood and severity.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it prioritises risks based on likelihood and severity, including how severity is assessed based on:
- Scale: gravity of the adverse impact.
- Scope: reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
- Irremediable character: any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Risks in the company’s own operations have been prioritised based on likelihood and severity.
Risks in the supply chains of sample products have been prioritised based on likelihood and severity.
Note that likelihood and severity are not the same as likelihood and consequence. Due diligence focuses on adverse impacts on people, the environment and society, not on risks to the company. These risk assessments also differ from the double materiality analyses carried out under the CSRD, where both the impact on the operating environment and the impact on the company’s earnings are taken into account.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it prioritises risks based on likelihood and severity, or they are incomplete. That is, severity is not assessed based on:
- Scale: gravity of the adverse impact.
- Scope: reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
- Irremediable character: any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Risks in the company’s own operations have not been prioritised based on likelihood and severity.
Risks in the supply chains of sample products have not been prioritised based on likelihood and severity.
Templates process requirement 2
- Template for identification of risk suppliers (prioritised purchasing categories)
- Supply chain mapping template
- Supply chain risk assessment template incl. action plans and remediation plan
- Responsible sourcing instruction template (section 2) (currently under revision)
Process requirements
Integrate commitments into policies and allocate responsibility for policies and due diligence
We explain the requirements for policies and how responsibilities shall be allocated between the board of directors, managers, and employees.
Identify and assess adverse impacts
We explain the concepts of risk suppliers, supply chain mapping, rights-holder consultations and particularly vulnerable groups, as well as how to prioritise risks based on likelihood and severity.
Prevent and mitigate adverse impacts that you cause or contribute to
We explain the responsibility to cease activities that cause or contribute to adverse impacts, establish action plans, and promote sustainable purchasing practices.
Prevent and mitigate adverse impacts linked to your operations
We explain the responsibility regarding supplier assessments, action plans, and the forwarding of requirements—including transparency—as well as the ability to temporarily suspend or terminate the contract.
Monitor the measures to prevent and mitigate adverse impacts
We explain what we mean by following-up action plans, meaningful consultations with rights-holders, and addressing deviations.
Enable complaints
We explain the key functions of complaints procedures, for which stakeholders they should be accessible, and the need to address submitted complaints.
Provide for remediation
We explain the concept of remediation, when remediation is required, the importance of engaging in meaningful consultation with affected rights-holders, and the need to assess whether they are satisfied with both the process and the outcome.