2. Risk assessments
Contract clause
Supplier shall identify and assess actual and potential adverse impacts, by
a) identifying risk suppliers,
b) mapping the supply chains of risk suppliers,
c) regularly examining the risks of adverse impacts in its own operations and in the supply chains of risk suppliers,
d) engaging in meaningful consultations with rights-holders or their representatives and obtaining information from credible and independent sources if consultations are not possible in the supply chains of risk suppliers,
e) paying attention to adverse impact on individuals from groups and populations that are at heightened risk of vulnerability or marginalisation, including environmental and human rights defenders and
f) prioritising the most significant risks based on likelihood and severity.
a) Identify risk suppliers
You shall identify risk suppliers.
Below is our definition of risk suppliers, which takes into account risks throughout the supply chain. This definition is similar to those used for prioritised purchasing categories, which also usually take purchasing volume into account. If you can demonstrate that you identify prioritised purchasing categories based on similar criteria, this is sufficient to fulfill the requirement.
“A risk supplier is a first-tier supplier that is prioritised for further assessment based on the supply chain’s risk profile and not on the strength of the relationship with the supplier. The categorisation shall therefore be based on the overall business context of the supply chain, for example the presence of conflicts or vulnerable groups, weak rule of law, high levels of corruption, or other relevant circumstances. Consideration shall also be given to the activities, products, or services covered, for example extensive use of informal labor, the use of hazardous chemicals, or the use of heavy machinery.”
We have developed a template for prioritising purchasing categories, which is available under Templates process requirement 2.
There is no requirement to use our template.

Suggested verifications
- Instructions describing the identification of risk suppliers or prioritised purchasing categories.
- Identification of risk suppliers for sample products.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it identifies risk suppliers/prioritised purchasing categories, including:
- How the identification is based on the risk profile of the supply chain, not just the strength of the relationship with the supplier.
- How the assessment takes into account the operational context of the entire supply chain (e.g. presence of conflicts or vulnerable groups, weak rule of law, high levels of corruption) and risks related to operations, products or services (e.g. high use of informal work, hazardous chemicals or heavy machinery). Indexes are accepted here.
Note that if the company has a process for identifying risk suppliers/prioritised purchasing categories that meets the above requirements, this shall be accepted even if a sample product falls outside the prioritisation. In such cases, a new sample product shall be selected which is covered by the company’s prioritisation.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it identifies risk suppliers/prioritised purchasing categories, or they are incomplete:
- Identification is based on the strength of the relationship rather than the risk profile of the supply chain.
- The assessment does not take into account the operational context of the entire supply chain (e.g. presence of conflicts, vulnerable groups, weak rule of law or high levels of corruption) or risks related to operations, products or services (e.g. informal work, hazardous chemicals, heavy machinery). No or few indexes are used.
b) Map the supply chains
You shall map the supply chains for risk suppliers (or prioritised purchasing categories).
Mapping supply chains differs from tracing them. Tracing means being able to follow materials and products through every stage of production. Mapping means that you must:
- know in which countries final manufacturing takes place, and
- be able to make an overall assessment of where component manufacturing, smelters and refineries are located (if relevant to the supply chain), as well as where raw material extraction takes place.
The assessment is often based on assumptions, particularly for raw materials. The following sources may be helpful in the mapping process:
- U.S. Geological Survey’s Mineral Commodity Summaries
- European Commission’s Raw Materials Information System
We have developed a template for supply chain mapping, which is available under Templates process requirement 2. There is no requirement to use our template.
A free tool for supply chain transparency is Open Supply Hub. There, you can upload your suppliers and sub-suppliers. You can also embed the map on your website.

Map Your Supply Chains
Do you want to learn how to map your supply chains?
Spend 15 minutes on our training.

Suggested verifications
- Supply chain mappings (Excel spreadsheets, Word documents, etc.), for sample products.
- Printouts of digital supply chain trackings, for sample products.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it maps supply chains for risk suppliers/prioritised purchasing categories.
Supply chain mappings for sample products are available, including:
- Excel files, Word documents or digital tools or similar.
- Confirmed information on countries for final manufacturing and at least an overall assessment of countries for component manufacturing, smelting/refining and raw material extraction.
- The assumptions and sources that have been used for the mapping.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it maps supply chains for risk suppliers/prioritised purchasing categories.
Supply chain mappings for sample products are missing or incomplete:
- There are no Excel files, Word documents, digital tools or similar.
- There is no confirmed information on countries for final manufacturing and/or overall assessment of countries for component manufacturing, smelting/refining or raw material extraction.
- No information about the assumptions and sources used for the mapping is available.
c) Examine the risks of adverse impacts
You shall regularly investigate the risks of adverse impacts in your own operations and in the supply chains of risk suppliers.
Many risk assessments for your own operations are conducted in accordance with national legislation, such as the Work Environment Act, the Discrimination Act, and the Environmental Code. However, the responsibilities differ – HR and environmental experts primarily manage risks within your operations, while sustainability and purchasing specialists focus on supply chain risks.
When examining risks in the supply chains of risk suppliers, the assessment shall cover all types of adverse impact as described in the Supplier Code of Conduct or an equivalent standard. You shall also ensure that all relevant rights-holders are covered – affected communities, workers, the environment, and society as a whole.
The supply chain tiers you have mapped (final production, component manufacturing, smelting and refining, and raw material extraction) shall be included in the risk assessment. It is possible to either:
- conduct a consolidated assessment of adverse impact across the entire supply chain, or
- conduct separate assessments for each tier.
The assessment shall not rely solely on indexes – you need to use qualitative and contextual sources. If forced labour is the most significant risk, this shall be stated so that appropriate actions can be taken.
Make sure to also consider geographic risks, sector risks, and product risks.

Geographic risks
Geographic risks are conditions in a particular country which may make sector risks more likely. Geographic risk factors can generally be classified as those related to the regulatory framework (e.g. alignment with international conventions), governance (e.g. strength of inspectorates, rule of law, level of corruption), socio-economic context (e.g. poverty and education rates, vulnerability and discrimination of specific populations) and political context (e.g. presence of conflict).

Sector risks
Sector risks are risks that are prevalent within a sector globally as a result of the characteristics of the sector, its activities, its products and production processes. For example, the extractive sector is often associated with risks related to a large environmental footprint and impacts on local communities. In the garment and footwear sector, risks associated with respect for trade union rights, occupational health and safety and low wages are prevalent, amongst others.

Product risks
Product risks are risks related to inputs or production processes used in the development or use of specific products. For example, garment products with beading or embroidery hold a higher risk of informal employment and precarious work and phones and computers may contain components that are at risk of being mined from conflict areas.
We have developed a risk assessment template, which can be found under Templates process requirement 2.
There is no requirement to use our template.
Sources
When investigating risks, you should use your own or third-party employee surveys, grievance mechanisms, factory audits, health and safety inspections, environmental and social impact assessments, KYC processes and compliance systems. You should also request relevant information from risk suppliers where possible.
You should also analyse and integrate information from international organisations, civil society, national human rights institutions, governments, trade unions, industry associations, and the media.
What is meant by regularly?
Due diligence is a continuous process that requires regular review of risks of adverse impact. This means that you should analyse risks:
- Before starting a new activity or business relationship (e.g. mergers, acquisitions, new customers, countries and markets).
- Before major decisions or changes in operations are implemented (e.g. exits from business relationships).
- In response to or as a preventative measure against changes in the business or supply chain (e.g. increasing social tensions).
- Regularly, at least every 12 months, during the life cycle of the activity or business relationship.
The most effective way is to assess the impact as early as possible in the process to mitigate risks and take necessary measures in a timely manner.
Is this needed if you sell certified products?
The short answer is yes.
No certification is foolproof and it is crucial to understand the risks. Choosing certified products is primarily a risk reducing measure, but it does not replace the need to identify and assess adverse impacts. It is also important to be prepared if and when adverse impacts arise – especially if they are severe.

Identify & Assess Adverse Impacts
Do you want to learn how to identify and assess adverse impacts?
Spend 20 minutes on our training.

Suggested verifications
- Instructions describing how you examine risks of adverse impacts in your operations and supply chains. The document shall specify time intervals and circumstances for risk assessments.
- Risk assessments for the company’s own operations.
- Risk assessments for the supply chains of sample products.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it examines risks in its own operations, including:
- How the requirement for regularity is met, for example at least every 12 months and in the event of new activities or changes in the operations.
- How all risks of adverse impacts are identified and assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standard.
- How all relevant rights-holders are covered (affected communities, workers, the environment and society as a whole).
The company has instructions or equivalent documentation/templates that describe how it examines supply chain risks, including:
- How the requirement for regularity is met, for example at least every 12 months and in the event of new business relationships or changes in the supply chain.
- How all risks of adverse impacts are identified and assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standard.
- How all relevant rights-holders are covered (affected communities, workers, the environment and society as a whole).
- How all relevant tiers are included (final manufacturing, component manufacturing, smelting/refining and raw material extraction).
- How risk assessments are not based solely on indices and include both geographical, industry and product risks.
Risk assessments for the company’s own operations exist, based on relevant contexts and risk perspectives.
Risk assessments for the supply chains of sample products are available and they cover all commitments/ESRS, all relevant rights-holders, all relevant tiers – while not being based solely on indices and covering both geographical, industry and product risks.
Note that there is a difference between risk assessments—which include all risks, all rights holders and all stages—and supplier assessments.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it examines risks in its own operations, or they are incomplete:
- Risk assessments are not carried out regularly, for example annually and in the event of new activities or changes in the operations.
- Not all risks of adverse impacts are identified or assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standards.
- Not all relevant rights-holders are covered (affected communities, workers, the environment and/or society as a whole).
The company lacks instructions or equivalent documentation/templates that describe how it examines supply chain risks, or they are incomplete:
- Risk assessments are not carried out regularly, for example annually and in the event of new business relationships or changes in the supply chain.
- Not all risks of adverse impacts are identified or assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standards.
- Not all relevant rights-holders are covered (affected communities, workers, the environment and/or society as a whole).
- All relevant tiers are not included (final manufacturing, component manufacturing, smelting/refining and raw material extraction).
- Risk assessments are based solely on indices or do not include both geographical, industry and product risks.
Risk assessments for the company’s own operations are missing or incomplete, that is, they are not based on the context and/or relevant risks.
Risk assessments for the supply chains of sample products are completely absent or incomplete – for example, they do not cover all commitments/ESRS, all relevant rights-holders and/or all relevant tiers, or they are based solely on indices and/or fail to include geographical, industry and/or product risks.
d) Engage in meaningful consultations
You shall engage in meaningful consultations with rights-holders or their representatives and obtain information from credible and independent sources if consultations are not possible in the supply chains of risk suppliers.
Consultation can take place through, for example, dialogue with trade union representatives, meetings, surveys or hearings. The purpose is to understand how adverse impacts affect people in a specific context.
Consultation helps you understand whether rights holders’ perceptions of adverse impacts differ from yours or from each other’s. For example, changes to shift schedules may affect parents with caregiving responsibilities or religious people. Consultation demonstrates respect for their views and rights and contributes to trust and sustainable solutions.
During consultation, you need to take linguistic, cultural and gender-related barriers into account to ensure that no one is excluded. Rights holders may also have conflicting views, which can make these issues sensitive.
Our risk assessment template, available at Templates process requirement 2, includes space to document consultations or which credible and independent sources you have used. There is no requirement to use our template.
Meaningful consultations
The consultations you conduct shall be meaningful. This means that they shall be characterised by two-way communication and good faith of participants on both sides. It also means that the consultations shall be responsive and ongoing.
The four criteria are defined below.
| Two-way engagement means that both companies and rights-holders freely express opinions, share perspectives and listen to alternative viewpoints to reach a mutual understanding. It also means that relevant rights-holders have the opportunity to help design and carry out engagement activities themselves. |
| Both companies and rights-holders are expected to act in good faith in engagement activities. This means that companies engage with the genuine intention to understand how relevant rights-holders are affected by their activities. It also means that companies are prepared to address any adverse impacts they cause or contribute to, and that rights-holders honestly represent their interests, intentions and concerns. |
| Responsive engagement means that companies seek to inform their decisions by eliciting the views of those likely to be affected by the decision. It is important to engage potentially impacted rights-holders prior to taking any decision that may impact them. This involves the timely provision of all information needed by the potentially impacted rights-holders to be able to make an informed decision as to how the company’s decision could impact their interests. It also means there is following-through on implementation of agreed commitments, ensuring that adverse impacts to impacted and potentially impacted rights-holders are addressed including through provision of remedies when companies have caused or contributed to the impacts. |
| Ongoing engagement means that rights-holder engagement activities continue throughout the lifecycle of an operation or activity and are not a one-time endeavour. |
Rights-holders and their representatives
Rights-holders are individuals or groups who have specific rights in relation to specific duty-bearers. Under the Universal Declaration of Human Rights, all people are rights-holders. People should also be regarded as active participants in the realization of their rights, both directly and through their representatives.
Examples include:
| Rights-holder | Representative |
| Workers, including outsourced and informal workers | Employee representatives and trade unions, civil society organisations and non-governmental organisations |
| Affected communities at the local, regional or national level, including people living near or downstream from an operation, such as landowners, farmers and indigenous peoples | Community-based organisations, including religious and community leaders, environmental and human rights defenders, civil society organisations and non-governmental organisations |
Where there are many rights-holders, it is often more practical to consult with credible representatives. For example, in the case of a factory restructuring or closure, you can consult trade unions instead of individual workers.
In cases where adverse impacts affect large groups collectively – such as corruption or greenhouse gas emissions – it is not possible to consult all rights-holders directly. In such situations, it may be more appropriate to engage with civil society organisations or non-governmental organisations.
Consultations according to Swedish legislation
The Co-Determination in the Workplace Act contains requirements for information and negotiation with employee organisations prior to significant changes in operations.
The Work Environment Act contains requirements for cooperation between employers and employees in Chapter 6. These requirements are further specified in the Work Environment Authority’s provisions and general recommendations on systematic work environment management (AFS 2023:1).
The Discrimination Act contains requirements for cooperation within the framework of active measures in Chapter 3.
The Environmental Code contains requirements for consultation in Chapter 6. Anyone planning to carry out an activity or take a measure requiring a permit or a decision on admissibility must consult with individuals who may be particularly affected.
Alternatives to consultation
You shall always engage in meaningful consultation with rights-holders, or their representatives, in and around your own operations. In supply chains, however, such consultations can be difficult to carry out. In such cases, third-party audits based on interviews with workers can be a way of obtaining rights-holders’ perspectives.
You may also use credible and independent sources, such as reports from public authorities, academic institutions, civil society organisations, and non-governmental organisations.
You should also follow Swedish and international media as well as subscribe to the Business and Human Rights Centre’s newsletter.

Suggested verifications
- Instructions describing consultations with rights-holders in your own operations, how these fulfill the requirement for meaningful consultations, and how they are used as a basis for risk assessments.
- Instructions describing consultations with rights-holders in the supply chain.
- Worker surveys or minutes from meetings, hearings, and other consultation procedures for sample products.
- Risk assessments for the company’s own operations, including the consultations that form the basis of the assessment.
- Risk assessments for the supply chain of sample products, including any consultations and/or the sources used for the assessment.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in its own operations, including:
- How statutory consultations are applied under the Co-Determination in the Workplace Act, the Work Environment Act, the Discrimination Act and/or the Environmental Code.
- How consultations are characterized by two-way communication, responsiveness, good faith and continuity.
The company has instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in the supply chain, including:
- How meaningful consultations are also sought in the supply chain, for example through employee interviews during visits and audits or worker surveys.
- How information is obtained from credible and independent sources if direct consultations are not possible.
There is documentation that shows that consultations have been carried out in the company’s own operations, such as employee surveys or minutes of meetings from statutory consultations and/or hearings with affected communities, as well as evidence that these form the basis for risk assessments.
There is evidence showing that consultations have been carried out in the supply chains of sample products, such as employee interviews during audits, or that consultations have been replaced by credible and independent sources such as civil society, academia, authorities and the media – as well as evidence that the consultations/sources form the basis for risk assessments.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in its own operations, or they are incomplete:
- Statutory consultations are not applied under the Co-Determination in the Workplace Act, the Work Environment Act, the Discrimination Act and/or the Environmental Code.
- Consultations are not characterised by two-way communication, responsiveness, good faith and continuity.
The company lacks instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in the supply chain, or they are incomplete:
- Meaningful consultations, such as through worker interviews during visits and audits or worker surveys, are not sought.
- Information is not obtained from credible and independent sources if direct consultations are not possible.
There is no documentation showing that consultations have been carried out in the company’s own operations, such as employee surveys or minutes of meetings from statutory consultations and/or hearings with affected communities, or evidence that these have been used in risk assessments.
There is no evidence showing that consultations have been carried out in the supply chains of sample products, such as employee interviews during audits, or that consultations have been replaced by credible and independent sources such as civil society, academia, authorities or the media – or evidence that the consultations/sources have been used in risk assessments.
e) Pay attention to particularly vulnerable groups
You shall pay attention to adverse impact on individuals from groups and populations at heightened risk of vulnerability or marginalisation, including environmental and human rights defenders.
The purpose is to ensure that you do not contribute to or exacerbate such vulnerability or marginalisation.
The UN has developed rights for the following groups:
- Indigenous peoples
- Women
- National or ethnic, religious and linguistic minorities
- Children
- Persons with disabilities
- Migrant workers and their families
However, there are many more vulnerable groups, see for example Human Rights Measurement Initiative’s Rights Tracker.
By identifying vulnerable groups, you will be better prepared to address adverse impacts. It also makes it easier to prioritise the most significant risks based on likelihood and severity.
Our risk assessment template, available at Templates process requirement 2, includes support for identifying particularly vulnerable groups. There is no requirement to use our template.
Gender perspective
Below are some things to consider from a gender perspective:
| Do the activities take place in a context where women or girls are subject to widespread discrimination? | This may increase the risk of discrimination, harassment and unequal working conditions. |
| Do the activities significantly affect the local economy, environment, or access to land and livelihoods? | Women often have less access to land, resources and social protection and may therefore be disproportionately affected. |
| Do the activities take place in a conflict or post-conflict area? | Women and girls are often particularly vulnerable in conflict situations, including to sexual and gender-based violence. |
| Is it a sector where many women work, such as the garment industry, electronics or agriculture? | Female-dominated sectors are often associated with higher risks related to low wages, insecure employment and inadequate health and safety conditions. |
| Are there overlapping vulnerabilities related to, for example, gender, ethnicity, migration status, disability or level of education? | Overlapping vulnerabilities may increase the risk of adverse impacts and limit people’s ability to access support or make their voices heard. |
| Are workers in the informal economy part of the supply chain? | Women are overrepresented in parts of the informal economy where working conditions and protection of rights are often weaker. |
| Do the reports and assessments used take women’s perspectives and experiences into account? | It is important that women are able to participate in consultations and dialogues so that risks and impacts can be properly understood and addressed. |
Child perspective
Below are some things to consider from a child perspective:

Children as family members of workers
Do working conditions and circumstances enable women and men to be active parents?
- Living wage?
- Working hours?
- Provisions for pregnant and breastfeeding women?
- Parental leave?
- Support for migrant and seasonal workers to be parents remotely?
- Childcare?
- Healthcare?
- Good quality education?
Pay particular attention if the business is conducted in a context characterised by:
- High proportion of migrant workers
- Poverty and significant informal sector
- Restrictions on trade union rights

Children as labour
Are young workers above the minimum age protected from hazardous work?
- Restrictions on working hours?
- Restrictions on working at dangerous heights?
- Restrictions on the use of dangerous machinery, equipment and tools?
- Restrictions on the transport of heavy loads?
- Exposure to hazardous substances/processes?
- Exposure to night work?
- Exposure to work where the young worker is unreasonably confined to the employer’s premises?
Pay particular attention if the business is conducted in a context characterised by:
- School leaving age is not the same as minimum working age
- High incidence of child labour or young workers
- Low accessibility to and quality of schools as well as low proportion of enrolled students and low proportion of students who have completed schooling
- Large and mandatory internship programs that can be used to compensate for labour shortages
- High proportion of migrant workers
- Poverty and significant informal sector
- Restrictions on trade union rights

Children as members of communities
Does the activity include land acquisition and population displacement/removal?
- Has consultation been carried out with the population to identify and address adverse impacts on children?
- Have children’s rights to, among other things, education, protection, health, adequate food and water, adequate standard of living and participation been taken into account?
- Has free, prior and informed consent been obtained from indigenous peoples?
Does the activity involve private or public security forces?
- Is there a risk of children being recruited or used by security forces for security-related work, or for work related to food deliveries, logistics, administration, espionage?
- Is there a risk that children will come into contact with security forces, for example due to illegal intrusions or as witnesses to security forces’ violations?
- Is there a risk of children being subjected to abuse, threats and harassment by security forces?
Are the operations conducted in an area affected by disasters, conflicts or political instability?
- Is the business involved in hazardous activities that pose a higher risk of man-made disasters?
- Does the population include children who may be particularly vulnerable, such as children with disabilities, displaced children, migrant children, children separated from their families, or children from indigenous groups?
- Is there a risk that the activity supports warring factions or exacerbates discrimination or tensions by consulting or interacting more with one group than with others?
Does the activity contribute to extensive environmental impact?
- Is there a risk that children’s food security and health will be affected? The lack of clean water is a serious threat as waterborne diseases such as diarrhoea are a leading cause of death among children under 5.
- Children also absorb a higher proportion of pollutants than adults do.
Pay particular attention if the business is conducted in a context characterised by:
- Indigenous people
- Conflicts and political instability
- Rural and remote areas
- High crime rate
- State requirements to use public security forces
- Non-functioning criminal justice systems, including for children and young people
- Disasters (floods, droughts, earthquakes, cyclones)
- Food insecurity and malnutrition
- Poverty and significant informal sector

Environmental and human rights defenders
Environmental and human rights defenders are individuals or groups working to protect human rights or the environment. This may include, for example, Indigenous peoples, trade union representatives, journalists, land and environmental defenders, or anti-corruption activists.
Defenders may be exposed to:
- threats and death threats,
- violence and harassment,
- arbitrary detention,
- judicial harassment and so-called SLAPP lawsuits,
- disappearances and killings.
The Business & Human Rights Centre documented 790 attacks against human rights defenders linked to business-related impacts during 2025, including 53 killings.
When conducting risk assessments, you should therefore pay particular attention to:
- operations in conflict-affected or high-risk areas,
- impacts on Indigenous peoples and local communities,
- land rights and natural resources,
- conflicts linked to mining, agriculture, energy, or infrastructure projects,
- risks of reprisals against individuals raising complaints or criticism.
You may, among other sources, use:
- Civic Freedoms & HRD Data – Business and Human Rights Centre
- The Observatory For the Protection of Human Rights Defenders

Suggested verifications
- Instructions describing how you identify particularly vulnerable groups.
- Risk assessment for the company’s own operations, including information on particularly vulnerable groups.
- Risk assessment for the supply chains of sample products, including information on particularly vulnerable groups.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in risk assessments for its own operations.
The company has instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in supply chain risk assessments.
Particularly vulnerable groups have been identified in risk assessments for the company’s own operations.
Particularly vulnerable groups have been identified in supply chain risk assessments of sample products.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in risk assessments for its own operations.
The company lacks instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in supply chain risk assessments.
Particularly vulnerable groups have not been identified in risk assessments for the company’s own operations.
Particularly vulnerable groups have not been identified in supply chain risk assessments of sample products.
f) Prioritise based on likelihood and severity
You shall prioritise the most significant risks based on likelihood and severity.
There is no hierarchy within human rights – human rights are interconnected, interdependent and indivisible. At the same time, it is often impossible to address all adverse impacts simultaneously. Prioritisation is therefore necessary.
Where an adverse impact has already occurred, meaning it is actual, severity determines the prioritisation. In the case of potential adverse impact, both likelihood and severity need to be considered.
Upstream in supply chains, information is often limited and traceability low, which can make it difficult to determine whether an impact is actual or potential. In such cases, it is often relevant to take likelihood into account.
If an impact has a low likelihood but high severity, severity takes precedence. The focus needs to be on the impacts causing the greatest harm, such as risk of loss of life, even where the likelihood is assessed as low.
Severity shall be assessed based on the adverse impact’s:
- Scale, which refers to the gravity of the adverse impact.
- Scope, which concerns the reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
- Irremediable character, which means any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Examples of scale, scope and irremediable character
The table is from pp. 43-44 of the OECD Due Diligence Guidance for Responsible Business Conduct.
| | Scale | Scope | Irremediable character |
| Human rights | • Extent of infringement of access to basic life necessities or freedoms (e.g. education, livelihood, etc.) | • Number of people impacted • % of identifiable groups of people impacted | • The extent to which the impact can be rectified (e.g. through compensation or restitution) • Whether the people affected can be restored to their exercise of the right in question |
| Workers’ rights | • Extent of impact on workers’ health or safety • Whether the violation concerns a fundamental right at work | • Number of workers/employees impacted • Extent to which impacts are systemic (e.g. to a particular geography, industry or sub-sector) • Extent to which some groups are disproportionately affected by the impacts (e.g. minorities, women, etc.) | • Extent to which the impact can be rectified (e.g. through compensation, reinstatement, etc.) • Whether the workers affected can be restored to the prior enjoyment of the right in question • The extent to which the intimidation of workers for forming or joining a trade union will effectively deny workers the right to representation |
| The environment | • Extent of impact on human health • Extent of changes in species composition • Water use intensity (% use of total available resources) • Degree of waste and chemical generation (tons; % of generation) | • Geographic reach of the impact • Number of species impacted | • Degree to which rehabilitation of the natural site is possible or practicable • The length of time remediation would take |
| Business ethics | • Monetary amount of the bribe • Loss of life or severe bodily harm caused by bribery • Criminal nature of the bribe • Extent of impact on markets, people, environment and society due to decisions made based on bribery • Size of the profit gained from the bribery | • Frequency at which bribes are paid • Geographic spread of bribery • Number and/or level of officials, employees or agents engaged in bribery • Extent of activities linked with bribery • Number of identifiable groups impacted by decisions based on bribery | • Extent of damage to society due to loss of public funds • Extent to which activities undertaken and enabled by bribery will lead to irremediable adverse impacts |
Severity is not an absolute concept and must be assessed in relation to other adverse impacts in each individual case.
Particularly vulnerable groups are often more affected, which should be taken into account when prioritising risks.
Our supply chain risk assessment template, available at Templates process requirement 2, provides support for prioritising risks. There is no requirement to use our template.
Once the most severe risks have been addressed, the work needs to continue progressively with the remaining risks.

Suggested verifications
- Instructions describing the prioritisation based on likelihood and severity.
- Risk assessments for the company’s own operations, including prioritisations based on likelihood and severity.
- Risk assessments for the supply chains of sample products, including prioritisations based on likelihood and severity.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it prioritises risks based on likelihood and severity, including how severity is assessed based on:
- Scale: gravity of the adverse impact.
- Scope: reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
- Irremediable character: any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Risks in the company’s own operations have been prioritised based on likelihood and severity.
Risks in the supply chains of sample products have been prioritised based on likelihood and severity.
Note that likelihood and severity are not the same as likelihood and consequence. Due diligence focuses on adverse impacts on people, the environment and society, not on risks to the company. These risk assessments also differ from the double materiality analyses carried out under the CSRD, where both the impact on the operating environment and the impact on the company’s earnings are taken into account.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it prioritises risks based on likelihood and severity, or they are incomplete. That is, severity is not assessed based on:
- Scale: gravity of the adverse impact.
- Scope: reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
- Irremediable character: any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Risks in the company’s own operations have not been prioritised based on likelihood and severity.
Risks in the supply chains of sample products have not been prioritised based on likelihood and severity.
