On January 30, 2024, the European Union released the final draft of the Corporate Sustainability Due Diligence Directive, or CSDDD, legislation that was first introduced by the European Parliament in February 2022 to address environmental, social, and governance (ESG) standards within companies and in their supply chains. If adopted, the law will go into effect in phases starting in 2027.
Because of its requirements to assess the ESG practices of supply chain partners, any organization that does business in the EU should be prepared to establish or improve its supply chain due diligence program.
This post examines the proposed law’s requirements, applicability, and penalties, and suggests best practices to prepare for its implementation.
The CSDDD outlines specific obligations for companies to perform due diligence on their operations and supply chains to identify, prevent, mitigate, and account for adverse impacts on the environment, labor, and human rights. The law is related to the Corporate Sustainability Reporting Directive (CSRD), which lays out specific ESG reporting requirements, including those that arise from a company's supply chain, as part of its regular company disclosures.
The CSDDD includes eight due diligence obligations.
Companies are required to integrate due diligence into their corporate policies (see Amendment 85, Article 5). This involves defining and adopting a due diligence policy that outlines the company's approach to identifying and addressing adverse impacts on human rights and the environment.
Organizations must proactively identify actual and potential adverse impacts on human rights and the environment in their own operations, their subsidiaries, and throughout their value chains (see Amendment 40, Recital 30). This includes both direct and indirect business relationships.
Upon identifying adverse impacts, companies are obligated to prevent potential impacts from materializing and to mitigate actual impacts (see Amendment 45, Recital 34). This involves taking appropriate actions and measures, which could include adjusting operations, engaging with suppliers or business partners, or implementing corrective action plans.
If adverse impacts occur, companies must account for how they address these impacts and, where necessary, provide for or cooperate in the remediation process. This includes ensuring that remediation is accessible to affected parties and is aligned with international standards.
Companies need to establish or participate in a grievance mechanism that is accessible to individuals and communities who may be impacted by the company's activities. This mechanism should allow for the submission of complaints regarding non-compliance with the company's due diligence obligations.
Organizations should monitor the ongoing effectiveness of due diligence measures and actions taken to address adverse impacts. This involves regular assessment and adaptation of strategies and measures in response to findings.
Companies are required to publicly report on their due diligence policies, processes, and findings (see Amendment 92, Article 11). This includes disclosing how they identify and address adverse impacts, as well as the outcomes of their due diligence efforts.
For relationships in the supply chain that pose a high risk of adverse impacts, companies must take additional steps. This could involve deeper engagement with affected stakeholders, conducting more detailed assessments, and collaborating with other entities to address systemic issues.
The directive emphasizes a continuous and proactive approach to due diligence, requiring companies to not only assess and address risks once but to monitor and adapt their strategies over time.
Once passed, the CSDDD legislation will apply to EU companies and parent companies with over 500 employees and a worldwide turnover higher than 150 million euros. The obligations will also apply to companies with over 250 employees and a turnover of more than 40 million euros if at least 20 million euros are generated in one of the following sectors: manufacturing and wholesale trade of textiles, clothing, and footwear; agriculture, including forestry and fisheries; manufacture of food and trade of raw agricultural materials; extraction and wholesale trade of mineral resources or manufacture of related products; and construction. Implementation will be phased in over three years based on turnover and company size, with implementation ending in 2029.
Companies can be held legally responsible if they fail to adequately identify, prevent, mitigate, or end actual or potential adverse impacts on human rights and the environment, and this failure leads to harm. However, the CSDDD leaves the individual EU Member States responsible for establishing penalties for non-compliance with the directive's obligations according to their legal frameworks and traditions.
In general, penalties for non-compliance must be effective, proportionate to the severity of the non-compliance, and dissuasive enough to prevent future violations. Penalties can include fines of up to 5% of a company's net worldwide turnover, orders to cease the non-compliant behavior or other administrative sanctions, and public disclosure (e.g., "naming and shaming") that can harm a company's reputation.
Organizations can start preparing today to meet the obligations of the CSDDD even before it fully comes into force. Early preparation will not only help ensure compliance but also facilitate a smoother transition to the new requirements. Here are seven steps organizations can take now.
Build a cross-functional team of key stakeholders responsible for supply chain operations, procurement, compliance, and meeting legal obligations. This team should evaluate your company's current supply chain due diligence processes, sustainability initiatives, and compliance mechanisms, identifying gaps between current internal practices and the requirements outlined in the directive. The evaluation should result in revised internal policies, codes of conduct, and procedures for sourcing, selecting, and continuously evaluating suppliers, as well as for offboarding suppliers that fail to address risks. Ensure that these policies are clearly communicated and accessible to all supply chain partners.
Since the directive applies to the entire supply chain, ensure that all supplier and business partner contracts include enforceable language for conducting due diligence, remediating findings according to agreed-upon service levels, and reporting. This may involve revising contracts, conducting joint assessments, and providing support or training to suppliers.
Based on Step 1, develop a comprehensive supply chain due diligence strategy (or revise your existing one) that aligns with the directive's requirements and your organization's third-party risk management or broader enterprise risk management programs. This strategy should cover human rights, environmental impacts, and governance aspects throughout your supply chain, as well as other risk types such as data breach risks, financial failures, and operational disruptions.
Start by conducting an inherent risk assessment to profile and tier all suppliers according to the impact that a supply chain disruption or negative due diligence finding could have on your business's operations. The results of this inherent risk assessment will categorize suppliers and expose potential problems that can dictate further diligence.
Implement or enhance risk management systems to identify, assess, and mitigate adverse impacts on human rights and the environment. Leverage a central platform for managing suppliers and regular risk assessments. Look for solutions that include many pre-built assessment templates that will enable your team to flexibly evaluate the ESG practices of your supply chain partners. A central platform should also include data collection, evidence management, and workflow-based routing rules and tasks for issue escalation based on answers.
Suggest specific remediations for risks that exceed the organization’s risk appetite and use contractual obligations to enforce them. Supplier risk management platforms offer built-in remediation guidance for all questions and possible risks, improving efficiency and reducing the time required to meet risk reduction requirements.
Prepare to meet the directive's transparency and reporting requirements by developing a framework for public reporting on your due diligence processes, findings, and actions taken to address adverse impacts. Common ESG domains to structure reporting around include community; CSR strategy; emissions; human rights; management; product responsibility; resource use; shareholders; and workforce protections.
To accomplish this, many organizations select a common framework for ESG reporting such as:
The results of this reporting can be directly mapped to CSDDD requirements using a central risk management platform.
Assessments are essential for gaining an insider's view into a company's ESG practices. However, a lot can happen between annual report submissions. That's why it is important to validate regular due diligence assessment results with continuous insights into reputational information, adverse media and negative news, regulatory and legal actions, sanctions, and more. You can then correlate continuous monitoring intelligence with assessment results to validate findings and suggest any further required remediations. Consolidate these different sources of intelligence under a single view so that you maximize your due diligence efforts and can share this information with internal stakeholders.
By taking proactive steps to align your operations and supply chains with the principles of the CSDDD, your organization not only prepares for compliance but also positions itself as a leader in corporate sustainability and responsibility.
The Prevalent Third-Party Risk Management Platform enables you to address supply chain risks by automating survey-based assessments of supplier ESG practices and validating the results with continuous external monitoring of their real-world practices. With Prevalent, you can:
For more on how Prevalent can help mitigate ESG risks in your supply chain to address the requirements in CSDDD, contact us today to schedule a personalized demonstration.