Process requirement 2
Excerpt from the contract clause
Supplier shall identify and assess actual and potential adverse impacts, by
a) identifying risk suppliers,
b) mapping the supply chains of risk suppliers,
c) regularly examining the risks of adverse impacts in its own operations and in the supply chains of risk suppliers,
d) engaging in meaningful consultations with rights-holders or their representatives and obtaining information from credible and independent sources if consultations are not possible in the supply chains of risk suppliers,
e) paying attention to adverse impact on individuals from groups and populations that are at heightened risk of vulnerability or marginalisation, including environmental and human rights defenders and
f) prioritising the most significant risks based on likelihood and severity.
Identifying risk suppliers
You shall identify risk suppliers.
Below you will find our definition of risk suppliers, which takes into account risks to people, the environment and society across the supply chain. As you can see, this definition is similar to definitions of prioritised purchasing categories, which usually also takes into account spend.
"Risk suppliers are first tier suppliers prioritised for further assessment on the basis of their supply chains’ risk profiles and not on the strength of their relationship with the supplier. The categorization shall be based on the entire supply chain’s operating context (e.g. presence of conflict or vulnerable groups, weak rule of law, high rates of corruption), the operations, products or services involved (e.g. high employment of informal work, use of hazardous chemicals, use of heavy machinery), or other relevant considerations."
If you can show that you identify prioritised purchasing categories based on a definition that is similar to our definition of risk suppliers, as well as spend, this is sufficient to meet the requirement.
The relevant considerations for identifying risk suppliers vary across industries. We have developed a template, which can be found below under Templates process requirement 2. Using this template is not mandatory. You may demonstrate compliance with the requirement in other ways.
-
Instructions describing the identification of risk suppliers or prioritised purchasing categories.
-
Identification of risk suppliers for sample products
Guidance for auditor
Fulfils requirement
There are instructions or equivalent documentation/templates describing how risk suppliers/prioritised purchasing categories are identified, including:
-
How the identification is based on the supply chain’s risk profile, and not solely on the strength of the relationship with the supplier.
-
How the assessment takes into account the entire operational context of the supply chain (e.g. presence of conflict or vulnerable groups, weak rule of law, high levels of corruption) and risks related to operations, products, or services (e.g. extensive use of informal labour, hazardous chemicals, or heavy machinery). The use of indexes is accepted here.
If the supplier has a process for identifying risk suppliers/prioritised purchasing categories that meets the above requirements, this shall be accepted even if an individual sample product falls outside the prioritisation. In such cases, a new sample product shall be selected that is included in the supplier’s prioritisation.
Does not fulfil requirement
There are no instructions or equivalent documentation/templates describing how risk suppliers/prioritised purchasing categories are identified, or such documentation is incomplete. Deficiencies may include:
-
The identification of risk suppliers/prioritised purchasing categories is based on the strength of the relationship rather than the risk profile of the supply chain.
-
The assessment does not take into account the operational context across the supply chain (e.g. presence of conflicts, vulnerable groups, weak rule of law, or high levels of corruption), or risks related to activities, products, or services (e.g. informal labour, hazardous chemicals, heavy machinery). No or very few indexes are used.
Mapping the supply chains
You shall map the supply chains for risk suppliers.
Mapping supply chains differs from tracing them, as tracing requires information that many suppliers lack. However, you should be aware of the countries where final manufacturing takes place and be able to make a broad assessment of where component manufacturing occurs, where smelters and refiners are located (if relevant to the supply chain), and where raw material extraction takes place.
This assessment is often based on assumptions, especially for raw materials. A useful source is the U.S. Geological Survey’s Mineral Commodity Summaries, which estimates global mining production and reserves for over 90 minerals. You can also use the European Commission’s Raw Materials Information System. Search engines, as well as AI tools, can also assist in mapping efforts.
We have developed a mapping template, available below under Templates process requirement 2. Using this template is not mandatory. You can demonstrate compliance in other ways. Aso remember to update your mappings when you get more information about your supply chains over time.
A free tool for increasing transparency in your supply chains is Open Supply Hub. There, you can upload your suppliers and sub-suppliers. You can also embed the map on your website.
-
Supply chain mappings (Excel spreadsheets, Word documents, etc.), for sample products.
-
Printouts of digital supply chain trackings, for sample products.
Guidance for auditor
Fulfils requirement
There are instructions or equivalent documentation/templates describing how supply chains for risk suppliers/prioritised purchasing categories are mapped.
The supply chains for sample products have been mapped and documented using, for example, Excel files, Word documents, or digital tools.
-
There is information on the countries where final production takes place, and at least a general assessment of where component manufacturing, smelting/refining, and raw material extraction occur (if relevant).
-
Assumptions and sources used can be accounted for.
-
Does not fulfil requirement
There is no instruction or equivalent documentation/templates describing how supply chains for risk suppliers/prioritised purchasing categories are mapped.
The supply chains for sample products have not been mapped, or documentation such as Excel files, Word documents, or digital tools is missing.
-
There is no information on the countries where final production takes place and/or no general assessment of where component manufacturing, smelting/refining, and raw material extraction occur (if relevant).
-
Assumptions and sources used cannot be accounted for.
Examining the risks of adverse impacts
You shall regularly investigate the risks of adverse impacts in your own operations and in the supply chains of risk suppliers.
Many risk assessments for your own operations are already conducted in accordance with national legislation, such as the Work Environment Act, the Discrimination Act, and the Environmental Code. However, the responsibilities differ—HR and environmental experts primarily manage risks within your operations, while sustainability and purchasing specialists often focus on supply chain risks.
When examining risks in the supply chains of risk suppliers, the assessment shall cover all types of adverse impact as described in the Supplier Code of Conduct or an equivalent standard, such as the European Sustainability Reporting Standards. However, this standard does not include the Code of Conduct’s provisions on anti-competitive behaviour and taxation, which means you need to add them separately. You shall also ensure that all relevant rights-holders are covered by the assessment – including affected communities, workers, the environment, and society as a whole.
The supply chain tiers you have mapped (final production, component manufacturing, smelting and refining, and raw material extraction) shall be included in the risk assessment. It is possible to either:
-
conduct a consolidated assessment of adverse impact across the entire supply chain, or
-
conduct separate assessments for each tier.
The assessment shall not rely solely on indexes – you need to use qualitative and contextual sources. If forced labour is the most significant risk, this shall be clearly stated so that appropriate actions can be taken. Make sure to also consider both geographic risks, sector risks, and product risks.
Geographic risks
Geographic risks are conditions in a particular country which may make sector risks more likely. Geographic risk factors can generally be classified as those related to the regulatory framework (e.g. alignment with international conventions), governance (e.g. strength of inspectorates, rule of law, level of corruption), socio-economic context (e.g. poverty and education rates, vulnerability and discrimination of specific populations) and political context (e.g. presence of conflict).
Sector risks
Sector risks are risks that are prevalent within a sector globally as a result of the characteristics of the sector, its activities, its products and production processes. For example, the extractive sector is often associated with risks related to a large environmental footprint and impacts on local communities. In the garment and footwear sector, risks associated with respect for trade union rights, occupational health and safety and low wages are prevalent, amongst others.
Product risks
Product risks are risks related to inputs or production processes used in the development or use of specific products. For example, garment products with beading or embroidery hold a higher risk of informal employment and precarious work and phones and computers may contain components that are at risk of being mined from conflict areas.
We have developed a risk assessment template, which can be found below under Templates process requirement 2. Using this template is not mandatory. You can demonstrate compliance in other ways.
-
Instructions describing how you examine risks of adverse impacts in your operations and supply chains. The document shall specify time intervals and circumstances for risk assessments.
-
Risk assessments for the company's own operations.
-
Risk assessments for the supply chains of sample products.
Guidance for auditor
Fulfils requirement
There are instructions or equivalent documentation/templates describing how risks are assessed in the company’s own operations and in the supply chains of risk suppliers/prioritised purchasing categories, including:
-
How the requirement for regularity is fulfilled — for example, at least every 12 months and in connection with events such as new activities or business relationships, or changes in the company or supply chain.
-
How all risks of adverse impacts are identified and assessed, for example based on the commitments in the Supplier Code of Conduct, the European Sustainability Reporting Standards, or an equivalent list.
-
How all relevant rights-holders are covered, including affected communities, workers, the environment, and society as a whole.
-
How all relevant tiers (final production, component manufacturing, smelting/refining, and raw material extraction), in accordance with previous mappings, are included in supply chain risk assessments.
-
How supply chain risk assessments are not based solely on indexes, and include both geographic risks, sector risks, and product risks.
There are documented risk assessments for sample products:
-
Own operations: At a minimum covering occupational health and safety, discrimination, and the environment if the supplier is subject to legal requirements. Risk assessments may also exist due to certifications or sector-specific regulations, including those related to corruption.
-
Supply chain: Risk assessments that cover all risks of adverse impacts, all relevant rights-holders, and all relevant tiers, and are based on geographic risks, sector risks, and product risks — not solely on indexes.
Note that there is a difference between risk assessments — which cover all risks, all rights-holders and all tiers — and supplier assessments.
Does not fulfil requirement
There are no instructions or equivalent documentation/templates describing how risks are assessed in the company’s own operations and in the supply chains of risk suppliers/prioritised purchasing categories, or such documentation is incomplete. Deficiencies may include:
-
There is no indication that risk assessments are conducted regularly, for example annually and in connection with events such as new activities or business relationships, or changes in the company or supply chain.
-
The lists of risks of adverse impacts that are assessed are not aligned with the Supplier Code of Conduct, the European Sustainability Reporting Standards, or an equivalent standard.
-
The risk assessments do not cover all relevant rights-holders – affected communities, workers, the environment, and/or society as a whole.
-
The supply chain risk assessments do not cover all relevant tiers (final manufacturing, component manufacturing, smelting/refining, and raw material extraction) as identified in previous mappings.
-
The supply chain risk assessments are based solely on indexes or do not cover both geographic risks, sector risks, and product risks.
There are no documented risk assessments for the sample products, or they are incomplete:
-
Own operations: Risk assessments are entirely missing or do not cover occupational health and safety, discrimination, and the environment – despite the company being subject to legal requirements. Risks related to corruption/business ethics are not documented, despite sector-specific regulations or certifications.
-
Supply chain: Risk assessments are entirely missing or do not cover all risks of adverse impacts, all relevant rights-holders, and/or all relevant tiers, or they are based solely on indexes rather than including geographic risks, sector risks, and product risks.
Engaging in meaningful consultations
You shall engage in meaningful consultations with rights-holders or their representatives and obtain information from credible and independent sources if consultations are not possible in the supply chains of risk suppliers.
Consultations can take place through social dialogue, surveys, meetings, hearings, or other methods. The purpose is to understand how a specific impact affects individuals in a given context.
Engaging in meaningful consultations with rights-holders or their representatives helps you determine whether their perceptions of adverse impacts differ from each other or from your own. For example, changes in shift schedules may affect parents with childcare responsibilities or religious people. Through consultation, you demonstrate respect for their perspectives and rights, which builds trust and promotes sustainable solutions.
Consultations require special consideration of linguistic, cultural, and gender-related barriers to ensure that no one is excluded. Additionally, rights-holders may have conflicting opinions, making certain issues sensitive.
In the risk assessment template we have developed, available below under Templates process requirement 2, you shall note down your consultations and the sources you have used.
-
Instructions describing consultations with rights-holders in your own operations, how these fulfill the requirement for meaningful consultations, and how they are used as a basis for risk assessments.
-
Instructions describing consultations with rights-holders in the supply chain.
-
Meeting minutes from social dialogue, hearings, and other consultation procedures for sample products.
-
Results from worker voice programs and/or surveys related to sample products.
-
Risk assessments for the company’s own operations, including the consultations that form the basis of the assessment.
-
Risk assessments for the supply chain of sample products, including any consultations and/or the sources used for the assessment.
Guidance for auditor
Fulfils requirement
There are instructions or equivalent documentation/templates describing how consultations with rights-holders or their representatives are carried out in the company’s own operations and in the supply chains, including:
-
How statutory consultations are applied in the operations, for example in accordance with the Work Environment Act, the Discrimination Act, and the Environmental Code.
-
How social dialogue is applied in the operations (tripartite/bipartite process; formal/informal; at national, regional, or company level).
-
How consultations are characterised as meaningful, that is, marked by two-way engagement, responsiveness, good faith, and ongoing.
-
How meaningful consultations are also sought in the supply chain, for example through interviews with workers during visits and audits or worker voice programs, and how information is obtained from credible and independent sources if direct consultations are not possible.
There is supporting documentation showing that consultations have been carried out at least within the company’s own operations and, and if direct consultations are not possible replaced with credible and independent sources in the supply chain for sample products, for example:
-
Employee surveys or meeting minutes from statutory consultations and social dialogue, as well as hearings with affected communities, which also inform the risk assessments in the company’s own operations.
-
Source references in supply chain risk assessments for sample products, such as interviews conducted during visits or audits and worker voice programs, or credible and independent sources from, for example, civil society, academia, authorities, and the media.
-
Does not fulfil requirement
If risk assessments are missing or contain critical deficiencies, this shall also affect the assessment of meaningful consultations.
There are no instructions or equivalent documentation/templates describing how consultations with rights-holders or their representatives are carried out in the company’s own operations and/or in the supply chains, or such documentation is incomplete. Deficiencies may include:
-
Statutory consultations are not applied in the operations, for example in accordance with the Work Environment Act, the Discrimination Act, or the Environmental Code.
-
Social dialogue is not applied in the operations (tripartite/bipartite process; formal/informal; at national, regional, or company level).
-
There is no information indicating that consultations are meaningful — based on two-way engagements, responsiveness, good faith, and continuity.
-
There is no information indicating that meaningful consultations are also sought in the supply chain, for example through interviews with workers during visits and audits or worker voice programs, and that information is obtained from credible and independent sources if direct consultations are not possible.
There is no supporting documentation showing that consultations have been carried out at least within the company’s own operations, and if direct consultations are not possible, replaced with credible and independent sources in the supply chain for sample products, for example:
-
Own operations: Employee surveys/meeting minutes from statutory consultations and social dialogue, and hearings with affected communities.
-
Supply chain: Source references in supply chain risk assessments for sample products, such as interviews conducted during vistis and audits and worker voice programs, or credible and independent sources from, for example, civil society, academia, authorities, and the media.
Paying attention to particularly vulnerable groups
You shall pay attention to adverse impact on individuals from groups and populations at heightened risk of vulnerability or marginalisation, including environmental and human rights defenders. The purpose is to ensure that you do not contribute to or exacerbate such vulnerability or marginalisation.
The UN has developed rights for the following groups:
Indigenous peoples
Children
Women
Persons with disabilities
National or ethnic, religious and linguistic minorities
Migrant workers and their families
In situations of armed conflict, you shall also respect the norms of international humanitarian law.
What does "pay attention to" mean? When identifying risks, consider whether they affect groups with increased vulnerability or marginalisation. If there is a risk of land grabbing and indigenous peoples live on the land, this should be acknowledged. If there is a risk of debt bondage, a form of forced labour, migrant workers are a particularly vulnerable group. If there is a risk freedom of expression may be restricted, environmental and human rights defenders could be particularly exposed.
By identifying vulnerable groups, you will be better prepared for dialogue with risk suppliers and for managing adverse impacts in the supply chain. The analysis also makes it easier to prioritise the most significant risks based on likelihood and severity, as vulnerable groups are often the most affected.
In the risk assessment template we have developed, available below under Templates process requirement 2, you will find guidance on paying attention to particularly vulnerable groups.
-
Instructions describing how you identify particularly vulnerable groups.
-
Risk assessment for the company's own operations, including information on particularly vulnerable groups.
-
Risk assessment for the supply chains of sample products, including information on particularly vulnerable groups.
Guidance for auditor
Fulfils requirement
There are instructions or equivalent documentation/templates describing how particularly vulnerable groups — such as indigenous peoples, women, national or ethnic, religious and linguistic minorities, children, persons with disabilities, or migrant workers and their families — are taken into account.
Particularly vulnerable groups have been identified in risk assessments for the company’s own operations.
Particularly vulnerable groups have been identified in supply chain risk assessments for sample products.
Does not fulfil requirement
If risk assessments are missing or contain critical deficiencies, this shall also affect the assessment of particularly vulnerable groups.
There are no instructions or equivalent documentation/templates describing how particularly vulnerable groups — such as indigenous peoples, women, national or ethnic, religious and linguistic minorities, children, persons with disabilities, or migrant workers and their families — are taken into account.
Particularly vulnerable groups have not been identified in risk assessments for the company’s own operations.
Particularly vulnerable groups have not been identified in supply chain risk assessments for sample products.
Prioritise risks based on likelihood and severity
You shall prioritise the most significant risks based on likelihood and severity.
There is no hierarchy within international human rights law—human rights are interrelated, interdependent, and indivisible. However, it is often impossible to address all adverse impacts at the same time, which requires prioritisation based on likelihood and severity.
Standard risk assessment methods weigh likelihood and severity equally. However, if an impact has low likelihood but high severity, severity becomes the determining factor. The focus should be on the impact that causes the greatest harm, such as the risk of loss of life, even if the likelihood is low.
Severity shall be assessed based on the adverse impact’s:
-
Scale, which refers to the gravity of the adverse impact.
-
Scope, which concerns the reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
-
Irremediable character, which means any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Severity is not an absolute concept but must be assessed in relation to other adverse impacts in each individual case. Particularly vulnerable groups are often severely affected, making it important to consider them when prioritising the most significant risks. Once these have been addressed, work should continue with the next most severe risks and then progressively with the others.
In the risk assessment template we have developed, available below under Templates process requirement 2, you will find guidance on prioritising risks based on likelihood and severity.
-
Instructions describing the prioritisation based on likelihood and severity.
-
Risk assessments for the company's own operations, including prioritisations based on likelihood and severity.
-
Risk assessments for the supply chains of sample products, including prioritisations based on likelihood and severity.
Guidance for auditor
Fulfils requirement
There are instructions or equivalent documentation/templates describing how risks are prioritised based on likelihood and severity, including:
-
How severity is assessed based on:
-
Scale: gravity of the adverse impact.
-
Scope: reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
-
Irremediable character: any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
In the risk assessments for the company’s own operations, the risks have been prioritised based on likelihood and severity.
In the supply chain risk assessments for sample products, the risks have been prioritised based on likelihood and severity.
Likelihood and severity are not the same as likelihood and consequence. Due diligence is about adverse impacts on people, the environment, and society – not about risks to the company.
Nor are these risk assessments the same as the double materiality analyses conducted for sustainability reporting, which take into account both impact materiality and financial materiality.
Does not fulfil requirement
If risk assessments are missing or contain critical deficiencies, this shall also affect the assessment of prioritisation based on likelihood and severity.
There are no instructions or equivalent documentation/templates describing how risks are prioritised based on likelihood and severity, or such documentation is incomplete. This means that severity is not assessed based on:
-
Scale: gravity of the adverse impact.
-
Scope: reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
-
Irremediable character: any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
In the risk assessments for the company’s own operations, the risks have not been prioritised based on likelihood and severity.
In the supply chain risk assessments for sample products, the risks have not been prioritised based on likelihood and severity.
