Process requirement 2
Excerpt from the contract clause
Supplier shall identify and assess actual and potential adverse impacts, by
a) identifying risk suppliers,
b) mapping the supply chains of risk suppliers,
c) regularly examining the risks of adverse impacts in its own operations and in the supply chains of risk suppliers,
d) engaging in meaningful consultations with rights-holders or their representatives and obtaining information from credible and independent sources if consultations are not possible in the supply chains of risk suppliers,
e) paying attention to adverse impact on individuals from groups and populations that are at heightened risk of vulnerability or marginalisation, including environmental and human rights defenders and
f) prioritising the most significant risks based on likelihood and severity.
Identifying risk suppliers
You shall identify risk suppliers.
Below you will find our definition of risk suppliers, which takes into account risks to people, the environment and society across the supply chain. As you can see, this definition is similar to definitions of prioritised purchasing categories, which usually also takes into account spend.
"Risk suppliers are first tier suppliers prioritised for further assessment on the basis of their supply chains’ risk profiles and not on the strength of their relationship with the supplier. The categorization shall be based on the entire supply chain’s operating context (e.g. presence of conflict or vulnerable groups, weak rule of law, high rates of corruption), the operations, products or services involved (e.g. high employment of informal work, use of hazardous chemicals, use of heavy machinery), or other relevant considerations."
If you can show that you identify prioritised purchasing categories based on a definition that is similar to our definition of risk suppliers, as well as spend, this is sufficient to meet the requirement.
The relevant considerations for identifying risk suppliers vary across industries. We have developed a template, which can be found below under Templates process requirement 2. Using this template is not mandatory. You may demonstrate compliance with the requirement in other ways.
-
Instructions describing the identification of risk suppliers or prioritised purchasing categories.
-
Identification of risk suppliers for sample products
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it identifies risk suppliers/prioritised purchasing categories, including:
-
How the identification is based on the risk profile of the supply chain, not just the strength of the relationship with the supplier.
-
How the assessment takes into account the operational context of the entire supply chain (e.g. presence of conflicts or vulnerable groups, weak rule of law, high levels of corruption) and risks related to operations, products or services (e.g. high use of informal work, hazardous chemicals or heavy machinery). Indexes are accepted here.
Note that if the company has a process for identifying risk suppliers/prioritised purchasing categories that meet the above requirements, this shall be accepted even if a sample products falls outside the prioritisation. In such cases, a new sample product shall be selected which is covered by the company’s prioritisation.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it identifies risk suppliers/prioritised purchasing categories, or they are incomplete:
-
Identification is based on the strength of the relationship rather than the risk profile of the supply chain.
-
The assessment does not take into account the operational context of the entire supply chain (e.g. presence of conflicts, vulnerable groups, weak rule of law or high levels of corruption) or risks related to operations, products or services (e.g. informal work, hazardous chemicals, heavy machinery). No or few indexes are used.
Mapping the supply chains
You shall map the supply chains for risk suppliers.
Mapping supply chains differs from tracing them, as tracing requires information that many suppliers lack. However, you should be aware of the countries where final manufacturing takes place and be able to make a broad assessment of where component manufacturing occurs, where smelters and refiners are located (if relevant to the supply chain), and where raw material extraction takes place.
This assessment is often based on assumptions, especially for raw materials. A useful source is the U.S. Geological Survey’s Mineral Commodity Summaries, which estimates global mining production and reserves for over 90 minerals. You can also use the European Commission’s Raw Materials Information System. Search engines, as well as AI tools, can also assist in mapping efforts.
We have developed a mapping template, available below under Templates process requirement 2. Using this template is not mandatory. You can demonstrate compliance in other ways. Aso remember to update your mappings when you get more information about your supply chains over time.
A free tool for increasing transparency in your supply chains is Open Supply Hub. There, you can upload your suppliers and sub-suppliers. You can also embed the map on your website.
-
Supply chain mappings (Excel spreadsheets, Word documents, etc.), for sample products.
-
Printouts of digital supply chain trackings, for sample products.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it maps supply chains for risk suppliers/prioritised purchasing categories.
Supply chain mappings for sample products are available, including:
-
Excel files, Word documents or digital tools or similar.
-
Confirmed information on countries for final manufacturing and at least an overall assessment of countries for component manufacturing, smelting/refining and raw material extraction.
-
The assumptions and sources that have been used for the mapping.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it maps supply chains for risk suppliers/prioritised purchasing categories.
Supply chain mappings for sample products are missing or incomplete:
-
There are no Excel files, Word documents, digital tools or similar.
-
There is no confirmed information on countries for final manufacturing and/or overall assessment of countries for component manufacturing, smelting/refining or raw material extraction.
-
No information about the assumptions and sources used for the mapping is available.
Examining the risks of adverse impacts
You shall regularly investigate the risks of adverse impacts in your own operations and in the supply chains of risk suppliers.
Many risk assessments for your own operations are already conducted in accordance with national legislation, such as the Work Environment Act, the Discrimination Act, and the Environmental Code. However, the responsibilities differ—HR and environmental experts primarily manage risks within your operations, while sustainability and purchasing specialists often focus on supply chain risks.
When examining risks in the supply chains of risk suppliers, the assessment shall cover all types of adverse impact as described in the Supplier Code of Conduct or an equivalent standard, such as the European Sustainability Reporting Standards. However, this standard does not include the Code of Conduct’s provisions on anti-competitive behaviour and taxation, which means you need to add them separately. You shall also ensure that all relevant rights-holders are covered by the assessment – including affected communities, workers, the environment, and society as a whole.
The supply chain tiers you have mapped (final production, component manufacturing, smelting and refining, and raw material extraction) shall be included in the risk assessment. It is possible to either:
-
conduct a consolidated assessment of adverse impact across the entire supply chain, or
-
conduct separate assessments for each tier.
The assessment shall not rely solely on indexes – you need to use qualitative and contextual sources. If forced labour is the most significant risk, this shall be clearly stated so that appropriate actions can be taken. Make sure to also consider both geographic risks, sector risks, and product risks.
Geographic risks
Geographic risks are conditions in a particular country which may make sector risks more likely. Geographic risk factors can generally be classified as those related to the regulatory framework (e.g. alignment with international conventions), governance (e.g. strength of inspectorates, rule of law, level of corruption), socio-economic context (e.g. poverty and education rates, vulnerability and discrimination of specific populations) and political context (e.g. presence of conflict).
Sector risks
Sector risks are risks that are prevalent within a sector globally as a result of the characteristics of the sector, its activities, its products and production processes. For example, the extractive sector is often associated with risks related to a large environmental footprint and impacts on local communities. In the garment and footwear sector, risks associated with respect for trade union rights, occupational health and safety and low wages are prevalent, amongst others.
Product risks
Product risks are risks related to inputs or production processes used in the development or use of specific products. For example, garment products with beading or embroidery hold a higher risk of informal employment and precarious work and phones and computers may contain components that are at risk of being mined from conflict areas.
We have developed a risk assessment template, which can be found below under Templates process requirement 2. Using this template is not mandatory. You can demonstrate compliance in other ways.
-
Instructions describing how you examine risks of adverse impacts in your operations and supply chains. The document shall specify time intervals and circumstances for risk assessments.
-
Risk assessments for the company's own operations.
-
Risk assessments for the supply chains of sample products.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it examines risks in its own operations, including:
-
How the requirement for regularity is met, for example at least every 12 months and in the event of new activities or changes in the operations.
-
How all risks of adverse impacts are identified and assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standard.
-
How all relevant rights-holders are covered (affected communities, workers, the environment and society as a whole).
The company has instructions or equivalent documentation/templates that describe how it examines supply chain risks, including:
-
How the requirement for regularity is met, for example at least every 12 months and in the event of new business relationships or changes in the supply chain.
-
How all risks of adverse impacts are identified and assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standard.
-
How all relevant rights-holders are covered (affected communities, workers, the environment and society as a whole).
-
How all relevant tiers are included (final manufacturing, component manufacturing, smelting/refining and raw material extraction).
-
How risk assessments are not based solely on indices and include both geographical, industry and product risks.
Risk assessments for the company's own operations are available, at least if the company is covered by the Work Environment Act, the Discrimination Act and the Environmental Code, is certified or if it is covered by sector-specific laws aimed at, for example, corruption/business ethics.
Risk assessments for the supply chains of sample products are available and they cover all commitments/ESRS, all relevant rights-holders, all relevant tiers – while not being based solely on indices and covering both geographical, industry and product risks.
Note that there is a difference between risk assessments—which include all risks, all rights holders and all stages—and supplier assessments.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it examines risks in its own operations, or they are incomplete:
-
Risk assessments are not carried out regularly, for example annually and in the event of new activities or changes in the operations.
-
Not all risks of adverse impacts are identified or assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standards.
-
Not all relevant rights-holders are covered (affected communities, workers, the environment and/or society as a whole).
The company lacks instructions or equivalent documentation/templates that describe how it examines supply chains risks, or they are incomplete:
-
Risk assessments are not carried out regularly, for example annually and in the event of new business relationships or changes in the supply chain.
-
Not all risks of adverse impacts are identified or assessed based on the commitments in the Supplier Code of Conduct, European Sustainability Reporting Standards or equivalent standards.
-
Not all relevant rights-holders are covered (affected communities, workers, the environment and/or society as a whole).
-
All relevant tiers are not included (final manufacturing, component manufacturing, smelting/refining and raw material extraction).
-
Risk assessments are based solely on indices or do not include both geographical, industry and product risks.
Risk assessments for the company's own operations are completely absent or incomplete, despite the fact that the company is subject to the Work Environment Act, the Discrimination Act, and/or the Environmental Code, certifications or sector-specific laws aimed at, for example, corruption/business ethics.
Risk assessments for the supply chains of sample products are completely absent or incomplete – for example, they do not cover all commitments/ESRS, all relevant rights-holders and/or all relevant tiers, or they are based solely on indices and/or fail to include geographical, industry and/or product risks.
Engaging in meaningful consultations
You shall engage in meaningful consultations with rights-holders or their representatives and obtain information from credible and independent sources if consultations are not possible in the supply chains of risk suppliers.
Consultations can take place through social dialogue, surveys, meetings, hearings, or other methods. The purpose is to understand how a specific impact affects individuals in a given context.
Engaging in meaningful consultations with rights-holders or their representatives helps you determine whether their perceptions of adverse impacts differ from each other or from your own. For example, changes in shift schedules may affect parents with childcare responsibilities or religious people. Through consultation, you demonstrate respect for their perspectives and rights, which builds trust and promotes sustainable solutions.
Consultations require special consideration of linguistic, cultural, and gender-related barriers to ensure that no one is excluded. Additionally, rights-holders may have conflicting opinions, making certain issues sensitive.
In the risk assessment template we have developed, available below under Templates process requirement 2, you shall note down your consultations and the sources you have used.
-
Instructions describing consultations with rights-holders in your own operations, how these fulfill the requirement for meaningful consultations, and how they are used as a basis for risk assessments.
-
Instructions describing consultations with rights-holders in the supply chain.
-
Meeting minutes from social dialogue, hearings, and other consultation procedures for sample products.
-
Results from worker voice programs and/or surveys related to sample products.
-
Risk assessments for the company’s own operations, including the consultations that form the basis of the assessment.
-
Risk assessments for the supply chain of sample products, including any consultations and/or the sources used for the assessment.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in its own operations, including:
-
How statutory consultations are applied under the Work Environment Act, the Discrimination Act and/or the Environmental Code.
-
How social dialogue is applied (tripartite/bipartite process; formal/informal; national, regional or company level).
-
How consultations are characterized by two-way communication, responsiveness, good faith and continuity.
The Company has instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in the supply chain, including:
-
How meaningful consultations are also sought in the supply chain, for example through employee interviews during visits and audits or worker voice programs.
-
How information is obtained from credible and independent sources if direct consultations are not possible.
There is documentation that shows that consultations have been carried out in the company's own operations, such as employee surveys or minutes of meetings from statutory consultations and social dialogue and/or hearings with affected communities, as well as evidence that these form the basis for risk assessments.
There is evidence showing that consultations have been carried out in the supply chains of sample products, such as employee interviews during audits, or that consultations have been replaced by credible and independent sources such as civil society, academia, authorities and the media—as well as evidence that the consultations/sources form the basis for risk assessments.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in its own operations, or they are incomplete:
-
Statutory consultations are not applied under the Work Environment Act, the Discrimination Act and/or the Environmental Code.
-
Social dialogue is not applied (tripartite/bipartite process; formal/informal; national, regional or company level).
-
Consultations are not characterised by two-way communication, responsiveness, good faith and continuity.
The company lacks instructions or equivalent documentation/templates that describe how it engages in consultations with rights-holders or their representatives in the supply chain, or they are incomplete:
-
Meaningful consultations, such as through worker interviews during visits and audits or worker voice programs, are not sought.
-
Information is not obtained from credible and independent sources if direct consultations are not possible.
There is no documentation showing that consultations have been carried out in the company's own operations, such as employee surveys or minutes of meetings from statutory consultations and social dialogue and/or hearings with affected communities, or evidence that these have been used in risk assessments.
There is a lack of evidence showing that consultations have been carried out in the supply chains of sample products, such as employee interviews during audits, or that consultations have been replaced by credible and independent sources such as civil society, academia, authorities or the media—or evidence that the consultations/sources have been used in risk assessments.
Paying attention to particularly vulnerable groups
You shall pay attention to adverse impact on individuals from groups and populations at heightened risk of vulnerability or marginalisation, including environmental and human rights defenders. The purpose is to ensure that you do not contribute to or exacerbate such vulnerability or marginalisation.
The UN has developed rights for the following groups:
Indigenous peoples
Children
Women
Persons with disabilities
National or ethnic, religious and linguistic minorities
Migrant workers and their families
In situations of armed conflict, you shall also respect the norms of international humanitarian law.
What does "pay attention to" mean? When identifying risks, consider whether they affect groups with increased vulnerability or marginalisation. If there is a risk of land grabbing and indigenous peoples live on the land, this should be acknowledged. If there is a risk of debt bondage, a form of forced labour, migrant workers are a particularly vulnerable group. If there is a risk freedom of expression may be restricted, environmental and human rights defenders could be particularly exposed.
By identifying vulnerable groups, you will be better prepared for dialogue with risk suppliers and for managing adverse impacts in the supply chain. The analysis also makes it easier to prioritise the most significant risks based on likelihood and severity, as vulnerable groups are often the most affected.
In the risk assessment template we have developed, available below under Templates process requirement 2, you will find guidance on paying attention to particularly vulnerable groups.
-
Instructions describing how you identify particularly vulnerable groups.
-
Risk assessment for the company's own operations, including information on particularly vulnerable groups.
-
Risk assessment for the supply chains of sample products, including information on particularly vulnerable groups.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in risk assessments for its own operations.
The company has instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in supply chain risk assessments.
Particularly vulnerable groups have been identified in risk assessments for the company’s own operations.
Particularly vulnerable groups have been identified in supply chain risk assessments of sample products.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in risk assessments for its own operations.
The company lacks instructions or equivalent documentation/templates that describe how it pays attention to particularly vulnerable groups in supply chain risk assessments.
Particularly vulnerable groups have not been identified in risk assessments for the company’s own operations.
Particularly vulnerable groups have not been identified in supply chain risk assessments of sample products.
Prioritise risks based on likelihood and severity
You shall prioritise the most significant risks based on likelihood and severity.
There is no hierarchy within international human rights law—human rights are interrelated, interdependent, and indivisible. However, it is often impossible to address all adverse impacts at the same time, which requires prioritisation based on likelihood and severity.
Standard risk assessment methods weigh likelihood and severity equally. However, if an impact has low likelihood but high severity, severity becomes the determining factor. The focus should be on the impact that causes the greatest harm, such as the risk of loss of life, even if the likelihood is low.
Severity shall be assessed based on the adverse impact’s:
-
Scale, which refers to the gravity of the adverse impact.
-
Scope, which concerns the reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
-
Irremediable character, which means any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Severity is not an absolute concept but must be assessed in relation to other adverse impacts in each individual case. Particularly vulnerable groups are often severely affected, making it important to consider them when prioritising the most significant risks. Once these have been addressed, work should continue with the next most severe risks and then progressively with the others.
In the risk assessment template we have developed, available below under Templates process requirement 2, you will find guidance on prioritising risks based on likelihood and severity.
-
Instructions describing the prioritisation based on likelihood and severity.
-
Risk assessments for the company's own operations, including prioritisations based on likelihood and severity.
-
Risk assessments for the supply chains of sample products, including prioritisations based on likelihood and severity.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documentation/templates that describe how it prioritises risks based on likelihood and severity, including how severity is assessed based on:
-
Scale: gravity of the adverse impact.
-
Scope: reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
-
Irremediable character: any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Risks in the company's own operations have been prioritised based on likelihood and severity.
Risks in the supply chains of sample products have been prioritised based on likelihood and severity.
Note that likelihood and severity are not the same as likelihood and consequence. Due diligence focuses on adverse impacts on people, the environment and society, not on risks to the company. These risk assessments also differ from the double materiality analyses carried out under the CSRD, where both the impact on the operating environment and the impact on the company's earnings are taken into account.
Does not fulfil requirement
The company lacks instructions or equivalent documentation/templates that describe how it prioritises risks based on likelihood and severity, or they are incomplete. That is, severity is not assessed based on:
-
Scale: gravity of the adverse impact.
-
Scope: reach of the impact, for example the number of individuals that are or will be affected or the extent of environmental damage.
-
Irremediable character: any limits on the ability to restore the individuals or environment affected to a situation equivalent to their situation before the adverse impact.
Risks in the company's own operations have not been prioritised based on likelihood and severity.
Risks in the supply chains of sample products have not been prioritised based on likelihood and severity.
