
European Corporate Due Diligence Draft Directive: 5 Recommendations to Prepare for Supply Chain Risk Assessments

When enacted, this regulation will require organizations to report on their supply chain partners’ human rights and environmental practices. Here’s how you can get ahead of supply chain risk assessments and avoid penalties.
Scott Lang
VP, Product Marketing
June 17, 2021

In March 2021, the European Parliament adopted a resolution containing a draft directive that would introduce mandatory corporate due diligence requirements in areas such as human rights and environmental practices in an organization's supply chain. Developed in response to the COVID-19 pandemic and the failures of voluntary, country-level corporate governance regimes, the draft aims to unify European Union (EU) member states' approaches to enforcing human rights and environmental laws at the weakest points in organizations' value chains: their third-party relationships.

Under the draft directive, in-scope organizations – whether privately held, state-owned or publicly listed – would be required to "identify and assess potential or actual impacts on human rights, the environment or good governance caused by, contributing to or linked to their operations or business relationships, using a risk-based monitoring methodology that takes into account the impact, nature and context of the undertaking's operations," and to "review business relationships for the same risks."

The European Corporate Due Diligence Draft Directive: Third-Party Risk Management Requirements

Although the directive has not yet passed into law, any organization that does business in the EU should begin assessing its supply chain partners' human rights and environmental practices now, and develop remediation plans to mitigate potential financial, legal or reputational risks before they arise.

At the broadest level, requirements of the directive related to third-party risk management can include:

  • Establishing and implementing a due diligence strategy, and reviewing it annually
  • Conducting due diligence according to the likelihood and severity of adverse human rights or environmental impacts
  • Publishing a statement – including the supporting risk assessment and data – concluding that the company does not cause, contribute to, or directly link to adverse human rights or environmental impacts
  • Verifying that subcontractors and suppliers comply with obligations

Organizations that fail to meet the directive’s obligations will be subject to penalties and possible reputational damage, so it’s essential to establish a sound program for assessing supply chain partner practices.

5 Recommendations to Prepare for Supply Chain Partner Audits per the European Corporate Due Diligence Draft Directive

To prepare for any forthcoming supply chain audits, consider these recommendations.

1. Implement comprehensive supply chain partner pre-screening

Ensure that procurement and sourcing teams have access to intelligence pertaining to the human rights and environmental practices of new supply chain partners. This can include centralized assessment results, reputational information, legal actions, and previous sanctions – enabling procurement to make informed supplier sourcing decisions.

2. Regularly assess your supply chain partners

Use an automated solution that hosts assessment questionnaires, flags risks where a partner's responses deviate from acceptable answers, and offers specific remediation recommendations. Attach supporting evidence and documentation to assessment results to simplify the audit reporting that will inevitably follow.

3. Fill gaps between assessments with continuous reputational monitoring

Regular (usually annual) assessments and attestations are essential to documenting supply chain partner controls, policies and processes, but they are static and point-in-time. Adding real-time monitoring of the following sources will help to catch potential adverse events before they impact your business and validate the results of assessments.

  • Supplier Reputation: Public and private sources of reputational information, including regulatory and legal actions, M&A activity, and conflicts of interest.
  • Global Sanctions: Screen against the major sanctions lists (including OFAC, EU, UN, BOE, FBI, BIS, etc.), global enforcement and regulatory action lists (such as those of the FDA, US HHS, UK FSA and SEC), and court filings.
  • Adverse Media: Negative news, adverse social media coverage and sentiment to ensure supply chain partners don’t damage your organization’s reputation.

4. Know your Nth parties

Your supply chain partners rely on their own suppliers and third parties to deliver goods and services to you and to their other customers, so an adverse event at a fourth or fifth party can disrupt you just as surely as one at a direct supplier. To respond quickly when such events surface in your extended partner ecosystem, identify and visualize the relationships between your organization and its third, fourth and Nth parties, so that you can see which direct relationships depend on which upstream entities and where several of them converge on a single point of failure.
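The dependency mapping described above can be expressed as a directed graph: an edge from each organization to the suppliers it relies on. The following Python script is an added example, not Prevalent's code or tooling; all supplier names and relationships in it are constructed for illustration. It tiers every upstream entity from your organization (third, fourth, Nth party), answers the incident-response question "which of my direct suppliers are exposed if this Nth party has an adverse event?", and finds concentration points where several direct suppliers transitively depend on the same upstream entity.

```python
"""Map third-, fourth- and Nth-party relationships as a directed graph.

All supplier names below are constructed for illustration; "us" stands for
your own organization. Added example, not code from the original page.
"""
from collections import defaultdict, deque

# Constructed edge list: (dependent, supplier). Edges out of "us" are third
# parties, edges out of those are fourth parties, and so on.
RELATIONSHIPS = [
    ("us", "CloudHostCo"),
    ("us", "PayrollSoft"),
    ("us", "LogisticsPartner"),
    ("CloudHostCo", "DataCenterOps"),
    ("PayrollSoft", "DataCenterOps"),        # fourth party shared by two third parties
    ("PayrollSoft", "IdentityProviderX"),
    ("LogisticsPartner", "FreightForwarderZ"),
    ("FreightForwarderZ", "PortHandlingLtd"),
    ("DataCenterOps", "PowerUtilityY"),
]


def build_graphs(edges):
    """Return (downstream, upstream) adjacency maps from an edge list.

    upstream[x]   = suppliers that x depends on
    downstream[x] = customers that depend on x
    """
    upstream = defaultdict(set)
    downstream = defaultdict(set)
    for dependent, supplier in edges:
        upstream[dependent].add(supplier)
        downstream[supplier].add(dependent)
    return downstream, upstream


def tiers_from(root, upstream):
    """Breadth-first walk up the supply chain from `root`.

    Returns {entity: tier}, where tier 1 is a third party, tier 2 a fourth
    party, etc. (shortest path). The `seen` set also guards against cycles,
    which do occur in real supplier data (mutual customers/suppliers).
    """
    tiers = {}
    queue = deque([(root, 0)])
    seen = {root}
    while queue:
        node, depth = queue.popleft()
        for supplier in sorted(upstream.get(node, ())):
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def exposed_direct_suppliers(flagged, downstream, root="us"):
    """Given an Nth party with an adverse event, walk downstream (towards us)
    and return the set of our direct suppliers whose delivery chain passes
    through it. These are the relationships to re-assess first."""
    exposed = set()
    stack, seen = [flagged], {flagged}
    while stack:
        node = stack.pop()
        for customer in downstream.get(node, ()):
            if customer == root:
                exposed.add(node)          # node sells directly to us
            elif customer not in seen:
                seen.add(customer)
                stack.append(customer)
    return exposed


def concentration_points(upstream, root="us", min_dependents=2):
    """Upstream entities that at least `min_dependents` of our direct suppliers
    transitively rely on. One event there hits several relationships at once."""
    dependents = defaultdict(set)
    for direct in upstream.get(root, ()):
        for nth in tiers_from(direct, upstream):
            dependents[nth].add(direct)
    return {n: d for n, d in dependents.items() if len(d) >= min_dependents}


if __name__ == "__main__":
    down, up = build_graphs(RELATIONSHIPS)
    for entity, tier in sorted(tiers_from("us", up).items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {tier}: {entity}")
    print("exposed by PowerUtilityY:", sorted(exposed_direct_suppliers("PowerUtilityY", down)))
    print("concentration points:", {k: sorted(v) for k, v in concentration_points(up).items()})
```

With the constructed data, a flagged event at PowerUtilityY (a fifth party) exposes both CloudHostCo and PayrollSoft, and DataCenterOps and PowerUtilityY show up as concentration points because two of the three direct suppliers run through them. In practice the edge list would be populated from partner assessment responses (recommendation 2) and refreshed as monitoring surfaces new relationships.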

5. Simplify compliance reporting

Although it has not yet been passed into law, this directive will almost certainly require regular reporting and attestation to country-level and EU-level regulatory bodies. The fastest, least complex approach to audit reporting is to map the assessment results discussed in recommendation 2 automatically to each regulation or framework you must report against. This is impractical with spreadsheets and email; you will need a central platform for collecting, assessing, analyzing and reporting on findings.

Next Steps to Prepare for the European Corporate Due Diligence Directive

How prepared will your organization be for any supply chain partner audits required for European Corporate Due Diligence Directive compliance when it becomes law?

Prevalent can help you centralize the management of supply chain partners, define the appropriate assessment methodology, monitor adherence to requirements, and simplify regulatory reporting. Get started today by monitoring your top supply chain partners for free or contacting us for a strategy session.


Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
