In March 2021, the European Parliament published a draft directive that introduced mandatory corporate due diligence requirements in areas such as human rights and environmental practices in an organization's supply chain. Developed in response to the COVID-19 pandemic and failures of voluntary, country-level corporate governance regimes, the directive aims to unify European Union (EU) member states’ approaches to enforcing human rights and environmental laws at the weakest points in organizations’ value chains: their third-party relationships.
Under the directive, any organization in the EU, whether private, state-owned or publicly listed, would be required to "identify and assess potential or actual impacts on human rights, the environment or good governance caused by, contributing to or linked to their operations or business relationships, using a risk-based monitoring methodology that takes into account the impact, nature and context of the undertaking’s operations," and to "review business relationships for the same risks."
Although the directive has not yet passed into law, any organization that does business in the EU should begin assessing its supply chain partners' human rights and environmental practices now, and develop remediations that mitigate the resulting financial, legal and reputational risks before they materialize.
At the broadest level, requirements of the directive related to third-party risk management can include:
Organizations that fail to meet the directive’s obligations will be subject to penalties and possible reputational damage, so it’s essential to establish a sound program for assessing supply chain partner practices.
To prepare for any forthcoming supply chain audits, consider these recommendations.
1. Ensure that procurement and sourcing teams have access to intelligence on the human rights and environmental practices of prospective supply chain partners, including centralized assessment results, reputational information, legal actions and previous sanctions, so that procurement can make informed sourcing decisions.
2. Use an automated solution that hosts assessment questionnaires, raises risks based on variance from acceptable results, and offers specific remediation recommendations. Attach supporting evidence and documentation to the assessment results to simplify the inevitable audit reporting.
3. Regular (usually annual) assessments and attestations are essential for documenting supply chain partner controls, policies and processes, but they are static and point-in-time. Adding real-time monitoring of the following sources will help catch adverse events before they affect your business and will validate the assessment results.
4. Your supply chain partners rely on their own suppliers and third parties to deliver goods and services to you and their other customers, and you need to respond quickly when adverse events surface anywhere in that extended ecosystem. Identify and visualize the relationships between your organization and its third, fourth and Nth parties to uncover dependencies and risks.
5. Although it has not yet passed into law, the directive will almost certainly require regular reporting and attestation to country-level and EU-level regulatory bodies. The fastest, least complex approach to audit reporting is to map the assessment results from recommendation 2 automatically to each applicable regulation or framework. This cannot be done with spreadsheets and email; you will need a central platform for collecting, assessing, analyzing and reporting on findings.
How prepared will your organization be for any supply chain partner audits required for European Corporate Due Diligence Directive compliance when it becomes law?
Prevalent can help you centralize the management of supply chain partners, define the appropriate assessment methodology, monitor adherence to requirements, and simplify regulatory reporting. Get started today by monitoring your top supply chain partners for free or contacting us for a strategy session.