ESG Due Diligence (FAQ)
Despite your best efforts to operate responsibly, you may still be connected to sustainability risks through business partners. Subcontractors may violate labour standards, products may be linked to deforestation, or waste may be improperly managed by downstream business partners. Due diligence is not about eliminating all of these risks. It is about making credible efforts to manage the most severe ones - and helping you to avoid legal and reputational harm.
In this FAQ, we address some of the common questions and misconceptions surrounding due diligence:
What is sustainability due diligence?
Sustainability due diligence is the operational core of responsible business conduct. It is a set of processes through which organisations can identify and manage their (potential) negative impacts on human rights and the environment. These (potential) negative impacts may be linked with their own activities, but can also occur across their value chain—both upstream and downstream, linked with product (mis)use.
Due diligence is integrated in authoritative international standards like the UN Guiding Principles on Business and Human Rights and the OECD Guidelines.
Why would you start working on due diligence?
- It solidifies your position as a responsible organisation and business partner, and helps you anticipate and respond to expectations from key stakeholders, including clients and investors.
- It helps you improve ESG ratings and your position in benchmarks. Due diligence and supply chain management are key parameters in ratings used by clients (e.g. EcoVadis, Sedex, IntegrityNext) and investors (e.g. MSCI, Sustainalytics).
- It helps you comply with existing and upcoming legislation (see below).
- It helps you secure access to sustainable finance. For instance, compliance with the OECD Guidelines is a key requirement for activities to qualify as sustainable under the EU Taxonomy Regulation.
- Above all, it is sound risk management. It helps you understand and anticipate sustainability risks, which ultimately improves your resilience. And do you really want to be stuck for answers when a subcontractor fails to respect worker rights, or when your raw materials turn out to be contributing to widespread environmental degradation?
What is the status of due diligence as a legal requirement?
Due diligence is most closely associated with the Corporate Sustainability Due Diligence Directive (CSDDD), which will oblige very large companies to carry out sustainability due diligence—although the depth and scope of due diligence obligations will be reshaped by the ongoing Omnibus process.
In addition to the CSDDD, due diligence requirements are integrated into various other pieces of legislation.
- The CSRD and the associated ESRS. Companies must report on their due diligence processes. Much of the terminology used in the ESRS comes directly from the OECD Guidelines (e.g. “severity and likelihood”, “policies and actions to prevent, mitigate and remediate actual and potential negative impacts”).
- The European Regulation on deforestation-free products (EUDR). It requires companies importing or trading in certain commodities (beef, wood, soy, palm oil, cocoa, coffee, rubber) and derived products to carry out deforestation due diligence in order to identify and mitigate risks of deforestation across their supply chains. The EUDR will enter into force on Dec 31, 2025.
- The Conflict Minerals Regulation (CMR), which has been in force since Jan 1, 2021, obliges EU importers of tin, tantalum, tungsten, and gold (the so-called “3TG” minerals) to carry out supply chain due diligence in line with the OECD Due Diligence Guidance, to ensure that their sourcing of these minerals does not contribute to armed conflict or human rights abuses.
- The Forced Labour Regulation (FLR) was agreed in early 2024 and is expected to apply from 2027. It prohibits the placing and making available on the EU market, as well as the export from the EU, of any products made with forced labour. National authorities and the European Commission will have the power to investigate companies and supply chains, and if forced labour is found, products must be withdrawn and disposed of, unless companies can demonstrate robust due diligence.
- The EU Taxonomy Regulation identifies compliance with the OECD Guidelines as one of the key requirements for economic activities to qualify as sustainable.
- Other pieces of EU legislation contain implicit due diligence requirements. For instance, the REACH Regulation obliges companies to collect, assess, and communicate detailed information on substances they manufacture or import, effectively requiring a form of chemical-related due diligence across supply chains. Similarly, the forthcoming Ecodesign for Sustainable Products Regulation (ESPR) introduces requirements for product design, durability, reparability, and sustainability data disclosure, which will push companies to investigate and manage environmental and social risks in their supply chains.
In short, due diligence requirements are increasingly embedded in a patchwork of EU legislation. Some companies will not be (directly) subject to legal obligations, whereas others may be affected by several types of legislation. The key is to resist treating due diligence as a separate compliance exercise, and to instead build a holistic due diligence system that spans the full spectrum of risks.
What should due diligence look like in practice?
International due diligence standards and legislation describe the processes that due diligence must involve: identifying and assessing risks, taking action to mitigate risks, tracking progress, communicating, remediation, and integrating due diligence into policies and management processes. Yet, this description remains abstract and difficult to interpret, particularly for smaller organisations.
This is why at Möbius, we have developed a hands-on approach that consists of three workstreams: (1) Understanding and prioritising risks; (2) Mitigating risks; and (3) Governance. More on this approach can be found here.
What are you expected to do when the most severe risks are located deep in your supply chain?
Due diligence is often equated with full supply chain transparency, or the need to continuously monitor all actors across your supply chain. This is not what due diligence is about. It is about focusing efforts where risks are highest. For some companies, this could be their own activities or those of direct business partners. For others, the most severe risks are located further “upstream” or “downstream”.
Many companies have little influence on what happens deep in their supply chain. In such cases, efforts can focus on making sure that your supplier takes adequate action to understand and mitigate risks. In addition, companies can join industry-specific initiatives (e.g., Amfori BSCI, Responsible Business Alliance) or multi-stakeholder initiatives (e.g., Fair Wear Foundation, Trustone) to exercise leverage together with others.
What do I do when business partners refuse to cooperate?
Engaging with business partners is the art of the possible. In some cases, business partners may be eager to start the discussion, and may even have their own due diligence processes in place. In other cases, your requests may fall on deaf ears.
The key is to aim for improvement over time. Start slow, by integrating questions on sustainability risks into conversations with your business partner. Emphasize the business case: clients are asking for it, there are legal requirements, they can improve their positioning, ...
It is only when business partners show absolutely no willingness to improve over time that other—more drastic—measures can be considered. Disengagement may be commercially sensitive, and is rarely the best course of action from a sustainability perspective. Yet from a risk perspective, it may eventually become untenable to continue working with parties that consistently fail to address human rights risks.
Is due diligence the same as sustainable procurement?
Due diligence is more than sustainable procurement, but sustainable procurement can—and arguably must—form part of a due diligence process, as one of the central ways in which companies can attempt to mitigate risks in their supply chains.
Sustainability can be integrated more centrally into supplier selection and onboarding. For instance, sustainability criteria in tenders/selection processes reward suppliers who can demonstrate that they have processes and actions in place to address sustainability risks. Certifications (e.g., ISO 14001, ISO 50001, ISO 45001, BCorp, Amfori BSCI), ratings (e.g., EcoVadis), and participation in initiatives such as the VOKA SDG Charter can be important indications that suppliers take sustainability seriously.
Beyond supplier selection, the key to successful due diligence lies in continuous supplier engagement. Make sure that suppliers understand your sustainability goals, and how you want to involve them in reaching those goals. Don’t make it a top-down exercise, but talk to suppliers and try to address their concerns and—if possible—their constraints. In many cases, you will learn that they are not dissimilar from yours.
Who should be involved in due diligence?
It is important to have commitment at the top, and to clearly identify a person responsible within the organization. Who that person should be depends on the size of the organization. It can be someone who is specifically tasked with due diligence, or it can be someone wearing multiple hats.
More importantly, to be effective, due diligence should involve people across different business functions. At least in part, the choice of who to involve should depend on where the most severe risks lie. In addition to procurement, sustainability, and legal teams, this could mean that human resources (for risks related to own workforce), sales (for downstream risks), or product design (for product-related risks) must also be involved.
What can be the role of digital tools?
There is a wide range of digital solutions available that make lofty promises about their ability to “map full supply chains and risks” and to help you “comply with confidence”. Yet many companies working with digital tools are left disappointed.
Digital tools can certainly support due diligence processes, notably through their ability to collect and analyse data at scale. Yet they also have shortcomings, depending on their scope (from full value chain to direct business partners) and the data used (from primary data collected from suppliers to secondary data collected through web scraping and data mining). No tool is perfect, and it is important to make targeted choices depending on your specific objectives.
Get clarity on ESG due diligence
Navigating regulations like CSDDD can be challenging, but you don’t have to do it alone. Our experts are here to understand your specific needs, discuss your challenges, and explore the best path forward for your business.