Key steps for conducting CSDDD due diligence

Now that the EU Corporate Sustainability Due Diligence Directive (CSDDD) is in force, it’s time to take a closer look at the obligations it imposes, in particular what is meant by the corporate due diligence duty.

Under the new directive, in-scope companies now have an obligation to identify and address both actual and potential adverse human rights and environmental impacts, not just in their own operations, but in the subsidiaries and business partners that comprise their ‘chain of activities’. This is defined as the subsidiaries and partners involved in the production of goods or the provision of services as well as those companies involved in the distribution, transport and storage of products.

What does the CSDDD mean by human rights and environmental due diligence?

In the corporate world, due diligence is usually understood to mean the detailed checks carried out on a company prior to entering into some form of agreement or financial arrangement. Traditionally this has involved a retrospective look at company reports, balance sheets, market performance and other publicly available information in order to make informed decisions.

However, human rights and environmental due diligence, as set out in the CSDDD, takes a very different approach. Using the definition of due diligence in the OECD guidelines for Responsible Business Conduct, the directive imposes a series of specific obligations. This includes not just identifying actual and potential problems, as might be the case with more traditional due diligence, but also developing appropriate measures to address, prevent, mitigate and remediate the adverse impacts found.

As such, an on-going process is required, and one that must be integrated into broader enterprise risk-management systems in the same way that other regulatory measures such as anti-corruption, health and safety and fraud prevention measures have been incorporated.

The precise obligations are laid out in Article 5, but importantly, the directive specifies that companies should take a risk-based approach to their due diligence duties. This means prioritising actions according to severity and likelihood, recognising that it may not be possible to address all impacts simultaneously.

Why is CSDDD due diligence different from traditional corporate due diligence?

There are four key elements that distinguish the due diligence requirements as outlined in the directive from what is routinely understood by due diligence.

First, under the CSDDD, companies are required to look at the future as well as the past, identifying potential as well as actual adverse impacts. While preparedness for future shocks is a cornerstone of sound enterprise risk management, the identification and management of possible adverse human rights and environmental impacts will likely require a new approach, and for some organisations, new skills.

Second, the due diligence process outlined in the directive emphasises stakeholder engagement. Unlike the more standard corporate due diligence which relies on documented evidence, the directive requires meaningful consultation with all relevant stakeholders, including workers, management, community groups, worker representatives and civil society organisations. Again, this aligns with the approach to due diligence set out in the OECD Responsible Business Guidance. Only by consulting with potentially affected stakeholders can businesses accurately assess their human rights and environmental impacts and properly identify the prevention and mitigation measures needed.

Third, the directive stipulates that the due diligence should be focused primarily on the adverse impacts to people and planet, with the impact on the business as a secondary, but still important, consideration.

Finally, unlike the more traditional due diligence which is effectively an information gathering exercise, the directive imposes not just an obligation to address and remedy any adverse impacts found, but also significant penalties for any failure to do so. This clearly incentivises companies to fix the issues they find which is not always the case following a due diligence exercise.

Implementing CSDDD due diligence

The directive lists eight specific actions that in-scope companies will need to carry out in order to comply with the corporate due diligence duty. Drawing on our experience of helping businesses to manage and mitigate their adverse impacts, we identify what this is likely to mean in practice.

1. Integrating due diligence into corporate policies and risk management systems

This is a substantial requirement for companies and will involve a number of important steps if it is to be properly achieved.

A good place to start is a gap analysis of existing human rights and environmental policies and procedures against recognised industry standards and corporate best practice. The gap analysis should focus on the key elements needed to put a strong due diligence management system in place. This should include practices such as the governance of human rights and environmental due diligence, senior leadership commitment to implementation as well as policy development and management. Using a framework such as GoodCorporation’s Framework on Human Rights and Environmental Due Diligence can help ensure all relevant areas are included.

Companies might also want to consider benchmarking their policies, practices and procedures against those of industry peers and high performing companies using the key requirements of the directive as the comparison criteria.

A benchmark score against industry peers can be a powerful tool for engaging senior executives in the process and can help secure the appropriate allocation of resources to deliver the programmes needed. Data from the benchmark can also be added to the gap analysis and used to inform the action plan of the steps needed to build the necessary policies and management systems.

High on the list is likely to be the development of a due diligence policy that sets out the steps needed to identify, address and remedy both actual and potential adverse human rights and environmental impacts.

Two schools of thought are emerging as to the form such a policy should take. It could be a stand-alone due diligence policy focusing on the human rights and environmental issues. Alternatively, the due diligence requirements of the directive could be incorporated into existing human rights and environmental policies. This approach would align with the OECD guidance on responsible business conduct which recommends combining a company’s plans for implementing such risk-based due diligence into existing policies.

Companies that do not have either a human rights or an environmental policy should look to develop these and be sure to include the necessary due diligence requirements.

2. Identifying adverse human rights and environmental impacts

The first step in identifying both actual and potential adverse human rights impacts is a risk mapping exercise to pinpoint all the areas where adverse impacts are most likely to occur and be most severe, not just in your own operation, but in those of relevant subsidiaries and business partners.

Once the risks are understood, it will be important to carry out in-depth assessments of those risks to identify the scope, scale, remediability and likelihood. To do this effectively businesses will need to be cognisant of the many adverse human rights and environmental impacts that can occur; the high-risk locations, sectors and industries that form part of their operations, and the stakeholders that can provide accurate and relevant information.

3. Engaging with stakeholders

Meaningful consultation with stakeholders is a critical element of this new corporate due diligence duty. It reinforces one of the key tenets of the legislation, that the focus is on impacts on people and planet rather than the business itself. This element of the due diligence requirements draws on the UNGP guidance which finds that only by consulting with affected stakeholders can the risks and impacts be properly understood, mitigated and remediated.

This consultation should be part of the information gathering process and will be needed to feed into the action plan going forward. It will be important to scope out key stakeholders carefully, ideally via a mapping exercise, ensuring that a representative cross-section of stakeholders is included to safeguard the credibility of the information received. Where appropriate, it may be advantageous to include NGOs, worker representatives and the relevant authorities to give a truly accurate picture of the issues to be addressed. On occasions, it may not be possible to get enough information from affected stakeholders, in which case a panel of experts should be pulled together to obtain the evidence needed.

Once the stakeholders have been identified, the scope of the consultation can be agreed and the process carried out, taking care to ensure confidentiality where necessary and that participants will not be subject to any form of retaliation.

4. Developing and implementing an action plan for improvement

Once all the risks are identified and understood, prevention, mitigation and remediation measures need to be considered and planned for. It is unlikely that everything can be addressed simultaneously, so the most severe and likely impacts should be tackled first.

The CSDDD requires companies to take ‘appropriate measures’ to address any adverse human rights and environmental impacts. This means understanding the level of involvement the company has in causing or contributing to the impact and the company’s ability to influence the business partner causing or jointly causing the harm.

Once these steps have been identified, an action plan is needed outlining the preventative and/or corrective measures being put in place with clearly defined timelines, qualitative indicators for measuring improvement and importantly, designated owners with allocated responsibilities.

Companies will need to work closely with their business partners to ensure all are aligned with the goals for improvement. A programme of capacity building can help deliver the right support across the chain of activities. Additionally, contractual assurances from businesses may be needed, ideally including some form of compliance verification, possibly using an independent third party. It may also be necessary to consider collective actions with others operating in the same sector to use combined leverage to effect change.

Some of this may require substantial adjustments to business practices and these will need to be integrated into operational procedures and infrastructure with appropriate investment and training to ensure effectiveness. Some of this investment may also be needed for business partners as the directive expects in-scope companies to provide financial support to SME business partners whose viability may be jeopardised through their CSDDD compliance.

5. Ensuring the right speak-up channels

Under the directive, due diligence is an on-going process rather than a one-off task. As such, a speak-up system will be needed to receive and address complaints. For many companies, this will involve reviewing the existing system to make sure it conforms to the CSDDD requirements.

An effective speak-up or grievance system must be publicly available to allow people and companies to submit complaints about your operations and those of your business partners. It should be easily accessible, easy to use and transparent.

It will also be necessary to ensure that if a relevant incident is reported, it will be properly dealt with via an appropriate triage, filter and escalation process. Experienced investigation resources will also be needed to analyse reports thoroughly so the correct response can be determined.

Finally, as with any good speak-up system, it will be important to have a plan for on-going communication with stakeholders regarding the complaint and measures in place to prevent any retaliation.

6. Monitoring progress and improvement

Essential to the on-going process will be a system for monitoring progress and the effectiveness of any prevention or remediation measures in place. Companies will need to determine the monitoring criteria including performance or progress indicators, adherence to timescales, effectiveness of corrective measures and details of any new or emerging incidents.

Monitoring should be conducted at least annually with staff appropriately trained and educated on what the process entails.

7. Assessing whether to disengage

Engagement rather than disengagement is prioritised in the directive, with disengagement to be considered only in the most severe cases and as a last resort where other measures have failed. Before disengaging, companies must try to implement an improvement plan, supporting business partners as appropriate to build capacity and compliance, and using their leverage as far as possible.

Where these measures have failed, and disengagement is being considered, a company should assess any negative impacts of disengagement and whether these might outweigh the adverse impacts being addressed. Where confident that this is not the case, disengagement should be considered provided that steps can be taken to mitigate any adverse impacts of terminating and sufficient notice is given.

Conclusion

Not only are in-scope companies expected to follow these specified due diligence duties, they will also be required to communicate publicly on the actions taken in line with the obligations set out in the Corporate Sustainability Reporting Directive and the European Sustainability Reporting Standards.

While many companies have been taking steps to assess and address any adverse human rights and environmental impacts of their operations, compliance with the specific duties of the directive, particularly with the extension into the chain of activities, is likely to necessitate a shift in gear.

Nonetheless, many businesses have welcomed the directive as it creates greater legal certainty and a more level playing field on which to operate. GoodCorporation is working with companies to help create a roadmap towards CSDDD compliance, using our framework for gap analyses, benchmarking, policy and strategy development. For further information contact a member of our team.