Share
Viewpoints

Establishing effective due diligence structures: Getting closer to a risk-based approach

January 2026

January 15, 2025

By Swantje Pabst, Advisor & Tammy Vallejo, Advisor

____

Driven by evolving expectations, including new legal requirements, businesses are making efforts to bring their supply chain due diligence programs closer to a risk-based approach. Although not an easy task, given the diversity and complexity of supply chains, companies are realizing the importance of moving from a one-size-fits-all approach that mainly focuses on auditing first-tier suppliers to a more targeted methodology that prioritizes risks to people.

Based on Shift’s work with companies on Supply Chain Due Diligence, there are a number of key insights that businesses can be guided by when reassessing their supply chain programs.

Audit information is often not used to its full potential

Recognizing the limitations of an audit-only approach to risk-based due diligence, companies are exploring how to use audits more strategically to forge collaborative partnerships and drive action.

  • Audits can be used to identify mature suppliers that consistently perform well and transition them into strategic partnerships for collaborative action to address human rights impacts.
  • Audits can help businesses understand if they are targeting the right suppliers through a better understanding of both their risk profile and their willingness to collaborate.
  • Audits can be an entry point for building stronger relationships with suppliers, initiating meaningful discussions that can drive positive changes in their practices.

Liability concerns need to be navigated

When companies start actively looking into risks, sensitivities can be heightened. Companies may hold back on employing essential risk assessment tools out of concern that becoming aware of risks may itself expose the company to liability.

However, being unaware of a potential risk can leave a company unprepared to provide a defensible explanation of its actions to address that risk, or why it was not prioritized for action. As sustainability due diligence and reporting legislation develops, the best way to prepare for implementation will be a proactive, systematic approach to risk identification that follows a clear logic of severity and likelihood and, where choices have to be made due to resource constraints, addresses the most severe risks and impacts on people first.

Internal buy-in and leadership engagement needs to be fostered.

A lack of understanding among senior leaders of the scale of risks that they may not know about is a recurring challenge. They may also have concerns that detailed risk assessments may lead to further blind spots if this means that resources are redirected away from broad assessments. Company leadership must be fully aware of the most salient risks within its business activities and understand the rationale and consequences of focusing on particular parts of the supply chain. This requires a defensible strategy that recognizes that different timelines may be needed depending on the availability of information about parts of their supply chains, with concrete plans to address gaps in knowledge. This can then inform a convincing public explanation of the company’s approach.

  • Openly discuss all available options and agree on an approach that narrows the risk focus to a point that the company is comfortable with.
  • Consider establishing an internal body to focus on the most severe cases and empower the people closest to the case to take the necessary actions.
  • Ensure that representatives from regional/local offices are involved, as they are often closer to potential or actual risks.

Develop a more targeted approach, driven by data and informed by workers’ voices

Data has proven to be key both internally in moving towards a more risk-based approach and in segmenting suppliers and deploying different human rights due diligence tools.

  • Build a comprehensive risk platform that consolidates all relevant information in one place.
  • Integrate workers’ voices and other stakeholder perspectives to triangulate information and make sure that issues have been corrected.
  • If adverse media screening is used in building the risk profile of suppliers, this should be complemented by additional data that provides detail beyond evidence of controversies.
  • Integrating existing regional/local data plays a crucial role in moving from general risk areas to specifically identifying the most severe risks.  

Build better HRDD process steps

When setting up due diligence systems, their effectiveness largely depends on the level of internal integration between the different process elements and data points.

  • Check if the company’s identified salient human rights issues are reflected in supply chain due diligence processes.
  • Take contextual factors into account when onboarding suppliers: if a supplier lacks a policy on forced labour, is it operating in a country with little or no risk of forced labour or in one with well-known impacts?
  • Integrate minimum human rights risk criteria into the supplier onboarding process.
  • Combine country and commodity risks to narrow the focus.
  • Use recurrent findings from audits to establish risk categorisation.
  • Focus on risk levels, rather than a binary risk/no risk, to avoid internal complacency leading to inaction.
  • Seek support from regional colleagues to understand local nuances and develop targeted regional/local action plans, particularly around high-risk ingredients and materials

Tips for getting started

  • Build gradually: reminding suppliers about the commitments they have signed up to is a good first step.
  • Get more comfortable with the uncomfortable: have open conversations about human rights risks that the company may be connected to, based on an understanding of the importance of achieving positive outcomes for people rather than necessarily being able to control and eliminate all risks.
  • Make the business case for addressing priority risks.
  • Clearly identify specific roles and responsibilities at an early stage.
  • Draw on existing internal knowledge and processes to inform risk identification and analysis; human rights due diligence does not always mean starting from scratch.
  • Once you have an overview, use the logic of a risk-based approach to narrow the focus and be able to explain why, for example, only certain suppliers were audited based on an overarching rationale.
  • Being defensive is riskier: reacting to risks brought up by external actors is likely to be more resource-intensive and less efficient, forcing companies to respond to impacts they might have been able to address much earlier, at a less severe stage.

As businesses face evolving expectations and regulatory requirements, adapting supply chain due diligence programs to a risk-based approach is not just beneficial – it is imperative.

Take Action
Related work to Establishing effective due diligence structures: Getting closer to a risk-based approach
September 2025 |

Business Model Red Flags

Learn more
September 2025 |

Red Flag 25. Greenhouse gas-intensive activities, products and services that contribute to negative impacts on people's rights

Learn more
September 2025 |

Red Flag 24. Aggressive tax-minimization strategies

Learn more
September 2025 |

Red Flag 23. Markets where regulations fall below human rights standards

Learn more
Like what you’re seeing?
Get notified whenever Shift releases a new resource, viewpoint, or insight.