ROADMAP TO CSR
RISK MANAGEMENT
VERSION 3 – DECEMBER 2020
MVO NEDERLAND
Arthur van Schendelstraat 500
Postbus 19219
3501 DE Utrecht
The Netherlands
T: +31 30 2305600
E: [email protected]
I: www.mvonederland.nl
1 INTRODUCTION
Customers, governments and civil society organisations expect that companies do business with respect for
people and planet. International agreements about this are laid down in the OECD Guidelines for
Multinational Enterprises and the UN Guiding Principles for Business and Human Rights. Companies are
expected to identify, prevent and reduce CSR risks in their supply chain, upstream and downstream. This is
called ‘CSR due diligence’ or ‘CSR risk management’.
Companies should integrate CSR due diligence in their management systems, policies and procedures. In the
Roadmap CSR Risk Management, we provide practical guidance for companies on how to take action and at
the same time adapt internal policies and procedures. By doing so, we have made the OECD Due Diligence
process more practical for companies, and we included the due diligence principles from the UNGP
Principles for Business and Human Rights. More information about UNGP, OECD and other relevant
international guidelines and regulations is provided in chapter 3.
The Roadmap CSR Risk Management aims to facilitate businesses in taking action and implementing CSR
risk management. It consists of eight practical steps, which are explained in more detail later in this
document:
1. Check existing CSR policies & activities;
2. Map your supply chain;
3. Identify CSR risks;
4. Prioritise CSR risks;
5. Take action and collaborate;
6. Integrate in business processes & provide grievance mechanisms;
7. Monitor progress and evaluate;
8. Communicate about policies and progress.
Figure 1 – The eight steps of CSR risk management
2 CSR RISK MANAGEMENT IN 8 STEPS
STEP 1 - CHECK EXISTING CSR POLICIES & ACTIVITIES
Before you start to manage your CSR risks it is advisable to be in line with existing CSR policy and activities
within your company. Relevant topics for CSR risk management are:
• Policy statement & management commitment: what is the CSR mission and vision of the
organisation and what are the CSR targets?
• How are these translated into (international) activities?
• How does CSR policy affect procurement policies and decisions, and international transactions?
• Has the organisation joined international guidelines and (chain) initiatives? Which management
systems are used? (e.g. ISO 26000, ISO 20400, ISO 9001, ISO 14001)
• How is the company communicating about CSR dilemmas and performance?
• Is CSR included in complaint procedures, does the company provide grievance mechanisms? NB:
More information about setting up CSR grievance mechanisms is provided in step 6.
STEP 2 - MAP YOUR SUPPLY CHAIN
Figure 2 - The steps within a supply chain from raw material to consumer
To make a good start with CSR risk management it is important to understand the nature and scale of your
supply chain. Key steps include:
• List all products and services that you purchase, produce and export;
• Identify for each product and service in which country it is manufactured;
• Identify for each product and service that you produce and/or export what the downstream supply
chain looks like (customers, countries, waste, etc.);
• Determine for all composite products what the main raw materials and/or semi-finished products
are, and where they come from;
• Check, if possible, how and by whom products are transported.
Tip A practical tool to do a supply chain analysis is to design a Value Chain Map.
You can use the Value Chain Mapping method to map your supply chain. In this article you can find
more information about why this is useful.
STEP 3 - IDENTIFY CSR RISKS
Get an overview and identify current and potential risks from the list of raw materials and products/services
formulated in step 2. CSR risks in your supply chain are related to the nature of the product, the country of
origin and the characteristics of the suppliers.
Risks related to countries and products
Risk information about countries and products (and country-product combinations) can be found in the CSR
Risk Check tool. This practical tool is based on an extensive database containing many CSR sources and
websites. The result, after filling in the tool, is a pdf report for the selected countries and/or products in
which all the CSR risks are summarised per CSR theme (both social and environmental). The risks reported
by the CSR Risk Check are all potential risks. You can use this information as a basis for your own
risk assessment, where you translate potential risks into actual risks for your specific company. Besides
information you get from the CSR Risk Check, you need to assess risks related to characteristics of suppliers.
Risks related to characteristics of suppliers
Characteristics of suppliers that influence possible CSR risks are for example: presence of management
systems, the reputation of the supplier, and your relationship with the supplier (pressure on delivery
time/price, temporary contracts, etc.). Research your supply chain and consult all relevant stakeholders
(employees, customers, suppliers, governments, affected communities and civil society organisations) to find
out what the actual risks in your supply chain are. In complex and large supply chains (many different
products and suppliers) it may be wise to start with assessing the strategic suppliers for practical reasons.
The reason for this is that strategic suppliers have a bigger impact in terms of volume and that established
long-term relationships are a good basis for improvements.
This step of identifying risks can result in a list that you make of all the CSR risks for the products/services
you provide (or purchase) as an organisation. This list will contain: countries of origin and supplier names,
and a description of the risks identified (from the CSR Risk Check and from other sources). This list will be
used in step 4 to prioritise, before you can take action in step 5 to tackle those risks.
STEP 4 - PRIORITISE CSR RISKS
It is not possible to address all risks in your supply chain simultaneously, so you will have to set priorities.
Prioritise the identified risks based on severity (potential impact on your company and on the environment
and local communities) and likelihood of occurrence. It is important that you involve your stakeholders in
this step, such as employees, customers, suppliers, governments, affected communities, and civil society
organisations.
Likelihood and severity combined determine the extent of the risk, see Figure 3 for a visual explanation:
• Severity: how serious is the identified negative impact in terms of scale, scope and the possible
irreversibility of the consequences? The UN Guiding Principles provide criteria for the objective
classification of potential human rights risks: scale (what is the negative impact on human rights),
scope (how many people are affected) and irreversibility (are there any limits on the ability to restore
those affected to a situation at least the same as, or equivalent to, their situation before the adverse
impact).
• Likelihood: how likely is it that the negative effect will occur and what is the probability of a negative
effect?
Using the information you collected in the previous step, you can make a qualitative estimate of the severity
(potential negative impact) and the likelihood that this impact will occur.
Risk Rating = Likelihood × Severity
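| Severity \ Likelihood | 1 Improbable | 2 Remote | 3 Occasional | 4 Probable | 5 Frequent |
|---|---|---|---|---|---|
| 5 Catastrophic | 5 | 10 | 15 | 20 | 25 |
| 4 Significant | 4 | 8 | 12 | 16 | 20 |
| 3 Moderate | 3 | 6 | 9 | 12 | 15 |
| 2 Low | 2 | 4 | 6 | 8 | 10 |
| 1 Negligible | 1 | 2 | 3 | 4 | 5 |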
Figure 3 - Example of a risk matrix
Table 1 shows how a specific company might estimate the actual risk level for a country-product
combination, based on the list of potential risks generated by the CSR Risk Check and additional information
about their own supply chain. You can use a similar list, and extend it to match your company’s needs.
For example: if you fill in ‘China’ and ‘electronics’ in the CSR Risk Check there will be many potential risks.
Nevertheless, if you as a company make use of certifications and you have a good relationship with your
suppliers, the risks will not be as relevant to your business activities in China as for other companies.
Products/materials and suppliers in the red (high risk) category will be given priority when taking action in
step 5.
Although you have collected a lot of information in the previous step, and have consulted guidelines and
stakeholders, it will still be a complex process to estimate the likelihood and severity of risks, especially since
most risk information from public sources is qualitative. Comparing different risks (e.g. child labour in
country X with biodiversity loss in country Y) and determining where you should take action first is difficult,
but will be easier when you become more comfortable with performing CSR due diligence.
Table 1 - Example of quantifying CSR risks for different countries and product characteristics. The information stated
under ‘country of origin’ and ‘sector’ provides an example of a risk analysis for a specific company. This may appear
differently for your own company, and countries or products that are not mentioned here may lead to higher CSR risks.
| Country-product-supplier characteristics | Low CSR risk | Medium CSR risk | High CSR risk |
|---|---|---|---|
| Country of origin | Western Europe, North America, Australia | Russia, South-Africa, Eastern Europe | For example: China, India, Turkey, Bangladesh, Mexico. Source: List of high risk countries from Amfori-BSCI |
| Sector | Business and facility service provision | Retail, wholesale, construction, transport | Agriculture, forestry and fisheries, electronics, textiles, mining, paper or sectors that use this, production of various articles such as office items |
| Type of activities | Service provision, specialist work | Low-skilled work | Unskilled work |
| Nature of the supply chain | Short production chain | Production chain with several links | Long production chain with many intermediate links |
| Relationship and influence on suppliers | Direct and frequent contact with suppliers, long-lasting relationship with mutual trust | Irregular contact with suppliers, limited influence on their actions | Many indirect suppliers, little contact, no or hardly any influence on their actions |
| Supply chain initiatives, quality labels & management systems | Certified (multi-stakeholder) initiatives for both social and environmental aspects | Certified (multi-stakeholder) initiatives for social OR environmental aspects | No initiatives, or only initiatives with self-assessment by suppliers |
STEP 5 - TAKE ACTION AND COLLABORATE
In the previous step you prioritised the CSR risks. In this step your company decides how to address the
risks. Addressing/tackling CSR risks has two goals:
1. Reduce or compensate actual negative impact;
2. Prevent or reduce risks of negative impact.
Each company is a link in a chain of suppliers and customers, in which every part makes its own
contribution. To make supply chains truly sustainable, it is necessary to work together with suppliers, buyers,
colleagues, industry associations, other supply chain partners, and stakeholders. The type of involvement in
the eventual (potential) negative impact is one of the determining factors for which actions a company can
take. A company can be the direct cause of the negative impact, contribute to it or be indirectly connected to
it. See Figure 4 for an explanation.
Type of engagement
• If a company is at risk of…: causing an impact; contributing to an impact; being associated with an
impact through its activities, products or services.
• Then the company should…: limit/prevent the risk of the impact.
• And…: use its leverage on other responsible parties to try to limit/prevent the impact, and increase
leverage if necessary.
• And if the impact occurs...: provide recovery and/or redress for the violation (causing an impact);
provide recovery and/or redress for the violation (contributing to an impact); no responsibility for
recovery, but company can choose to contribute to recovery (being associated with an impact).
Figure 4 - Schematic explanation of how a company should address CSR risks, based on their position in the supply
chain [1]
[1] This figure is based on these documents: Shift report about identifying and prioritising risks and the UN
Interpretive Guide on Human Rights.
After the prioritisation of the international CSR risks in step 4, you are going to start working on the
arrangements. This could be, for example, joining a supply chain initiative or having discussions with
suppliers. You should take the following actions:
• Draft an action plan for the most material risks in your supply chain together with your suppliers,
buyers, colleagues, industry association and other supply chain partners. Also involve civil society
organisations in this process;
• For smaller companies: start working on arrangements for a limited number of products;
• Join existing supply chain or industry initiatives. For example, the Sustainable Trade Initiative (IDH)
has set up several projects to achieve sustainability in food chains, such as in the case of, among
others, palm oil, nuts, citrus fruits and cocoa;
• Are there no collaboration initiatives yet? In that case, take the first step and talk to your suppliers,
buyers, colleagues and industry association. Start a dialogue with parties who do not cooperate,
possibly together with competitors and other stakeholders. Use CSR labels when purchasing small
volumes or facilitatory products. The ITC Standards Map provides information on more than 210
standards, codes of conduct and certifications related to sustainability in international supply chains;
• Are you a small purchaser? Then join forces with other companies and your sector organisation.
Encourage suppliers to register their CSR performance on a platform such as ISEAL, SIM Supply
Chain, Fira, GSES or Ecovadis;
• Keep contact with non-cooperating parties as much as possible, also with competitors and other
stakeholders. End the relationship if nothing improves, or in the event of serious violations;
• Repair the damage that has already been caused. The CSR Risk Check contains concrete advice per
country/product/theme on how to tackle or reduce risks;
• End the relationship if no improvements are made despite continuous support, or if serious
misconduct occurred.
Tip Use the Supply Chain Influence Checklist to enhance your influence in the supply chain, and to take
more targeted action towards suppliers.
STEP 6 - INTEGRATE IN BUSINESS PROCESSES & PROVIDE GRIEVANCE MECHANISMS
It is important for a good implementation of CSR risk management that the organisation (especially the
procurement organisation) is well organised to set out arrangements. The application of responsible
procurement becomes easier when it is centrally organised. The organisation will need less effort (and
money) in case the total number of suppliers is lower.
Several activities are possible to integrate CSR into business processes, for example by setting up an
interdepartmental working group, adjusting the CSR policy and ensuring commitment from management.
How this is done is exemplified by using the example below of integrating CSR into procurement processes.
For a good integration of CSR in procurement, take the following actions:
Adapt internal organisation & procedures
• Ensure that, within each department of your company, certain people are accountable for the
implementation of CSR arrangements, with the emphasis on the procurement department. Hold one
person accountable for the implementation of the responsible-procurement policy, preferably the
head of procurement (in smaller organisations this can also be the director);
• Consider implementing the ISO 20400 Guideline for Socially Responsible Procurement in your
organisation. ISO 20400 is the international guideline for CSR and is based on the more general ISO
26000 guideline. The ISO 20400 guideline offers practical tools to set up and guarantee a socially
responsible procurement process for both public and private organisations;
• Integrate due diligence into your existing risk management system, and other management systems
such as ISO 14001, ISO 9001. For more information: ISO 26000 and OECD Due Diligence Guidance
for Responsible Business Conduct;
• Train procurement staff on CSR and sustainable procurement. It is important that the right
incentives are given to meet the procurement conditions. For example, last minute orders and low
prices can be an incentive to neglect labour standards at the expense of the involved employees. If
procurement staff are only expected to realise deals for the lowest price, they will not be motivated to
include CSR aspects in their supplier selection.
• Simplify your supplier portfolio and length of your supply chain: reduce the number of suppliers and
brokers, making it easier to set out arrangements;
• Please note that CSR risk management also involves other departments within the company, not only
purchasing. It is also important to involve (product) management and, for example, in order to
anchor CSR throughout the company.
Interact with suppliers
• Start applying sustainable procurement at the moment you select new suppliers. Then you do not
have to deal with existing contracts and agreements made earlier. Let the new supplier actively
participate in sustainability questions related to his own products and services;
• Aim for long-term contracts with suppliers and good relationships with them as much as possible.
This makes it, for example, easier to implement ambitions relating to the production conditions. Also
join regular contact moments with suppliers to address CSR themes;
• Include a paragraph with CSR provisions in the procurement conditions, or (even better) draw up a
separate supplier code that is communicated to all suppliers. Integrate sustainability in all
procurement procedures and (legal) documents, such as terms of delivery and contracts. In these
documents, refer to the CSR provisions in the supplier code;
• Ask your (in)direct suppliers and buyers about their CSR policy, processes and performances. Clearly
explain to your suppliers (or give training, if necessary) why you strive for better working and
environmental conditions and why this is also beneficial for them (e.g. less staff losses and higher
production efficiency);
• Visit your (in)direct suppliers and customers, and assess them on social and environmental issues.
You may also do this together with other buyers/suppliers, or have it done by an independent
organisation. Involve NGOs, trade unions and other experts in the monitoring process, for example
to test the methodology or to set up joint fact-finding missions and audits;
• Is there an international and external complaint system (grievance mechanism)? Check the current
complaints procedure and adjust it if necessary, to ensure that individuals, workers, groups and
organisations that are negatively affected in your supply chain can access it. See chapter 1 for more
detailed information about grievance mechanisms.
Provide effective grievance mechanisms & complaint procedures
Internal (e.g. workers) and/or external stakeholders (e.g. communities living around production plant) may
suffer from irresponsible business activities. Businesses should be open to feedback. Inputs and feedback
from remediation processes can help strengthen identification of real and potential adverse impacts by
highlighting issues that may not have received sufficient attention, and by providing inputs on how to
effectively respond to adverse impacts.
Is there an international and external complaint system (grievance mechanism) in your company? Check the
current complaints procedure and adjust it if necessary, to ensure that individuals, workers, groups and
organisations that are negatively affected in your supply chain can access it.
Core criteria from OECD Guidelines for Responsible Business for operational level grievance mechanisms:
• Legitimacy: Does the grievance mechanism work in a fair and objective way?
• Accessibility: Is the grievance mechanism known by all stakeholders? Can all internal and external
stakeholders access the grievance mechanism and file a complaint?
• Predictability: Is the process explained beforehand and following a clear path with timeframe?
• Equitability: Do all parties involved have access to sources of information, advice and expertise
necessary to engage in the process on respectful terms?
• Compatibility: Is the grievance mechanism in line with internationally recognised human rights?
• Transparency: Is the process transparent, are parties updated in the process and is sufficient
information provided to make the process effective?
• Being dialogue-based: Is the mechanism updated with lessons learned and is dialogue sought to
address and resolve grievances?
Tip Use the guidance document that SOMO made about grievance mechanisms in the electronics sector;
this can be applied in other sectors as well.
STEP 7 - MONITOR PROGRESS AND EVALUATE
A one-time assessment of your supply chain has only a limited lifespan. It is important that your company
ensures that there is a process of continuous improvement. For this, it is important to do the following
checks:
• Are the results of the arrangements/actions from step 5 verified?
• Is there a need to change the approach, if necessary, based on the results of the verification?
• Is there a periodic update of the risk analysis?
Measuring results
Results of the policy can be expressed in terms of achievement of concrete targets or Key Performance
Indicators (KPIs). Based on this, the progress can be reported (step 8). The aims should be formulated
SMART (specific, measurable, action-oriented, result-oriented and time-bound) as much as possible in order
to make monitoring and communication on this subject possible. Examples of this are:
• Percentage of purchases of sustainably certified raw materials within a given period;
• Percentage of signed supplier codes;
• Percentage of executed audits in a given period.
Auditing or no auditing?
One useful element to monitor progress in the supply chain is to conduct audits at suppliers and producers,
with the aim of issuing a certificate or an audit report. These audits can be carried out by a third party or the
customer. However, audits are not always a reliable instrument and sometimes do not give a comprehensive
assessment of the situation. Furthermore, companies should keep in mind that an audit report only gives
information on the status quo of the day of the audit. The reliability of audits can be influenced by many
factors, such as inexperienced auditors and a corruption-friendly environment. A painful example of this is
the fact that the Rana Plaza factory in Bangladesh, which collapsed in April 2013, was being audited.
Audits are nonetheless an important element of CSR risk management and can act as a source of information
to identify risks and measure progress. A corrective action plan (CAP) should be derived from the audit
findings and the CAP should be monitored as well. This is one essential component for structural changes
and long-lasting improvements.
Tip Interesting readings about the pros and cons of certification are for instance the publications Beyond
Certification and Certification - a sustainable solution? Also interesting to read is how Philips tackles
the theme of Beyond Auditing in its supply chain.
Non-compliance
What happens if a supplier does not meet the standards of the purchaser as determined in a code of conduct
or terms of delivery? In advance, make agreements with suppliers about the possible consequences of your
policy. Give your suppliers the opportunity to improve and help them when it is needed. Ending the contract
immediately is often not the solution, and not desirable. Not only does this shift the problem to another
purchaser, but it also endangers the continuity of delivery, especially with critical (strategic) suppliers.
Suppliers are more likely to comply with your requirements if you have fair trading conditions and
reasonable prices and if you are trying to establish a good working relationship.
STEP 8 - COMMUNICATE ABOUT POLICIES AND PROGRESS
Transparency and communication to external parties is an important part of supply chain responsibility. Key
steps include:
• Keep up the dialogue with individuals, communities and organisations who may be adversely
impacted in your supply chain about your approach and progress;
• Decide how you wish to publicly account for your actions, for example through your regular annual
report, a separate sustainability report, information on your website, or a special brochure;
• Consult your stakeholders on the reporting topics. What information and performance do they
expect from your company?;
• Publish your information (online and/or in your annual report);
• Even if you do not publish a separate sustainability report, communicate via your regular (online)
channels, like newsletters or LinkedIn;
• If you opt for formal reporting, consider using the UNGP Reporting Framework as a format. You
can also apply the Global Reporting Initiative standard for sustainability reporting, or the UN Global
Compact's Communication of Progress (CoP).
3 INTERNATIONAL DUE DILIGENCE GUIDELINES
HOW CAN CORPORATE SOCIAL RESPONSIBILITY (CSR) RISKS BE MANAGED?
International guidelines provide companies with guidance on how to conduct their business in accordance
with human rights and labour, social, environmental and anti-corruption standards. Companies should be
aware of these standards, commit themselves to their objectives and take them into account appropriately in
their business activities. Fundamental standards include:
• UN Guiding Principles for Business and Human Rights with provisions on the state access to
remedies. To disseminate and implement the Guiding Principles on Business and Human Rights, the
UN Working Group encourages all states to develop, enact and update a national action plan (NAP)
on business and human rights as part of the state responsibility. So far 23 states have produced
national action plans.
• OECD Guidelines for Multinational Enterprises. The OECD guidelines provide recommendations on
responsible corporate conduct with regard to human rights, transparency and information
obligations, industrial relations, the environment, corruption, consumer protection, technology
transfer, competition and taxation, as well as rules on complaints, review and arbitration procedures.
• OECD Due Diligence Guidance for Responsible Business Conduct. Also, for several sectors, sector
guidance is available (textile, agriculture, extractives).
• ILO core labour standards with their four basic principles: freedom of association and right to
collective bargaining, elimination of forced labour, abolition of child labour and prohibition of
discrimination in employment and occupation. The ILO core labour standards are universally
applicable human rights.
• ILO Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy. It
provides internationally active companies with important information on how they can structure
their CSR measures in accordance with the ILO core labour standards and other international labour
standards.
• IFC Performance Standards on Environmental and Social Sustainability and IFC Environmental,
Health, and Safety Guidelines. The eight standards developed by the private sector department of the
World Bank define important environmental and social standards and are based on human rights. In
addition to labour standards, the standards provide guidance on dealing with local communities,
resource efficiency, land rights, biodiversity, indigenous peoples and cultural heritage.
Companies should also be aware of certain European or local (legal) frameworks that may affect them.
Examples of frameworks, standards and laws can be found here:
• EU Timber Regulation
• EU Conflict Minerals Regulation
• EU Regulation on Non-Financial Reporting
• European Coalition of Corporate Justice gives periodic updates of due diligence legislation in
different European countries
CSR risk management is required in order to implement the international standards described above and the
resulting management principles for the responsible management of supply and value chains. The elements
outlined here provide an initial overview and are not to be understood as a rigid sequence, but as part of a
living and continuous process.