The importance of companies´ behaviour in the climate transition and to achieve a sustainable development has led to increasing requirements on corporate responsibility and an ongoing shift towards more binding rules in the sustainability field. In accordance with a proposed new EU directive, requirements will be imposed on companies to implement due diligence processes in relation to sustainability. The main features of the proposal have been explained here. In this article series, Cederquist’s specialists on Corporate Sustainability explain which due diligence measures should be taken according to the proposed directive and existing international standards in the field.
In the first part of this article series, which can be read here, we described how due diligence should be integrated in the policies and management systems of the company in accordance with the proposed EU directive and the OECD Due Diligence Guidance for Responsible Business Conduct. This supports companies’ subsequent process of identifying, preventing, mitigating and accounting for the management of potential and actual adverse impacts on human rights and the environment in their own operations, supply chain and other business relationships (the due diligence process).
In the following, we will elaborate on the fundamental step of the due diligence process related to the identification of potential and actual adverse impacts.
A key prerequisite for a company to be able to manage the adverse impacts that may arise for human rights and the environment is that the company has adequate procedures in place to identify relevant risks. The proposed directive therefore requires companies to take appropriate measures to identify actual and potential adverse impacts on human rights and the environment arising from their own operations or those of their subsidiaries and, where they are linked to their value chains, from established business relationships. This requirement is subject to a number of defined limitations, which are discussed below.
As to what constitutes relevant adverse impacts, reference is made to a number of international conventions in the respective fields, which are listed in an annex to the proposed directive. The directive thus covers adverse environmental impacts resulting from a breach of a prohibition or an obligation under the listed international environmental conventions, as well as adverse impacts on protected persons resulting from a violation of the listed rights or prohibitions as set out in the listed international human rights conventions.
In line with the OECD guidance, the directive sets requirements for companies’ behaviour, rather than for companies’ to achieve a certain result. In other words, companies are not expected to be able to eliminate (the risk of) all adverse impacts in their operations and value chain, but the due diligence requirement is that the company should take appropriate measures to identify and manage relevant risks.
An “appropriate measure” is defined as a measure that is capable of achieving the objectives of due diligence, commensurate with the degree of severity and the likelihood of the adverse impact, and reasonably available to the company, taking into account the circumstances of the specific case, including characteristics of the economic sector and of the specific business relationship and the company’s influence thereof, and the need to ensure prioritisation of action. If the company takes action in line with this, but an adverse impacts still occur, this does not mean that the company has failed in its obligations. However, the entity may need to take the necessary steps to address the adverse impact and consider the event in the due diligence process going forward, including any improvement measures.
The severity of an adverse impact is usually assessed on the basis of factors such as severity (e.g., the extent to which people’s fundamental rights and freedoms are restricted), scope (e.g., how many people are affected) and the risk of irreversible effects (i.e., whether the adverse impact can be reversed as if it had not occurred, which is not possible in the case of death, for example).
If the adverse impact does not arise from the company’s own operations but from a business relationship in the company’s value chain, the company’s influence over the business relationship in question is also considered.
The same reasoning mentioned above, i.e., that the expectations on the company’s behaviour regarding impacts arising from the company’s value chain must be related to influence thereof, can also be found in the underlying international standards. A significant difference, however, is that the proposed directive introduces a de facto limitation of the due diligence obligation itself to activities in the value chain carried out by entities with which the company is considered to have an “established business relationship”. This is an entirely new concept, which is defined as a business relationship, whether direct or indirect, which is, or which is expected to be lasting, in view of its intensity or duration and which does not represent a negligible or merely ancillary part of the value chain.
The proposed definition is not very easy to understand, and it also includes a couple of other defined concepts. For the purposes of the directive, a “business relationship” is a relationship with a contractor, subcontractor or any other legal entity (“partner”) (i) with which the company has a commercial agreement or to which the company provides financing, insurance or reinsurance, or (ii) that performs business operations related to the products or services of the company for or on behalf of the company. Furthermore, the company’s “value chain” includes activities related to the production of goods or the provision of services by a company, including the development of the product or the service and the use and disposal of the product as well as the related activities of upstream and downstream established business relationships of the company. As regards regulated financial undertakings, “value chain” with respect to the provision of these specific services shall only include the activities of the clients receiving such loan, credit, and other financial services and of other companies belonging to the same group whose activities are linked to the contract in question. The value chain of such regulated financial undertakings does not cover SMEs receiving the specified services.
The proposal requires companies to reassess the “established” nature of their business relationships on a regular basis and at least every 12 months.
The introduction of the concept has been widely criticised, partly because the restriction as such risks defeating the purpose of the directive insofar as it is concerned with addressing the major sustainability risks that generally occur further down the value chain, and partly because of the difficulties in understanding which business relationships are covered. One concern is that companies will be forced to put a lot of focus on defining different business relationships instead of addressing the most serious risks in the value chain.
As regards smaller companies operating in certain high-risk sectors with high environmental impacts covered by the directive, they are only required to identify serious actual and potential adverse impacts relevant to their specific sector. In line with what was mentioned above in relation to the appropriateness of measures, an adverse environmental or human rights impact is defined as serious if it is particularly significant in nature, affects a large number of people or a large area of the environment, or is irreversible or particularly difficult to remedy because of the measures required to restore the situation that existed before the effect occurred.
Regulated financial undertakings providing credit, loans or other financial services are only required to identify actual and potential adverse human rights and environmental impacts prior to the provision of the service.
On the question of how companies should go about identifying actual and potential adverse impacts in practice, the proposed directive essentially suggests that appropriate resources should be used, and that this may include independent reports and information gathered through the complaints procedure provided for (which will be the subject of a forthcoming article). Furthermore, it follows that, where appropriate, companies should also gather information through consultation with potentially affected groups, including employees and other relevant stakeholders. Such stakeholder dialogue is often highlighted as one of the most important components of successful due diligence and as something that should take place throughout the process.
The motives further elaborate that the identification should be based on quantitative and qualitative information in order to allow for a comprehensive identification of adverse impacts. As an example of adverse environmental impacts, it is mentioned that the company should obtain information on the initial state of high-risk sites or facilities in value chains. In certain situations, such as before the start of a new activity or business relationship and before major decisions or changes in the business or operating environment, a dynamic and regular assessment of human rights and environmental conditions should take place. Furthermore, such assessments should be carried out on a regular basis and at least annually for ongoing operations and business relationships.
More practical guidance on risk identification and assessment can be found in the OECD guidance, which (very briefly) recommends that the following steps are taken:
Identify areas where significant sustainability risks are most likely to arise through a broad review of operations, business relationships and value chains based on factors such as industry, product, geography and company-specific risks. Prioritise the most serious risk areas as a starting point for deeper analysis.
Identify the business areas, suppliers and other business relationships associated with the priority risk areas and conduct a deeper analysis of the specific adverse impact attributable to them.
In order to determine the appropriate next step, an assessment should be made as to whether the company caused or contributed to the adverse impact, or whether the adverse impact is directly linked to the company’s activities, products or services through a business relationship.
As the company cannot usually act on all potential and actual adverse impacts simultaneously, the most significant risks and adverse impacts should be prioritised for action, based on the severity (as described above) and likelihood of the effects.
The guidance emphasises that the assessments described above need to be reviewed regularly, as well as in the event that the company is considering making any significant changes that may have an impact on the risks.