With great fanfare, the Corporate Sustainability Due Diligence Directive (CSDDD) will soon become law in the EU. As many have commented – and we have written about repeatedly for four years (see here, here, here and here for a small sampling) – the law contemplates a comprehensive approach to human rights due diligence for covered companies. With it, human rights is poised to become a business imperative, integrated into company processes and business dealings like anti-corruption and other fields of international regulatory compliance.

However, as the dust is beginning to settle after extensive backroom negotiations and a frenzied final legislative push in March, companies are now asking a foundational question about this due diligence law: what exactly does it mean by due diligence? The stock answer, drilled into human rights professionals since the 2011 adoption of the UN Guiding Principles on Business and Human Rights (UNGPs), is that due diligence is a dynamic and perpetual process involving risk and impact identification, mitigation, monitoring, and disclosure. It looks at the past (impacts that may have occurred), the present (impacts that may be occurring), and – unlike many other types of diligence exercises – the future (potential impacts that may occur). Unlike most other forms of due diligence, it emphasizes stakeholder engagement, includes perceived risks and impacts within its ambit, and prioritizes risks and impacts to stakeholders primarily and the business secondarily. These basic principles are largely reflected in the CSDDD, to no great surprise.

It also provides hints regarding the practical, tangible steps that companies are reasonably expected to take under the law, that are generally consistent with good practice. From a process standpoint, companies need to map operations and supply chains to identify where risks may be most severe and likely, create a due diligence policy and integrate its requirements into systems and processes, conduct annual in-depth evaluations of risks and impacts, and report annually through the CSRD (or a process the EU has yet to develop). As with other types of due diligence, companies are to employ qualitative and quantitative factors with commonly used inputs; in addition to company-wide risks (e.g., business operations risks, geographic and context risks, product and service risks, sectoral risks), companies should inform their due diligence with information from public reports, grievances received through a reporting mechanism, and the outputs of stakeholder engagement. Risks should be prioritized based on a traditional UNGPs salience framework of severity (scale, scope and remediability) informed by likelihood, and heightened due diligence should be performed consistent with UNDP guidance in conflict-affected and high risk areas. All such details are consistent with good human rights due diligence.

While official guidance is expected over the coming year, these contours reflect good human rights practice, focused on risk/impact identification and prioritization – the most labor-intensive component of the due diligence process. That, in turn, contemplates a three step process: defining the contours of what you are diligencing, gathering information, and analyzing the information to prioritize and develop achievable and responsive action plans.

On what human rights issues are you conducting due diligence?

The scope of a human rights diligence exercise can be narrow – focusing on a single issue or right, such as child labor – or it can be substantially broader, encompassing all human rights across global operations and value chains.

The CSDDD itself envisions a substantial breadth. The law applies to a company’s operations, supply chain and a few potential downstream activities (distribution, storage and transportation). In an Annex, the CSDDD specifically lists a range of human rights directly in scope.^[1]

In addition, the CSDDD also lists 12 international conventions^[2] and provides that a human rights abuse includes the rights enshrined in those instruments if: (a) the right is capable of abuse by a non-state actor;^[3] (b) the abuse directly impairs a legal interest protected in the instrument; and (c) the company “could have reasonably foreseen the risk that such human right may be affected,” taking into account the relevant circumstances (such as business operations, chain of activities, sector, geography and operational context). Therefore, any given right identified in the instruments is potentially in scope if it can apply to companies and there is a reasonable possibility it may be impaired by the company or its chain of activities. The bottom line: most of the human rights in the International Bill of Human Rights and ILO Core Conventions are in scope for a CSDDD due diligence exercise.

Those rights can be whittled down, of course, refining the list to those most applicable to the business. The mechanism for doing so is this first step: mapping operations and chain of activities to identify where adverse impacts are most likely to occur and to be most severe. That will involve, on a preliminary basis, identifying which human rights risk areas may be in scope in which functions, units or locations. Most CSDDD due diligence exercises will then target those areas, the most likely impacted stakeholders, and the likely rights in scope.

Steps to gather and review relevant human rights information

The second step in the process is perhaps the most challenging: gathering appropriately comprehensive and responsive information. Information gathering for human rights due diligence falls into three categories.

First, to assure that companies are compiling the most relevant information responsive to their key human rights (and environmental) risks and impacts, they need to embed human rights indicators into operational processes and management systems. They also need to draw upon information and data that relevant functional units generate. That may include, for instance, environmental impacts, health and safety incidents, labor and employment issues, or security-related matters. Embedding human rights indicators and engaging with functional units can lead to real time data generation, and tracking metrics that can be used to evaluate risks and impacts on an ongoing basis.

Second, companies gather information to evaluate human rights risks through a variety of ad hoc sources. These can include media and NGO reports, workplace surveys, sector or geographic litigation or investigations, grievance or hotline reporting, company audits or internal investigations, and/or meetings with internal or external stakeholders.^[4] Viewing these different data inputs holistically, along with the information generated from operational processes and management systems, can provide a good picture of a company’s day-to-day risks and impacts.

Finally, companies must conduct formal human rights diligence exercises. Those can be performed in a variety of ways and should be calibrated to the risk profile of the company and its chain of activities – full human rights impact assessments, global salient risk assessments, higher level materiality analyses, or a series of rapid due diligence exercises focused on a particular area or activity. They may also involve subscription database searches to evaluate potential supplier risks. These should be done consistent with a stated cadence depending on the risk profile, and certainly when a risk profile changes. The output likely will incorporate the results of the systematized and ad hoc information generated over the course of the year to create the most comprehensive risk profile.

Steps to review and prioritize human rights information

The third step of the process involves analyzing the data collected against the potential rights in scope. Primarily, the CSDDD describes a salience assessment – e.g., using the data collected to determine the scale (degree of harm), scope (how widespread), remediability (how easy to fix), and likelihood of a risk or impact. Companies often create a type of scorecard, which the CSRD contemplates, reflecting the salience analysis. Other companies use different tools, such as stoplight systems, tiering, or alignment with enterprise risk matrix scoring, for risk and impact ranking.

For those salient risks identified, a company may consider the extent to which, under the UNGPs formula, it may reasonably cause, contribute to or be directly linked (CCDL) to that salient risk. That CCDL analysis, coupled with the salience analysis, can help a company prioritize and strategize its responsive measures and how it may disclose relevant risks in its public reporting.

The CSDDD suggests that the review and prioritization should be updated at least annually to account for changes.

Conclusion

While the three-step process described above aligns with the CSDDD, there is an important caveat: the full scope of a company’s obligations and commitments may be broader than human rights. The CSDDD covers environmental and human rights, and other laws, such as the EU Deforestation Regulation, the EU Batteries Regulation, and the EU Conflict Minerals Regulation, include additional due diligence provisions. Further, the national measures adopted as part of the implementation of the CSDDD across Member States and voluntary industry standards may contain additional requirements. To the extent a company desires to leverage efficiencies and conduct a single due diligence exercise that covers all of its obligations and commitments, the undertaking becomes even more substantial. Nonetheless, as human rights due diligence will soon emerge as a business imperative, a strategy to address these diligence mandates – through one process or several – should be expected.

^[1] These include the right to life, freedom from torture, the right to liberty and security, privacy, religious freedom, a range of workplace protections (including an adequate living wage and adequate housing, and prohibitions of child labor, exploitation and trafficking, modern slavery, and discrimination), freedom of association, collective bargaining, a variety of children’s rights (including the right to achieve the highest attainable standard of health, education, and an adequate standard of living), and multiple environmental impacts including but not limited to the prohibition against measurable environmental degradation (such as harmful soil change, water or air pollution, harmful emissions, excessive water consumption, degradation of land, or other impact on natural resources, including deforestation), adverse impacts on biological diversity, wetlands and pollution of the marine environment.

^[2] The Annex lists, for instance, the ICCPR, the ICESCR, the Convention on Rights of the Child, the ILO Fundamental Conventions, the Convention Against Discrimination, the Abolition of Forced Labor Convention, as well as others.

^[3] International human rights instruments traditionally have applied only to states, and some of the rights in those instruments are not transposable to private entities.

^[4] Importantly, where it is not reasonably possible to carry out effective engagement with stakeholders, companies must consult additionally with experts who can provide credible insights into actual or potential adverse impacts.