In April 2024, the European Parliament took a significant step towards more sustainable and ethical business practices by adopting the Corporate Sustainability Due Diligence Directive (CSDDD).
So, what is the aim of this European Union (EU) directive on sustainability due diligence?
The aim of the directive is to encourage sustainable and responsible corporate behavior and ensure human rights and environmental considerations are embedded into a company's operations and corporate governance.
It requires companies to conduct due diligence to identify, prevent, and mitigate risks related to environmental and human rights issues in their supply chains. It also calls on businesses to address the adverse impacts of their operations, including in their value chains inside and outside Europe.
It marks a crucial phase in a four-year legislative process targeted at ensuring corporate and social responsibility (CSR) throughout EU-invested supply chains.
Human rights and environmental due diligence obligations involve conducting risk assessments on suppliers, business partners, and other third parties to identify risks that could have negative impacts on human rights and the environment; holding companies accountable for any adverse environmental impacts and/or human rights violations due to their business activities; implementing measures to prevent and address these risks; and monitoring and reporting on the effectiveness of those measures.
Also in scope of the due diligence requirements is the need to engage stakeholders, such as workers, local communities, and civil society organizations, to ensure their concerns are taken into consideration. Overall, the goal of due diligence is to promote responsible business practices, protect human rights, and minimize negative environmental impacts throughout a company's operations and supply chain.
There are essentially five pillars for CSDDD that need to be considered and managed. They formulate a risk-based approach and they also ensure businesses can check the effectiveness of their approach.
Human rights violations and environmental crime can be indicative of other risks, including money laundering and sanctions evasion. Many businesses in the EU have already built supplier due diligence practices into their risk management models, forming part of an Environmental and Social Governance (ESG) policy. Others have been preparing for compliance in this area following the advent of directives such as the Corporate Sustainability Reporting Directive (CSRD). So, the CSDDD is, for many, an ongoing journey.
The journey towards the CSDDD began in 2020 with studies undertaken by the European Commission. These studies focused on directors’ duties and sustainable corporate governance, and highlighted the need for careful, stringent due diligence requirements. In February 2022, the Commission proposed a draft of the CSDDD, outlining obligations for companies to identify, assess, prevent, mitigate, address, and remedy adverse impacts on people and the planet. The issues addressed ranged from child labor and slavery to pollution and deforestation.
The directive mandates companies develop transition plans aligning their operations with the Paris Agreement's goal of limiting global warming to 1.5°C in the fight to halt climate change. Member states are required to establish supervisory authorities to investigate and penalize non-compliant firms. While there was provisional agreement, some initial drafts of the directive received pushback from member states concerned about the administrative burden or potential legal implications.
To ensure approval, some compromises had to be made. The thresholds were raised so the new CSDDD covers businesses with 1,000 employees and €450 million in annual revenue (an increase from 500 employees and €150 million in revenue). Other areas have been reduced in scope: indirect business partners have been excluded from the downstream chain of activities definition; climate transition plans remain a part of the directive, but the requirement to align financial incentives for directors has been removed; changes have also been made to the civil liability clause, giving member states more flexibility.
While these changes reduce its reach, the CS3D remains more ambitious than the recently circulated French proposal, which would have excluded approximately 80% of companies in the EU market. In its current form, the CS3D is expected to affect circa 5,000 companies across the EU.
The timeline for implementation has also been extended, so those EU companies with more than 5,000 employees and €1.5 billion in revenue are now required to comply by 2027, and those companies with more than 3,000 employees and €900 million in revenue have until 2028. All other applicable companies must comply by 2029.
The importance of thorough third-party risk management shines through all of this. Large organizations, particularly companies such as automotive and luxury goods providers, often work with extensive networks of suppliers, including smaller businesses across different regions and jurisdictions where legal oversight and regulation can vary significantly.
The stakes are extremely high in this area of risk management and compliance. Getting supplier risk management wrong can threaten a company’s future success. Effective supplier risk management is critical for regulatory compliance and for maintaining operational resilience. It’s also key to protecting corporate reputations from the fallout of negative media coverage linked to unethical practices within supply chains.
Achieving compliance with supplier due diligence regulations needs a transparent, unified, risk-based approach. This involves conducting comprehensive risk assessments and continuously monitoring third parties across a supply chain for changing risk factors, for example related to sanctions violations and money laundering risk.
One of the biggest challenges companies in the EU and beyond face in this regard is the fragmentation of data, technology and processes, which makes it hard to establish a true picture of risk. Some companies operate with more than 50 different enterprise resource planning (ERP) systems, and this can make it extremely difficult to have a cohesive view of counterparty risk. Third-party relationships can be wide and deep in large global organizations, so establishing this unified approach isn't always easy.
Automated know your supplier (KYS) processes can, however, help address some of the data, technology and process challenges. Automated KYS checks verify critical information, such as company addresses and beneficial ownership structures, helping to build a risk profile that's always on. When new risks related to a supplier are identified, businesses can receive alerts and then make informed decisions about what to do next, i.e., carry out enhanced due diligence, establish a mitigation plan, or off-board the third party in question.
Moody’s solutions help unify and automate KYS and a risk-based approach to supplier due diligence, bringing together people, processes and technology to offer companies greater transparency and visibility of risk across their supply chains. We offer a unified approach to supplier onboarding and perpetual risk monitoring.
Ensuring effective compliance with the CSDDD and other related regulation necessitates a robust, risk-based approach to supplier due diligence. In a risk-based approach three key steps to consider are:
Moody's can help with extensive entity verification solutions, including data related to UBOs, sanctions, and adverse media screening, providing access to comprehensive datasets and analytics tools to identify and verify business ownership networks. To generate risk profiles, automated company checks can be used to produce standardized risk scores for each supplier. And to promote transparency across supply chains, Moody's can offer solutions like a shell company indicator, which leverages information on ~500 million companies and their ownership and control structures.
The adoption of the new legislation by the European Parliament is a landmark in the global journey towards more responsible business practices that protect human rights and the environment. By putting more stringent supplier due diligence requirements in place, the EU will hold companies accountable for their impact throughout their supply chains.
This directive, coupled with effective third-party risk management solutions, can help create a more sustainable and ethical business environment in Europe and across the world.
Please get in touch to talk to us about your supplier due diligence and third-party risk management processes. We would love to hear from you.