Hostname: page-component-76fb5796d-5g6vh Total loading time: 0 Render date: 2024-04-25T20:26:53.602Z Has data issue: false hasContentIssue false
  • English
  • Français

Prioritisation under Value Chain Due Diligence

Published online by Cambridge University Press:  19 March 2024

João Teixeira de Freitas Open the ORCID record for João Teixeira de Freitas [Opens in a new window]
João Teixeira de Freitas*
Affiliation:
Vrije Universiteit Brussel – Brussels School of Governance, Brussels, Belgium
*
Email: joao.de.freitas@vub.be
Rights & Permissions [Opens in a new window]

Abstract

This article analyses the mechanisms of prioritisation and hierarchisation of risk contained under influential soft law frameworks on value chain due diligence. It identifies the main stages of the due diligence process where prioritisation may be required and clarifies the criteria that may be used by corporations for prioritisation decisions. The article contributes to the development of the literature concerning prioritisation mechanisms under value chain due diligence norms, highlighting, from a compliance perspective, how corporations are expected to prioritise both their evaluations to identify and assess adverse impacts as well as their actions to address specific impacts identified and assessed. In doing so, it showcases the challenges present when comparing the significance of adverse impacts pertaining to different policy fields and their implications in a prioritisation context. It then compares the solutions found in these soft law frameworks concerning prioritisation to the ones contained in European laws and legislative proposals on the subject. The analysis reveals the different approaches used by legislators and reflects on their repercussions for prioritisation mechanisms, suggesting the reinforcement and clarification of prioritisation requirements in accordance with international frameworks of reference.

Keywords

Global value chainsprioritisationrisk-based due diligence
Type
Articles
Information
European Journal of Risk Regulation , First View , pp. 1 - 14
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2024. Published by Cambridge University Press

I. Introduction

In recent years, the literature has highlighted the regulation of risk as “central to the modern governance of global value chains”.Footnote 1 Representative of this centrality is the recent attention dedicated by legal scholars to the study of the regulation of value chains through a plethora of legal lenses, arguably generating a “momentum towards developing a ‘law of global value chains’”.Footnote 2 While there is no “settled legal definition of the value chain”, the concept is understood to describe at least a company’s subsidiaries and suppliers, covering to different extents equity and contract-based value chain structures.Footnote 3 Legislative developments in this area have been explained in the recent literature as being part of a broader movement in value chain regulation from sustainability,Footnote 4 human rightsFootnote 5 and corporate social responsibility perspectives.Footnote 6 These initiatives are often categorised with regard to the stringency of the regulatory duties they involve for corporations. In this context, we have witnessed a progressive transformation of the focus of value chain laws from disclosure and reporting regimes to more substantive obligations that “go beyond reporting requirements and oblige transnational corporations to identify, prevent and mitigate non-financial risks in their value chains”.Footnote 7 While initial legislative interventions in this respect targeted specific sectors or issues, a new generation of due diligence laws is broadening substantive obligations, rendering them “more horizontal, cross-sectoral and cross-issue”.Footnote 8 Key developments in this respect are, for instance, the adoption of due diligence laws in France,Footnote 9 GermanyFootnote 10 and Norway.Footnote 11 In the same way, formal legislative proposals have been made concerning the subject in the NetherlandsFootnote 12 and Belgium,Footnote 13 while a European Union (EU)Footnote 14 directive is also being negotiated. These laws are largely inspired by non-binding instruments that have popularised risk-based due diligence such as the United Nations Guiding Principles (UNGPs)Footnote 15 and the Organisation for Economic Co-operation and Development Guidelines for Multinational Enterprises (OECD Guidelines)Footnote 16 – which have recently been updated.Footnote 17 These frameworks are the “international recognised standard[s] of reference” in matters concerning due diligence,Footnote 18 and they serve as the starting point of analysis for understanding the ways in which due diligence is meant to be carried out by enterprises. Both frameworks are complemented by important interpretative guidance documents that are relevant to this research – specifically, the UNGPs Interpretative GuideFootnote 19 and the OECD Guidance.Footnote 20

Value chain due diligence norms are a type of risk-based regulation. Risk-based regulation is an increasingly well-established topic that is studied within several academic and practitioner networks, referenced in numerous pieces of legislation and covered by major international publications with gradual development occurring over close to forty years.Footnote 21 This type of regulatory intervention is designed and adopted to prevent or mitigate risks (both empirically measured and subjectively perceived), aiming at making responses tailored to the specifics of each risk and proportional to the relative importance of different risks.Footnote 22 In risk-based regulations, prioritisation and proportionality assume important dimensions. While regulating every risk might be possible on paper, in practice such a capacity is limited by the level of resources needed to control and implement such regulations. Risk-based regulations with an excessively large scope can thus result in difficulties for compliance, as well as possibly harming the rule of law if it is widely accepted that compliance is impossible.Footnote 23 Furthermore, excessively risk-averse regulatory approaches can have a negative impact on the aggregate risk level, even when compliance is possible, “if the negative economic impact is particularly high, while the direct positive safety impact is low”.Footnote 24 In this context, risk-based prioritisation “looks specifically at focusing resources where the highest risk level is”, while risk proportionality “considers both the level and the characteristics of the risk to determine the most suitable content for regulations (level of standards, degree of prescriptiveness, etc.) and the choice of regulatory instruments (e.g. ex-ante permitting, ex-post controls, certification, registration, etc.)”.Footnote 25 While a plethora of different risk-based regulations and risk regulatory concepts are being used in different areas, value chain due diligence would fall under a specific type of risk regulation that is called “management-based regulation” (or “meta-regulation”).Footnote 26 Coglianese aptly sums up the concept (and provides examples) by stating that management-based regulations impose on corporations “the obligation to ‘Plan–Do–Act–Check’ with respect to addressing a public regulatory problem”, often requiring firms to begin by conducting an internal risk analysis.Footnote 27 The underlying concept of this type of regulatory command is to deploy regulatory authority in a way that leverages the private sector’s knowledge about its particular circumstances and engages firms in developing their own internal procedures and monitoring practices that respond to risks.Footnote 28 Value chain due diligence thus sets out a series of commands that require corporations to adopt very general means that would lead to the achievement of the outcomes of ultimate concern to the regulator (avoidance, prevention and mitigation of adverse impacts) without imposing per se the avoidance of this outcome (occurrence of adverse impacts).Footnote 29

Despite the momentum in favour of enacting due diligence obligations, a gap in the literature exists with regard to the study of an often-overlooked yet (arguably) essential aspect of due diligence obligations: the way in which corporations are meant to prioritise assessments and actions to comply.Footnote 30 Prioritisation mechanisms seem to be particularly relevant in the new generation of cross-issue and cross-sectoral due diligence laws. The United Nations Office of the High Commissioner for Human Rights (UN OHCHR)Footnote 31 and the OECDFootnote 32 have recommended that prioritisation mechanisms be a part of the novel legal frameworks translating non-binding due diligence obligations into law. Reporting and disclosure frameworks have also strengthened their requirements concerning prioritisation-specific disclosures.Footnote 33 Furthermore, empirical evidence suggests that despite the utilisation of prioritisation mechanisms by companies conducting value chain due diligence,Footnote 34 significant risks are deprioritised by corporations,Footnote 35 and that prioritisation remains a key challenge for companies.Footnote 36 Also, as will be seen in this article, all novel laws and proposals on due diligence make explicit reference in their text to prioritisation mechanisms.

This article compares the system of prioritisation and hierarchisation of risks devised by the UNGPs and OECD Guidelines to the ones found in European laws and proposals. The research reveals that most new laws on due diligence have regulated questions on prioritisation in a manner that is, at best, incomplete, failing to clarify some important aspects of the operation of the mechanism. Moreover, the analysis conducted identifies approaches that deviate from internationally recognised standards on the subject. The remainder of the article proceeds as follows: Section II is dedicated to developing the system of prioritisation designed by influential soft law instruments concerning value chain due diligence. Section III analyses how these systems have been regulated in different laws and proposals on the subject, comparing the solutions found to the ones developed in Section II. Section IV concludes by focusing on the outlook of the issues analysed.

II. The prioritisation of risks under the UNGPs and the OECD Guidelines

To align their behaviour with the UNGPs or OECD Guidelines, corporations are expected to take several steps to implement the due diligence process. In this context, both frameworks emphasise the possibility for corporations to prioritise their assessments and actions considering the level of risk present in their value chains. The initial step of due diligence that is most relevant for prioritisation, and that helps determine the level of risk, is that of the assessment of adverse value chain impacts. Both the UNGPs and OECD Guidelines place firmly on corporations an obligation to conduct impact assessmentsFootnote 37 ; however, the precise methodology for conducting such assessments is not clearly outlined in the frameworks, it still developing in practice and arguably is highly context-dependent.Footnote 38 While a full exploration of the subject of impact assessments in the context of due diligence is beyond the scope of this paper, some aspects need to be outlined. First, it is important to outline the moments when these assessments take place under the due diligence process, as they are inherently related to prioritisation requirements. Second, it is necessary to outline the criteria that a corporation needs to evaluate when conducting these impact assessments. The UNGPs and OECD Guidelines suggest that corporations prioritise action in two stages: at the initial due diligence stageFootnote 39 and at the level of taking action to address identified impacts.Footnote 40 In this context, it is important to shine a light on two key issues. The first issue relates to the eventual impossibility for corporations to conduct in-depth assessments of all of the entities associated with their value chains. In these scenarios, according to the UNGPs and the OECD Guidelines, corporations are expected to identify general areas where the risk of adverse impacts is most significant and prioritise these for due diligence.Footnote 41 The second issue relates to the eventual impossibility for corporations to address all of the identified and assessed impacts at the same time. In these cases, enterprises are expected to prioritise the order in which they act based on the severity and likelihood of the adverse impact.Footnote 42 This is important because the prioritisation rules regarding the assessment of impacts are distinct from those concerning how companies should address their adverse impacts. This subject is developed subsequently for each of the stages of the due diligence process.

1. Prioritisation at the stage of identification and assessment of impacts

When the number of entities in a value chain is too high to allow for due diligence to be conducted in relation to all of them, enterprises may engage in a “scoping” exercise, trying to identify “general areas of risk” where impacts may be more significant.Footnote 43 The OECD Guidance clarifies that this scoping exerciseFootnote 44 is not a mandatory step in a due diligence context but may apply to companies with diverse operations and complex value chains.Footnote 45 The exercise relates to the “mapping” of operations and the value chain structure a company conducts to identify higher-risk activities, geographies, products or business relationships.Footnote 46 Scoping allows enterprises to evaluate the particular risks of their operations by looking at sectoral, geographical, product and enterprise risk factors, including known risks that the enterprise has faced or is likely to face.Footnote 47 This preliminary assessment thus focuses on “risk factors” and on knowledge of specific impacts. Risk factors are analysed mainly through desk-based research based on credible sources, including information external to the enterprise.Footnote 48 Nonetheless, corporations should consult with “relevant experts and stakeholders” when information gaps exist.Footnote 49 This exercise relates to priorities established for in-depth identification and assessment but not to priorities concerning the order in which a corporation should address or respond to the impacts that have been identified and assessed.Footnote 50 Therefore, companies may, due to the consideration of certain value chain areas as high risk, prioritise those areas and business relations for in-depth evaluation and assessment of risks, effectively delaying the identification and assessment of impacts concerning areas or relations deemed as low risk.

A recent OECD report develops this subject by explaining the idea behind the system. Enterprises should carry “out an initial high-level scoping exercise – across their operations and types of business relationships – to first identify and prioritise their most severe and likely risk issues … on the basis of ‘risk factors’”.Footnote 51 This means that “companies take a holistic approach and consider a broad range of contextual risk factors and data sources [helping] to ensure … prioritisation decisions are, from the very outset, informed and tailored to their own circumstances”.Footnote 52 The whole value chain of an organisation and any associated business ties may not necessarily need to be mapped out completely or in detail for the scoping exercise – businesses are rather expected to comprehend the broad categories of risks and consequences to which they can be exposed depending on their industries, particular sourcing strategies or important client connections.Footnote 53

This may be relevant for compliance in at least two ways. Firstly, the acceptability of justifications for not having identified or assessed certain impacts or risks will depend on prioritisation decisions made by the company at the scoping level. A credible prioritisation exercise is thus directly relevant to demonstrating compliance with due diligence norms. A prioritisation exercise can be “credible” if it follows the relevant guidance of (soft) legal frameworks concerning its exercise, providing justifications for prioritisation decisions based on an analysis of risk factors. By doing so, companies can demonstrate that, despite the occurrence of an impact (or non-detection of a risk), due diligence expectations may still be fulfilled. By contrast, when the company does not make an in-depth assessment of risks in areas of the value chain that should have been deemed as high risk (considering contextual risk factors or previous knowledge), it may already breach the norms, regardless of the occurrence or materialisation of any impact.

Secondly, even when a company may select high-risk areas for further analysis, this further analysis, wherever it may be focused, needs to encompass at least the various issues regulated by due diligence. A company would thus not be able to say that it prioritised, for instance, carrying out in-depth impact assessments in relation to human rights but ignored carrying out in-depth assessments in relation to environmental matters. Instead, the approach requires corporations to measure and assess impacts relating to all positions protected by due diligence but not necessarily relating to all or the same areas of the value chain. This is not to say that impacts pertaining to different protected interests are necessarily located in the same areas of the value chain. Rather, when and if a company prioritises at the scoping level, it nonetheless needs to determine, for all protected interests regulated by due diligence, what are those high-risk areas, so that it can subsequently prioritise them for more in-depth assessments.

2. Prioritisation at the stage of addressing identified impacts

The second circumstance in which prioritisation may be relevant relates to the high number of impacts assessed when it is impossible to address them all simultaneously. Once certain areas of the value chain are eventually prioritised during scoping, corporations are then expected to conduct further in-depth assessments to precisely evaluate the impacts they may be involved in. After conducting such assessments, the corporation already knows what the impacts involved with its activities are, has already measured them and can locate them in specific areas of the value chain. In this case, soft law frameworks recognise that there may be “legitimate resource and logistical constraints on the ability of the enterprise to address them all immediately”.Footnote 54 This principle is “about sequencing responses”, but corporations would still be accountable for addressing all of their actual and potential impacts.Footnote 55 Furthermore, at this stage, corporations should consult with impacted or potentially impacted stakeholders and rightsholders specifically about prioritisation decisions.Footnote 56 Thus, when a corporation cannot address all impacts, it should prioritise addressing some over others. In this context, a traditional risk assessment approach is followed, ranking impacts relative to each other according to their significance. The significance of an adverse impact is determined with reference to indicators of severity (comprising scale, scope and irremediability) and likelihood.Footnote 57 Fully exploring the meaning of these concepts is beyond the scope of this paper; however, it is important to highlight that indicators of severity appear to be measured differently depending on the type of adverse impact to be assessed. For example, in the field of human rights, the scale of an impact may be expressed as the gravity or extent of infringement of those rights, whereas in the environmental field, this may be understood as the gravity of adverse environmental changes connected to the corporation’s activities. In the same sense, the scope of an impact is usually expressed in the number of people impacted or the percentage of identifiable groups of people that are impacted in the human rights field.Footnote 58 However, in the environmental field, this factor can be expressed by the geographical reach or the number of species impacted.Footnote 59 Despite these differences in metrics, the determination of the level of significance of impacts is an important aspect of what is expected from corporations when conducting in-depth assessments. The significance framework provides evaluation criteria to assess the level of risk for all impacts affecting adversely the different interests protected by due diligence norms.

3. Conclusions on prioritisation under soft law frameworks

The analysis of soft law frameworks reveals important conclusions concerning the moments when prioritisation takes place and the different criteria meant to be used at each stage. Furthermore, both scoping procedures and impact assessments stand out as important tools for prioritisation. At the initial stage of prioritisation, the scoping exercise should deliver an analysis of risk factors that justifies focusing further in-depth impact assessments in certain areas of the value chain. At a later stage, in-depth impact assessments are instead aimed at obtaining a measure for comparing and ranking the various impacts identified against each other. While the methodology to be adopted by corporations for these impact assessments is still developing in practice, soft law frameworks provide some clarity with regard to the outcomes that they are meant to yield. These are, on the one hand, the quantification of the significance indicators associated with specific impacts and, on the other hand, the determination of the type of involvement tying the corporation to those specific impacts. Assessing the significance of adverse impacts yields measurements that allow for a comparison of specific impacts relative to each other – an essential aspect when prioritising. Assessing the type of involvement that ties a corporation to an adverse impact will rather determine the nature of the responsibility binding the corporation with regard to remediation and the use of leverage.Footnote 60

However, even if impact assessments can yield such outcomes, the question remains as to determining how corporations can integrate these assessments within their corporate governance structures concerning the management of risks. Fasterling explores the challenges of integrating value chain risk assessments within broader frameworks of enterprise risk management (ERM), highlighting the inherent tensions involved in integrating broader public regulatory goals such as environmental or human rights protection within ERM systems that presuppose that all relevant risks can be ultimately rendered in strongly commensurate terms.Footnote 61 The analysis of prioritisation conducted here further reveals important limitations of risk management approaches related to the question of commensurability: namely, concerning the comparability of the significance of impacts pertaining to different policy domains. As seen, indicators of severity (scale, scope and remediability) are measured in different ways depending on the type of impact considered. There is thus difficulty in comparing measures of severity that do not pertain to impacts affecting the same protected interests under due diligence regulations. Even assuming one can compare these measures of severity, the different weight attributed to the likelihood component in the case of human rights impacts complicates the establishment of a cross-issue hierarchy of impacts. Contrary to other types of impacts, the likelihood of human rights risks will have a lesser weight in the assessment of its overall significance because a delayed response may affect remediability.Footnote 62 Corporations are not meant to delay their responses to human rights impacts that have a low probability of occurring, and the dominant factor to consider is instead the severity of the impact.Footnote 63 Thus, if a human rights impact is determined to have the same level of severity as an environmental impact, it will be difficult for an enterprise to assess when the likelihood of that environmental impact would justify determining its significance as superior to that of the human rights impact. This is problematic since, to comply with due diligence obligations, a corporation should be able to justify why it prioritises addressing certain impacts over others; however, if it does so, it opens itself up to the possibility of being held accountable for this decision. Impacts pertaining to the same policy domain appear to be measured by indicators of significance that are comparable, and corporations could arguably devise a methodology to demonstrate credibly why addressing one concern should take priority over another. The situation is different when choosing to prioritise across different protected positions, and it is not clear, neither in the literature nor in any of the frameworks, how this challenge is to be addressed. A final note in this section should also mention that due diligence is a dynamic process. As such, over time, the nature, quantity and significance of risks present in a firm’s value chain can vary. This complicates the process for corporations, as it requires a constant monitoring of the levels of risk already identified as well as a constant monitoring of possible risks not yet identified. Only by ensuring such monitoring can corporations guarantee that the level of significance of different impacts is correctly assessed and ranked against other adverse impacts identified.

III. The prioritisation of risks under due diligence laws and legislative proposals

This section analyses the various laws and proposals that are “hardening” due diligence obligations. Comparing the solutions found in these laws on the question of prioritisation to those found in soft law frameworks can be useful for understanding whether regulatory action in this field is aligned with non-binding normative frameworks. Even though all frameworks analysed contain at least references to risk prioritisation, the level of detail and development of these requirements and their operation are variable across the different norms analysed. As will be seen, two different approaches are identified in this context: a more limited and general approach as well as a more detailed and specific approach.

1. Laws on value chain due diligence

a. A limited and general approach

Some of the laws enacted on this subject in the EU opt to regulate the question of prioritisation following a limited and general approach. This approach consists in mentioning the concept of prioritisation without detailing the ways in which it is meant to operate. For example, the French law merely contains references to prioritisation without specifying the stages at which it can take place nor the criteria to be followed by enterprises when prioritising.Footnote 64 Similarly, the Norwegian law also merely contains a reference to prioritisation appearing to be directed only at the stage of addressing impacts.Footnote 65 The question raised is thus that of knowing how the concept of prioritisation should be interpreted under these laws. Good arguments would support interpreting the concept of prioritisation under these laws in accordance with that developed under international soft law frameworks of reference. For example, parliamentary works on the French law referred to the UNGPs and OECD Guidelines as sources of inspiration to interpret the obligation,Footnote 66 and the Norwegian law goes further by making clear that due diligence should be carried out “in accordance with the OECD Guidelines”.Footnote 67 Nevertheless, these laws and proposals can be said to regulate the question of prioritisation mechanisms in a limited and very general manner. The concept of prioritisation is merely placed within these regulations without much explanation concerning the relevant aspects of its operation.

b. A detailed and specific approach

Other laws opt to follow a different approach by regulating in more detail the question of prioritisation. The German law is the case in point here, in that is provides in its text a set of prioritisation criteria to be followed by corporations by alluding to various factors in a non-exhaustive list.Footnote 68 A recent interpretative guidance document issued by the German administration on the question of prioritisation also clarifies that prioritisation can take place at the scoping level and that corporations should focus efforts on data collection regarding high-risk suppliers, provided that they are aware of their integration into the value chain.Footnote 69 The guidance also makes clear that, at this stage, the abstract assessment of risks should take place by reference to risk factors (mentioning at least sector-specific and country-specific factors).Footnote 70 In this respect, the interpretation set out in the guidance by the German administration seems to be aligned with international frameworks of reference. However, with regards to prioritisation criteria at the level of addressing adverse impacts, the German law outlines criteria that go beyond what is developed by international frameworks of reference. The guidance document on the prioritisation of risk concerning the law clarifies that the German legislator intended to apply the significance framework only to a select group of entities in the value chains of companies bound by the legislation: namely, high-risk direct suppliers.Footnote 71 The criteria to be used in prioritisation decisions on addressing impacts related to other entities in the value chain (eg indirect suppliers) is thus broader than the one found in the soft law frameworks. This solution found in the German law was justified because of concerns relating to the proportionality of the regulation and the need to limit further the vertical value chain scope of the regulation by introducing an adequacy criterion based on a sliding model of involvement in adverse impacts (instead of the graduated model found in soft law frameworks).Footnote 72 However, the solution found appears to be problematic for prioritisation in at least one sense. It frustrates the objective of requiring corporations to address, in the first place, those adverse value chain impacts that are more significant. It does so by displacing factors used for other purposes and bringing them into the analysis of prioritisation and hierarchisation of risks. For example, the nature of the causal relationship between a company and a given risk determines the kind of response that corporations should take. Certain stronger or closer causal relations (causation or contribution) will, in principle, warrant remediation, whereas weaker or more distant ones (linkage) may only give rise to an obligation to prevent or mitigate a risk. However, this question is different from knowing which impacts corporations should prioritise when prioritisation is necessary. It may well be that an impact to which a corporation is merely linked should be prioritised for action because it is more significant than one that the same corporation may have caused or contributed to. Thus, factors “such as the degree of leverage a company has over a particular business relationship, will impact the actions companies take to address an impact – but not how they prioritise”.Footnote 73 By adding an expanded set of prioritisation criteria, the German legislator may have increased the flexibility awarded to companies to comply with the regulation; however, this flexibility comes at the expense of not requiring corporations to prioritise addressing the most significant risks present in their value chains.

2. Legislative proposals on value chain due diligence

Despite not being formally enacted laws on value chain due diligence, a mention of current legislative proposals on this subject is useful for reflecting on the approaches identified in Section III.1 and for showcasing the realm of possibilities suggested by different legislators when regulating the question of prioritisation.

The Dutch proposal goes further than a mere mention of prioritisation by setting a clear obligation for companies to collect information on sectoral, geographical, product and enterprise-level risk factors in the initial stages of due diligence.Footnote 74 The initial version of the Belgian proposal only contained a reference to prioritisationFootnote 75 ; however, the amended version of the proposal goes further by developing prioritisation criteria, adding that companies must assess the “significance, the risk and the urgency” of adverse impacts, using language arguably inspired by the OECD Guidelines.Footnote 76 In providing such additions, these texts furnish additional normative content related to aspects that are relevant for prioritisation: namely, the assessment of risk factors in the Dutch case or the assessment of significance indicators in the Belgian case. The pathway of the EU negotiations on the due diligence text also showcases interesting aspects. The European Commission proposal only had short references to prioritisation in its recital,Footnote 77 making unclear the ways in which corporations are supposed to prioritise in the operative part of the text. However, later versions of the text start to enter the terrain of more specific and detailed approaches. The European Council’s general approach added a new “Article 6a” on the subject of prioritisation and explicitly mentioned the scoping procedure (contemplating the possibility for corporations of conducting it and, through it, deciding on priorities for in-depth assessment).Footnote 78 The recent European Parliament (EP) political compromise more clearly defines the concept of risk factors,Footnote 79 as well as their relevance in the context of prioritisation decisions at the initial stages of due diligence.Footnote 80 In relation to the significance framework, all of the EU documents analysed here mentioned it to some extent as the criteria to be followed in the context of prioritisation at the level of addressing impacts by referring to the severity and likelihood of adverse impacts.Footnote 81 However, only the European Council’s general approach makes clear that, at the level of addressing the impacts identified and assessed, the significance criterion is the one that provides exclusive guidance on prioritisation decisions.Footnote 82 While the final text of the law is still being negotiated, it is worth noting that the inclusion of contextual risk factors as criteria to be “taken into account” at the stage of addressing impacts appears not to be aligned with the aims of prioritisation established by soft law frameworks internationally, which reserve for this stage the significance of identified risks as the exclusive criteria for prioritising action. In this sense, the recent EP proposal appears to deviate from internationally recognised guidance on the subject. The analysis of these proposals also reveals that, as they evolve through different versions, prioritisation mechanisms tend to be regulated in an increasingly detailed and specific manner, as can be seen in the evolution of the Belgian and EU proposals.

3. Stakeholder engagement and prioritisation

An aspect where all laws and proposals are silent is the question of stakeholder engagement concerning prioritisation decisions. Only the EU,Footnote 83 DutchFootnote 84 and BelgianFootnote 85 frameworks clearly state that the measures and plans to be established by a company should be elaborated based upon a consultation of interested stakeholders. The NorwegianFootnote 86 and GermanFootnote 87 laws, respectively, adopt less stringent formulations by requiring corporations to “communicate” or “give due consideration to the interests” of affected stakeholders and rights-holders. Nevertheless, none of the frameworks address the question of whether prioritisation decisions imply specific stakeholder engagement, as is made clear by the OECD Guidance.Footnote 88 As argued elsewhere, stakeholder engagement requirements have different functions in the different stages of the due diligence process.Footnote 89 At the initial stage of identifying and assessing impacts, stakeholder engagement would serve to help one to understand the specific impacts of a corporation’s value chain, support prioritisation decisions, reveal whether stakeholders have different perspectives on what the impacts are and how significant they may be and identify different perspectives within and between stakeholder groups.Footnote 90 This contrasts with the role of stakeholder engagement at a stage when corporations are addressing specific impacts. Here, stakeholder engagement is rather expected so that stakeholders can contribute ideas on appropriate actions to take.Footnote 91 In particular, taking into account the prioritisation mechanisms just described, it can be argued that stakeholder engagement at the scoping level can help ensure that corporations are selecting the correct areas of the value chain for further analysis, and that the adverse impacts addressed in those areas are probably the most significant in each policy field. By contrast, at the level of prioritising specific actions, stakeholder engagement should focus on the specific prioritisation decisions being considered by the enterprise to address certain impacts over others. If companies are not transparent about their prioritisation decisions, stakeholders may have difficulties understanding them and be concerned that corporations are not being held accountable for all of their impacts. This analysis highlights that stakeholder engagement can arguably contribute to better prioritisation decisions. However, for the moment, the question of stakeholder engagement in the context of prioritisation decisions is not regulated by any of the laws and proposals within the realm of theoretical possibility.

IV. Conclusion

This analysis shows how the system of prioritisation and hierarchisation of risks developed by the UNGPs and OECD Guidelines has permeated into laws and legislative proposals, suggesting that it holds considerable normative influence in regulatory initiatives relating to due diligence. As these mechanisms become integrated into hard law, prioritisation decisions may imply responsibility for non-compliance when corporations do not identify, assess or address specific impacts. This paper argues that whether and how prioritisation is conducted should not be a matter solely at the discretion of corporations but should rather be mandated by legislation. Given this, specifying prioritisation requirements and modes of operation within the legislative text has the advantage of detailing what is expected from corporations when prioritising, the moments when this prioritisation can take place, the criteria to be used by corporations to this effect and the stakeholder engagement requirements concerning these decisions. Not developing or specifying such aspects leaves these questions unanswered and open to interpretative leeway. This absence of clarity may have repercussions for the application and interpretation of those laws, such as knowing whether and what kinds of justifications a corporation might advance for conducting in-depth assessments and evaluations concerning certain specific corporate activities or business relations but not others, or for deciding to address certain adverse impacts over others. This article thus argues that the specification of these aspects in the text of the norms is welcomed, particularly when it is aligned with international soft law standards on the matter. To facilitate this task, new laws being designed on the subject should clearly address the questions of when and how to prioritise. A correct understanding and application of prioritisation allows companies to prioritise consistently and effectively across jurisdictions without “giving undue weight to other factors”, such as the proximity of or influence over a business partner or the nature of the causal connection to the harm.Footnote 92 Deviating from the significance framework risks leading companies to spend time and resources mapping and evaluating risks and impacts whose significance is probably low, thus frustrating the aims of due diligence.Footnote 93 The analysis of laws and proposals raises awareness of the fact that some frameworks regulate prioritisation mechanisms in ways that might not be entirely aligned with soft law frameworks on the matter, with a case in point being the conflation of the significance framework with other prioritisation criteria at the stage of addressing impacts found in the German law and EP proposal. This article thus alerts us to the potential nefarious effects that such conflation might entail: namely, those of frustrating the aims of risk-based prioritisation of requiring companies to address in the first place those impacts that are relatively more significant in the overall context of their value chain. A clearer understanding of the prioritisation mechanisms contained in soft law frameworks provides an important basis for understanding what is expected of corporations in this context. This article provided this analysis, filling a gap in the literature and also highlighting the difficulties that remain concerning the comparability of adverse impacts pertaining to different protected interests regulated by due diligence.

Financial support

This article has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 949690).

Competing interests

The author declares none.

References

1 P Verbruggen, “New Liabilities in Global Value Chains: An Introduction” (2022) 13 European Journal of Risk Regulation 541, 541.

2 J Salminen and M Rajavuori, “Transnational Sustainability Laws and the Regulation of Global Value Chains: Comparison and a Framework for Analysis” (2019) 26 Maastricht Journal of European and Comparative Law 602, 603.

3 ibid, 617–20.

4 ibid.

5 C Bright et al, “Toward a Corporate Duty for Lead Companies to Respect Human Rights in Their Global Value Chains?” (2020) 22 Business and Politics 667.

6 A Rühmkorf, “Global Supply Chain Governance: The Search for What Works” (2018) 23 Deakin Law Review 63.

7 Verbruggen, supra, note 1, 544.

8 A Pietrancosta, “Codification in Company Law of General CSR Requirements: Pioneering Recent French Reforms and EU Perspectives” [2022] SSRN Electronic Journal, para 6 <https://www.ssrn.com/abstract=4083398> (last accessed 31 August 2022).

9 Loi n° 2017-399 du 27 mars 2017 relative au devoir de vigilance des sociétés mères et des entreprises donneuses d’ordre (French law).

10 Act on Corporate Due Diligence Obligations for the Prevention of Human Rights Violations in Supply Chains (Lieferkettensorgfaltspflichtengesetz – LkSG), Official Translation of the German Federal Ministry of Labour and Social Affairs (2021) <https://www.bmas.de/EN/Services/Press/recent-publications/2021/act-on-corporate-due-diligence-in-supply-chains.html> (last accessed 9 June 2022) (German law).

11 Act Relating to Enterprises’ Transparency and Work on Fundamental Human Rights and Decent Working Conditions, LOV-2021-06-18-99, Translation Provided by the Norwegian Ministry of Children and Families (2021) <https://lovdata.no/dokument/NLE/lov/2021-06-18-99> (last accessed 9 November 2022) (Norwegian law).

12 MVO Platform, “Unofficial English Translation of the Dutch Bill for Responsible and Sustainable International Business Conduct” (2022) <https://www.mvoplatform.nl/en/translation-of-the-bill-for-responsible-and-sustainable-international-business-conduct/> (last accessed 9 November 2022) (Dutch proposal).

13 For the proposal, see Proposition de Loi Instaurant un Devoir de Vigilance et un Devoir de Responsabilité à Charge des Entreprises Tout au Long de Leurs Chaînes de Valeur, 2 April 2021, DOC 55 1903/001 <https://www.lachambre.be/FLWB/PDF/55/1903/55K1903001.pdf> (last accessed 11 October 2023) (Belgian proposal); for the amendment of the proposal, see Proposition de Loi Instaurant un Devoir de Vigilance et un Devoir de Responsabilité à Charge des Entreprises Tout au Long de Leurs Chaînes de Valeur – Amendement, 8 August 2022, DOC 55 1903/003 <https://www.lachambre.be/FLWB/PDF/55/1903/55K1903003.pdf> (last accessed 11 October 2023) (Belgian amendment).

14 For the EU proposal, see European Commission, “Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and Amending Directive (EU) 2019/1937” (2022) COM/2022/71 Final <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0071> (last accessed 11 October 2023) (Commission proposal); for the Council’s general approach, see also Council of the European Union, “Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and Amending Directive (EU) 2019/1937 – General Approach” (2022) Interinstitutional File 15024/1/22 <https://data.consilium.europa.eu/doc/document/ST-15024-2022-REV-1/en/pdf> (last accessed 5 January 2023) (Council’s general approach). For the European Parliament version, see “Amendments Adopted by the European Parliament on 1 June 2023 on the Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and Amending Directive (EU) 2019/1937 (COM(2022)0071 – C9-0050/2022 – 2022/0051(COD))” (2023) <https://www.europarl.europa.eu/doceo/document/TA-9-2023-0209_EN.html> (last accessed 18 October 2023) (EP political compromise).

15 OHCHR, “Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework” (UN 2011) UN Doc HR/PUB/11/04 <https://digitallibrary.un.org/record/720245> (last accessed 9 June 2022) (UNGPs).

16 OECD, OECD Guidelines for Multinational Enterprises, 2011 Edition (OECD 2011) <https://doi.org/10.1787/9789264115415-en> (last accessed 9 June 2022).

17 OECD, OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (OECD 2023) <https://doi.org/10.1787/81f92357-en> (last accessed 4 October 2023) (OECD Guidelines).

18 Pietrancosta, supra, note 8, para 14.

19 OHCHR, “The Corporate Responsibility to Respect Human Rights – An Interpretative Guide” (UN 2012) HR/PUB/12/02 <https://www.ohchr.org/en/publications/special-issue-publications/corporate-responsibility-respect-human-rights-interpretive> (last accessed 6 January 2023) (UNGPs Interpretative Guide).

20 OECD, “OECD Due Diligence Guidance for Responsible Business Conduct” (2018) <https://www.oecd.org/investment/due-diligence-guidance-for-responsible-business-conduct.htm> (last accessed 9 June 2022) (OECD Guidance).

21 OECD, OECD Regulatory Policy Outlook 2021 (OECD 2021) 184 <https://www.oecd-ilibrary.org/governance/oecd-regulatory-policy-outlook-2021_38b0fdb1-en> (last accessed 9 January 2024).

22 ibid, 209.

23 ibid, 187.

24 ibid.

25 ibid, 189.

26 For development of the concept, see V Jentsch, “Corporate Social Responsibility between Self-Regulation and Government Intervention: Monitoring, Enforcement and Transparency” (2020) 31 European Business Law Review 285. See also C Parker, “Meta-Regulation: Legal Accountability for Corporate Social Responsibility” (3 November 2006) <https://papers.ssrn.com/abstract=942157> (last accessed 17 January 2024).

27 For an analysis of the advantages and shortcomings of this type of regulation, see C Coglianese, “Management-Based Regulation: Implications for Public Policy”, Risk and Regulatory Policy – Improving the Governance of Risk (OECD 2010) pp 163 and ff <https://www.oecd-ilibrary.org/content/component/9789264082939-10-en> (last accessed 6 March 2024).

28 ibid, 159.

29 For a complete discussion on the types of regulatory commands available in the context of risk-based regulation, see ibid, 159 and ff.

30 “Compliance” in this article refers to fulfilment of the binding legal requirements established by due diligence laws. Such fulfilment may be assessed by an enforcement authority or judge in particular cases.

31 OHCHR, “UN Human Rights ‘Issues Paper’ on Legislative Proposals for Mandatory Human Rights Due Diligence by Companies” (2020) p 11 <https://www.ohchr.org/sites/default/files/Documents/Issues/Business/MandatoryHR_Due_Diligence_Issues_Paper.pdf> (last accessed 6 July 2022); see also DR Boyd and S Keene, “Essential Elements of Effective and Equitable Human Rights and Environmental Due Diligence Legislation” (UN OHCHR 2022) p 16 <https://www.ohchr.org/sites/default/files/documents/issues/environment/srenvironment/activities/2022-07-01/20220701-sr-environment-policybriefing3.pdf> (last accessed 13 January 2023).

32 OECD, “Translating a Risk-Based Due Diligence Approach into Law: Background Note on Regulatory Developments Concerning Due Diligence for Responsible Business Conduct” (2022) pp 26–27 <https://mneguidelines.oecd.org/translating-a-risk-based-due-diligence-approach-into-law.pdf> (last accessed 13 January 2023).

33 See, eg, the new Art 3(d) of the Disclosure chapter of the 2023 version of the OECD Guidelines. See also Art 4 para 2(a) of Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability-related disclosures in the financial services sector 2019 (OJ L 317/1); see also para 34(b) of the draft requirements on disclosure designed to be applied by corporations complying with the new EU Directive 2022/2464 on Corporate Sustainability Reporting (CSRD) in EFRAG, “Draft European Sustainability Reporting Standards – ESRS 2 – General Disclosures” (2022) <https://www.efrag.org/Assets/Download?assetUrl=%2Fsites%2Fwebpublishing%2FSiteAssets%2F07.%2520Draft%2520ESRS%25202%2520General%2520disclsoures%2520November%25202022.pdf> (last accessed 9 October 2023).

34 R McCorquodale et al, “Human Rights Due Diligence in Law and Practice: Good Practices and Challenges for Business Enterprises” (2017) 2 Business and Human Rights Journal 195, 209.

35 A Schilling-Vacaflor, “Integrating Human Rights and the Environment in Supply Chain Regulations” (2021) 13 Sustainability 9666, 11 <https://doi.org/10.3390/su13179666> (last accessed 17 October 2023).

36 J Harrison, “Human Rights Due Diligence: Challenges of Method, Power and Competition” (Warwick Research Archive Portal, 16 March 2023) p 13 <http://wrap.warwick.ac.uk/174876/> (last accessed 11 October 2023).

37 For the obligation to assess adverse human rights impacts, see UNGPs, pp 19–20; UNGPs Interpretative Guide, p 40; The OECD Guidelines extend this obligation to other protected interests, eg Art 1(a) of the Environment chapter of the OECD Guidelines.

38 The literature on this aspect tends to focus on specific types of impact assessments to be conducted by corporations in the context of their due diligence process. For example, the literature on human rights impact assessments (HRIAs) has highlighted that “there is no unique framework or unique methodology to identify risks and implement human rights compliance requirements and procedures”; in LL Rodríguez, “Human Rights Compliance Assessment (HRCA)” in WL Filho et al (eds), Good Health and Well-Being (New York, Springer International Publishing 2019) p 4 <http://link.springer.com/10.1007/978-3-319-71058-7_13-1> (last accessed 11 February 2021). Concerns have also been raised regarding the credibility and robustness of HRIAs in Harrison, supra, note 36, 13. The literature on environmental impact assessments (EIAs), while extensive, is rather focused on national laws whose application is usually confined to major developments that are likely to have a significant impact on the environment, typically setting thresholds below which an EIA is not required. As such, this literature provides limited insights, since the expectation placed on companies under due diligence seems to be “not triggered by a particular threshold of risk” and can therefore refer to “additional impact assessments than those required by national legislation” or “emphasise higher expectations on how business entities carry out assessments required by national legislation”; in E Morgera, Corporate Environmental Accountability in International Law (2nd edition, Oxford, Oxford University Press 2020) p 149.

39 UNGPs, Commentary to Principle 17; OECD Guidelines, Commentary to ch II, para 20.

40 UNGPs, Principle 24; OECD Guidelines, Commentary to ch II, para 19.

41 UNGPs, Commentary to Principle 17; OECD Guidelines, Commentary to ch II, para 20.

42 UNGPs, Principle 24 and Commentary; OECD Guidelines, Commentary to ch II, para 19.

43 See UNGPs, Commentary to Principle 17; see also UNGPs Interpretative Guide, p 42; 2023 OECD Guidelines, Commentary to ch II, para 19.

44 For a definition of the scoping exercise, see OECD Guidance, p 61, distinguishing it from the actual assessment of impacts.

45 ibid, p 25.

46 ibid, pp 61–62.

47 ibid, pp 25, 62.

48 The OECD Guidance provides a list with examples of primary and secondary sources that enterprises should base their high-level risk analysis on at pp 25, 63, 64.

49 ibid, p 25, Practical Action (c).

50 The OECD Guidance at p 45 explicitly states that “prioritisation of significant risks or impacts will be relevant both when enterprises identify impacts, as well as when they seek to (address) prevent and mitigate impacts” (emphasis added). Highlighting the same understanding referring to the need for “practical, prioritised impact assessment[s]” for companies with vast value chains, see Y Aftab, A Mocle and E Rights, “A Structured Process to Prioritize Supply Chain Human Rights Risks – A Good Practice Note Endorsed by the United Nations Global Compact Human Rights and Labour Working Group on 9 July 2015” (United Nations Global Compact 2015) pp 15–16 <https://unglobalcompact.org/library/2851> (last accessed 11 October 2023).

51 OECD, supra, note 32, 7–8.

52 ibid, 10.

53 ibid.

54 UNGPs Interpretative Guide, p 82. See also OECD Guidance, pp 17, 46.

55 UNGPs Interpretative Guide, p 84.

56 OECD Guidance, p 28, Practical Action (e).

57 UNGPs, Commentary to Principle 14; OECD Guidance, p 42. The OECD Guidance also mentions that the imminence of an impact may be considered secondarily to support prioritisation decisions at p 73.

58 ibid.

59 ibid, 43.

60 For a detailed discussion of the subject, see the debate in JG Ruggie and JF Sherman, “The Concept of ‘Due Diligence’ in the UN Guiding Principles on Business and Human Rights: A Reply to Jonathan Bonnitcha and Robert McCorquodale” (2017) 28 European Journal of International Law 921.

61 B Fasterling, “Human Rights Due Diligence as Risk Management: Social Risk versus Human Rights Risk” (2017) 2 Business and Human Rights Journal 225.

62 UNGPs, Commentary to Principle 24.

63 UNGPs Interpretative Guide, p 83.

64 Pointing out the absence of clear criteria, see also E Savourey and S Brabant, “The French Law on the Duty of Vigilance: Theoretical and Practical Challenges Since its Adoption” (2021) 6 Business and Human Rights Journal 141, 148.

65 Section 4(c) states that due diligence means to “implement suitable measures to cease, prevent or mitigate adverse impacts based on the enterprise’s prioritisations and assessments pursuant to (b)”.

66 S Brabant, C Michon and E Savourey, “Cornerstone of the Law on the Corporate Duty of Vigilance” (2017) Revue Internationale de la Compliance et de l’Éthique des Affaires 6–7.

67 Section 4.

68 German law, Section 3(2).

69 Federal Office for Economic Affairs and Export Control (BAFA), “Identifying, Weighting and Prioritizing Risks Guidance on Conducting a Risk Analysis as Required by the German Supply Chain Due Diligence Act ‘Lieferkettensorgfaltspflichten-Gesetz’ or ‘LkSG’” p 11 <https://www.bafa.de/SharedDocs/Downloads/EN/Supply_Chain_Act/guidance_risk_analysis.pdf?__blob=publicationFile&v=2> (last accessed 3 October 2023).

70 ibid, 12–16.

71 ibid, 14.

72 The vertical value chain scope of due diligence regulations describes what degree of efforts for different parts of a value chain a corporation is required to adopt in order to discharge the due diligence obligation. For an in-depth discussion of the subject, see D Krebs, “Environmental Due Diligence Obligations in Home State Law with Regard to Transnational Value Chains” in P Gailhofer, D Krebs, A Proelss, K Schmalenbach and R Verheyen (eds), Corporate liability for transboundary environmental harm (New York, Springer 2022) pp 280–84.

73 OECD, supra, note 32, 6; this is also explicitly recognised in Amendment 42 of the EP compromise.

74 Section 2.3.1 para 2(b) and (c).

75 In Art 8 §2 2º, the proposal mentions that corporations are to adopt a vigilance plan that “describes the mechanisms put in place by the undertaking to comply” and shall include “a mapping of the risks intended to identify, analyse and prioritise them” (author’s translation).

76 Art 11 §2 3º (author’s translation). The reference to risk here can be understood as a reference to probability, and the reference to urgency can be understood as a mention of the concept of imminence (see supra, note 56).

77 The Commission proposal mentions prioritisation in its explanatory memorandum when analysing the proportionality of the proposal (p 14), in Recitals 29 and 30 and in the definition of “appropriate measure” in Art 3(q).

78 Council’s general approach, Art 6a and Recital 29 and 30.

79 Defining that risk factors can be situated at “company”, “business model”, “geographic”, “product”, “service” and “sectoral” levels. See EP political compromise, Amendment 129.

80 See ibid, Amendment 151.

81 In Art 3(q) of the Commission proposal, an “appropriate measure” is to one that can achieve the objectives of due diligence, “commensurate with the degree of severity and the likelihood of the adverse impact”; for the Council’s approach, see Art 6a of the general approach. It should be noted, however, that no mention is made of the predominance of severity in the assessment of human rights impacts; for the Parliament’s political compromise, see Amendment 204.

82 See Art 6a of the Council’s general approach; compare with Art 8b proposed by the EP in its political compromise in Amendment 204, where risk factors are once again mentioned at this stage as criteria to guide prioritisation.

83 Art 6 para 4, Art 7 para 2(a) and Art 8 para 3(b) of both the Commission proposal and the Council’s general approach; in relation to the European Parliament political compromise on this topic, see also C Omari, “The EU Parliament Position on the CSDDD – Towards Requiring Meaningful Stakeholder Engagement” (Rights as Ususal, 12 June 2023) <https://orbilu.uni.lu/bitstream/10993/55337/1/The%20EU%20Parliament%20Position%20on%20the%20CSDDD%20%3A%20Towards%20Requiring%20Meaningful%20Stakeholder%20Engagement%3F%20%7C%20Rig.pdf> (last accessed 18 October 2023).

84 Section 2.3.1 Art 4(b).

85 Belgian proposal, Art 8 §3; Belgian amendment, Art 11 §3.

86 Section 4(e).

87 Section 4 para 4.

88 See supra, note 56.

89 S Curphey and J Cole, “Stakeholder Engagement in Human Rights Due Diligence” (2 January 2022) <https://papers.ssrn.com/abstract=4178446> (last accessed 18 October 2023).

90 ibid, 24.

91 ibid, 21–22.

92 OECD, supra, note 32, 17.

93 ibid.