Your Quick Guide To Managing Ethics & Compliance

A few of you have asked me to write about the various supply chain due diligence changes. The European Union (EU)’s Corporate Sustainability Due Diligence Directive (“CSDDD”) is grabbing the most headlines. But Modern Slavery Acts, French, German, and possibly Dutch laws, along with state-level regulation in the States, highlight that this is not new.

Why the fuss, then?

  1. The EU is the biggest ‘bloc’ to move down this path, and there is opposition (within the EU and outside) to this directive.
  2. Sustainability is a broader word than slavery (the EU directive covers human rights and extends to environmental impact).
  3. If we look at previous EU mega-directives (notably GDPR), they tend to be followed, so we presume companies will act.
  4. Acting looks like a LOT of work.

How to unpack this in a brief newsletter?

👉 What’s happened and what’s expected?

👉 What will the EU do?

👉 How should companies respond?

Directives have wiggle room

Directives are subject to a degree of national-level interpretation. The directive was presented as a legislative proposal in February 2002, and debate has simmered since. The parameters of this debate also tell us what the EU intends.

Who

Large companies, mostly. But it’s not that simple. Organisations with 500 or more people and a net turnover of €150m worldwide are in. If you’re in textiles, agriculture, or extractives, you only need 250 or more people and a net turnover of €40m. There’s an extraterritorial element too. The directive covers non-EU companies trading in the EU and meeting the €150m limit (no mention of employees), or €40m with 50% of turnover generated in those three sectors.

These limits and thresholds have naturally caused some debate. From a sustainability perspective, you can see why. Utilities, infrastructure, transport, construction, manufacturing, and technology (for starters) all have impacts, but them’s the rules, for now.

As an add-on, the larger companies must adopt a plan to transition to a sustainable economy and contribute to the 1.5°C global warming target detailed in the Paris Agreement. Simple, right? 😬

What

Organisations meeting the “who” criteria should know what’s done on their behalf and ensure that those actions don’t lead to human rights or environmental violations. Check the Annexes of the directive, as they give examples drawn from other existing regulations (child labour, hazardous waste, etc.).

The areas of debate again help us to see the scope of the CSDDD.

Value chain vs chain of activities: the former would cover what your customers do with your products. Hypothetically, if you (a €150m+ firm) make drones for ostensibly civilian purposes, but a client weaponises them and sells them to people involved in human rights atrocities = big trouble. “Chain of activities” is what most of us would call a supply chain – i.e., where, in theory, we have the most significant leverage to effect change. It’s still a significant undertaking. Just look at the device you’re reading this on – how many components, suppliers, sub-suppliers, and on? How do we go that far in a “risk-based” manner?

Financial services included? That’s up to member states. An odd decision for a sector that interacts with every other industry and could be a force multiplier. Think of commodity traders or private equity buy-outs. As someone who works with impact investors (including development financial institutions), I think we’re missing a trick. One of the BIGGEST problems I’ve seen in DD is leverage. If a well-intentioned €40m turnover seller of sustainable fashion tries to influence a garment manufacturer with 20 bigger clients, how will that work? If the financial institution funding that garment manufacturer’s expansion makes the exact same requirements a condition of lending/investment (and monitors them), they’ll listen. That’s been my experience, at least. If EU member states include financial services, the DD should be conducted during the “pre-contractual phase.” I mention this as DD is often phased in FS firms (from initial screening to post-transaction DD and integration).

DD bureaucratic hell: A well-intentioned but staggeringly stupid (watch this space) directive element requires DD at the group level. In simpler terms, the parent company must fulfil the DD on behalf of its subsidiaries. The intention makes absolute sense – it stops firms from dodging the € thresholds by carving their business into subsidiaries they then blame for acts “we were not aware of as DD is done at the subsidiary level”. But, having been on the receiving end of centralised DD for large MNCs a few times, they are (almost without exception) utter farces. Central-level folks lack the subsidiary’s insight into the nature of the proposed relationships and launch into staggeringly cumbersome or cursory DD that asks all the wrong questions and few of the right ones.

Partners vs relationships: “Established business relationships” apparently would make impact and likelihood prioritisation easier. From what I can understand, it’s differentiating between a long-term partner and a one-off contractor and tailoring the DD accordingly. So far, so smart. But it’s also a sort of DD Schrödinger’s cat – we don’t always know how relationships will develop, and we’re meant to do DD at the beginning.

Incentives and disciplinary measures: Some want directors’ compensation tied to sustainability and DD oversight. Again, I understand why, but on a recent survey where respondents were asked to reply to this statement, “I am incentivised to behave ethically,” a considerable number commented words to the effect, “No, but I shouldn’t need incentives.” Why do we always need to discuss incentivising leaders not to violate human rights or the environment? The stick could include civil liability. Victims of an environmental/human rights failure would have to meet four legal conditions:

  1. damage is caused to a natural or legal person
  2. there has been a breach of due diligence obligations
  3. there is a causal link between (1) and (2)
  4. there is fault (intention or negligence).

From what I can see, the CSDDD is a bit of a mess in its first iteration. When we consider that opposition to/support for the directive differs widely across a very diverse EU bloc (inflamed by the rise of demagogues), the local application could get chaotic. Macron, for example, has already called for a pause on what he sees as overly zealous EU legislation.


How

As Monty Python asked in The Life Of Brian, “How should we f-off, oh lord?” The way every other piece of legislation asked you to:

  1. Policies
  2. Risk assessment
  3. Monitor
  4. Communicate
  5. Train
  6. Have speak-up procedures/channels

I’m not being glib intentionally. As is common with European legislation setting a high bar, the how bit is lacking (putting it kindly). In particular, eight years after the UK Modern Slavery Act, and 12 after the UK Bribery Act, evidencing a detailed risk assessment is largely left to interpretation. In the CSDDD, companies are asked to prevent and mitigate “potential adverse impacts” and “end and minimise [which one!?] actual adverse impacts”. I paraphrase to make my point more punchy, but my cynical interpretation isn’t far off.

Again, I’ll use a case I investigated a while back to make the point:

💣 UK food business accused of using child labour in the press.

💣 The business bought a commodity agri-product from a wholesaler.

💣 The wholesaler bought it from tens of micro-plantations across the region.

💣 In some plantations (in very poor regions), people take kids to work.

💣 Why? Because there is no State (schools, welfare, childcare, etc.).

💣 Plus, they need teenage kids to earn money in the brief harvest season.

💣 So, what should the UK firm do?

💣 The local government won’t help, and what about all the other plantations?

The answer is, of course, that something can be done. But it’s NEVER easy or quick. So phrases like “end” or “minimise” are, in my view, counterproductive. They push regulated firms, with shareholders to report to, into kneejerk decisions that seldom help the victims. The UK Modern Slavery Act did at least explain that in exactly these sorts of cases, the onus of any investigation should be protecting victims from further harm, not expediency. I hope that when it gets to national-level legislation around the CSDDD, there will be a pragmatism acknowledging that small things like SUSTAINABILITY aren’t solved in quarterly reporting cycles.

Enforcement

In many ways, the CSDDD isn’t news. There are regulations covering everything from conflict minerals, to timber, to forced labour, and disposal of batteries. I cite these examples, as there is an expectation that the entity bringing these goods/services into the EU demonstrates that they don’t contravene any of the aforementioned rules and regs.

I’ve seen EU regulation underwhelm (as it did with sanctions) and overwhelm (GDPR?). Let’s see… I suspect the proof of the pudding will be at the national level, where I’d bet on wildly uneven application.

So what?

Many of you will read this and think it sounds a bit like more of the same. Procedurally, it doesn’t mark a huge change for many large MNCs. You’re already doing DD for anti-corruption, anti-money laundering, and sanctions compliance. The advice in these cases is simple: integrate, don’t duplicate.

I’ve heard of book-length DD questionnaires that reflect not risk reality but a horrendous DD Frankenstein’s Monster – body parts of checklists stitched together. Why? I don’t know. With the technology available to me (a small business), I can build simple logic into a questionnaire cheaply and quickly. That many huge and expensive procurement and DD systems don’t do this is staggering. Therefore, a good first question for large MNCs would be, “Does our procurement system work for us, or do we work for it?”

As the table below indicates (to make a point, not serve as the basis for a DD framework), the areas of risk that most traditional DD covers overlap more than it extends, but there are some nodal points (if/then logic steps).

What would you add for CSDDD?

BUT, there is one exception. While complex, understanding human rights impacts (see the example above) is more evidential than estimating environmental impacts. Take the example of cows. To some, they are methane machines devastating our environment. To others, they are a cornerstone of regenerative agriculture (and of moving away from monoculture farming, which is itself accused of numerous environmental ills). I am NOT an environmental expert, but these two poles of the argument indicate the need for context (intensive farming on what was once primary rainforest, versus smallholdings in regenerative systems, for example). Establishing “environmental impact” is not as simple as a DD questionnaire or a bit of Googling.

I’ve worked with firms with the experts to make these assessments – they’ve had skin in the game and boots on the ground (to use two of my favourite clichés). Finding expert environmental impact DD folks will be very different from finding people for the other, more obviously human risks that large firms have (by now) become accustomed to. That many peddlers of DD are now purporting to have the credentials to conduct the environmental impact bit should be treated with extreme caution. Having worked on multi-disciplinary projects with environmental and social impact risk experts, I can say the DD methodology and inputs are fundamentally different. It’s like a tailor saying they’re now also a barber – both relate to appearance and use scissors, but that doesn’t mean it’ll end well.

What should I do?

How do I wrap up such a huge topic? I’ll save discussion around the practicalities of setting up risk-based DD frameworks, what to include in the scope, and how to conduct DD for another day (maybe; it’s a book in itself).


For now, maybe we should take a strategic step back. Could this legislation be the catalyst to ask some better questions? For example:

  1. Why do we need inputs X or Y?
  2. Why must we get X or Y from entity A or B?
  3. Why didn’t we look for alternatives (1 or 2)?
  4. Why do/don’t we risk-rank suppliers this way (why these questions)?
  5. Why do we do DD this way (scope, providers, triage, decision-making)?

Before embarking on a mammoth (and costly) DD binge, try some whys and take a more strategic approach to your supply chain. Even if you’re a large firm, you have at least a year to do so. I know it’s still a big ask, but as someone who has been doing DD (in various formats) since 2006, I can tell you that it’ll be a total nightmare if the tactics (how, who, and what your DD covers) aren’t backed with a strategy.

“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.”
