We're glad you're here! Watch this video for an overview of the Due Diligence Compass. Get started and click on "Watch the video".

„Setting priorities“

Identify and evaluate risks

 Core element 2 of the NAP / Supply Chain Due Diligence Act

In the National Action Plan on Business and Human Rights (NAP), the German government formulates its expectations for companies to respect corporate due diligence along the value chain. This is defined in five core elements (in German only):

  1. a human rights policy statement
  2. procedures for the identification of actual or potential adverse impact on human rights
  3. measures to ward off potentially adverse impacts and review of the effectiveness of these measures
  4. reporting
  5. a grievance mechanism
Starting point
Starting point: What are the requirements?
  • Get an overview of your business activities, corporate principles and your own value chain to link your business activities with the risks

Identify potential risks

reading time approx. 10 min

Only if your company is aware of its own environmental and human rights risks can you take appropriate action against them. First, collect cross-sector and country-specific information on your potential risks.

Basic understanding: What to pay attention to?

Jump to implementation

Change of perspective

Environmental and human rights risks are being analysed from the perspective of (potentially) affected people. In the case of manufacturing companies, this can be employees, smallholder farmers in a coffee plantation or local communities in a tannery. In the case of service providers, it can be the users of the service or those whose rights are restricted due to the use of services (e.g. freedom of expression through wiretapping software).

This change of perspective away from the pure focus on risks for one's own company (e.g. reputational risks, production losses) is important. In practice, this can mean that some risks occur less strongly in your own company, but rather in stages of the value chain with which you are not directly connected. Even if not every risk can be directly addressed, this approach is important.


Explanation: Affected persons

In addition to the company's own employees, external service providers (e.g. temporary workers, cleaning and security staff), employees of business partners along the value chain, people who are involved in the extraction of raw materials, local communities at production sites and end users are all involved in the analysis consider.

Identifying Stakeholders and Cooperation Partners

Understand risks

The reference points for the risk analysis are environmental and human rights risks. To understand risks, first deal with industry- and country-specific risks and then, in a second step, check whether these risks actually apply to your company.

You can find an overview of environmental and human rights risks along the value chain here.

Explanation: Potential and actual negative effects

Potential negative effects on human rights and/or the environment are risks that can still be prevented by taking appropriate measures.

Actual negative effects, on the other hand, relate to negative effects on human rights and/or the environment that have already occurred. Actual effects must be ended immediately and made up for in an appropriate framework, or those affected must be compensated.

The Learning System

Assess risks

The size of your company, the industry it belongs to, the type and location of business activity – all these aspects have a direct impact on how risks or negative effects on human rights throughout global supply chains are being determined. Information about these issues form the basis for the risk analysis and help your company proceed in a systematic manner.

Define scope

In principle, you need to record all stages of the value chain as well as all (potentially) affected groups (e.g. employees in your own company or direct suppliers, local communities, etc.) and all environmental impacts. To begin with, you should deliberately implement a broad risk analysis and get an overview of the environmental and human rights risks. Determining potential risks is a first approximation. However, one should remain pragmatic.

Hint: The Helpdesk Business & Human Rights can advise you on this process .

Implementation: How to proceed?

Collect industry- and country-related information systematically
  • In the first step, you should get an overview of the upstream value chain by writing down where your suppliers are located or where the raw materials come from.
  • In addition, you should get an overview of relevant human rights issues in your industry. Based on this, it is possible to develop a basic understanding of relevant risks. The table below shows how this can be done.
  • In many industries, especially in the manufacturing sector, environmental and human rights risks are primarily located in the upstream value chain. In the electronics industry, for example, the procurement of raw materials required for the manufacture of the products poses a major sustainability risk.
  • In the case of service providers, e.g. finance or insurance industry, risks lie often in the downstream value creation and specifically affect the services or products they offer. Accordingly, a bank that has invested in a dam may be held accountable for environmental damage associated with the construction of the dam.
  • The sector-specific examples in the box “Hint: Environmental and human rights risks in selected value chains” illustrate this in more detail.
  • Obtain an overview of all potentially negative effects on human rights and the environment.
Implementation support: CSR Risk Check

With the CSR Risk Check from the Helpdesk Business & Human Rights, in cooperation with MVO and UPJ, you can filter by raw materials, services or products and countries. The result is an overview of potential environmental and human rights risks based on more than 2,700 sources.

Further information: Identify country and industry risks

Industry-related information

Learn from other companies

Hint: Environmental and human rights risks in selected value chains

As a rule, information can already be used to determine the extent of environmental and human rights risks, especially at the industry and country level, which your company should examine. Here you will find examples for selected industries:

Study | BMAS | 2020 | Die Achtung von Menschenrechten entlang globaler Wertschöpfungsketten. Risiken und Chancen für Branchen der deutschen Wirtschaft | click here (in German only).


Gather information on cross-cutting issues – raw materials, transport & logistics and disposal/recycling:
  • Certain processes in the value chain are of great importance across industries for corporate due diligence and sustainable supply chain management. Consider these in addition to the industry-specific topics. 
  • These cross-cutting issues include raw materials, transport and logistics, as well as disposal/recycling.
  • Familiarise yourself with sustainability issues on these key matters. There is extensive information on all three topics in Table 2 below.
  • Raw materials form the basis for industrial production. Extractive raw materials such as minerals or metals are essential for many German industries and are obtained from various countries around the world.
  • The transport of goods and their storage are important economic functions. Here, too, it is important to examine environmental and human rights risks. This is especially true for companies in industries in which transport and logistics processes play a major role. In addition to wholesale and retail, this includes the automotive and electronics industries, mechanical engineering and the metal industry. Think, for example, of the working conditions in truck transport, on container ships or at ports.
  • The same applies to disposal and recycling activities, especially if they take place abroad. This affects primarily the automotive, shipping, chemical and information and communication technology industries.
  • Other cross-cutting issues that you should examine include “classic” procurement issues such as building cleaning/cleaning specialists, security personnel/security services, catering and building maintenance. If possible, you should also record environmental and human rights risks for these service sectors.
Further information: Cross-cutting issues
Create an overview of environmental and human rights risks throughout the value chain
  • Summarise the information from the various sources and assign the identified environmental and human rights risks to the value chain tiers.
  • Use the mapping of your value chain and the locations (see step 1.2 Understand your value chain)
  • Check which risks, meaning negative environmental and human rights impacts, occur at which value chain tier and/or in which process.
    Risk analysis tool
  • The determination of the potential risks is a first approximation. As a next step, you should combine the results with company-specific data to determine actual risks.
Implementation support: Creating an overview of environmental and human rights risks along the value chain

With the help of a visualisation, you can clearly assign environmental and human rights risks to the individual value chains and prepare information for the in-depth analysis that follows in the next step. This way you can bring your interim results from the first and second phases of the Due Diligence Compass together (see the example below).

You can find a template for the visualisation in the online portal "Sustainability Management for SMEs" from the Bavarian State Office for the Environment (in German only).

Online tool | Bavarian State Office for the Environment | Nachhaltigkeitsmanagement für KMU – Nachhaltige Lieferkette. Prozessschritte und Starter-Kit | Click here (in German only).

Hint: Guide to conducting risk analyses for cocoa producing countries

Members of the German Initiative on Sustainable Cocao have committed to implementing their human rights and environmental due diligence obligations in accordance with the UN Guiding Principles on Business and Human Rights by 2025. The guide published by the SÜDWIND Institut für Ökonomie und Ökumene takes up an important core element of the implementation of the due diligence obligations. It is intended to support SMEs in carrying out risk analyses for the cocoa-growing countries with which they work.

The publication guides - illustrated by an additional flowchart - in detail through the seven steps companies can use to conduct the risk analysis. It also includes background information and analysis for the main cocoa-producing countries of Côte d'Ivoire, Ghana, Cameroon, Nigeria, Ecuador, Peru, the Dominican Republic, Nicaragua, Liberia, Togo, Sierra Leone and Bolivia.

The guide was intensively discussed with the members of the working group "Human Rights Due Diligence" of the German Initiative on Sustainable Cocoa. Furthermore, the Helpdesk on Business & Human Rights supported the entire process of developing this publication. 

Read the guide here. Please click here to access the flow chart as a supplement to the guide.



Identifying actual risks

reading time approx. 5 min

Use the industry and country-specific overview of potential environmental and human rights risks to determine which risks apply to your company. To do this, involve your employees and direct suppliers as well as other external sources.

Basic understanding: What to pay attention to?

Jump to implementation

Since every company has its own characteristics, especially with regards to its various locations, its suppliers and the countries it supplies to, not every industry or country risk necessarily corresponds to the company-specific risk.  

It is therefore important that you compare the previous research results with your own company activities in order to identify additional risk areas and to check whether the results of the industry- and country-specific research apply to your company.

The Learning System

The comparison can also be used to document and compare existing processes and measures. Phase 3 Selecting and implementing measures deals intensively with the actual situation.

Implementation: How to proceed?

Engage in an exchange with employees
  • The exchange makes it possible to map all central perspectives in the company as well as foster motivation for sustainable supply chain management.
  • Use existing sources of information, for example documentations from internal environmental management, compliance hotlines, employee surveys, works council minutes or reports on specific incidents (see step 5.3 Feed back results into the processes).
Implementation support: Preparatory questions for the exchange with employees

Who should be involved?

Departments that are already dealing with environmental and human rights risks should be involved. This could also include departments, responsible colleagues or committees related to corporate strategy, law/compliance, purchasing/procurement, human resources, sustainability, quality management, environmental management, public relations and the works council.

Target group-oriented communication

In the case of smaller companies, many activities run directly through the management. If this applies to your company, you should involve the management at this point.

Try to adapt terminology to the respective field of activity or business area of the participants. This promotes an understanding of sustainability issues, which are likely to be new at least for some departments.

In which format should the exchange take place?

A direct exchange is recommended for a systematic approach (for example: a workshop in which various departments identify and discuss environmental and human rights risks). In addition, interviews with key people in the company can help prepare the exchange or to address specific topics.

Basically, it is important to be well prepared and to have a clear formulation of what you expect from colleagues as well as what they can expect in return. A clear process is also key. You should also plan enough time to present the (new) topic and to gather information from various departments and committees.

A transparent process also includes a certain amount of regularity in order to allow new findings to flow into risk management. Here it is advisable, for example, to put together a small project team from the workshop and arrange regular meetings/jour fixes. In addition, it is recommended that you inform those involved that there are further process steps in which their participation is of great importance – this includes, among other things, the comparison with existing processes and measures in phase 3 Selecting and implementing measures.

The Helpdesk Business & Human Rights can advise you on this process.


Get in touch with your direct suppliers
  • Especially SMEs should use existing information (if possible) in order to keep the time required for the first risk analysis within limits.
  • In this phase of the risk analysis, you should (if possible) also talk to your direct suppliers (see step 3.5 Supplier Review and Capacity Building)
  • The strategies or guidelines of the suppliers themselves can provide information.
  • If available, certificates of credible environmental or social audits, self-assessments of a supplier or on-site visits can be used to determine the actual risks that affect your company.
  • An overview of the sustainability standards relevant to your company and a classification of their performance as instruments for implementing due diligence processes can soon be found in the Standards Compass.

Supplier Review

Use other sources
  • As a rule, when starting sustainable supply chain management, there is no direct contact with those (potentially) affected by negative sustainability effects.
  • If there are contacts with NGOs or experts from civil society organizations, you should use them to understand to what extent the human rights of affected groups are (potentially) impaired or endangered by the actions of your company.
  • The Helpdesk Business & Human Rights regularly brings companies and civil society together to discuss in a confidential setting how both sides can work together constructively on site. The information packages for the event series “Round Table: NGOs and Companies” can be found here.
  • You should strive for an exchange with (potentially) affected persons, NGOs and other experts, when developing and expanding your risk analysis. (see step 2.3 Assess and prioritise risks continuously)
    Identifying Stakeholders and Cooperation Partners
    Interview Guide Civil Society
Record your company's connection to environmental and human rights risks along the value chain
  • After completing the company-specific approach to environmental and human rights risks, you should clarify the link between the identified risks and your company. This makes it easier for you to prioritise environmental and human rights risks in the following steps.
  • Determine how your company is connected to the identified sustainability risks. To do this, use the visualisation of your supply chain developed from step 1.2:
    • Causation: Sustainability risks occur in one's own company or in subsidiaries;
    • Contribution: Sustainability risks arise with contractual business partners/direct suppliers;
    • Indirect connection: Sustainability risks arise with sub-suppliers (without a contractual relationship with your company).
  • At this point, it is a question of pragmatic categorisation.
  • This helps you to develop measures to avert negative effects based on the risk analysis (see step 3.3 Derive measures from risk management)
  • With this information, you can move on to the last step of phase 2: the assessment and prioritisation of environmental and human rights risks.

Supplier Review
Target Group-Oriented Communication


Assess and prioritise risks continuously

reading time approx. 9 min

Prioritize and evaluate the environmental and human rights risks that you’ve identified continuously so that the most serious risks can be addressed first with appropriate measures. Always ask yourself: Which sustainability risks should my company focus on?

Basic understanding: What to pay attention to?

Jump to implementation

Consider the entire value chain

Try to consider all the issues along the value chain that you identified in the two previous steps of the Due Diligence Compass. In many industries, the risks of negative effects for the affected parties and the environment are higher along the supply chain than at their own location. It is therefore important that companies do not focus solely on their own activities. The assessment and prioritisation should be undertaken irrespective of the influence you can exert to promote sustainability in your value chain.

Reduce complexity

While you should always keep an eye on your entire value chain, it can be too overwhelming to evaluate and prioritise all identified environmental and human rights risks, especially in the beginning. As a result, it makes sense to focus on certain products, sustainability issues, value creation stages or business relationships – based on, for example, available industry or country-specific information – and evaluate and prioritise (potential) negative effects there.

Evaluation criteria

There are two dimensions to consider when prioritising risks: the severity of the (potential) negative impact and the probability of occurrence. The (potential) negative impact refers to the impact on the affected parties or the environment. This understanding is critical to the appropriate handling of environmental and human rights risks. This is particularly important if you want to use existing risk management processes.

In addition, the severity of the (potential) negative effects is weighted higher in the prioritisation than the probability of occurrence. If, for example, there is a risk of life-threatening working conditions due to a lack of fire protection measures, this information must be followed up on, even if the probability of occurrence is classified as low.

Perform evaluation and prioritisation

There is no one-size-fits-all threshold for when an impact is severe. This makes it critical to consider the question of severity. Dialogue within the company is important here. Involve your colleagues in the assessment and prioritization – as you have already done when identifying environmental and human rights risks.

In the future you should try to involve external stakeholders as well. This applies to your suppliers and (potentially) affected parties on-site. NGOs can be a good first point of contact because they have in-depth knowledge of many environmental and human rights risks and have contacts with affected persons.  Particularly the exchange of ideas with business partners can create a basis of trust that is necessary for subsequent steps and measures. This doesn't necessarily have to take place right at the beginning. It can be a step that is taken once you have already conducted a robust risk assessment and want to come back to your suppliers or other business partners with very specific concerns.
Risk analysis tool

Use existing risk management systems

If you already use risk management systems for other areas, you should check whether the risk assessment and prioritisation can be integrated into these existing systems (e.g. into management systems such as EMAS/ISO 14001, SA8000 or ISO 9001). This can contribute to a more robust methodology and may facilitate the assessment and prioritisation itself, because your employees in charge of risk management bring valuable experience with them.
The Learning System


Implementation: How to proceed?

Familiarise yourself with evaluation criteria
  • The assessment of environmental and human rights risks is based on two criteria: the severity of the (potential) negative effects and the consideration of likelihood.
  • Assess the severity of impacts by their scale, scope and irremediable character. 
  • There is no one-size-fits-all threshold to assess when an impact is severe.
  • A (potential) negative impact on affected parties and the environment can also be severe if only one of the three dimensions of scale, scope and irremediability is classified as severe.
Understanding severity in practice
Understanding severity in practice
Dimension Approaches and challenges High severity example
Scale: How serious is the (potential) negative impact? - To what extent is a (potentially) affected person able to protect themselves?
- How vulnerable are they to negative effects?
- Child labour in the mining sector at the extraction level
Scope: How many (potentially) affected persons are there? - At the direct supplier level: number of employees

- In the deeper supply chain: more challenging, the use of reports from NGOs can be helpful
- An entire production site

- A local community

- Individual case or entire group (e.g. factory workers)
Irremediability: How difficult would it be to fix or prevent the (potential) negative impact? - Damage that cannot be repaired, technical requirements
- Acceptance of the measures among those affected
- Irreversible damage (e.g. health burdens that massively affects the quality of life)

Study | Global Compact Network Netherlands, Oxfam, Shift | 2016 | Doing business with respect for human rights: a guidance tool for companies | p. 52 | click here; Study | The Danish Institute for Human Rights | 2016 | Analysing Impacts Practitioner Supplement | p. 8 ff. | click here  

  • In addition to the severity, note the consideration of likelihood of (potential) negative effects. How likely is it that the impact will or could occur in your company?
  • Consider your own business activities and – where possible – the ability of your suppliers to manage environmental and human rights risks. 
  • For the assessment of the likelihood of a (potential) negative impact, contextual factors such as special country or industry risks are particularly relevant. Use your research results from the previous step (see 2.1 Identify potential risks).
  • You should also try to include the results of the comparison of existing measures and processes from phase 3 Select and implement measures in the assessment of the likelihood.
  • Which internal management approaches and processes does your company already have in place to address identified risks?
  • Are there internal or external indications of violations in your value chain or at your suppliers?

Supplier Review

Explanation: Factors that can increase the likelihood of negative impacts

In principle, country and governance contexts must be taken into account: crises and conflicts, the presence of vulnerable groups and possibly their state oppression, as well as poverty are all factors that make negative effects on people and the environment more likely.

For example, if your company operates in a country with a high risk of corruption or has contracts with suppliers in a country with a risk of corruption, this increases the risk that environmental or human rights are disregarded.

Workplaces that are isolated or difficult to access, such as in mining, are often associated with an increased risk of occupational accidents. In industries that use very complex and broad supply chains, such as the electronics industry, there is a higher probability that there will be violations of environmental and human rights in the upstream stages of the value chain.

Access to or reliability of information is also an important factor. For example, if there are indications of discrepancies or if there is little transparency in a certain part of the value chain, a higher risk should be assumed and, if necessary, a closer examination should be considered in order to classify the exact risks and their likelihood of occurrence more precisely.

Carry out the evaluation and prioritisation.
  • An SME should be pragmatic during the evaluation process
  • Try not to use complex quantitative evaluation models (especially in the beginning).
  • Try to approach the evaluation by describing the severity and rating it on a scale from 1 to 3, for example.
    Risk analysis tool


Implementation support: Examples of severity assessment

The Danish Institute for Human Rights has developed toolkits ("Analyzing Impacts Practitioner Supplement") that show how the severity level can be assessed along the three dimensions of scale, scope and irremediability. The examples can help you make your own assessment.

  • Involve your colleagues (and external parties if necessary) in the assessment and prioritisation.
    The Learning System
  • Document and visualise your results for internal and external communication (see steps 4.2 Communicate progress internally and step 4.3 Communicating progress externally)
    Key Performance Indicators for Due Diligence
Implementation support : Visualisation option: Risk matrix

A risk matrix (sometimes also known as a materiality analysis) can help you present the two evaluation criteria “severity” and “likelihood of occurrence”. 

Based on:
Online-Tool | Bavarian State Office for the Environment | Nachhaltigkeitsmanagement für KMU – Nachhaltige Lieferkette. Prozessschritte und Starter-Kit | click here (in German only) 


Implementation support: In-depth risk analysis and assessment

An in-depth risk analysis gives a good overview of which topics are important in your supply chain. In terms of methodology, you can use a human rights impact assessment, for example. Such an assessment can take place at the country, sector or product level.

As a smaller company, an in-depth risk analysis can be very time-consuming and resource intensive. If necessary, there is the option to fall back on industry solutions or to initiate a joint project as part of a collaboration with other SMEs. In order to avoid overwhelming your employees, the analysis can take place in the next phase.

The publication “Assessing human rights risks and impacts” by the DGCN and DIMR contains detailed case studies, particularly on human rights impact assessments.

Risk analysis tool

The Helpdesk Business & Human Rights can advise you on this process.

  • Repeat the due diligence process at regular intervals to take into account both internal and external changes.
    The Learning System
  • For example, it makes sense to carry out a risk analysis again when new business areas are launched, or raw materials are purchased from other countries.
  • In principle, a risk analysis should be carried out again at least every 1-2 years in order to also take external factors into account, such as changes in country and governance contexts.
Further information: Assistance in assessing and prioritising negative effects

A number of guidance documents and tools are available to you for assessing and prioritising risks.

First, you should familiarise yourself with the UN Guiding Principles on Business and Human Rights. Principles 14 and 24 explain the UN's framework of requirements for risk assessment and prioritisation.

The guide titled Assessing human rights risks and impacts from the Global Compact Network Germany, the German Institute for Human Rights and twentyfifty shows how to proceed step by step and what to be aware of.

Risk analysis tool

You can also consult the OECD Due Diligence Guidance for Responsible Business Conduct (pages 25-28; 61-73), which in turn refers to the industry-specific guidelines for corporate due diligence (page 9) of the OECD. These guidelines have been developed for the raw materials, agricultural, textile and clothing sectors and for financial companies and investors.

Further literature and links are available in the Risk Analysis and Measures information package from the Helpdesk Business & Human Rights (in German only).

As in the previous steps, the CSR Risk Check is particularly suitable for an initial assessment of the local environmental and human rights situation in developing and emerging countries.

The Human Rights Impact Assessment Guidance and Toolbox (HRIA) from the Danish Institute for Human Rights is also an important tool that can help you with risk assessment and prioritisation.

Continue with phase …

Do you have any questions?

Do not hesitate to contact us
by email or call us:
helpdeskwimr@wirtschaft-entwicklung.de +49 (0)30 590099-430

Commissioned by