How should companies prepare for the EU directive on corporate due diligence and accountability?
This white paper was originally published in March 2021 with Steele Compliance here. It was launched with a webinar discussion on 23rd June 2021.
It has now been a month since the European Commission closed its consultation into mandatory corporate due diligence and accountability in value chains across the bloc. The consultations built on a draft directive text published by the Parliament of the European Union in September 2020, as we have been discussing with our clients these past months. As I write this, Germany’s parliament is on the cusp of passing due diligence legislation.
How should compliance programs react to these changes? What effects will there be on compliance due diligence, whistle blowing requirements and risk assessments?
We have answered these questions and more in this white paper on the draft directive, with a diagrammatic mapping to NorthStar’s program design (here). The articles will be released over the coming weeks. We hope you enjoy them, and of course feel free to reach out to us with questions or discussion points on our analysis!
Is this directive needed?
In the course of my work I have seen my share of challenging human rights situations. These have left me in no doubt that there is a moral obligation to address ESG issues, and especially human rights abuses, in corporate value chains.
In many instances, increased trade has been good for people around the world. But in part we have outsourced our issues to poorer places with lower scrutiny.
Companies are today struggling to get to grips with ESG obligations in value chains; the draft EU directive reduces doubts as to what is expected.
How is it scoped?
The draft directive includes all “undertakings” governed by the law of a member state or established in EU territory. In other words, any firm active on the EU market will need to comply, even if headquartered outside of the EU. There is no limit on size of firm or sector in the text, though the German legislation I mentioned above is reported to set a threshold beginning at around 3000 employees.
The proposal covers the entire “value chain”, not just the supply chain, inside or outside the EU. So you need to be looking in all directions when considering your preparations – subsidiaries, suppliers, partners, customers, third parties, etc.
There is a broad range of risks included (“human rights, including social and labour rights, the environment, and good governance”) - essentially the draft directive covers the whole ESG spectrum. That includes topics like integrity and corruption, so whatever current DD setup you have in place, it may need ‘lifting’ or re-positioning to meet the draft directive’s requirements.
Subsidiaries are deemed compliant under their parent company’s actions. This is a welcome aspect – there were some very confused discussions regarding the EU Whistle Blowing Directive, on whether each subsidiary had to have its own, closed whistle blowing system to achieve compliance.
What will the final directive look like, and when will it come into force?
There is an expectation that the final directive will look much like the draft. The fact that the EU Parliament has issued a draft is, in itself, unusual. It implies consensus and momentum amongst EU institutions. Germany’s national law suggests many want this to happen very quickly indeed, though controversy has arisen in relation to concerns it will make German business uncompetitive.
If we assume a similar process is followed to that of the EU Whistle Blowing Directive (see here for more details), we can expect compliance to be a formalised requirement in the next two to three years – around late 2023. Germany’s law is coming into force during that same year.
What obligations are placed on organisations?
Our illustration below shows what needs to be done to comply, assuming the final directive remains in line with the draft.
Assurance is advisable for large organisations, ensuring that the measures have been appropriately taken into the governance and management systems, and that their disclosures are accurately prepared.
Where do “value chains” begin and end?
As discussed above, the draft directive covers the entire “value chain”, not just the supply chain, both inside and outside the EU.
The clear inclusion of all direct and indirect relationships will be welcomed by some – companies often struggle with where to draw a line. One of the most frequently asked questions when we help clients implement due diligence programs is: “isn’t more than one degree of separation outside our control?” Firms will have to identify all of their subcontractors, sub-agents, tier two dealers, etc.
But there will be situations where one genuinely cannot know the full extent of the value chain. Dealer networks for manufactured goods sometimes include a mixture of retailers and end-users. Some second-hand markets are big business with often very low margins – how complex do we make these transactions through due diligence requirements?
A rule of thumb could be, ‘if you don’t know who is in your value chain, a risk exists and there is work to be done.’ So if the next partner in the chain is unclear somehow, or if the provenance of their goods/services is doubtful, work on it and disclose it.
There is a final, more nuanced moral point to be made on value chains. The draft directive is, in effect, asking for a moral stance from companies saying, “I won’t do business with certain other individuals or companies.” Yet it leaves open the possibility of knowingly engaging with customers and other businesses who may be involved in human rights abuses … so long as they’re not in your “value chain”. For example, you might sell to a retailer who also buys a different product from other suppliers, and those suppliers are using child labour. The human rights abuses in such a scenario are potentially ‘out of scope’. In making this point I don’t expect a puritan approach from companies; all I am saying is that the EU, to its credit, is trying to deal with a difficult issue. But in doing so it has left open spaces, and perhaps could go even further.
This is yet another framework being placed on companies … are the expectations realistic?
Overall we see compliance with the draft directive as realistic for larger companies. Compliance can be achieved efficiently if a company has the right maturity level. This is in fact an opportunity to bring together different expectations into one process of “Business Partner Integrity”, which we introduce as a topic here. It’s also an opportunity to engage positively with business partners and within your sector(s).
We see issues for smaller and less mature organisations. There is a strong argument for a targeted and proportionate approach in the final directive text. The draft takes these concerns into account through additional support and tailored measures for small and medium-sized enterprises (“SMEs”). Germany has taken this into account through its threshold of organisations with over 3000 employees.
Can we share the workload?
Sectoral approaches are an interesting development whereby organisations can share tools and resources to achieve compliance. One can imagine increased focus on certifications or even shared databases for certain industries, showing who has been ‘approved’ or not. The risks around such centralised approaches are myriad, and should perhaps be tackled in another article.
It remains to be seen how all of this will be transposed into national law by member states. We hope the failings of GDPR can be avoided when it comes to targeted measures and meaningful outcomes for SMEs.
How will the directive be enforced?
One of the most challenging issues in the directive is enforcement. This will be based on national legislation and led by national supervisory authorities.
The big questions for enforcement will be, “where does the value chain begin and end?”, “where is the point at which a harm is simply too remote?” and “at what point does liability stop attaching to your (limited) involvement in a value chain?”
National authorities are already overloaded with a whole range of enforcement challenges. And this is where the directive begins to feel like a top-down exercise, in which everyone is expected to comply, but there is a low possibility of member states and undertakings making a good go of it. The UK’s Modern Slavery Act has been criticised for resulting in pointless annual statements. The debate may well be, “is this directive just lip service?”
It is difficult to see how an entity can be held liable for certain issues in the value chain. Although the due diligence requirement could be used to say “you knew” or “you should have known”, it will be tough to make the mud ‘stick’ - some risks are just too remote.
All of this leads us to ask:
Could a ‘case by case’ approach be inevitable, assessing what happened with a particular risk in a particular value chain? How effective and efficient does that sound?
Are we really expecting enforcement of ‘downstream’ risks amongst an undertaking’s customers? The draft directive’s preambles focus on suppliers, suggesting there may be some pragmatism there.
What about offences where there is no foreseeability? Emerging risks or first-time breaches can come as a total surprise. Your obligations to remedy the situation might still apply, especially under reputational pressure. But could a court really impose further liability?
In short, let’s hope for a pragmatic approach from supervisory authorities, prosecutors and the courts. National differences will make for interesting analysis, given the variations across the bloc that we see in legal forms, liability regimes and enforcement practices.
Our job will be to look at how the fallout can be incorporated into our clients’ compliance programs. The draft directive is a step in the right direction, but isn’t the end of the journey.
Bio and useful links
Ezekiel (Zeke) is the Founder of NorthStar and is the former Senior Vice President and Chief Compliance Officer at Volvo Group and Yara International. He prides himself on pragmatic advice, sharing his passion for ethics, compliance and ESG with clients who need creative and intelligent solutions. North Star Limited is a consultancy based in Edinburgh and working with clients globally. Zeke’s LinkedIn profile can be found here.
Website: Home | North Star Compliance
European Parliament draft directive - PR_INL (europa.eu)
EU Commission study on DD in supply chains (January 2020) - Study on due diligence requirements through the supply chain - Publications Office of the EU (europa.eu)
Commission consultation (closed on 8 February 2021) - Sustainable corporate governance (europa.eu)