Supply Chain Risk Assessment (Human Rights Risk Assessment)

Last updated · 2026-06-08

A supply chain risk assessment, also called a human rights risk assessment, is how you score where adverse human rights and environmental impacts are most likely and most severe across your chain of activities. Under the EU Corporate Sustainability Due Diligence Directive (CSDDD), this assessment drives where you prioritise prevention, verification and remediation.

TL;DR

  • A supply chain risk assessment scores where adverse impacts are most likely and most severe.
  • It is the core of step 2 ("identify and assess") of the CSDDD due diligence cycle.
  • A practical method combines country risk, sector risk and product or commodity risk.
  • The output is a prioritised list of salient issues and high-risk relationships to act on first.
  • Prioritising by severity and likelihood is explicitly allowed by both the OECD framework and the CSDDD.

In plain English

What supply chain risk assessment means

Risk assessment turns your value chain map into a ranked view of risk. You look at where partners operate (country risk), what they do (sector risk), and what they supply (product or commodity risk), combine those signals, and surface the salient issues and relationships that need the most attention. It is a judgement-based process supported by data, not a single score.

How this fits the CSDDD

Supply chain risk assessment is the assessment stage of step 2 ("identify and assess") of the CSDDD due diligence cycle (Directive (EU) 2024/1760; Omnibus I, Directive (EU) 2026/470).

Why it matters

Why supply chain risk assessment matters under the CSDDD

  • It is how the CSDDD expects you to prioritise: you act first on the most severe and likely impacts.
  • It makes your due diligence proportionate and defensible to supervisory authorities.
  • It tells you which suppliers to question, audit or support, and how intensively.
  • It is the bridge between mapping (where partners are) and action (what you do about them).

The detail

Country x sector x product risk

Country risk captures governance, rule of law, labour conditions and environmental enforcement where a partner operates. Sector risk captures the inherent human rights and environmental exposure of an industry, for example agriculture, textiles, electronics or extractives.

Product or commodity risk captures the specific impacts associated with what is supplied, such as commodities linked to forced labour or to environmental harm. Combining the three gives a richer signal than any one alone.

Identifying salient issues

A salient issue is a human rights or environmental risk that is most severe and most likely in your specific context. Examples include forced labour, child labour, unsafe conditions, discrimination, water and pollution impacts, and harm to local communities.

You identify salient issues by overlaying the country, sector and product signals on your mapped relationships and looking for where they concentrate.

Prioritisation under the CSDDD

Both the OECD Due Diligence Guidance and the CSDDD allow you to prioritise where you cannot address all impacts at once, based primarily on severity and likelihood. This prioritisation must be reasoned and documented.

Omnibus I reinforced a risk-based approach focused on direct partners, with deeper assessment triggered by plausible information of an impact, so your risk assessment also defines when to look deeper.

Step by step

How to approach supply chain risk assessment

  1. Pull your mapped relationships and attach country, sector and product or commodity risk signals.
  2. Combine the signals into an inherent-risk view for each relationship.
  3. Surface the salient issues where risks concentrate.
  4. Prioritise by severity and likelihood, and document the rationale.
  5. Decide the verification intensity (questionnaire, audit, on-site) for each priority.
  6. Define triggers for going deeper than tier-1 on plausible information.

Checklist

Supply Chain Risk Assessment checklist

  • Country risk source identified and applied.
  • Sector risk classification applied to each relationship.
  • Product or commodity risk considered.
  • Salient issues named and prioritised by severity and likelihood.
  • Prioritisation rationale documented.
  • Verification intensity assigned to each priority relationship.

FAQ

Supply Chain Risk Assessment: common questions

What is a supply chain risk assessment under the CSDDD?

It is the process of scoring where adverse human rights and environmental impacts are most likely and most severe across your chain of activities, by combining country, sector and product or commodity risk. The output is a prioritised list of salient issues and high-risk relationships to act on first.

How do you assess human rights risk in a supply chain?

Overlay country risk, sector risk and product or commodity risk on your mapped relationships, surface the salient issues where risks concentrate, then prioritise by severity and likelihood and document your reasoning. The CSDDD and OECD framework both allow prioritisation when you cannot address everything at once.

Can I prioritise some risks over others?

Yes. Both the OECD Due Diligence Guidance and the CSDDD allow prioritisation based primarily on severity and likelihood when you cannot address all impacts simultaneously. The prioritisation must be reasoned and documented.

Is there a free tool to run a risk assessment?

Yes. CSDDD Navigator offers a free risk-assessment tool that walks you through country, sector and product risk and helps you surface salient issues. It is guidance, not legal advice.

This is guidance, not legal advice

This page explains how supply chain risk assessment works under the CSDDD in plain English. It is guidance, not legal advice. For decisions specific to your business, confirm with the official sources we link or a qualified adviser. The directive is still settling after Omnibus I, so we keep this page current.

Sources

  1. Directive (EU) 2024/1760 (CSDDD / CS3D), original text (EUR-Lex), retrieved 8 Jun 2026
  2. Omnibus I final amending act (Directive (EU) 2026/470): CSDDD amendments finalised, retrieved 8 Jun 2026
  3. Clifford Chance: Omnibus I concludes CSDDD and CSRD reforms, retrieved 8 Jun 2026
  4. European Commission: Corporate sustainability due diligence, retrieved 8 Jun 2026
  5. OECD Due Diligence Guidance for Responsible Business Conduct, retrieved 8 Jun 2026
  6. UN Guiding Principles on Business and Human Rights, retrieved 8 Jun 2026
