The risk assessment logic

Modified on Tue, 6 Aug, 2024 at 3:13 PM

The abstract risk assessment


The risk analysis at Daato begins with an abstract risk analysis, as required by the LkSG. It facilitates targeted risk prioritization because suppliers and own business units are classified according to their sustainability risk on the basis of two key factors. These two factors are their product data (the type of products they supply or the product categories they are involved in) and their country data (the country from which they supply these products). 


First, we assess the risk associated with the countries from which the suppliers source their products. This includes assessing factors such as political stability, labor practices, environmental regulations and legal compliance specific to those countries.


Secondly, we analyze the risk associated with the product groups with which the suppliers are involved. This assessment takes into account factors such as industry regulations, supply chain complexity and the potential for human rights violations or environmental damage in these product categories.


Finally, we combine the results of the country and product group risk assessments to produce a comprehensive risk report for each supplier and business unit. This allows us to assign a risk level to each supplier and business unit, ranging from "Very High" to "Low", based on the combination of their product and country data. By combining these factors, we can effectively categorize suppliers and own business units according to their overall risk level.


The country risk assessment


Our country risk assessment involves analyzing data from country risk indicators in relation to the 13 social and environmental risks set out in the Supply Chain Act. This data comes from various reputable sources such as ILOSTAT, World Development Indicators and others. We have included data from 185 countries in our risk assessment and omitted a few due to incomplete or unavailable data. The list of countries is based on UN statistics in accordance with BAFA guidelines.


After collecting the data for each risk type specified in the Supply Chain Act, we categorized them as "Very High", "High", "Moderate" and "Low". For example, we assessed factors such as the percentage of children aged 5-17 who are engaged in child labor. This in-depth analysis provides us with insights into the risk levels of different countries and supports our overall risk assessment process, leading to informed decisions in line with the requirements of the law.


Our approach to assessing the severity and likelihood of risks is based on research conducted by Giannakis in 2016. The study involved a survey of 30 selected companies and interviews with two large manufacturing companies in the UK and France. These interactions helped determine whether these risks were evident in their organizations. They also held in-depth discussions with managers from two textile companies to explore potential causes and impacts of sustainability risks.


A comprehensive survey was then conducted involving 600 certified senior supply chain professionals from various industry sectors. These participants were asked to rate the severity and likelihood of occurrence for each risk on a scale of 1 to 5. This detailed assessment process, shown in Table 2, provided a comprehensive understanding of the perceived severity and likelihood of these risks. The comprehensive nature of the methodology ensures a robust analysis that contributes to a sound approach to abstract risk assessment.


We matched the sustainability risks listed in the research paper by Giannakis et al. with the risks specified in the Supply Chain Act. We then assigned a risk priority number to each risk type. This prioritization was determined by considering the severity of the potential impact and the likelihood of occurrence, as shown in Figure 3.


By linking the risks identified in the research paper to the requirements of the Supply Chain Act, we ensured a comprehensive assessment. The risk priority numbers derived from the combined assessment of impact severity and likelihood of occurrence provide a structured way to identify and address the most serious risks.


By applying a specific severity scale and the data obtained from country indices, we calculated individual country risk scores for each risk listed in the Supply Chain Act. In addition, we determined overall country risk scores by applying a weighted scoring model. These calculation results yielded a spectrum of countries that fall into different risk categories. For example, Bangladesh was identified as "very high" risk in terms of sourcing, while Denmark was categorized as less risky. This systematic approach allowed us to accurately assess countries and rank them according to their potential risk level.


The product risk assessment


To assess the risks associated with product groups, we used the CSR Risk Checker tool. This tool enabled us to carry out a comprehensive inventory of products and their corresponding sustainability risks in the context of the supply chain. The CSR Risk Check Tool, a collaboration between MVO Nederland, UPJ and the Business & Human Rights Helpdesk at the Agency for Business & Development, serves as a free online resource for identifying Corporate Social Responsibility (CSR) risks.


The categorization of product groups was based on UNCTAD's Standard International Trade Classification (SITC) Revision 3. Before assessing the risks associated with product groups, we harmonized and adjusted the risks in the CSR Risk Check Tool to align with the risks defined in the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, LkSG). To facilitate this alignment, we compared the risk definitions in the CSR Risk Checker with those in the LkSG. Through this process, we ensured that the identified risks exactly matched the criteria set out in the LkSG and excluded CSR risks that were outside its scope.


By carefully adapting and adjusting the risk assessment framework of the CSR Risk Checker tool to the requirements of the Supply Chain Due Diligence Act, we have created a robust basis for the assessment of product group risks.


The prioritization of risks, determined by their severity and likelihood, served as the basis for defining a range of "Very High", "High", "Moderate" and "Low" risk products. For example, a product group such as palm oil, which is characterized by a high probability of child labour, environmental hazards and other related risks, fell into the "High" risk product group category.


By applying the risk ranking approach based on both severity and probability, we have created a structured hierarchy of risks associated with different products. This methodology enabled us to identify and prioritize high-risk product groups with a detailed understanding of their risk profile.


The consolidated country and product group risk assessment


In the final phase of the abstract risk assessment, we consolidate the results derived from the country risk assessment and the product group risk analysis. This consolidation results in a single score that is assigned to each supplier.


For example, suppose a supplier/own business unit trades palm oil, a product group that is classified as very high risk due to the high risks associated with it. If this palm oil is sourced from Indonesia, a country that is considered high risk, the supplier/business unit will be categorized as Very High Risk according to the standard risk matrix provided by Daato.


This final step completes the holistic picture of each supplier's risk level by integrating findings from the country and product group assessment. The risk matrix serves as a visual representation of this comprehensive risk assessment and supports decision-making and targeted risk management strategies. This integrated approach ensures that suppliers are assessed on the basis of multiple dimensions, providing a well-rounded assessment of their risk profile in the context of the requirements of the Supply Chain Due Diligence Act.


The concrete risk assessment


The abstract risk assessment is followed by a further risk assessment step: the concrete risk assessment. The aim here is to address in detail the risks identified as part of the abstract risk analysis for prioritized suppliers. This assessment is carried out directly by obtaining information from suppliers or the company's own business units.


At Daato, this step includes two processes to choose from:

  • Code of Conduct
  • Self-assessment


Code of Conduct


According to Section 6 (4) of the Act, one of the preventive measures to ensure compliance with human rights and environmental requirements is the contractual assurance of a direct supplier. Daato allows users to require suppliers to accept the Code of Conduct and manage the entire process.


Once the document is uploaded in the settings, users can send the request to the supplier. The supplier can either accept and sign the attached code of conduct or upload their existing code of conduct (provided it complies with the Supply Chain Due Diligence Act). For more information about the law and code of conduct requirements, suppliers can refer to the guidance page included in any other request.


Before the status of the Code of Conduct changes to "Accepted", users must review and accept the supplier's responses. If there are changes to the code of conduct file in the settings, the status of suppliers who have already gone through this process will be marked as "Missing".


If the code of conduct agreement process takes place outside of the tool, users can mark the status of the supplier's code of conduct agreement as accepted. In addition, code of conduct agreements can also be used to influence the risk level. In this case, the risk level of companies marked as "Code of Conduct Accepted" will be downgraded by one level.


Self-assessment


The self-assessment involves the completion of self-assessment questionnaires by the supplier or own business unit to record specific risk-related details.


The supplier or business unit collects data from its suppliers or units. This approach ensures a focused understanding of the risks within the supply chain and enables accurate risk management strategies and compliance with legal requirements under the Supply Chain Due Diligence Act.


Self-assessment questionnaires are structured questionnaires that collect information from suppliers and own business units about their social, environmental and ethical practices. They are carefully designed and contain customized questions for each risk category identified in the Supply Chain Due Diligence Act.


Daato offers two different sets of questionnaires: one for suppliers and one for own business units. Both are divided into five different sections: 1) General information, 2) Governance, 3) Business ethics, 4) Responsible supply chain management, 5) Due diligence questions (risk specific).


The self-assessment questionnaires contain predominantly closed questions, including multiple choice and yes/no questions. They also require an upload of evidence documents or explanations on the specific implementation of certain measures. These questions comprehensively cover various aspects of the company's business activities and sustainability risk potential. The structured sections of the SAQs enable a detailed understanding of different dimensions and contribute to a comprehensive understanding of the risk profile of each supplier or business unit.


Certain sections of the questionnaire are mandatory for all suppliers and own business units and ensure a standardized assessment process. However, the risk-related topics, which focus on due diligence issues (risk-specific), are only mandatory if the results of the abstract assessment indicate a risk level above "Low" for a specific country-product combination. This approach streamlines the risk prioritization process and minimizes the data collection burden for suppliers. Alternatively, our customers have the flexibility to choose a comprehensive approach by sending the entire SAQ to suppliers or their own business units.


Daato efficiently monitors the progress of the requested self-assessment questionnaires and provides status updates to our clients - whether the questionnaires are requested, under review or completed.


Once the review for accuracy and relevance of the answers provided is completed by the supplier or business unit, our tool performs a comprehensive assessment based on the answers in each section of the self-assessment questionnaire. Each section has a maximum score that is compared to the score of the submitted responses. This automated system identifies, scores and prioritizes the risks as "Very High", "High", "Medium" or "Low".


Once the scores of the self-assessment questionnaires are assessed, we improve the accuracy of the final self-assessment by taking into account the number of employees at the supplier company or own business units. Essentially, suppliers or own business units that achieve a "Very high" risk score in the self-assessment questionnaires but have a relatively low number of employees (between 0 and 10) are adjusted down one risk level. They are then classified as "high risk" in the final assessment of the self-assessment questionnaires.


Conversely, a similar approach applies to suppliers or own business units that achieve a "High" risk score in the self-assessment questionnaires but have a significant number of employees (over 250). In such cases, their risk level is raised by one level and they are classified as "Very high" risk in the final assessment of the self-assessment questionnaires.


The risk assessment is refined by taking into account the number of employees. This makes it possible to obtain a more precise risk level for suppliers and own business units. The approach takes into account the severity and probability of each risk category and leads to a more comprehensive assessment of the overall risk profile.


Based on the process described, each supplier or business unit is now assigned a so-called risk priority. In addition to the risk level from the abstract risk analysis, this risk priority now also includes - based on the answers to the questionnaire - the categories of influence and causal contribution.


Risk level and risk priority


The risk level is determined by a differentiated and multi-stage assessment based on concrete data and specific criteria. 


The first step in determining the risk level is an abstract assessment. In this step, Daato identifies suppliers or its own business units that operate in countries with high human rights and environmental risks or manufacture products that are associated with violations in these areas. This initial assessment is based on country and industry analyses.


After the abstract assessment, a more detailed, concrete assessment is carried out using the self-assessment questionnaire. This questionnaire poses risk-specific due diligence questions to the suppliers or own business units. The questions are designed to identify and assess specific risks.


The result of the questionnaire represents the specific risk assessment. Two main factors are taken into account here:

  • Severity of the risk: How serious are the potential impacts of the identified risk? This includes both the immediate and long-term impact on human rights and the environment.
  • Likelihood of occurrence: How likely is it that the risk will occur? This is based on historical data, current reports and forecasts.


The abstract and concrete assessment are combined to determine the final risk level. The result of the questionnaire, which integrates both the severity and the probability of the risk, is used as the overall assessment.


The risk priority, on the other hand, includes - in addition to the risk level - other factors such as the customer's influence on the supplier and the causal relationship between the customer's actions and the supplier's risk. The ability to exert influence is assessed on the basis of the following criteria:


  • Order volume in relation to the supplier's turnover: A higher order volume compared to the supplier's turnover means greater influence.
  • Relationship length: Long-term relationships increase the ability to exert influence.
  • Relationship quality: A strong and trusting relationship enables more effective collaboration to minimize risk.


The causal relationship is assessed as follows:


  • Causation questions: questions in the SAQ examine whether the customer has had a negative impact on the supplier through its business practices (e.g. through price pressure or unfair contract terms).


Based on these other factors, coupled with the risk level from the abstract and concrete risk assessment, the risk priority is calculated and divided into four categories:

  • Very high
  • High
  • Medium
  • Low

