The risk assessment logic

Modified on Thu, 16 Oct at 4:53 PM


The risk analysis at Daato begins with an abstract risk analysis, as required by the LkSG. It facilitates targeted risk prioritization because suppliers and own business units are classified according to their sustainability risk on the basis of two key factors. These two factors are their product data (the type of products they supply or the product categories they are involved in) and their country data (the country from which they supply these products). 


First, we assess the risk associated with the countries from which the suppliers source their products. This includes assessing factors such as political stability, labor practices, environmental regulations and legal compliance specific to those countries.


Secondly, we analyze the risk associated with the product groups with which the suppliers are involved. This assessment takes into account factors such as industry regulations, supply chain complexity and the potential for human rights violations or environmental damage in these product categories.


Finally, we combine the results of the country and product group risk assessments to produce a comprehensive risk report for each supplier and business unit. This allows us to assign a risk level to each supplier and business unit, ranging from "Very High" to "Low", based on the combination of their product and country data. By combining these factors, we can effectively categorize suppliers and own business units according to their overall risk level.


Country risk assessment

Our country risk assessment analyzes quantitative data from internationally recognized indices mapped to the 13 social and environmental risks in the Supply Chain Due Diligence Act (SCDDA). Sources include, among others, ILO, World Bank (WDI), UNDP, WHO, and Transparency International. We cover 185 countries (a small number omitted due to incomplete/unavailable data). The country list follows UN statistics in line with BAFA guidance.

Because indicators come on different scales, we normalize all values to a 0–100 scale, where 100 = Low risk (safer conditions) and 0 = High risk (riskier conditions). This makes heterogeneous datasets comparable and allows consistent aggregation across risk types.

For each SCDDA risk category (e.g., child labour, freedom of association), the indices provide the likelihood dimension. We then apply a severity weighting to reflect the potential impact of each risk type. Severity levels are based on Giannakis et al. (2016), where certified supply-chain professionals rated the potential damage from 1 (minor) to 5 (critical). This produces country risk scores per risk type that incorporate:

  • the probability/likelihood (from the normalized indices), and

  • the severity (from Giannakis), used as a weighting factor.

Finally, we aggregate the per-risk results into an overall country score using a weighted scoring model and map outcomes to Low / Moderate / High / Very High. For example, Bangladesh falls into a Very High risk category across relevant indicators, whereas Denmark is Low risk. This method keeps the probability evidence rooted in public indices while transparently reflecting impact via severity.

Product group risk assessment

To assess risks for product groups, we compile evidence from a diverse set of sectoral, academic, and NGO sources. These sources often indicate whether a risk exists but not how likely it is. Therefore, for products we explicitly model both dimensions using reference values from Giannakis et al. (2016):

  • Severity: potential impact (1–5).

  • Probability: benchmark likelihood (1–5) for how often such risks are typically observed in comparable industries.

For each product/product group, we identify which SCDDA risk categories are evidenced in our research. Each identified risk contributes a weighted score (severity × probability) to that product’s total. Summing across all relevant risks yields the aggregate product score, which we map to Low / Moderate / High / Very High.

Example: Fisheries shows two relevant risks in our sources — forced labour and biodiversity impacts. Their combined weighted value is 31, corresponding to Moderate risk on our normalized scale. In contrast, a group like palm oil typically accumulates higher totals due to multiple high-impact risks (e.g., child labour, forced labour, deforestation), leading to High or Very High.


Consolidated country and product group risk assessment

In the final step, we combine the country score (probability from indices, adjusted by severity) with the product score (severity and probability from Giannakis reference values applied to evidenced risks) using a standardized risk matrix. Each supplier or own business entity is assigned a single default risk level based on the intersection of these two dimensions.

Example: a supplier dealing in palm oil (product: Very High risk) sourced from Indonesia (country: High risk) is classified overall as Very High risk according to the Daato default matrix.

This integrated approach delivers a transparent, reproducible, and compliant assessment that prioritizes high-risk suppliers and supports targeted mitigation in line with the SCDDA.
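The abstract scoring described above, written out as an added illustration (this is not Daato's own code). The 0-100 normalization, the severity × probability product total and the country/product matrix follow the text; the band thresholds, the full 4×4 matrix and the per-risk severity/probability values are assumptions chosen so that the page's Fisheries (31 = Moderate) and palm oil/Indonesia (Very High) examples come out as stated.

```python
LEVELS = ["Low", "Moderate", "High", "Very High"]


def normalize(value, worst, best):
    """Rescale a raw indicator to 0-100 with 100 = Low risk and 0 = High risk.
    Works whether a larger raw value is safer (worst < best) or riskier
    (worst > best); results are clamped to the 0-100 range."""
    scaled = (value - worst) / (best - worst) * 100
    return max(0.0, min(100.0, scaled))


def product_score(evidenced_risks):
    """Aggregate product score: sum of severity x probability (each 1-5) over
    every SCDDA risk evidenced for the product group."""
    return sum(sev * prob for sev, prob in evidenced_risks.values())


def band(score, thresholds=(20, 40, 60)):
    """Map an aggregate product score to a band. Thresholds are assumed;
    the page only states that a total of 31 lands in Moderate."""
    for level, limit in zip(LEVELS, thresholds):
        if score < limit:
            return level
    return "Very High"


# Assumed default matrix: country level -> product level -> combined level.
# The page gives only one cell: High country x Very High product = Very High.
DEFAULT_MATRIX = {
    "Low":       {"Low": "Low",      "Moderate": "Low",      "High": "Moderate",  "Very High": "High"},
    "Moderate":  {"Low": "Low",      "Moderate": "Moderate", "High": "High",      "Very High": "Very High"},
    "High":      {"Low": "Moderate", "Moderate": "High",     "High": "High",      "Very High": "Very High"},
    "Very High": {"Low": "High",     "Moderate": "High",     "High": "Very High", "Very High": "Very High"},
}


def combined_level(country_level, product_level):
    """Default risk level of a supplier from the matrix intersection."""
    return DEFAULT_MATRIX[country_level][product_level]


# Constructed sample evidence: (severity, probability) per evidenced risk.
FISHERIES = {"forced labour": (4, 4), "biodiversity impacts": (3, 5)}       # 16 + 15 = 31
PALM_OIL = {"child labour": (5, 4), "forced labour": (4, 4), "deforestation": (5, 5)}  # 61

if __name__ == "__main__":
    print("Fisheries:", product_score(FISHERIES), band(product_score(FISHERIES)))
    print("Palm oil from Indonesia:", combined_level("High", band(product_score(PALM_OIL))))
```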


The concrete risk assessment


The abstract risk assessment is followed by a further risk assessment step: the concrete risk assessment. The aim here is to address in detail the risks identified as part of the abstract risk analysis for prioritized suppliers. This assessment is carried out directly by obtaining information from suppliers or the company's own business units.


At Daato, this step includes two processes to choose from:

  • Code of Conduct
  • Self-assessment


Code of Conduct


According to Section 6 (4) of the Act, one of the preventive measures to ensure compliance with human rights and environmental requirements is the contractual assurance of a direct supplier. Daato allows users to require suppliers to accept the Code of Conduct and manage the entire process.


Once the document is uploaded in the settings, users can send the request to the supplier. The supplier can either accept and sign the attached code of conduct or upload their existing code of conduct (provided it complies with the Supply Chain Due Diligence Act). For more information about the law and code of conduct requirements, suppliers can refer to the guidance page included in any other request.


Before the status of the Code of Conduct changes to "Accepted", users must review and accept the supplier's responses. If there are changes to the code of conduct file in the settings, the status of suppliers who have already gone through this process will be marked as "Missing".


If the code of conduct agreement process takes place outside of the tool, users can mark the status of the supplier's code of conduct agreement as accepted. Code of conduct agreements can also be used to influence the risk level: in this case, the risk level of companies marked as "Code of Conduct Accepted" is downgraded by one level.


Self-assessment


The self-assessment involves the completion of self-assessment questionnaires by the supplier or own business unit to record specific risk-related details.


The supplier or business unit collects data from its suppliers or units. This approach ensures a focused understanding of the risks within the supply chain and enables accurate risk management strategies and compliance with legal requirements under the Supply Chain Due Diligence Act.


Self-assessment questionnaires (SAQs) are structured questionnaires that collect information from suppliers and own business units about their social, environmental and ethical practices. They are carefully designed and contain customized questions for each risk category identified in the Supply Chain Due Diligence Act.


Daato offers two different sets of questionnaires - one for suppliers and one for own business units. Both are divided into five sections:

  • General information
  • Governance
  • Business ethics
  • Responsible supply chain management
  • Due diligence questions (risk specific)


The self-assessment questionnaires contain predominantly closed questions, including multiple choice and yes/no questions. They also require an upload of evidence documents or explanations on the specific implementation of certain measures. These questions comprehensively cover various aspects of the company's business activities and sustainability risk potential. The structured sections of the SAQs enable a detailed understanding of different dimensions and contribute to a comprehensive understanding of the risk profile of each supplier or business unit.


Certain sections of the questionnaire are mandatory for all suppliers and own business units and ensure a standardized assessment process. However, the risk-related topics, which focus on due diligence issues (risk-specific), are only mandatory if the results of the abstract assessment indicate a risk level above "Low" for a specific country-product combination. This approach streamlines the risk prioritization process and minimizes the data collection burden for suppliers. Alternatively, our customers have the flexibility to choose a comprehensive approach by sending the entire SAQ to suppliers or their own business units.


Daato efficiently monitors the progress of the requested self-assessment questionnaires and provides status updates to our clients - whether the questionnaires are requested, under review or completed.


Once the review for accuracy and relevance of the answers provided is completed by the supplier or business unit, our tool performs a comprehensive assessment based on the answers in each section of the self-assessment questionnaire. Each section has a maximum score that is compared to the score of the submitted responses. This automated system identifies, scores and prioritizes the risks from "Very High", "High", "Medium" to "Low". 


Once the scores of the self-assessment questionnaires are assessed, we improve the accuracy of the final self-assessment by taking into account the number of employees at the supplier company or own business unit. Essentially, suppliers or own business units that achieve a "Very High" risk score in the self-assessment questionnaires but have a relatively low number of employees (between 0 and 10) are adjusted down one risk level. They are then classified as "High" risk in the final assessment of the self-assessment questionnaires.


Conversely, a similar approach applies to suppliers or own business units that achieve a "High" risk score in the self-assessment questionnaires but have a significant number of employees (over 250). In such cases, their risk level is raised by one level and they are classified as "Very High" risk in the final assessment of the self-assessment questionnaires.


The risk assessment is refined by taking into account the number of employees. This makes it possible to obtain a more precise risk level for suppliers and own business units. The approach takes into account the severity and probability of each risk category and leads to a more comprehensive assessment of the overall risk profile.
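The two adjustments applied to the concrete assessment, the code of conduct downgrade and the employee-count correction, as an added example (not Daato's code). The employee thresholds (0-10 and over 250) and the one-level shifts are from the text; the SAQ section scoring in `saq_level`, including the assumption that a higher share of the maximum points means lower risk, and its thresholds are assumptions.

```python
SAQ_LEVELS = ["Low", "Medium", "High", "Very High"]


def saq_level(section_scores, section_maxima, thresholds=(0.75, 0.5, 0.25)):
    """Compare achieved points against each section's maximum and map the
    overall share to a level. Assumed: a higher share means lower risk."""
    achieved = sum(section_scores.values())
    maximum = sum(section_maxima[name] for name in section_scores)
    share = achieved / maximum if maximum else 0.0
    for level, limit in zip(SAQ_LEVELS, thresholds):
        if share >= limit:
            return level
    return "Very High"


def adjust_for_employees(level, employees):
    """Very High with 0-10 employees drops to High; High with more than
    250 employees rises to Very High; everything else is unchanged."""
    if employees < 0:
        raise ValueError("employee count cannot be negative")
    if level == "Very High" and employees <= 10:
        return "High"
    if level == "High" and employees > 250:
        return "Very High"
    return level


def adjust_for_code_of_conduct(level, accepted):
    """An accepted code of conduct downgrades the level by one step."""
    if not accepted:
        return level
    return SAQ_LEVELS[max(0, SAQ_LEVELS.index(level) - 1)]


def final_level(section_scores, section_maxima, employees, coc_accepted):
    level = saq_level(section_scores, section_maxima)
    level = adjust_for_employees(level, employees)
    return adjust_for_code_of_conduct(level, coc_accepted)


# Constructed sample: a small supplier answering weakly in two sections.
MAXIMA = {"governance": 20, "business ethics": 20, "due diligence": 40}
SCORES = {"governance": 4, "business ethics": 3, "due diligence": 8}

if __name__ == "__main__":
    print(final_level(SCORES, MAXIMA, employees=8, coc_accepted=False))
```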


Based on the process described, each supplier or business unit is now assigned a so-called risk priority. In addition to the risk level from the abstract risk analysis, this risk priority now also includes - based on the answers to the questionnaire - the categories of influence and causal contribution.


Risk level and risk priority


The risk level is determined by a differentiated and multi-stage assessment based on concrete data and specific criteria. 


The first step in determining the risk level is an abstract assessment. In this step, Daato identifies suppliers or its own business units that operate in countries with high human rights and environmental risks or manufacture products that are associated with violations in these areas. This initial assessment is based on country and industry analyses.


After the abstract assessment, a more detailed, concrete assessment is carried out using the self-assessment questionnaire. This questionnaire poses risk-specific due diligence questions to the suppliers or own business units. The questions are designed to identify and assess specific risks.


The result of the questionnaire represents the specific risk assessment. Two main factors are taken into account here:

  • Severity of the risk: How serious are the potential impacts of the identified risk? This includes both the immediate and long-term impact on human rights and the environment.
  • Likelihood of occurrence: How likely is it that the risk will occur? This is based on historical data, current reports and forecasts.


The abstract and concrete assessment are combined to determine the final risk level. The result of the questionnaire, which integrates both the severity and the probability of the risk, is used as the overall assessment.


The risk priority, on the other hand, includes - in addition to the risk level - other factors such as the customer's influence on the supplier and the causal relationship between the customer's actions and the supplier's risk. The ability to exert influence is assessed on the basis of the following criteria:


  • Order volume in relation to the supplier's turnover: A higher order volume compared to the supplier's turnover means greater influence.
  • Relationship length: Long-term relationships increase the ability to exert influence.
  • Relationship quality: A strong and trusting relationship enables more effective collaboration to minimize risk.


The causal relationship is assessed as follows:


  • Causation questions: questions in the SAQ examine whether the customer has had a negative impact on the supplier through its business practices (e.g. through price pressure or unfair contract terms).


Based on these other factors, coupled with the risk level from the abstract and concrete risk assessment, the risk priority is calculated and divided into four categories:

  • Very high
  • High
  • Medium
  • Low

