Supplier Risk Management: A Compliance & Due Diligence Guide — Certainty Software

Supplier risk management (SRM) is the ongoing, program-level discipline of identifying, assessing, mitigating, and reporting ESG risks across a company’s supplier base. These risks span sustainability, human rights, labor, environmental, and compliance dimensions. Unlike one-off supplier due diligence — a point-in-time investigation — SRM is a continuous program. It segments suppliers by risk tier, deploys tiered assessments, tracks corrective actions to closure, and produces the audit trail that regulators and investors expect.

In 2026, SRM is no longer optional. The EU CSDDD, Germany’s LkSG, the US UFLPA, and the Norwegian Transparency Act have made supplier due diligence a legal obligation, and a growing list of national modern slavery acts adds further requirements. This guide covers the ESG-led scope — not cybersecurity or financial solvency. It addresses the regulatory landscape, a seven-step program framework, a six-stage assessment process, software capabilities to look for, and free checklists to get started.

SRM at a glance

What it isAn ongoing program to identify, assess, mitigate, and report ESG, human rights, labor, and compliance risks across the supplier base.
Scope of this guideESG-led supplier risk only — environmental, social and human rights, governance, and compliance. Excludes cybersecurity, financial solvency, and fraud risk.
Who runs itCompliance, sustainability, and procurement functions, often coordinated under a Chief Sustainability or Chief Procurement Officer.
Key regulationsCSDDD, LkSG, UFLPA, CSRD, Norwegian Transparency Act, UK and Australian Modern Slavery Acts, Canadian Bill S-211.
Typical workflowSegment → define taxonomy → onboard → conduct tiered audits → monitor → remediate via CAPA → report.
Typical outcomesAudit-ready evidence for regulators and customers, lower exposure to forced-labor import bans, reduced Scope 3 and reputational risk, stronger supplier relationships.


What is supplier risk management?

Supplier risk management (SRM) is the process of identifying, assessing, monitoring, and mitigating ESG risks within a company’s supply chain. It encompasses the policies, procedures, and tools an organization uses to ensure suppliers meet defined sustainability, human rights, labor, and compliance standards. Applied consistently, SRM protects brand reputation, supports regulatory compliance, and builds supply chain resilience.

Scope of this guide: SRM here means ESG, sustainability, human rights, labor, environmental, and governance/compliance risk only. It does not cover cybersecurity supplier risk, financial solvency screening, or fraud and payment risk; each of these is a separate field with its own frameworks and professional communities. This scope distinction is intentional and is reflected in every section of this guide, including the FAQ.

At its most practical, SRM asks three questions: What ESG risks exist across my supply base? How serious are they? What am I doing about them? All three answers must be documentable, and regulators from Brussels to Berlin to Washington increasingly require that they are.

Aerial view of a busy shipping port and logistics hub representing global supply chain complexity
Figure 2 — Global supply chains demand a structured, repeatable assessment workflow to surface and manage ESG risk.

The 4 categories of ESG-led supplier risk

ESG-led supplier risk falls into four categories. Each demands a different assessment approach and generates different compliance obligations.

  1. Environmental risk — Risks from a supplier’s impact on natural systems: GHG emissions (including Scope 3), water consumption, waste management, deforestation, and biodiversity loss. Quantified through the GHG Protocol and reported via the CDP Supply Chain Program and TCFD frameworks.
  2. Social and human rights risk — Risks of forced labor, child labor, unsafe conditions, excessive hours, discrimination, and issues of freedom of association. The primary focus of modern slavery legislation and forced labor import bans such as UFLPA.
  3. Governance and ethics risk — Risks from inadequate supplier management systems. Examples include: no documented policies, weak board oversight, insufficient anti-corruption controls, or failure to respond to audit findings with corrective action plans (CAPAs).
  4. Compliance risk — The risk that a supplier’s operations, or your use of that supplier, violates a mandatory legal or regulatory requirement. Examples include a national modern slavery act, an import ban, or a mandatory due diligence directive.

These four categories are not mutually exclusive. A manufacturing supplier in a high-risk geography may carry all four concurrently: environmental (wastewater), social (excessive overtime), governance (no formal policy), and compliance (supply chain linked to a prohibited region). Effective SRM addresses all four.

The four categories of ESG-led supplier risk — Environmental, Social & Human Rights, Governance, Compliance
Figure 3 — The four categories of ESG-led supplier risk.

Why supplier risk management matters in 2026

Supplier risk management matters in 2026 because the regulatory, commercial, and reputational consequences of supply chain ESG failures are at an all-time high. The era of voluntary disclosure is ending: the EU CSDDD, Germany’s LkSG, and a wave of national modern slavery legislation are converting best practice into legal obligation. Meanwhile, institutional investors, major retail customers, and public-sector procurement bodies are embedding ESG supplier requirements into their contracts and purchasing criteria. Gartner’s TPRM Survey finds 79% of companies now cite third-party risk as a top-three supply chain concern. OECD research shows only around 23% of companies conduct formal supplier due diligence across their full tier-1 supplier base. Mandatory regulation is closing that gap fast.

Stat: Following the 2026 Omnibus I amendments, CSDDD now applies to EU companies with 5,000+ employees and €1.5bn+ in net worldwide turnover, and to non-EU companies with €1.5bn+ in EU turnover — a narrower direct scope than originally enacted, but with significant indirect reach into their non-EU supply chains.

Companies without a documented SRM program face fines, import bans, exclusion from public tenders, and civil liability from affected workers and communities. Those with mature programs respond faster to regulatory inquiries, retain preferred-supplier status with large customers, and identify supply chain vulnerabilities before they become crises.


Supplier risk management vs. due diligence vs. TPRM

Supplier risk management, supplier due diligence, and third-party risk management (TPRM) are related but distinct disciplines. Understanding the differences prevents scope confusion and ensures teams apply the right method at each stage of the supplier lifecycle.

Relationship between TPRM, SRM, and supplier due diligence shown as nested ovals
Figure 4 — TPRM is the broadest category; SRM sits within it; supplier due diligence is one activity within SRM.

SRM vs. supplier due diligence

Supplier due diligence is the investigative activity that feeds into a broader SRM program. Due diligence is a time-bounded, evidence-gathering process — evaluating a supplier against specific criteria before onboarding or in response to a risk trigger. SRM, by contrast, is the continuous operational program that includes due diligence as one of its activities; it also covers ongoing monitoring, performance management, and corrective action.

Think of it this way: due diligence is an event; SRM is a system. For example, a company might conduct ESG due diligence on a new supplier at onboarding, then subject that supplier to quarterly self-assessment questionnaires and an annual on-site audit as part of its ongoing SRM program.

How TPRM (third-party risk management) relates to SRM

Third-party risk management (TPRM) covers all external parties that create exposure — suppliers, contractors, service providers, joint venture partners, and distributors. SRM is the supply chain subset of TPRM.

TPRM covers the full spectrum of outside risk — in most corporate frameworks, cybersecurity, financial, operational, reputational, and compliance risk. This guide’s SRM scope is narrower: ESG, sustainability, human rights, labor, and compliance risk in the supply chain. Many organizations run a dedicated SRM track within their TPRM program, because the regulatory obligations, assessment methods, and stakeholder audiences for supply chain ESG risk differ substantially from those for IT vendor security risk.

Supplier audit vs. risk assessment vs. due diligence vs. social audit vs. SMETA — what’s the difference?

Supply chain compliance professionals often use five terms interchangeably, but each describes a different method with a different scope, cadence, and output. The table below clarifies each.

Supplier audit
  • Scope: Broad verification of supplier management systems, practices, and documentation against a defined standard or code of conduct
  • Cadence: Annual or biennial; triggered by risk tier
  • Depth: High — on-site interviews, records review, facility walkthrough
  • Typical output: Audit report with non-conformances and corrective action requirements

Risk assessment
  • Scope: Structured scoring of a supplier’s inherent and residual ESG risk profile using questionnaires, third-party data, and/or desktop review
  • Cadence: Ongoing; at onboarding and reassessment intervals
  • Depth: Variable — can be desk-based or on-site
  • Typical output: Risk score, risk tier classification, prioritization for deeper review

Due diligence
  • Scope: Time-bounded investigation of a specific supplier or issue against a legal, regulatory, or policy standard
  • Cadence: Event-driven (pre-onboarding, contract renewal, risk trigger)
  • Depth: Medium to high — document-led, may involve site visits
  • Typical output: Due diligence report confirming compliance or identifying gaps

Social audit
  • Scope: Focused assessment of labor, human rights, and working conditions at a facility
  • Cadence: Annual; may be unannounced
  • Depth: High — worker interviews, payroll records, health and safety review
  • Typical output: Corrective action plan (CAPA) with rated findings

SMETA (Sedex Members Ethical Trade Audit)
  • Scope: Standardised social audit protocol covering labor, health & safety, environment, and business ethics
  • Cadence: Annual or per-customer requirement
  • Depth: High — follows Sedex SMETA methodology, 2-pillar or 4-pillar
  • Typical output: SMETA audit report shared on the Sedex platform with buying members

What this means in practice

In short, a supplier risk management program uses all five methods, deployed in a tiered way. For example, high-risk, high-spend suppliers receive full on-site audits and SMETA assessments; medium-risk suppliers receive periodic risk assessments and self-assessment questionnaires; lower-risk suppliers are managed through due diligence at onboarding and annual monitoring.


What is ESG due diligence in supply chain compliance?

ESG due diligence in supply chain compliance evaluates a supplier’s environmental, social, and governance practices against defined standards and regulatory requirements. It creates documented evidence that an organization has taken reasonable steps to address ESG risks in its supply base. Regulatory frameworks such as CSDDD and LkSG now make key aspects of this process mandatory.

Certainty’s ESG checklist is a practical starting point for teams structuring their ESG assessments. It translates regulatory requirements into field-ready questions and is available free and without registration.

Environmental, social, and governance dimensions in supplier due diligence

Each of the three ESG dimensions has its own set of indicators, data sources, and compliance obligations in supplier due diligence. Risk profiles also vary significantly by sector — see ESG risks across industries for industry-specific patterns in manufacturing, construction, energy, agriculture, and other high-exposure verticals.

Environmental: Environmental due diligence evaluates a supplier’s Scope 3 upstream emissions, water and energy use, waste management, chemical handling, and environmental permits and issues. Key data sources include supplier self-reported data, third-party environmental certifications (ISO 14001), regulatory violation records, and CDP Supply Chain reports. For a primer on supplier climate data and Scope 3 footprints, see the guide to Scope 3 emissions and the supply chain.

Social and human rights: Social due diligence evaluates labor standards: working hours, wages, freedom of association, child labor controls, forced labor prevention, discrimination policies, and health and safety management. Data sources include audit findings, SMETA reports, SA8000 certifications, worker surveys, and grievance mechanism outputs. This dimension is the most heavily regulated: UK, Australian, and Canadian modern slavery legislation, the UFLPA, and the OECD Guidelines all require documented social due diligence. Certainty’s ESG audit and assessment solutions support each of these frameworks with configurable assessment templates.

Governance: Governance due diligence evaluates whether a supplier has the management systems to sustain compliance. It covers board-level oversight of ESG issues, anti-corruption and anti-bribery policies, documented supplier management procedures, whistleblower protections, and responsiveness to audit findings. A supplier with strong governance is better placed to identify and fix issues before they escalate.

Why ESG due diligence is now a compliance obligation, not a voluntary exercise

ESG due diligence is now a legal obligation in multiple jurisdictions — not merely best practice. Germany’s LkSG has required in-scope companies to conduct risk analyses and implement due diligence measures across their direct supply chains since January 2023; obligations for indirect suppliers apply where companies have substantiated knowledge of a risk. The EU’s CSDDD, published in 2024, extends mandatory human rights and environmental due diligence to large EU companies and to non-EU companies with significant EU turnover. The EU Corporate Sustainability Reporting Directive (CSRD) requires large companies to disclose their ESG due diligence process and the material risks they identified.

Canada, Australia, the UK, the United States, and Norway have all enacted disclosure or import-control requirements covering forced labor and modern slavery. The combined effect: for any organization operating across global supply chains, ESG supplier due diligence is a compliance baseline. It must be documented, repeatable, and able to demonstrate a risk-proportionate response.

Stat: Germany’s BAFA reports that LkSG initially applied to approximately 3,000 German companies with 3,000 or more employees. The threshold dropped to 1,000 employees from January 2024.


The regulatory landscape for supplier due diligence

Supplier due diligence regulatory timeline 2015–2029
Figure 5 — The regulatory timeline: from the UK Modern Slavery Act (2015) to CSDDD application under the 2026 Omnibus I amended timeline (2029).

Mandatory supply chain due diligence legislation has emerged at pace since 2015, and the pace accelerated sharply from 2022. The regulations below are the primary frameworks any global procurement, sustainability, or compliance leader must understand.

EU Corporate Sustainability Due Diligence Directive (CSDDD / CS3D)

The EU Corporate Sustainability Due Diligence Directive (CSDDD), also known as CS3D, entered into force in 2024. It creates a mandatory human rights and environmental due diligence obligation for large EU companies and for non-EU companies with significant EU-market revenues. In-scope companies must identify, prevent, mitigate, and account for adverse human rights and environmental impacts across their operations, subsidiaries, and established business relationships.

The 2026 Omnibus I amending directive (Directive (EU) 2026/470, in force 18 March 2026) reset the CSDDD timeline. Member states must now transpose CSDDD into national law by 26 July 2028, and companies must comply from 26 July 2029 — a single, unified application date that replaces the original three-tier phase-in. The Omnibus also raised the in-scope thresholds: CSDDD now applies to EU companies with more than 5,000 employees and more than €1.5 billion in net worldwide turnover, and to non-EU companies generating more than €1.5 billion in EU turnover. CSDDD introduces civil liability for in-scope companies that fail to comply, with administrative penalties capped at 3% of net worldwide turnover. Organizations sourcing from or selling into the EU should treat 2026–2028 as implementation time, not idle time: map value chains, gap-check due diligence programs, and stand up the audit trail before the 2029 application date.

German Supply Chain Due Diligence Act (LkSG)

The German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG) has been in force since January 2023. It requires German companies — and non-German companies with a German branch — with 1,000 or more employees to implement documented due diligence procedures; the employee threshold was reduced from 3,000 to 1,000 in January 2024. These procedures must cover human rights and certain environmental risks across direct suppliers and, where companies have substantiated knowledge, indirect suppliers. For a detailed walkthrough of LkSG obligations, timelines, and compliance steps, see the guide to Germany’s Supply Chain Due Diligence Act.

LkSG obligations include four requirements: an annual risk analysis, a grievance mechanism, remediation measures, and an annual report to BAFA. BAFA actively enforces the law: it has issued guidance, conducted inquiries, and can impose fines of up to €800,000 or 2% of annual global turnover for the largest companies.

Uyghur Forced Labor Prevention Act (UFLPA)

The Uyghur Forced Labor Prevention Act (UFLPA) is a US federal law signed in December 2021 and enforced by US Customs and Border Protection (CBP) since June 2022. The law creates a rebuttable presumption: goods from the Xinjiang Uyghur Autonomous Region — or from entities on the UFLPA Entity List — are presumed to involve forced labor, and CBP prohibits such goods from US importation. For practical guidance on supply chain traceability and CBP enforcement, see the dedicated UFLPA compliance guide.

To rebut the presumption and import affected goods, importers must provide clear and convincing evidence that the goods were not produced with forced labor. This requirement has driven demand for deep, multi-tier supply chain mapping in sectors including solar energy, cotton, polysilicon, aluminum, and automotive, because companies that cannot trace components to source face detention and exclusion. Enforcement is material: US Customs and Border Protection has detained over $3.7 billion in shipments at US ports under UFLPA since June 2022.

Corporate Sustainability Reporting Directive (CSRD)

The EU Corporate Sustainability Reporting Directive (CSRD) significantly expands the scope and depth of sustainability reporting required from large companies operating in the EU. Where its predecessor, the Non-Financial Reporting Directive, required broad narrative disclosure, CSRD mandates reporting against the European Sustainability Reporting Standards (ESRS), which cover climate, nature, social and human rights, and governance topics.

For supplier risk management, CSRD matters because it requires organizations to disclose their due diligence processes and material ESG risks in the value chain, along with the metrics used to track remediation. External auditors must provide limited assurance on reported information from 2026, moving toward reasonable assurance. Companies within scope of CSRD therefore need a functioning SRM program to produce credible CSRD reports.

Norwegian Transparency Act (Åpenhetsloven)

The Norwegian Transparency Act (Åpenhetsloven) entered into force in July 2022 and is enforced by the Norwegian Consumer Authority (Forbrukertilsynet). The Act applies to larger Norwegian enterprises and to foreign enterprises selling goods or services in Norway. Companies must conduct due diligence on human rights and decent working conditions in their operations and supply chains, publish the results in an annual statement, and respond to written information requests from consumers or civil society.

The Transparency Act has a right-to-information mechanism: anyone can submit a written request, and the company must respond substantively within three weeks. Non-compliance can result in orders, fines, and public enforcement action.

UK Modern Slavery Act

The UK Modern Slavery Act requires commercial organizations supplying goods or services in the UK to produce an annual transparency statement. The threshold is annual turnover of £36 million or more. Each statement must set out the steps taken during the financial year to ensure slavery and human trafficking are not present in the supply chain.

Boards must approve each statement, and a director must then sign it. The UK Home Office publishes guidance and maintains a registry of submitted statements. However, the current Act does not impose prescriptive due diligence requirements or financial penalties for inadequate statements. As a result, the Government has consulted on mandatory reporting requirements and compliance penalties, and enforcement pressure from investors, customers, and civil society has increased significantly.

Stat: The UK Home Office Modern Slavery Statement Registry contains over 30,000 statements from UK and international companies as of 2024. It provides a searchable public record of corporate modern slavery reports.

Australian Modern Slavery Act

The Australian Modern Slavery Act 2018 requires entities based or operating in Australia with AU$100 million or more in annual revenue to submit an annual Modern Slavery Statement to the Australian Border Force, which maintains a public online register of these statements. Each statement must describe the entity’s structure, operations, and supply chains; the risks identified; actions taken to address them; and how effectiveness is measured.

The Australian Act operates alongside the NSW Modern Slavery Act 2018, which applies to entities with NSW Government contracts. Both Acts impose disclosure obligations that require a functioning supply chain due diligence capability.

Canadian Bill S-211 (Fighting Against Forced Labour and Child Labour in Supply Chains Act)

Canadian Bill S-211 — the Fighting Against Forced Labour and Child Labour in Supply Chains Act — received Royal Assent in May 2023 and came into force on 1 January 2024. It applies to government institutions and to private-sector entities above defined size thresholds: covered entities are listed on a Canadian stock exchange, or meet two of three criteria (CA$20m in assets, CA$40m in revenues, or 250 employees). Covered entities must report annually to the Minister of Public Safety on the steps taken to prevent forced labor or child labor in their supply chains.

Like the modern slavery acts in the UK and Australia, Bill S-211 establishes disclosure obligations rather than prescriptive due diligence requirements. However, knowingly making a false or misleading statement in a report is an offence, and enforcement is expected to intensify as the legislation matures.

OECD Guidelines and UN Guiding Principles (UNGPs) on Business and Human Rights

The OECD Guidelines for Multinational Enterprises and the UN Guiding Principles on Business and Human Rights (UNGPs) are the foundational frameworks for corporate human rights due diligence. CSDDD, LkSG, and most modern slavery laws explicitly benchmark against them.

The UN Office of the High Commissioner for Human Rights (UN OHCHR) developed the UNGPs, which introduce the concept of a company’s “responsibility to respect” human rights across its value chain — separate from the state’s duty to protect. The OECD Guidelines translate these principles into sector-specific due diligence guidance covering minerals, garments, agriculture, financial services, and more. Together, they define what “adequate” human rights due diligence looks like in practice, and mandatory due diligence legislation is interpreted against these standards.

GHG Protocol and Scope 3 supplier emissions

The GHG Protocol Corporate Value Chain (Scope 3) Standard is the most widely used framework for measuring and managing Scope 3 greenhouse gas emissions. Scope 3 Category 1 (purchased goods and services) and Category 2 (capital goods) make up the largest share of most companies’ Scope 3 footprints, so suppliers are the single biggest lever for reducing them. The guide to Scope 3 emissions and the supply chain covers supplier data collection, reduction targets, and CDP and CSRD reporting.

CSRD’s ESRS E1 climate standard requires reporting on Scope 3 emissions, and the SEC has also been developing Scope 3 disclosure requirements. CDP’s Supply Chain Program collects climate, water, and forests data directly from suppliers on behalf of buying companies. For supplier risk programs, emissions data collection, supplier engagement on climate targets, and Scope 3 verification are now core SRM activities.


Stand up your supplier risk program faster than you can read a directive

CSDDD, LkSG, UFLPA, the Norwegian Transparency Act, and modern slavery laws share one requirement: a documented, repeatable supplier due diligence audit trail. Certainty delivers it, giving compliance, sustainability, and procurement teams a single platform to run it.


Standards and frameworks that shape supplier risk programs

Beyond mandatory regulation, voluntary standards and reporting frameworks define best practice in supplier risk management. Understanding them is essential for building a credible program — and for interpreting the supplier documentation you receive.

ISO 20400 (Sustainable Procurement)

ISO 20400:2017 Sustainable Procurement is the international standard for integrating sustainability considerations into procurement processes. It provides guidance — not prescriptive requirements — for embedding environmental, social, and governance criteria into sourcing decisions, supplier selection, and contract management. ISO 20400 is process-oriented: it helps organizations answer how to make procurement sustainable, not just what to report. It is widely used as an internal governance reference when designing SRM programs and supplier codes of conduct.

RBA Code of Conduct, SEDEX, SMETA, and SA8000

Four frameworks dominate social compliance auditing in global supply chains. Each is summarized below.

Responsible Business Alliance (RBA) Code of Conduct — The RBA Code of Conduct is the leading standard for labor, health and safety, environmental, and ethics practices in the electronics industry. Many large electronics brands require it of their suppliers. RBA’s Validated Audit Program (VAP) verifies conformance with the Code across six sections.

SEDEX (Supplier Ethical Data Exchange) — Sedex is a nonprofit membership organization providing a shared data platform. Suppliers upload ethical trade data (labor standards, health and safety, environment, business ethics) and buyers access and analyze that data across their supply base. Sedex is one of the world’s largest platforms for ethical supply chain data, with over 85,000 supplier members globally.

SMETA (Sedex Members Ethical Trade Audit) — SMETA is the audit method developed by Sedex. A SMETA audit covers two pillars (labor standards, health and safety) or four pillars (adding environment and business ethics). A SMETA-approved audit company conducts it. Completed SMETA audit reports are shared on the Sedex platform, enabling one audit to satisfy multiple buyers — reducing the audit burden on suppliers.

SA8000 — SA8000 is an auditable certification standard developed by Social Accountability International (SAI). It specifies requirements for decent work: child labor, forced labor, health and safety, freedom of association, discrimination, disciplinary practices, working hours, and remuneration. SA8000-certified suppliers have undergone rigorous third-party audits and ongoing surveillance, giving buyers a high-confidence indication of social compliance.

CDP Supply Chain Program, GRI, SASB, and TCFD

Four reporting frameworks shape how companies collect, report, and disclose ESG data from suppliers. Each is summarized below.

CDP Supply Chain Program — The CDP Supply Chain Program enables buying organizations to send questionnaires to suppliers through the CDP platform. It collects uniform climate, water, and forests data. CDP scores and benchmarks supplier responses, giving buyers a consistent dataset for Scope 3 management and climate-related procurement decisions.

GRI (Global Reporting Initiative) — The GRI Standards are the most widely used sustainability reporting standards globally. GRI 308 (Supplier Environmental Assessment) and GRI 414 (Supplier Social Assessment) define how to assess ESG risks and what to disclose publicly.

SASB (Sustainability Accounting Standards Board) — SASB Standards provide industry-specific metrics for disclosing material sustainability topics to investors. Several SASB standards include supply chain metrics relevant to SRM, particularly in food and beverage, apparel, and technology hardware.

TCFD (Task Force on Climate-related Financial Reports) — The TCFD framework is now integrated into ISSB standards (IFRS S2). It requires disclosure of climate-related risks including Scope 3 emissions and supply chain transition risk. TCFD-aligned disclosure has become an investor expectation and is referenced in CSRD’s ESRS E1.

Amfori BSCI, UN Global Compact, and Fair Labor Association

Amfori BSCI (Business Social Compliance Initiative) — Amfori BSCI is a supply chain management system for retailers, importers, and brands. It helps them monitor and improve working conditions globally. Participating companies commit to the BSCI Code of Conduct and use a common audit method and scoring system. The system is prevalent in European retail and consumer goods supply chains.

UN Global Compact (UNGC) — The UN Global Compact is the world’s largest corporate sustainability initiative, with over 20,000 signatory companies. They commit to ten principles covering human rights, labor, environment, and anti-corruption. Signatory status is used as a governance baseline indicator; however, it requires only an annual Communication on Progress rather than third-party verification.

Fair Labor Association (FLA) — The Fair Labor Association combines a code of conduct, audit method, and accreditation to improve labor standards. Its focus is apparel, footwear, and agriculture. FLA accreditation involves comprehensive labor compliance assessments and public reporting.


How to build a supplier risk management program

Seven-step supplier risk management program flowchart
Figure 6 — The seven-step SRM program framework: segment, define, onboard, audit, monitor, remediate, report.

A supplier risk management program follows seven steps, applied in sequence. Together they create a recorded, risk-proportionate, and continuously improving system. Whether you are building from scratch or formalizing existing ad-hoc practices, these steps provide the recommended ESG-led framework. Teams wanting to complement this framework with a rigorous operational audit method will find value in the guide to layered process audits, which covers the shop-floor-level audits that many SRM programs deploy alongside supplier assessments.

Step 1 — Segment your supplier base by risk tier

The first step is to segment all active suppliers into risk tiers based on their inherent ESG risk profile. Not all suppliers carry equal risk, and applying the same due diligence intensity to every supplier is neither feasible nor proportionate.

Key segmentation criteria include spend level, product or service category, country of operation, and the nature of the relationship. High-risk sectors — textiles, electronics, agriculture, construction, and extractives — warrant greater scrutiny. Additionally, use country-risk indices for human rights, rule of law, and environmental protection. A three-tier model is most common:

  • Tier 1 — high risk: requires a full audit and assessment cycle.
  • Tier 2 — medium risk: uses periodic self-assessment and desk review.
  • Tier 3 — lower risk: managed through onboarding due diligence and annual monitoring.

In short, Step 1 creates a tiered supplier register that drives the intensity of everything that follows.

Step 2 — Define your risk taxonomy and scoring model

The second step is to define precisely which ESG risks you are assessing and how you will score them. A risk taxonomy lists the specific risk categories, sub-categories, and indicators relevant to your industry and supply chain. Typical taxonomies cover forced labor, child labor, working hours, wages, health and safety, environmental compliance, governance systems, and country or sector risk.

The scoring model assigns weights to each category based on regulatory requirements, business risk appetite, and stakeholder expectations. A food company sourcing from Southeast Asia might weight labor rights and agricultural environmental impacts most heavily. An electronics manufacturer might prioritize minerals sourcing and factory safety. The scoring model should be recorded, consistently applied, and reviewed annually. Regulators and auditors expect to see a principled basis for how suppliers are prioritized.

Step 3 — Establish a supplier code of conduct and onboarding questionnaire

The third step is to define the standards your suppliers must meet — and capture their agreement in writing. A supplier code of conduct defines the ESG and compliance requirements all suppliers must meet to do business with you. It should reference applicable regulatory frameworks (CSDDD, LkSG, modern slavery acts) and international standards (UNGPs, OECD Guidelines, ILO core conventions).

The supplier onboarding questionnaire is the first data-gathering step. It captures the supplier’s self-declaration against the code of conduct, requests supporting documentation (policies, certifications, previous audit reports), and identifies initial risk flags for follow-up. Onboarding questionnaires should be tiered — longer and more detailed for high-risk suppliers, shorter for lower-risk ones.

Step 4 — Conduct tiered audits and assessments (self-assessment, desk review, on-site)

The fourth step is to deploy the right assessment type for each supplier tier. Use three assessment modes in combination. Each is described below.

  1. Self-assessment questionnaire (SAQ) — A structured survey completed by the supplier. Low-cost and scalable; used for medium and lower-risk suppliers and as a first-pass screen for high-risk ones. SAQ responses must be validated — suppliers have an incentive to present favorably.
  2. Desk review / documentary assessment — Review of supplier-provided documentation against defined criteria: policies, certifications, audit reports, corrective action records. Used to validate SAQ responses and assess governance and management system adequacy.
  3. On-site audit — An in-person assessment at the supplier’s facility, typically conducted by trained auditors using a standardized protocol. On-site audits include facility walkthroughs, worker interviews, payroll and time records review, and health and safety inspections. For highest-risk suppliers, accredited third parties can conduct SMETA or RBA VAP audits. These provide the highest confidence and are mutually recognized across buyers.

Audit frequency should be risk-proportionate: highest-risk suppliers annually, medium-risk suppliers every two to three years, with trigger-based reassessment whenever a risk event occurs. Certainty’s supplier audit solutions provide the end-to-end process for scheduling, deploying, and tracking assessments at scale — from SAQ through on-site audit and CAPA closure.

Step 5 — Monitor continuously (adverse media, ESG ratings, regulatory alerts)

The fifth step is to move beyond point-in-time assessments to continuous monitoring. A single annual audit provides a snapshot; monitoring provides the signal that conditions have changed.

Continuous monitoring covers five areas. First, adverse media screening for labor issues, environmental incidents, or regulatory action. Second, regulatory and sanction list updates (UFLPA Entity List additions, OFAC sanctions). Third, changes in country risk profiles. Fourth, supplier self-reported incident notifications. Fifth, ESG rating updates. Define monitoring triggers in advance: which event prompts a reassessment, and what constitutes a formal risk escalation? Automated alerts integrated into your SRM platform make this scalable at volume.

Step 6 — Manage corrective action plans (CAPAs) and re-audits

The sixth step ensures that identified risks and non-conformances are tracked through to resolution. A corrective action plan (CAPA) documents the finding, its severity, the agreed remediation action, the responsible party, and the deadline for resolution. CAPAs are the primary mechanism through which a supplier risk program improves supplier performance over time.

CAPA management requires a formal process. Issue the finding, obtain supplier acknowledgement, receive the remediation plan, track progress against milestones, and verify closure through documentary evidence or a follow-up visit. Unresolved CAPAs should escalate through defined commercial consequences: reduced order volume, procurement hold, or — in cases of persistent material non-conformance — responsible off-boarding. LkSG and CSDDD regulators expect companies to follow up on identified risks and document the outcome.

Step 7 — Report to leadership, regulators, and customers

The seventh step closes the loop with structured reporting. Supplier risk management data only creates value when it drives decisions and reports. Internal reports to the board cover four areas: the supplier risk register, open CAPA status, significant risk events, and program KPIs. External reporting covers three areas. First, required regulatory submissions (LkSG annual report to BAFA, Modern Slavery Act statements, CSRD ESRS reports). Second, customer requests for due diligence evidence. Third, voluntary public reporting through GRI and CDP.

Good reporting also feeds back into Step 1. Risk insights from monitoring and audits should update the supplier segmentation, ensuring the program remains dynamically risk-proportionate rather than static.


How to conduct a supplier risk assessment

Conducting a supplier risk assessment is a six-stage process. It begins with defining what you are assessing and ends with a recorded decision on how to manage the identified risk. The stages below apply whether you are assessing a new supplier at onboarding or reassessing an existing supplier in your ongoing SRM cycle.

Supplier risk assessment workflow — Scope, Assess, Score, Decide, Remediate, Report
Figure 7 — The six-stage supplier risk assessment workflow.

Choosing the assessment type (self-assessment vs. desk review vs. on-site audit)

The right assessment type depends on the supplier’s risk tier, the information already available, and the regulatory standard you need to meet. Start with the decision rule: what level of evidence is proportionate to the risk this supplier carries?

For lower-risk suppliers, a self-assessment questionnaire (SAQ) is typically sufficient at onboarding, followed by an annual or biennial refresh. For medium-risk suppliers, an SAQ validated against supporting documentation (policies, certificates, previous audits) provides an acceptable desktop assessment. High-risk suppliers, and any supplier in an elevated-risk sector or geography, must receive an on-site audit. Ideally, a trained auditor conducts it using a uniform protocol such as SMETA or your own proprietary method. Unannounced audits are more reliable for detecting systemic non-conformances; use them for highest-risk assessments where culturally and commercially feasible.

Building your supplier risk assessment questionnaire

A supplier risk assessment questionnaire is the data-collection tool that translates your risk taxonomy into specific, answerable questions. A well-designed questionnaire covers five core domains.

  1. Legal and regulatory compliance — Does the supplier comply with applicable labor, environmental, and health and safety laws in the country of operation? Are there any regulatory issues, fines, or enforcement actions in the past three years?
  2. Labor and human rights — What are the supplier’s policies on child labor, forced labor, working hours, wage payment, freedom of association, and non-discrimination? Is there a documented grievance mechanism available to workers?
  3. Environmental management — Does the supplier have an environmental management system (ISO 14001 or equivalent)? What are its energy, emissions, water, and waste metrics? Are there any environmental permit issues?
  4. Governance and management systems — Does the supplier have a code of conduct, ESG policy, and executive accountability for compliance? How does it manage its own sub-suppliers?
  5. Corrective action history — Has the supplier previously undergone a social or environmental audit? What findings were raised, and how were they resolved?

Calibrate questions to the supplier’s sector and geography. Agricultural suppliers in high-risk countries require heavier weighting on labor rights and land rights than professional services suppliers in low-risk jurisdictions.

Scoring, ranking, and escalation thresholds

Risk scoring converts questionnaire responses and audit findings into a ranked risk profile. This enables consistent, comparable treatment across the supplier base. A scoring model typically combines two components. Both are described below.

  • Inherent risk score — Based on the supplier’s sector, country of operation, and product/service category, before any assessment data is applied. Inherent risk captures the structural exposure.
  • Residual risk score — Adjusted from the inherent score based on the supplier’s responses, documented controls, certifications, and audit findings. A supplier with a strong SMETA history and ISO 14001 certification scores lower risk than an unaudited supplier in the same sector.

Stat: OECD research finds that companies conducting regular supply chain due diligence are far more likely to identify and fix human rights issues early.

Define escalation thresholds in the scoring model. For example, any supplier scoring above a defined threshold is automatically flagged for a full on-site audit. A critical finding — child labor, forced labor, or imminent health and safety risk — triggers an immediate escalation protocol regardless of overall score.
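As an added example (not code from the page or from Certainty Software), the scoring model and escalation rules described above, implemented in Python: an inherent score from sector, country and category, a residual score adjusted for documented controls and open findings, tier thresholds, and the zero-tolerance override that escalates regardless of score. Every weight, index value and threshold below is a constructed assumption, not a value from the page or from any published risk index.

```python
# Added illustration of the inherent/residual scoring model and escalation
# thresholds described above. Every weight, index value and threshold is a
# constructed placeholder, not a value from the page or any published index.
from dataclasses import dataclass, field

# Constructed inherent-risk inputs on a 0.0 (lowest) to 1.0 (highest) scale.
SECTOR_RISK = {"textiles": 0.9, "electronics": 0.8, "agriculture": 0.9,
               "construction": 0.7, "extractives": 0.9, "professional services": 0.2}
COUNTRY_RISK = {"country-A": 0.9, "country-B": 0.5, "country-C": 0.2}
CATEGORY_RISK = {"raw material": 0.8, "finished goods": 0.6, "services": 0.3}
UNKNOWN_RISK = 1.0  # anything missing from the tables is treated as highest risk
INHERENT_WEIGHTS = {"sector": 0.4, "country": 0.4, "category": 0.2}  # sum to 1.0

# Credit for documented, verified controls; penalty per open major non-conformance.
CONTROL_CREDIT = {"smeta_audit_clean": 0.25, "iso14001": 0.10,
                  "grievance_mechanism": 0.10, "code_of_conduct": 0.05}
MAJOR_FINDING_PENALTY = 0.10

# Escalation thresholds on the residual score.
ONSITE_AUDIT_THRESHOLD = 0.60  # tier 1: full on-site audit cycle
DESK_REVIEW_THRESHOLD = 0.35   # tier 2: SAQ validated by desk review
# Findings that trigger the escalation protocol regardless of score.
ZERO_TOLERANCE = {"child labor", "forced labor", "imminent health and safety risk"}


@dataclass
class Supplier:
    name: str
    sector: str
    country: str
    category: str
    controls: set = field(default_factory=set)
    findings: list = field(default_factory=list)  # labels of open audit findings
    open_major_findings: int = 0


def inherent_risk(s: Supplier) -> float:
    """Structural exposure from sector, country and category, before any
    assessment data is applied. Unknown inputs default to highest risk."""
    parts = {"sector": SECTOR_RISK.get(s.sector, UNKNOWN_RISK),
             "country": COUNTRY_RISK.get(s.country, UNKNOWN_RISK),
             "category": CATEGORY_RISK.get(s.category, UNKNOWN_RISK)}
    return round(sum(INHERENT_WEIGHTS[k] * v for k, v in parts.items()), 3)


def residual_risk(s: Supplier) -> float:
    """Inherent score adjusted for controls and open findings, clamped to [0, 1]."""
    credit = sum(CONTROL_CREDIT.get(c, 0.0) for c in s.controls)
    penalty = MAJOR_FINDING_PENALTY * s.open_major_findings
    return round(min(1.0, max(0.0, inherent_risk(s) - credit + penalty)), 3)


def decide(s: Supplier) -> dict:
    """Tier the supplier and decide: accept, conditionally accept, or escalate.
    A zero-tolerance finding short-circuits the score entirely."""
    critical = sorted(f for f in s.findings if f in ZERO_TOLERANCE)
    score = residual_risk(s)
    row = {"supplier": s.name, "residual": score}
    if critical:
        row.update(tier=1, decision="escalate",
                   action="immediate escalation protocol: " + ", ".join(critical))
    elif score >= ONSITE_AUDIT_THRESHOLD:
        row.update(tier=1, decision="escalate", action="full on-site audit")
    elif score >= DESK_REVIEW_THRESHOLD:
        row.update(tier=2, decision="conditionally accept",
                   action="SAQ validated by desk review")
    else:
        row.update(tier=3, decision="accept",
                   action="onboarding due diligence and annual monitoring")
    return row


def rank(suppliers) -> list:
    """Ranked register, highest residual risk first."""
    return sorted((decide(s) for s in suppliers), key=lambda r: -r["residual"])


# Constructed sample register.
SAMPLE_SUPPLIERS = [
    Supplier("mill-1", "textiles", "country-A", "raw material",
             controls={"smeta_audit_clean", "iso14001"}),
    Supplier("consultancy-1", "professional services", "country-C", "services"),
    Supplier("farm-1", "agriculture", "country-A", "raw material",
             findings=["excessive overtime"], open_major_findings=1),
    # Low structural risk, but a zero-tolerance finding overrides the score.
    Supplier("consultancy-2", "professional services", "country-C", "services",
             findings=["forced labor"]),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_SUPPLIERS):
        print(row)
```

Note that a supplier whose sector or country is missing from the reference tables is scored at the highest risk rather than silently at the lowest, so gaps in master data surface as tier 1 rather than disappearing.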

Acting on findings: CAPA, re-audit, and responsible off-boarding

Assessment findings require a defined response. Tier your responses by finding severity. Four levels apply.

  1. Observation / low-severity finding — Acknowledged by the supplier; remediation plan submitted within 30 days; progress tracked in the SRM system.
  2. Minor non-conformance — Formal CAPA issued; supplier must submit root-cause analysis and remediation plan within 30 days; verification required within 90 days.
  3. Major non-conformance — Commercial escalation triggered (procurement hold on new orders); formal CAPA with 60-day remediation plan; mandatory on-site re-audit to verify closure.
  4. Critical finding (zero-tolerance) — Escalate immediately to senior leadership and legal. Suspend procurement. Engage the supplier on an urgent corrective action timeline. If unresolved, initiate responsible off-boarding with a documented transition to an alternative supplier.

Responsible off-boarding means exiting a supplier relationship without simply transferring harm elsewhere. Communicate the reasons for disengagement. Give suppliers a reasonable notice period. Where possible, work with industry bodies or NGOs to support affected workers.


What to look for in supplier risk management software

Supplier risk management software helps organizations run a structured, scalable, and auditable SRM program. It covers supplier onboarding and risk assessment, monitoring, CAPA management, and compliance reporting. The market spans purpose-built ESG and compliance platforms, broader GRC suites with supplier modules, and procurement platforms with embedded risk capabilities. The right tool depends on program maturity, supply chain complexity, regulatory obligations, and integration requirements.

Scope note for software evaluation: This section covers SRM software in its ESG and supply chain compliance sense. It covers tools for managing sustainability, human rights, labor, environmental, and governance risk across the supplier base. It does not address cybersecurity vendor risk management tools or financial solvency screening platforms, which serve separate use cases and audiences.

10 capabilities an ESG-led SRM platform must have (vendor-neutral checklist)

When evaluating SRM software for an ESG-led program, look for these ten capabilities. Each is described below.

  1. Configurable risk taxonomy and scoring — The platform must let you define your own risk categories, weightings, and scoring methodology. Regulatory requirements differ by jurisdiction, and no two supply chains carry identical risk profiles.
  2. Supplier onboarding and SAQ management — Automated SAQ distribution, completion rate tracking, and a secure supplier portal for document upload and submission. SAQs must be version-controlled and auditable.
  3. Multi-tier supplier mapping — The ability to map beyond direct (Tier 1) suppliers to sub-suppliers (Tier 2 and Tier 3). This is essential for CSDDD compliance and forced labor traceability in complex supply chains.
  4. Audit and assessment workflow — End-to-end management of on-site and desktop audits, including scheduling, checklist deployment, finding capture, and report generation. Standardized audit templates should be configurable to SMETA, RBA VAP, or proprietary protocols.
  5. Corrective action plan (CAPA) management — Formal CAPA workflow: finding issuance, supplier response, milestone tracking, verification, and closure. CAPAs must be linked to specific audit findings and supplier records.

Monitoring, reporting, and integration capabilities

  6. Continuous monitoring and alerting — Adverse media, regulatory, and sanctions data sources alert the SRM team to risk events between assessment cycles. Monitoring should cover UFLPA Entity List additions, LkSG-relevant enforcement actions, and country-risk changes.
  7. Document and certification management — A centralized repository for supplier certifications (ISO 14001, SA8000, SMETA reports), policies, and due diligence evidence. Expiry tracking and automated renewal reminders are included.
  8. Regulatory reporting support — Built-in templates or data exports structured for mandatory regulatory submissions: LkSG annual report, Modern Slavery Act statement, CSRD ESRS disclosures. Compliance evidence must be auditable and reportable without manual re-compilation.
  9. Analytics and risk dashboards — Aggregate views across the supplier base include heatmaps by country, CAPA open/closed status, and audit coverage rates. Board-level reporting exports in standard formats.
  10. Integration with ERP and procurement systems — The platform must connect to your ERP and procurement system. This makes supplier risk status visible in purchasing workflows and keeps supplier master data synchronized.

Spreadsheet, GRC suite, or dedicated platform — how trade-offs shift with program maturity

The right tool type depends on where your organization is in its SRM journey. Early-stage programs with fewer than 50 active suppliers and no mandatory reporting obligations can often begin with basic spreadsheets or templates. At this stage, process discipline matters more than tooling sophistication. As the supplier base grows, regulatory obligations accumulate. When assessment and CAPA volumes exceed what spreadsheet management can handle reliably, a dedicated ESG or supplier compliance platform becomes necessary.

Larger GRC suites offer supplier risk modules alongside broader enterprise risk, audit, and compliance capabilities — useful for organizations consolidating tooling across functions. Dedicated supplier ESG and compliance platforms offer deeper functionality for supply chain due diligence, assessment workflow, and regulatory reporting. They typically deploy faster and require lower configuration overhead for SRM-specific use cases.

Integration requirements (ERP, procurement, sustainability reporting)

Integration determines whether SRM data flows seamlessly into business decisions or remains a siloed compliance exercise. At minimum, an SRM platform should integrate with three systems. First, the ERP (supplier master data and spend data). Second, the procurement system (risk-to-buy process controls). Third, the sustainability reporting platform (Scope 3 emissions data and CSRD reports). Two-way integration is preferable where possible: risk status from the SRM system should be visible to buyers at point of purchase, and spend data from procurement should update supplier segmentation dynamically.


Free supplier risk assessment checklists and templates

Certainty Software provides four free, practitioner-designed checklists that support the core activities of an ESG-led supplier risk management program. Each checklist is an immediate download. No registration is required. Each is designed for direct deployment in assessment processes or for adaptation to your own program requirements.

ESG Checklist — An assessment checklist covering the environmental, social, and governance dimensions of supplier compliance. Use it at onboarding or in the annual self-assessment to capture a baseline ESG profile across your supplier base.

German Supply Chain Act (LkSG) Due Diligence Checklist — A compliance checklist set up around Germany’s LkSG obligations. It covers risk analysis, preventive and remedial measures, grievance mechanisms, and documentation requirements for BAFA reporting.

Uyghur Forced Labor Prevention Act (UFLPA) Compliance Checklist — A supply chain traceability checklist for companies importing into the United States. It is built around CBP’s expectations for rebutting the UFLPA forced labor presumption.

Supplier Social and Environmental Compliance Checklist — A comprehensive on-site and desk-review checklist. It covers labor standards, health and safety, environmental management, and governance — aligned to SMETA 4-pillar and RBA Code of Conduct criteria.

All four checklists are available at certaintysoftware.com/resources/checklists/.


How Certainty Software supports supplier risk programs

Certainty Software is an audit and inspection management platform built for organizations running compliance, ESG, and supplier risk programs. Compliance teams, sustainability managers, and procurement functions use it to run assessments at scale, track corrective actions, and produce defensible evidence for regulatory reporting.

Certainty’s approach: audit-led, ESG-native supplier risk

Certainty’s supplier risk capability rests on a configurable audit and assessment platform. Organizations adapt it to their own risk taxonomy, supplier code of conduct, and regulatory context. The platform enables uniform questionnaire deployment across large supplier bases, formal CAPA management, and aggregated risk reporting across categories, geographies, and business units. Unlike generic survey tools, Certainty is purpose-built for the compliance process: findings link to specific audit events, CAPAs carry milestone accountability, and all evidence sits in a tamper-evident audit trail that regulators can review. Certainty’s ESG audit solutions extend this capability to environmental and governance assessments across the supplier base.

Who Certainty is built for

Compliance teams, sustainability directors, procurement leaders, and supply chain assurance functions use Certainty to run formal, evidence-based supplier risk programs. It suits organizations facing mandatory regulatory obligations such as LkSG, CSDDD, UFLPA, modern slavery acts, and CSRD. Complex, multi-geography supply chains — where assessment volume, CAPA management, and cross-portfolio risk visibility are the main challenges — are the primary use case. Learn more at certaintysoftware.com/solutions/supplier-audits/.

Case study: DNV scales global supplier audits on Certainty

DNV customer spotlight — DNV scales global supplier audits on Certainty
Figure 8 — DNV selected Certainty as the core platform for its global supply chain audit program.

DNV is one of the world’s leading assurance, verification, and risk management providers, operating across maritime, energy, food and beverage, healthcare, and automotive sectors. DNV has a global presence spanning more than 100 countries. It works with thousands of industrial and commercial clients to assess and improve safety, quality, and sustainability performance in their operations and supply chains.

As demand for uniform, transparent supplier assurance grew across DNV’s client portfolio, the organization faced a familiar challenge. Multiple business units ran parallel supplier audit programs on disparate tools. There was no common data model, no unified reporting layer, and no scalable way to aggregate findings across geographies and sectors.

DNV selected Certainty as the core platform for its global supply chain audit program. The implementation standardized assessment templates across DNV’s supplier-facing audit method, enabling consistent data capture regardless of which business unit conducted the assessment or in which country. Supplier findings from manufacturing, energy, food, and automotive engagements now aggregate into a single data environment, giving DNV’s management and its clients a consolidated view of supply chain risk exposure — a single source of truth for regulatory reporting. The full DNV case study details how the organization moved to a unified program supporting CSDDD, CSRD, and other mandatory framework requirements.

Outcome and impact

In summary: DNV moved from fragmented, business-unit-level reporting to a unified program. This program supports DNV’s internal assurance governance and the supply chain risk reports its clients need under CSDDD, CSRD, and other mandatory frameworks. Assessment turnaround times improved, and CAPA tracking moved from email and spreadsheets to a managed process. Today, DNV’s auditors operate from a consistent global method rather than locally adapted variations.


Frequently Asked Questions (FAQs)

1. What is supplier risk management?

Supplier risk management (SRM) is the structured, ongoing program of identifying, assessing, monitoring, and mitigating ESG risks in supply chain relationships. These risks cover environmental, social and human rights, governance, and compliance. Cybersecurity supplier risk, financial solvency screening, and fraud risk are separate disciplines with separate frameworks and professional communities.

2. What is the difference between supplier due diligence, supplier risk assessment, and a supplier audit?

Supplier due diligence is a time-bounded investigation against a legal or regulatory standard, conducted at onboarding or on a risk trigger. A supplier risk assessment scores a supplier’s overall ESG risk profile using inherent and residual factors, producing a risk tier and audit prioritization. A supplier audit is a formal, evidence-based verification — usually on-site — that checks practices against a standard and produces rated findings.

3. What is ESG due diligence in the supply chain?

ESG due diligence in the supply chain evaluates a supplier’s environmental, social, and governance practices against defined standards or regulatory requirements. Environmental covers emissions, water, and waste. Social covers labor rights, forced labor, child labor, health and safety, and grievance mechanisms. Governance covers management systems and board-level accountability. Regulations including CSDDD and LkSG now make key aspects of this process legally required for in-scope companies.

4. How does supplier risk management relate to third-party risk management (TPRM)?

Third-party risk management (TPRM) is the broader enterprise field covering all external parties — suppliers, contractors, service providers, and joint venture partners. SRM is the supply chain subset of TPRM. It focuses on ESG, human rights, labor, and compliance risk. Many organizations run a dedicated SRM track within TPRM, because supply chain ESG risk has separate regulatory obligations, assessment methods (social audits, SMETA, SAQs), and stakeholder audiences.

5. How do you build a supplier risk management program?

A supplier risk management program has seven steps. (1) Segment your supplier base by risk tier. (2) Define your risk taxonomy and scoring model. (3) Establish a supplier code of conduct and onboarding questionnaire. (4) Conduct tiered assessments proportionate to each supplier’s risk tier. (5) Monitor suppliers continuously. (6) Manage corrective action plans (CAPAs) to verified closure. (7) Report to leadership, regulators, and customers. See the seven-step program framework for the full walkthrough.

6. How do you conduct a supplier risk assessment?

A supplier risk assessment follows six stages. (1) Scope: define which suppliers and which standard. (2) Assess: deploy SAQ, desk review, or on-site audit based on risk tier. (3) Score: apply your scoring model to produce a risk ranking. (4) Decide: accept, conditionally accept, or escalate. (5) Remediate: issue CAPAs and track to resolution. (6) Report: document outcomes for internal and regulatory use. See the step-by-step assessment guide and download the free Supplier Social and Environmental Compliance Checklist.

7. What is the German Supply Chain Due Diligence Act (LkSG)?

Germany’s LkSG is a mandatory human rights and environmental due diligence law. It applies to German companies with 1,000 or more employees (reduced from 3,000 in January 2024). In-scope companies must conduct an annual risk analysis, implement preventive and remedial measures, establish a grievance mechanism, and submit an annual report to BAFA. Non-compliance can result in fines up to €800,000 or 2% of global turnover. Download the free LkSG Due Diligence Checklist for a compliance walkthrough.

8. What is the best tool for supplier risk management?

The right tool depends on program maturity, supplier base size, and regulatory obligations. Early-stage programs with fewer than 50 suppliers can start with basic spreadsheets to establish process discipline. As mandatory due diligence obligations accumulate and CAPA volumes grow, a purpose-built platform becomes necessary. For a full breakdown — including the ten-capability vendor-neutral checklist — see What to look for in supplier risk management software.

9. Which regulations require supplier due diligence?

Multiple regulations mandate supplier ESG due diligence. Key laws include CSDDD (EU, application from 26 July 2029 under the 2026 Omnibus I amended timeline), LkSG (Germany, in force 2023), and UFLPA (US, enforced since June 2022). The Norwegian Transparency Act applies from July 2022. CSRD requires due diligence disclosure. Modern slavery acts apply in the UK, Australia, and Canada (Bill S-211, in force January 2024). For details on each regulation, see the regulatory landscape section.

10. What features should supplier risk management software have?

An ESG-led SRM platform needs ten core capabilities. The first five are: configurable risk taxonomy and scoring, supplier onboarding and SAQ management, multi-tier supplier mapping, audit and assessment workflow, and CAPA management. The remaining five are: continuous monitoring, document management, regulatory reporting support (LkSG, modern slavery acts, CSRD), aggregated risk dashboards, and ERP/procurement integration. See the ten-capability checklist for a full breakdown and trade-off guidance.

11. How does Certainty Software support supplier risk management?

Certainty Software is an audit-led, ESG-native SRM platform for compliance teams, sustainability directors, and procurement functions. It provides configurable risk taxonomy and scoring, automated SAQ deployment, and uniform audit processes (SMETA, RBA VAP, LkSG, or proprietary). It also covers CAPA management from finding to verified closure and aggregated risk dashboards. Certainty integrates with ERP and procurement systems and creates the audit-trail evidence that LkSG, CSDDD, modern slavery acts, and CSRD regulators expect.

12. Can Certainty help with CSDDD and LkSG compliance?

Yes. For LkSG, Certainty supports the annual risk analysis cycle, preventive and remedial measure tracking, and grievance mechanism logging. It also handles CAPA management and creates the audit trail documentation for the annual BAFA report. For CSDDD, Certainty supports multi-tier supplier mapping, value chain risk assessment, and corrective action processes. It also maintains the evidence repository needed to demonstrate adequate due diligence. The platform is configurable to your specific regulatory scope and adapts as CSDDD transposition proceeds through 2026–2028 under the Omnibus I amended timeline.


Ready to operationalize your supplier risk program?

Certainty is used by DNV and other leading organizations to run global, multi-regulation supplier risk programs from a single source of truth. See how Certainty standardizes supplier assessments, tracks corrective actions, and produces regulator- and customer-ready reporting on CSDDD, LkSG, UFLPA, and CSRD.