2024-10-14T11:13:00
European Union

Risk-based approach to due diligence: knowing the facts and adopting appropriate measures

Risk-based approach
October 14, 2024

Sustainability and Corporate Due Diligence


In this fourth post about Directive (EU) 2024/1760 on corporate sustainability due diligence (“CS3D”), we reflect on what the risk-based approach to corporate sustainability due diligence entails.

The CS3D refers to the risk-based approach when describing companies’ due diligence obligation in article 5.1 and when establishing the obligation for companies to have a due diligence policy (article 7.1 and recital 39).

In this post, we examine what the risk-based approach is and how it aligns with the due diligence code of conduct. This reflection leads us to the obligations of means and to examining how the CSRD itself contains substantial regulation of the means to be applied by the obligated companies.

Access the previous publications in the series of posts on CS3D here:

Post | The CS3D in perspective

Post | Who does the CS3D affect?

Post | Legal interests protected by the CS3D

Risk-based due diligence

Article 5.1 of the CS3D describes the due diligence obligation as a risk-based obligation that must be implemented by companies through specific actions:

  • its integration into policies and risk management systems (article 7);
  • the identification and assessment of actual and potential adverse impacts (article 8) and their prioritization when necessary (article 9);
  • the prevention and mitigation of potential adverse impacts (article 10);
  • the bringing to an end, and the minimizing of, actual adverse impacts (article 11); and
  • their remediation (article 12).

The European Commission’s FAQ on the CS3D clarifies the meaning of the risk-based approach in terms of appropriate measures and prioritization:

  • the identification and addressing of companies’ adverse impacts must be done through appropriate measures; and
  • companies can prioritize their actions when it is not possible to address all their impacts simultaneously.

The combination of human/environmental considerations and the risk-based approach enables an operational approach to the legal obligation of due diligence in relation to the adverse external impacts of companies’ activities.

The very concept of due diligence itself includes the two processes that integrate the risk-based approach: on the one hand investigating the facts; and on the other, evaluating (or assessing) those facts considering the required standard of conduct to adopt appropriate measures, including, if necessary, the prioritization of actions.

We could say that risk-based due diligence entails implementing an ongoing process of identification (investigation) of facts that generate or may generate risk—understood as an actual or potential adverse impact on human rights or the environment—and adopting and implementing measures appropriate for the required code of conduct. 

Obligations of means

The CS3D highlights (in recital 19) that most of these obligations are of means. This means that their compliance will be assessed based on their alignment with the due diligence objectives.

We should not underestimate the obligations of means, especially in the context of the CS3D. In the obligations of means, the focus is on the judgment exercised by the obligated company in deciding which facts are relevant and which measures are appropriate to address them. The CS3D elaborates on both elements in great detail:

  • The identification and assessment of facts are regulated in article 8, which indicates the tools and specific methods for mapping and carrying out an in-depth assessment of companies’ own operations, those of their subsidiaries and those within their value chain.
  • The prioritization of measures is regulated in article 9, and should be based on the severity and likelihood of the adverse impacts, and not on the complexity or proximity of the facts. Moreover, prioritizing certain actions does not exempt companies from undertaking other actions within a reasonable timeframe. 
  • For assessing appropriate measures to be adopted, article 3(o) contains a definition of “appropriate measures” and articles 10 and 11 contain lists of specific measures, whose appropriateness in each case should be measured in relation to the objective governing each list: preventing potential adverse impacts or adequately mitigating any potential adverse impacts (article 10); and bringing actual adverse impacts to an end or mitigating them if the adverse impact cannot immediately be brought to an end (article 11).
  • The process for investigating facts and determining appropriate measures includes consultation and effective engagement with stakeholders (article 13).
  • Lastly, the directive contains well-defined obligations: the obligation to bring adverse impacts to an end (article 11) and the obligation to provide remediation (article 12).

In our next post, we will reflect on the obligations to bring adverse impacts to an end and to provide remediation beyond just financial compensation.
