1.2 Risk impact assessment

Article 8, Identifying and assessing actual and potential adverse impacts

Article 8.1  Member States shall ensure that companies take appropriate measures to identify and assess actual and potential adverse impacts arising from their own operations or those of their subsidiaries and, where related to their chains of activities, those of their business partners, in accordance with this Article.
 

Article 8.2 As part of the obligation set out in paragraph 1, taking into account relevant risk factors, companies shall take appropriate measures to: (a) map their own operations, those of their subsidiaries and, where related to their chains of activities, those of their business partners, in order to identify general areas where adverse impacts are most likely to occur and to be most severe; (b) based on the results of the mapping as referred to in point (a), carry out an in-depth assessment of their own operations, those of their subsidiaries and, where related to their chains of activities, those of their business partners, in the areas where adverse impacts were identified to be most likely to occur and most severe.

Recital 38 

In order to conduct appropriate human rights and environmental due diligence with respect to their operations, the operations of their subsidiaries, and the operations of their business partners in the chains of activities of the companies, companies covered by this Directive should integrate due diligence into their policies and risk management systems, identify and assess, where necessary prioritise, prevent and mitigate as well as bring to an end and minimise the extent of actual and potential adverse human rights and environmental impacts, provide remediation in relation to actual adverse impacts, carry out meaningful engagement with stakeholders, establish and maintain a notification mechanism and complaints procedure, monitor the effectiveness of the measures taken in accordance with the requirements that are provided for in this Directive and communicate publicly on their due diligence. In order to ensure clarity for companies, in particular the steps of preventing and mitigating potential adverse impacts and of bringing to an end, or when this is not possible, minimising the extent of actual adverse impacts, should be clearly distinguished in this Directive.

Recital 39

In order to ensure that due diligence forms part of companies’ policies and risk management systems, and in line with the relevant international framework, companies should integrate due diligence into their relevant policies and risk management systems and at all relevant levels of operation, and have in place a due diligence policy. The due diligence policy should be developed in prior consultation with the company’s employees and their representatives and should contain a description of the company’s approach, including in the long term, to due diligence, a code of conduct describing the rules and principles to be followed throughout the company and its subsidiaries, and, where relevant, the company’s direct or indirect business partners and a description of the processes put in place to integrate due diligence into the relevant policies and to carry out due diligence, including the measures taken to verify compliance with the code of conduct and to extend its application to business partners. The due diligence policy should ensure a risk-based due diligence. The code of conduct should apply in all relevant corporate functions and operations, including procurement, employment and purchasing decisions. For the purposes of this Directive, employees should be understood as including temporary agency workers, and other workers in non-standard forms of employment provided that they fulfil the criteria for determining the status of worker established by the CJEU.

Recital 40 

To comply with due diligence obligations, companies need to take appropriate measures with respect to the identification, prevention, bringing to an end, minimisation and remediation of adverse impacts, and the carrying out of meaningful engagement with stakeholders throughout the due diligence process. The term ‘appropriate measures’ should be understood to mean measures that are capable of achieving the objectives of due diligence, by effectively addressing adverse impacts in a manner commensurate to the degree of severity and the likelihood of the adverse impact, and reasonably available to the company, taking into account the circumstances of the specific case, including the nature and extent of the adverse impact and relevant risk factors. If necessary information, including information that is deemed to be a trade secret, cannot be reasonably obtained due to factual or legal obstacles, for instance because a business partner refuses to provide information and there are no legal grounds to enforce this, such circumstances cannot be held against the company, but it should be able to explain why such information could not be obtained and should take the necessary and reasonable steps to obtain it as soon as possible.

Recital 41

Under the due diligence obligations provided for in this Directive, a company should identify and assess actual or potential adverse human rights and environmental impacts. In order to allow for a comprehensive identification and assessment of adverse impacts, such identification and assessment should be based on quantitative and qualitative information, including the relevant disaggregated data that can be reasonably obtained by a company.
 

Companies should make use of appropriate methods and resources, including public reports. For instance, as regards adverse environmental impacts, the company should obtain information about baseline conditions at higher risk sites or facilities in its chain of activities.

As part of the obligation to identify adverse impacts, companies should take appropriate measures to map their own operations, those of their subsidiaries and, where related to their chains of activities, those of their business partners, in order to identify general areas where adverse impacts are most likely to occur and to be most severe. Based on the results of such mapping, companies should carry out an in-depth assessment of their own operations, those of their subsidiaries and, where related to their chains of activities, those of their business partners, in the areas where adverse impacts were identified to be most likely to occur and most severe.

Identification of adverse impacts should include assessing the human rights and environmental context in a dynamic way and at regular intervals: without undue delay after a significant change occurs, but at least every 12 months, throughout the life cycle of an activity or relationship, and whenever there are reasonable grounds to believe that new risks may arise.

Reasonable grounds to believe that there are new risks may arise in different ways, including learning about the adverse impact from publicly available information, through stakeholder engagement, or through notifications. If, despite having taken appropriate measures to identify adverse impacts, companies do not have all the necessary information regarding their chains of activities, they should be able to explain why that information could not be obtained and should take the necessary and reasonable steps to obtain it as soon as possible.