Supply Chain Mapping and Risk Assessment
A company cannot conduct meaningful human rights due diligence on risks it has not identified. Supply chain mapping - building a picture of who is in your supply chain, where they are, and what they do - is the foundation of effective HRDD. Yet for most companies, the supply chain beyond Tier 1 is largely invisible. This lesson covers the methods for mapping supply chains across tiers, the risk indicators used to prioritize due diligence efforts, and the approaches to conducting human rights risk assessments at the supply chain level.
Defining the Supply Chain and Its Tiers
The term "supply chain" refers to the full sequence of entities involved in producing a product or delivering a service - from raw material extraction through processing, manufacturing, and logistics to the end buyer. The OECD Due Diligence Guidance for Responsible Business Conduct defines "supply chain" as all upstream entities, including suppliers, subcontractors, and sub-suppliers, across multiple tiers.
- Tier 1: Direct suppliers - companies that have a direct commercial relationship with your company (e.g., a garment factory that sews your products)
- Tier 2: Suppliers to your Tier 1 suppliers (e.g., the fabric mill that supplies the garment factory)
- Tier 3: Suppliers to Tier 2 (e.g., the cotton gin that supplies the fabric mill)
- Tier N (raw material): The furthest upstream tier, including mining operations, farms, forestry operations, and fisheries
Human rights risks do not correlate with proximity to the buyer. Some of the most severe risks - forced labour, child labour, hazardous working conditions - concentrate in the upstream tiers where oversight is weakest, competition for margin is most intense, and workers are most vulnerable.
Why Supply Chains Are Hard to Map
Most companies have extensive visibility into Tier 1 suppliers through procurement contracts and regular business interaction. Tier 2 visibility is significantly lower - a typical study of global brands finds that only around 30-40% can name their Tier 2 suppliers. Beyond Tier 2, visibility drops dramatically, particularly for companies sourcing commodity inputs such as cotton, palm oil, soy, metals, or minerals.
Several factors contribute to this opacity:
- Subcontracting: Factories may subcontract work to other facilities to meet demand peaks, creating production relationships that are invisible to buyers
- Commodity aggregation: Agricultural and mineral commodities from many producers are mixed at aggregation points, making it impossible to trace finished goods to their origin without traceability systems
- Supplier confidentiality: Suppliers may regard their own supplier relationships as proprietary business information and resist disclosure
- Complexity and scale: A large retailer or consumer goods company may source from thousands of Tier 1 suppliers across dozens of countries, each of which has its own upstream supply chain
Analogy: The Roots of a Tree
A company's supply chain is like a tree. The visible trunk represents your business. The major branches are your Tier 1 suppliers - you can see and count them. The smaller branches are Tier 2 suppliers - you know roughly where they are. But the roots, spreading invisibly underground, represent the deeper tiers: the farms, mines, and informal processors that form the base of your supply chain. The tree depends entirely on its roots, yet most companies have almost no visibility into them. Supply chain mapping is the process of digging down to understand the root system.
Mapping Methodologies
Practical approaches to supply chain mapping include a combination of internal data gathering, supplier disclosure, and third-party data sources:
- Supplier questionnaires and disclosure requirements: Requiring Tier 1 suppliers to disclose their own key suppliers as a condition of the business relationship
- Spend data analysis: Using procurement system data to identify the universe of suppliers and the volume of spend with each
- Material flow tracing: Following the physical flow of specific inputs (e.g., a specific mineral or agricultural commodity) back to origin through the processing and trading chain
- Third-party databases and intelligence: Using commercial supply chain intelligence tools (e.g., Sourceability, Sourcemap, Sedex supply chain tools, Ulula) that aggregate supplier relationships
- Industry collaboration: Sharing supply chain mapping data with peer companies and industry initiatives that have invested in upstream traceability
Geographic and Sectoral Risk Indicators
Once a supply chain is mapped, the next step is risk prioritization. Not every supplier or sourcing location carries equal risk. Risk assessment uses a combination of geographic and sectoral indicators to identify where adverse human rights impacts are most likely to occur.
| Risk Dimension | Indicators | Sources |
|---|---|---|
| Country-level governance | Rule of law, corruption, government effectiveness, civil liberties | World Bank Governance Indicators, Freedom House, Transparency International CPI |
| Conflict and fragility | Active armed conflict, presence of armed groups, political instability | Fund for Peace Fragile States Index, ACLED conflict data |
| Labour rights | ILO Conventions ratified and effectively implemented, freedom of association restrictions, labour inspection capacity | ILO NORMLEX, ITUC Global Rights Index |
| Forced labour prevalence | Known forced labour hotspots, trafficking routes, prevalence estimates | ILO global estimates, US State Department TIP Report, KnowTheChain Benchmark |
| Child labour prevalence | Child labour rates by country and sector | ILO IPEC data, UNICEF country profiles, US DOL ILAB list |
| Indigenous peoples' presence | Mapping of indigenous territories and protected areas | RAISG, Rainforest Foundation, national cadastral data |
| Sector-specific risk | Known risk profiles for mining, agriculture, garments, fishing, construction | OECD sector-specific due diligence guidance, NGO reports |
The Human Rights Impact Assessment at Supply Chain Level
A Human Rights Impact Assessment (HRIA) systematically identifies, analyzes, and assesses the actual and potential impacts of business activities on human rights. At the supply chain level, an HRIA involves:
- Scoping: Defining which parts of the supply chain to assess, based on the risk prioritization exercise
- Stakeholder engagement: Consulting workers, communities, civil society, and other affected stakeholders to understand their experience of impacts
- Impact identification: Using the international human rights framework - the UDHR, ILO core conventions, and other instruments - as the reference standard to identify which rights are at risk
- Severity assessment: Evaluating impacts against the UNGP severity criteria: scale (how many people affected), scope (how grave the harm), and remediability (how reversible or irreversible the harm is)
- Causal analysis: Determining whether the company causes, contributes to, or is directly linked to each identified impact
- Prioritization: Ranking impacts by severity and the company's degree of involvement to guide the allocation of due diligence resources
Example: Prioritizing Coffee Supply Chain Risks
A European coffee roaster sources green coffee from Ethiopia, Honduras, and Vietnam. A supply chain mapping exercise reveals that Ethiopian coffee is predominantly sourced from smallholder farms through cooperatives (Tier 3), that Honduran sourcing includes some large estates (Tier 1) with a history of documented labour violations, and that Vietnamese sourcing involves a single large exporter (Tier 1) but with opaque upstream sourcing from diverse smallholders. A risk prioritization exercise identifies the Honduran estates - where the roaster has direct commercial relationships and documented historical issues - as the highest-priority focus for enhanced due diligence. The Ethiopian smallholder network, while presenting structural poverty risks, involves thousands of small farms with no direct relationship; collaboration with industry certification bodies and cooperative development programs is identified as the appropriate response here. This illustrates how risk prioritization allows companies to allocate limited due diligence resources where they can have the greatest impact.
Proportionality in Risk Assessment
The OECD Due Diligence Guidance emphasizes that the depth of supply chain due diligence should be proportionate to the severity of the risk and the company's ability to influence outcomes. A company is not expected to conduct a full HRIA of every supplier in its global supply chain. Resources should focus on the highest-severity risks in the parts of the supply chain where the company has the most leverage and where its due diligence can make the most difference. Risk-based prioritization is not a way to avoid due diligence - it is the responsible way to make due diligence effective.
Key Takeaways
- 1Supply chain mapping is the foundation of human rights due diligence: you cannot manage risks you have not identified, and most companies have very limited visibility beyond Tier 1 suppliers
- 2Human rights risks are often most severe in upstream tiers - raw material extraction, artisanal processing, and agricultural smallholders - where oversight is weakest and workers are most vulnerable
- 3Risk prioritization uses geographic indicators (governance quality, conflict, labour rights) and sectoral indicators (known hotspot industries) to identify where to focus due diligence resources
- 4Human Rights Impact Assessments evaluate the scale, scope, and remediability of potential impacts and the company's causal role (causing, contributing to, or directly linked) to guide prioritization
- 5Supply chain mapping efforts are more effective when companies collaborate within industry initiatives to share traceability data and spread the cost of upstream visibility