CSDDD explained: what due diligence means and how to operationalise it across suppliers


Learn how to structure supplier due diligence under CSDDD: identify risks, prioritise suppliers and build a traceable, risk-based process.

Abstract 

The Corporate Sustainability Due Diligence Directive (CSDDD) introduces a structured approach for companies to identify, prevent and manage environmental and human rights impacts across their value chain. 

While the regulatory framework continues to evolve, the underlying logic is already clear: due diligence is based on a risk-based approach and requires companies to focus on the most relevant areas of their supply chain. 

This article explains what due diligence means in practice and how companies can structure a consistent and scalable process, from identifying risk areas to prioritising suppliers, defining controls and building traceability over time. 

 

Key Takeaways 

  • Due diligence is based on a risk-based approach, not on reviewing every supplier in the same way. 

  • Companies are expected to identify where risks are more likely to occur across their value chain. 

  • Prioritisation is essential to make the process manageable and effective. 

  • Documentation and traceability are key to ensure consistency and future readiness. 

  • Supplier due diligence is not a one-off exercise, but a structured and repeatable process. 

 

What the CSDDD requires in practice 

The Corporate Sustainability Due Diligence Directive (CSDDD) establishes a framework for companies to identify, prevent, mitigate and account for adverse impacts on human rights and the environment across their operations and value chains. 

Although implementation timelines are evolving, the directive confirms a broader direction already reflected in international standards such as the OECD Due Diligence Guidance and the UN Guiding Principles on Business and Human Rights. These frameworks emphasise that companies are not expected to eliminate all risks, but to demonstrate that they are identifying and managing them in a structured and proportionate way. 

A key element of the CSDDD approach is that it is risk-based. This means that companies are expected to focus their efforts where impacts are more likely or more severe, rather than applying the same level of scrutiny to every supplier or activity. 

In practical terms, due diligence involves a sequence of actions: understanding where risks may arise, prioritising areas of intervention, engaging with suppliers, and documenting the process over time. 

For many organisations, the challenge is not understanding these principles, but translating them into internal processes. Due diligence requires coordination between procurement, risk management, compliance and sustainability functions, as well as the ability to work with structured and reliable data. 

Seen in this way, due diligence is not only a regulatory requirement. It is a framework for organising how companies manage supplier-related risks in a consistent and repeatable way. 

 

Step 1: Understand where supplier risk sits 

The first step in building a due diligence process is understanding where risks are more likely to occur within the value chain. 

Rather than starting from individual suppliers, companies benefit from taking a broader view. This includes analysing geographies, sectors and types of activities that may be associated with higher environmental or social risks. In many industries, risk is not evenly distributed. Certain regions or production processes may be more exposed to issues such as labour conditions, environmental impacts or regulatory gaps. 

This step is closely connected to the double materiality assessment required under the ESRS framework. Topics identified as material often indicate where impacts and risks are most relevant, including across the value chain. As a result, due diligence does not start from scratch, but builds on the priorities already identified. 

Companies typically combine internal knowledge with external references, such as international risk indices, sector guidelines or publicly available datasets. The objective is not to achieve full visibility immediately, but to develop a structured understanding that can be refined over time. 

Step 1 is about identifying where supplier-related risks may exist, so that due diligence efforts can be focused and proportionate. 

 

Step 2: Prioritise suppliers and risk categories 

Once risk areas have been identified, companies need to determine where to act first. 

A central principle of due diligence is prioritisation. Not all suppliers require the same level of analysis, and attempting to assess all of them in the same way would quickly lead to inefficiencies. 

Prioritisation allows companies to focus on suppliers that are more exposed to risk or more relevant to business operations. Criteria may include geographical exposure, type of activity, criticality of the supplier, or known ESG risks associated with specific sectors. 

This approach is explicitly recognised in international guidance. The OECD framework highlights that companies should prioritise actions based on the severity and likelihood of impacts, ensuring that resources are allocated where they are most needed. 

From an operational perspective, prioritisation helps transform due diligence into a manageable workflow. It clarifies which suppliers require deeper analysis, which require monitoring and which can be managed through lighter controls. 

Step 2 is about focusing efforts where they matter most, ensuring that due diligence remains effective without becoming unnecessarily complex. 

 

Step 3: Define controls, engagement and remediation 

Once priorities are defined, the next step is translating them into concrete actions. 

Due diligence is not limited to identifying risks. It requires companies to define how they will engage with suppliers, what information they need to collect and how they will respond when issues are identified. 

In practice, this often includes structured data collection through questionnaires, the definition of minimum requirements or expectations, and follow-up actions to address gaps or inconsistencies. 

Engagement with suppliers is a key component. Rather than acting only as a control mechanism, due diligence is increasingly seen as a process of collaboration, where companies support suppliers in improving practices over time. 

Remediation is also part of the process. When adverse impacts are identified, companies are expected to take appropriate action, which may range from corrective measures to changes in the business relationship, depending on the severity of the issue. 

Step 3 is where due diligence becomes operational, moving from analysis to action. 

 

Step 4: Build traceability and ensure consistency 

A defining element of effective due diligence is the ability to document and track actions over time. 

Companies are expected to demonstrate not only that they have identified risks, but also how they have managed them. This requires a consistent approach to documentation, including data sources, assessment criteria, supplier responses and follow-up actions. 

Traceability is essential for several reasons. It supports internal governance, enables continuity across reporting cycles and prepares companies for potential regulatory or stakeholder scrutiny. 

Importantly, documentation does not need to be excessive. What matters is consistency. Processes should be applied in a comparable way over time, and any changes should be clearly explained. 

This step reinforces a broader principle: due diligence is not a one-off exercise, but a process that evolves as the company's understanding of its value chain improves. 

Step 4 ensures that due diligence is not only performed, but also demonstrable. 

 

From due diligence to supplier governance 

When structured properly, due diligence becomes part of a broader supplier governance system. 

Rather than being treated as a standalone compliance activity, it can be integrated into procurement processes, risk management frameworks and performance monitoring systems. This integration helps reduce duplication, improve internal coordination and make ESG considerations more actionable. 

Over time, companies that embed due diligence into their governance processes are better positioned to respond to evolving expectations from regulators, customers and financial stakeholders. 

In this context, due diligence is not only about compliance. It supports a more informed and structured approach to managing supplier relationships and long-term business risks. 

 

Mini-checklist: starting your supplier due diligence process 

  1. Start by understanding where risks are more likely to occur across your value chain. 

  2. Focus your efforts by prioritising suppliers based on their level of risk exposure and business relevance. 

  3. Define how you will collect ESG data and engage with suppliers in a consistent way. 

  4. Ensure that actions, decisions and follow-ups are properly documented over time. 

  5. Finally, integrate due diligence into your existing governance and risk management processes. 

 

 

Explore related ESG Guides 

To further explore how ESG data, reporting and governance support effective decision-making, you may find these ESG Guide articles useful: 

ESRS explained: what companies must report and how to prepare
https://www.synesgy.com/en/esg-guide/enesg-guideesrs-readiness-how-to-prepare/ 

ESG beyond compliance: governance in a fragmented climate era
https://www.synesgy.com/en/esg-guide/esg-beyond-compliance-governance-in-fragmented-climate-era/ 

Struggling with ESG insights? Automation makes ESG data actionable
https://www.synesgy.com/en/esg-guide/struggling-with-esg-insights-automation-makes-esg-data-actionable/ 

 

 

FAQ 

Does due diligence require assessing all suppliers in the same way?
No. Due diligence is based on a risk-based approach. Companies are expected to focus on areas where impacts are more likely or more severe. 

What is a risk-based approach in practice?
It means prioritising suppliers and activities based on exposure to environmental and social risks, rather than applying uniform controls across the entire supply chain. 

What kind of information should companies collect from suppliers?
Companies typically collect ESG-related data, including information on environmental practices, labour conditions and governance aspects, depending on the level of risk. 

Why is documentation important in due diligence?
Because companies need to demonstrate how risks were identified and managed over time. Documentation supports consistency, transparency and potential assurance requirements. 
