Playbook: Adopting Ethical sourcing & human rights due diligence in 90 days

More than 80% of companies surveyed by the Business & Human Rights Resource Centre in 2025 acknowledged salient human rights risks in their supply chains, yet fewer than 30% had operational due diligence programs capable of identifying, preventing, or remediating those risks. With the EU Corporate Sustainability Due Diligence Directive (CSDDD) entering force, Germany's LkSG already in effect, and US Customs and Border Protection enforcing the Uyghur Forced Labor Prevention Act (UFLPA), the compliance window is closing. This playbook provides a 90-day framework for standing up an ethical sourcing and human rights due diligence (HRDD) program from decision to operational deployment.

Why It Matters

Ethical sourcing is no longer a corporate social responsibility aspiration: it is a regulatory mandate with enforcement teeth. German authorities issued more than 50 formal compliance notices under the LkSG in its first 18 months. US CBP detained over $2 billion in goods under UFLPA Withhold Release Orders in 2024 alone. The EU CSDDD will apply to companies with 1,000+ employees and EUR 450 million in net turnover starting 2027, with civil liability provisions enabling affected communities to sue for damages in European courts.

Beyond compliance, the business case is measurable. Companies with mature HRDD programs report 15-25% fewer supply disruptions from labor-related shutdowns, 20-35% improvement in supplier retention rates, and stronger access to sustainability-linked financing. Investors increasingly treat human rights governance as a proxy for supply chain resilience and management quality.

Key Concepts

Human Rights Due Diligence (HRDD) is the process by which companies identify, prevent, mitigate, and account for adverse human rights impacts in their operations and value chains. The framework originates from the UN Guiding Principles on Business and Human Rights (UNGPs), adopted in 2011.

Salient Human Rights Issues are the rights at risk of the most severe negative impact through a company's activities and business relationships. Salience is determined by scale, scope, and irremediability, not by financial materiality to the company.

Grievance Mechanisms are processes through which affected workers and communities can raise concerns, seek information, and access remedy. Effective mechanisms must be legitimate, accessible, predictable, equitable, transparent, rights-compatible, and a source of continuous learning.

Traceability refers to the ability to identify and track products, components, and raw materials through each stage of the supply chain, from extraction to finished goods. Traceability is foundational to HRDD because risks concentrate in upstream tiers that brands rarely see directly.

The 90-Day Framework

Days 1-15: Governance and Stakeholder Alignment

Week 1: Establish ownership and mandate.

Appoint a cross-functional HRDD steering committee with representatives from procurement, legal, compliance, sustainability, and operations. Assign an executive sponsor at SVP level or above. Define the program's scope: which business units, geographies, product lines, and supply chain tiers will be covered initially.

Week 2: Conduct a rapid landscape assessment.

Map existing policies, contractual clauses, supplier codes of conduct, and audit programs. Identify gaps against the UNGPs framework and applicable regulations (CSDDD, LkSG, UFLPA, Modern Slavery Acts). Interview 5-10 internal stakeholders across procurement, quality, and legal to surface known risks and existing informal practices.

Deliverables by Day 15:

• Steering committee charter with roles, decision rights, and meeting cadence
• Gap analysis document comparing current state to UNGP requirements
• Prioritized list of 3-5 salient human rights issues based on sector and geography
• Board-level briefing summarizing regulatory exposure and program roadmap

Days 16-45: Risk Assessment and Vendor Selection

Weeks 3-4: Perform supply chain risk mapping.

Segment your supplier base by risk level using a combination of country risk indices (ITUC Global Rights Index, US Department of Labor List of Goods Produced by Child Labor), commodity risk profiles, and existing supplier performance data. Focus on Tier 1 and critical Tier 2 suppliers initially; plan for deeper-tier mapping in subsequent phases.

A practical risk matrix combines three dimensions:

Risk Dimension	Low Risk	Medium Risk	High Risk
Country	ITUC rating 1-2	ITUC rating 3	ITUC rating 4-5+
Commodity	Low labor intensity	Moderate labor intensity	High labor intensity (agriculture, mining, garments)
Supplier relationship	Long-term, audited	Moderate tenure	New, subcontracted, or informal

Weeks 4-5: Select technology and service partners.

Evaluate HRDD platforms across four criteria: risk intelligence coverage (country, commodity, and supplier-level data), grievance mechanism capabilities, audit management and corrective action tracking, and regulatory reporting automation. Leading platforms in the market include Sedex (250,000+ supplier profiles), EcoVadis (130,000+ rated companies), and specialized solutions such as Ulula (worker voice technology) and Sourcemap (supply chain mapping).

Request demonstrations from 3-4 vendors. Prioritize platforms that integrate with your existing ERP and procurement systems. Budget $50,000-150,000 annually for mid-market solutions; $200,000-500,000+ for enterprise-grade platforms with deep-tier mapping and real-time monitoring.

Deliverables by Day 45:

• Supplier risk segmentation with at least 80% of Tier 1 spend categorized
• Vendor shortlist with evaluation scorecards
• Technology selection decision and contract initiation
• Updated supplier code of conduct reflecting UNGP expectations

Days 46-75: Pilot Design and Launch

Weeks 7-8: Design the pilot program.

Select 20-30 suppliers representing a cross-section of risk levels, geographies, and commodity categories. The pilot should include at least 5 high-risk suppliers to test the program's ability to identify and address real issues. Define success metrics: assessment completion rates, issue identification rates, corrective action plan acceptance, and time to remediation.

Pilot components to deploy:

1. Self-assessment questionnaires (SAQs): Use standardized frameworks such as the Sedex Members Ethical Trade Audit (SMETA) or the Responsible Business Alliance (RBA) Self-Assessment Questionnaire. Customize for your salient issues.

2. Worker voice channels: Deploy anonymous worker feedback mechanisms through mobile-based platforms. Ulula, WOVO, or Laborlink enable SMS and app-based surveys in local languages. Target a minimum 30% worker participation rate.

3. Desktop risk screening: Run pilot suppliers through risk intelligence databases to cross-reference against forced labor indicators, environmental violations, and sanctions lists.

4. On-site verification: Schedule 3-5 announced audits during the pilot period for highest-risk suppliers. Use the ILO forced labor indicators as a structured assessment framework.

Weeks 9-10: Execute and iterate.

Launch SAQs and worker voice channels simultaneously. Track response rates daily and follow up with non-responsive suppliers within 5 business days. Analyze incoming data for patterns: are certain geographies or commodities generating more red flags? Are worker voice responses consistent with supplier self-assessments?

Deliverables by Day 75:

• Pilot launch across 20-30 suppliers
• Worker voice mechanism operational with baseline participation data
• Initial findings report identifying issues and remediation priorities
• Refined assessment methodology based on pilot learnings

Days 76-90: Operationalize and Scale

Weeks 11-12: Build operational processes.

Translate pilot findings into standard operating procedures. Define escalation pathways: what triggers a deeper investigation, a supplier corrective action plan, or supplier disengagement. Establish remediation timelines: critical issues (forced labor indicators, child labor) require 48-hour escalation; serious issues (excessive overtime, wage violations) require 30-day corrective action plans; improvement opportunities (policy gaps, training needs) can follow 90-day improvement cycles.

Create the ongoing monitoring cadence:

• Quarterly: Risk intelligence updates and SAQ refreshes for high-risk suppliers
• Semi-annually: Worker voice pulse surveys across all monitored suppliers
• Annually: Full reassessment of supplier risk segmentation and program effectiveness
• Continuous: Media monitoring, sanctions screening, and grievance channel review

Weeks 12-13: Prepare for scale.

Develop internal training modules for procurement teams. Every buyer should understand the HRDD policy, know how to interpret supplier risk scores, and be capable of conducting basic supplier conversations about labor rights. Plan the Phase 2 rollout to cover 100% of Tier 1 suppliers and critical Tier 2 suppliers within 12 months.

Deliverables by Day 90:

• Operational HRDD program covering pilot suppliers
• Standard operating procedures for risk assessment, escalation, and remediation
• Procurement team training completed
• Phase 2 scaling plan with timeline and resource requirements
• Board report documenting program status, key findings, and resource needs

What's Working

Patagonia's Responsible Sourcing Program has mapped suppliers to Tier 4 (raw material level) across its supply chain, covering 100% of Tier 1 and 75% of Tier 2 suppliers. The company publishes a complete supplier list and conducts over 300 audits annually. Its worker voice program, launched in 2015, has resolved over 2,000 worker grievances and identified systemic issues that traditional audits missed, including recruitment fee repayment affecting migrant workers in Taiwan.

Unilever's Human Rights Acceleration Plan deployed a risk-based approach covering 62,000 suppliers across 190 countries. The company invested in worker voice technology through partnerships with Ulula, reaching 300,000+ workers with mobile-based feedback channels. Since 2020, Unilever reports a 40% reduction in serious labor rights findings across monitored suppliers.

Apple's Supplier Responsibility Program conducts over 1,100 supplier assessments annually and has driven $32 million in wage repayments to workers since 2008. Apple publishes detailed supplier responsibility reports and has pioneered the use of third-party recruitment fee repayment requirements across its electronics supply chain.

What's Not Working

Audit fatigue remains a systemic problem. Suppliers serving multiple brands may undergo 10-20 social audits per year from different buyers, each with slightly different standards. The duplication costs suppliers $5,000-15,000 per audit while producing diminishing returns on issue identification. Mutual recognition of audit frameworks (SMETA, RBA, SA8000) is improving but remains inconsistent.

Deep-tier visibility is limited. Most programs cover Tier 1 and some Tier 2 suppliers effectively, but Tier 3+ visibility (where many of the most severe risks concentrate) remains below 20% even for leading companies. Minerals supply chains, agricultural commodities, and subcontracted manufacturing are particularly opaque.

Remediation versus disengagement tension persists. When serious issues are identified, companies face pressure to cut ties with suppliers. However, abrupt disengagement can worsen conditions for workers by eliminating the economic leverage that drives improvement. The UNGPs explicitly call for responsible disengagement only after remediation efforts have failed and ongoing engagement is not feasible.

Key Players

Established Leaders

• Sedex: Global platform with 250,000+ supplier profiles across 180 countries. Hosts the SMETA audit methodology used by 40,000+ companies.
• EcoVadis: Sustainability ratings platform covering 130,000+ companies across 220 industries. Provides scorecards on labor, ethics, environment, and procurement practices.
• Bureau Veritas: Global testing, inspection, and certification company offering social audits, supply chain assurance, and HRDD advisory services across 140 countries.
• SGS: World's largest testing, inspection, and certification company. Conducts thousands of social compliance audits annually across all major manufacturing regions.

Startups and Innovators

• Ulula: Worker voice technology platform enabling real-time worker engagement via SMS and mobile app in 100+ languages. Used by Unilever, Mars, and the IFC.
• Sourcemap: Supply chain mapping and traceability platform. Provides deep-tier visibility through supplier network mapping and risk analytics.
• Altana AI: AI-powered supply chain intelligence platform mapping global trade networks. Used by US Customs for UFLPA enforcement.
• FairAgora Asia: Technology platform for ethical sourcing in Asian agricultural and seafood supply chains, combining satellite monitoring with worker surveys.

Key Investors and Organizations

• International Labour Organization (ILO): Sets international labor standards and provides technical guidance on forced labor indicators and decent work.
• Business & Human Rights Resource Centre: Tracks corporate human rights performance across 10,000+ companies. Publishes the Corporate Human Rights Benchmark.
• Shift: Leading center of practice on the UNGPs. Provides implementation guidance and convenes multi-stakeholder initiatives.

Action Checklist

• Appoint HRDD steering committee with executive sponsor
• Complete gap analysis against UNGPs and applicable regulations
• Identify 3-5 salient human rights issues for your sector and supply chain
• Segment Tier 1 suppliers by risk level (country, commodity, relationship)
• Select and contract HRDD technology platform
• Update supplier code of conduct with UNGP-aligned expectations
• Launch pilot with 20-30 suppliers across risk segments
• Deploy worker voice mechanism with target 30%+ participation
• Conduct on-site audits for highest-risk pilot suppliers
• Define escalation pathways and remediation timelines
• Train procurement teams on HRDD policy and risk interpretation
• Establish quarterly monitoring cadence and annual reassessment
• Prepare Phase 2 scaling plan for full Tier 1 coverage within 12 months
• Report findings and resource needs to board

FAQ

What is the minimum viable HRDD program for a mid-size company? At minimum, a company needs a human rights policy statement, a supplier risk assessment covering Tier 1 suppliers, a grievance mechanism accessible to affected stakeholders, and a documented process for addressing identified issues. Under the EU CSDDD, companies must also integrate due diligence into corporate strategy and report publicly on effectiveness. Budget $100,000-300,000 for the first year including technology, staffing, and audit costs.

How do we handle suppliers that refuse to cooperate with assessments? Start with clear contractual requirements: include HRDD cooperation clauses in all new and renewed contracts. For existing suppliers, communicate expectations with 6-12 months of lead time. If a supplier refuses after engagement efforts, assess whether the relationship is commercially critical. For non-critical suppliers, disengagement may be appropriate. For critical suppliers, escalate engagement through joint industry initiatives or buyer coalitions that increase leverage.

Should we audit suppliers ourselves or use third-party auditors? Most companies use a combination. Third-party auditors (SGS, Bureau Veritas, Intertek) provide independence and credibility, while internal assessments build organizational capability and deeper supplier relationships. For high-risk suppliers, unannounced third-party audits combined with worker voice channels provide the most reliable picture. Budget $3,000-8,000 per third-party social audit depending on complexity and geography.

How do we prioritize when resources are limited? Follow the UNGPs severity framework: prioritize by scale (how grave the impact), scope (how many people affected), and irremediability (how difficult it is to restore affected people to their prior situation). In practice, this means forced labor, child labor, and safety risks always come first, followed by wages and working hours, then freedom of association and discrimination. Geographically, focus on countries rated 4 or 5 on the ITUC Global Rights Index.

What regulations should North American companies prepare for now? The UFLPA is already in full enforcement. Canada's Fighting Against Forced Labour and Child Labour in Supply Chains Act (S-211) requires annual reporting. The EU CSDDD will apply to non-EU companies with significant EU revenue. California's Transparency in Supply Chains Act applies to companies with $100 million+ in gross worldwide receipts. Prepare for convergence: building a UNGPs-based program satisfies the common foundation across all of these frameworks.

Sources

1. Business & Human Rights Resource Centre. "Corporate Human Rights Benchmark 2025." BHRRC, 2025.
2. European Commission. "Corporate Sustainability Due Diligence Directive: Implementation Guidance." EC, 2025.
3. International Labour Organization. "Hard to See, Harder to Count: Guidelines on Forced Labour Indicators." ILO, 2024.
4. US Customs and Border Protection. "UFLPA Enforcement Statistics." CBP, 2025.
5. Shift. "UNGPs 10+: From Implementation to Impact." Shift Project, 2025.
6. German Federal Office for Economic Affairs and Export Control. "Supply Chain Due Diligence Act: First Year Enforcement Report." BAFA, 2025.
7. EcoVadis. "Global Supply Chain Sustainability Performance Report." EcoVadis, 2025.