
From Regulatory Obligation to Strategic Prioritisation
Human rights risk assessments are no longer a “nice to have.” For large and mid-sized groups operating across multiple jurisdictions, they are both a regulatory requirement and a core governance responsibility. But beyond compliance, they are a strategic tool: they allow organisations to understand where they may cause, contribute to, or be directly linked to harm, and to prioritise action accordingly.
This article outlines:
We focus primarily on assessing risks within a company’s own operations across the group. Supply chain actors must also be examined, and are required under several laws, but starting with your own operations is both a regulatory expectation and the logical first step. It is where companies have the greatest control, the best access to information, and the strongest ability to prevent and remediate harm.
In several jurisdictions, conducting a human rights risk assessment is not optional.
Germany - LKSG
Under the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – “LKSG”), companies must conduct regular risk analyses to identify human rights and environmental risks within:
The law requires:
Importantly, the LKSG embeds the concept of proportionality: companies must act according to the severity of risk and their capacity to influence the entity involved.
France - Duty of Vigilance
France’s Loi de vigilance requires large companies to establish and implement a vigilance plan including:
Unlike the LKSG, which at least sets out the criteria by which identified risks are to be weighted and prioritised (severity, probability, the company's ability to influence the risk, and its contribution to it), the French law does not prescribe a scoring methodology. It is outcome-based and leaves methodological design largely to companies, which increases the importance of having a defensible and well-documented approach.
The EU Framework
At EU level, the Corporate Sustainability Due Diligence Directive further strengthens due diligence expectations, requiring companies to identify, assess, prioritise, prevent and mitigate adverse human rights and environmental impacts across their own operations, their subsidiaries and their chain of activities.
The Directive emphasises prioritisation based primarily on severity, not business risk, reinforcing the principles established in the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Due Diligence Guidance for Responsible Business Conduct.
The Corporate Sustainability Due Diligence Directive was formally adopted in 2024 and must now be transposed into national law by July 2026, with phased application for large companies beginning between 2027 and 2029.
Human rights risk assessment is fundamentally about risk to people, not risk to the company. This distinction is critical. Traditional enterprise risk management focuses on financial, reputational or operational risk to the business. Human rights assessments and due diligence focus on:
Under the UNGPs, companies must prioritise based on the severity of impact on people, even where the likelihood of that impact is low. A structured assessment allows companies to:
Running human rights risk assessments in large, complex groups is rarely straightforward. What starts as a structured exercise can quickly turn into a coordination nightmare: endless email chains, scattered spreadsheets, inconsistent scoring, and significant time spent chasing responses. The challenge is not only logistical, it’s also about making sure the assessment captures the true picture of risk across diverse geographies, business units, and operational realities.
Large groups typically operate multiple business units and dozens if not hundreds of subsidiaries across both high-risk and low-risk jurisdictions, often within decentralised governance structures.
Each entity has a distinct risk profile shaped by local labour markets, the quality of regulatory enforcement, sector-specific exposure, workforce composition, and business model characteristics.
Coordinating risk inputs across this level of complexity can be challenging. It often results in endless email exchanges, manual questionnaires, inconsistent scoring approaches, time-consuming consolidation, and limited traceability for both coordinators and regulators. These factors make it difficult to produce a reliable, actionable view of human rights risk across the group.
Human rights risk categories are extensive.
The LKSG alone lists risks such as child labour, forced labour, slavery, occupational health and safety violations, discrimination, wage violations, environmental contamination, unlawful eviction, security force abuses, and mercury or hazardous waste violations.
When these risks are considered across multiple countries, legal entities and business activities, the resulting data volume becomes substantial.
The real challenge is not simply identifying possible risks, but determining which are the most severe and salient, and therefore require prioritised action.

C. How to Conduct a Human Rights Risk Assessment Step by Step
The following approach aligns with internationally recognised standards and regulations, including the UN Guiding Principles on Business and Human Rights (UNGPs), OECD Due Diligence Guidance, the German LKSG, the French Duty of Vigilance, and the EU Corporate Sustainability Due Diligence Directive (CSDDD).
Begin by building a structured catalogue of potential risks, drawing on multiple sources. This should include the annexed risk categories under the LKSG, relevant international conventions such as ILO standards and UN treaties, sector-specific risk analyses, country risk indices, internal incident data, and insights gathered from stakeholders within your own organisation.
This comprehensive approach ensures that your risk universe reflects both regulatory requirements and the real operational context of your group. Below some of the most common risks, grouped by categories:
Labour and Human Rights Risks
These reflect ILO conventions and are explicitly referenced under German law.
Environmental harm becomes relevant when it leads to or risks human rights violations (e.g., loss of access to water, health impacts, displacement).
These relate to international conventions such as Minamata and Basel, incorporated into European due diligence frameworks. At this stage, you are constructing your structured risk universe.
A robust and credible human rights risk assessment cannot be purely desk-based. Under the UNGPs and OECD guidance, companies should actively seek input from workers and trade unions, employee representatives, potentially affected communities, civil society organisations, and local experts. Engaging stakeholders in this way improves the accuracy of risk identification, lends legitimacy to the prioritisation of risks, and enables early detection of emerging issues. It also strengthens the defensibility of the assessment under both German and French law.
A. Assess Likelihood
When assessing likelihood, companies should consider not only past incidents but also broader contextual factors, including country risk exposure, sector-specific inherent risks, workforce vulnerability, and elements of the business model that may increase exposure. Likelihood can then be categorised to guide prioritisation: High for risks that are frequent or structurally inherent, Medium for risks that are likely based on contextual exposure, and Low for risks with limited structural exposure.
B. Assess Severity
Under the UNGPs, severity is the primary factor for prioritising human rights risks and is assessed along three dimensions: scale (the gravity of the impact), scope (the number of people affected), and irremediability (the extent to which the harm can be put right) (UNGPs, Commentary to Principle 14).
Scale refers to the gravity of the impact. High scale covers outcomes such as death or serious health impairments that lead to a significant reduction in quality of life or longevity.
Medium scale encompasses concrete human rights violations affecting access to basic necessities, such as education or livelihood, severe impacts on cultural, economic or social infrastructure, and significant ecosystem damage that affects livelihoods.
Low scale applies to all other impacts that do not meet the criteria for high or medium scale.
Scope considers how many people are affected by a given risk. This may range from a small group within an organisation, to an entire community, a large workforce, or even multiple communities, depending on the nature and reach of the adverse impact.
Irremediability assesses whether the harm can be remedied.
High irremediability refers to impacts that are difficult or impossible to remediate, such as death, permanent health damage or irreversible environmental contamination, while low irremediability describes harm that can readily be corrected or restored.
Many organisations evaluate scale, scope and irremediability separately and then combine them into an overall severity score. The UNGPs do not prescribe a formula for this combination, and a harm does not need to rate highly on all three dimensions to count as severe: an impact that is irremediable, or grave for a single person, can be severe even if its scope is small.
Crucially, high-severity impacts must be prioritised even if their likelihood is low, a principle that sets human rights risk assessments apart from traditional enterprise risk management approaches.
Once risks have been assessed, they can be plotted on a matrix with likelihood on the X-axis and severity on the Y-axis. However, it is important to remember that high-severity risks should not be deprioritised simply because their probability appears low. The matrix serves as a management tool to visualise and organise risks, rather than as a mechanical decision-maker dictating prioritisation.
Prioritisation should result in a clear set of top risks for each entity, a consolidated group-level overview, assigned ownership for each risk, and documented justification for all decisions. Under the LKSG and French Duty of Vigilance, companies must be able to demonstrate how risks were identified, how prioritisation was carried out, and how decisions were made. Thorough documentation and traceability are therefore critical to ensure regulatory compliance and support defensibility.
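The following is an added example, not part of the original article and not a methodology prescribed by the LKSG, the French law or the UNGPs. It implements the scoring logic described above for a handful of constructed entity-level risks: each of scale, scope, irremediability and likelihood is rated low, medium or high; severity is derived from the first three; and prioritisation uses severity as the primary key so that a high-severity risk is never pushed down the list by a low likelihood. The mapping of ratings to numbers, the banding thresholds and the sample risks are all assumptions made for the illustration, and the naive likelihood-times-severity product is included only to show how a generic enterprise risk matrix would rank the same risks differently.

```python
"""Added example: severity-first prioritisation of human rights risks.

Assumptions (not taken from any law or standard):
- each dimension is rated "low"/"medium"/"high" and mapped to 1/2/3;
- severity band is "high" if scale or irremediability is high, or if
  the three dimensions sum to 7 or more; "medium" if they sum to 5 or 6;
  otherwise "low";
- SAMPLE_RISKS are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    entity: str            # legal entity or business unit
    category: str          # e.g. an LKSG annex risk category
    scale: str             # gravity of the impact
    scope: str             # number of people affected
    irremediability: str   # how hard the harm is to put right
    likelihood: str        # contextual likelihood, not business probability


def severity_total(r: Risk) -> int:
    """Sum of the three severity dimensions (3..9), assumed combination rule."""
    return LEVEL[r.scale] + LEVEL[r.scope] + LEVEL[r.irremediability]


def severity_band(r: Risk) -> str:
    """Any single 'high' on scale or irremediability makes the impact severe."""
    total = severity_total(r)
    if r.scale == "high" or r.irremediability == "high" or total >= 7:
        return "high"
    if total >= 5:
        return "medium"
    return "low"


def naive_matrix_score(r: Risk) -> int:
    """Plain likelihood x severity product, as a generic ERM matrix would rank it."""
    return LEVEL[r.likelihood] * severity_total(r)


def priority_tier(r: Risk) -> int:
    """1 = act first. Severity decides the tier; likelihood only orders within it."""
    band = severity_band(r)
    if band == "high":
        return 1                      # regardless of likelihood
    if band == "medium" and r.likelihood != "low":
        return 2
    return 3


def prioritise(risks):
    """Order by tier, then by likelihood (desc), then by severity total (desc)."""
    return sorted(
        risks,
        key=lambda r: (priority_tier(r), -LEVEL[r.likelihood], -severity_total(r)),
    )


def group_overview(risks):
    """Consolidate per category across entities: best tier and which entities carry it."""
    out = defaultdict(lambda: {"tier": 3, "entities": []})
    for r in risks:
        out[r.category]["tier"] = min(out[r.category]["tier"], priority_tier(r))
        out[r.category]["entities"].append(r.entity)
    return dict(out)


# Constructed sample input: one risk per entity, chosen so that the naive
# product and the severity-first rule disagree on the order.
SAMPLE_RISKS = [
    Risk("Subsidiary A (mining)", "security force abuses", "high", "low", "high", "low"),
    Risk("Subsidiary B (retail)", "wage violations", "medium", "high", "low", "high"),
    Risk("Subsidiary C (logistics)", "occupational health and safety", "high", "medium", "high", "medium"),
    Risk("Subsidiary D (office)", "discrimination", "low", "low", "low", "medium"),
]

if __name__ == "__main__":
    print("Severity-first order:")
    for r in prioritise(SAMPLE_RISKS):
        print(f"  tier {priority_tier(r)}  {r.entity:28} {r.category:32} "
              f"severity={severity_band(r):6} likelihood={r.likelihood}")
    print("Naive likelihood x severity order:")
    for r in sorted(SAMPLE_RISKS, key=naive_matrix_score, reverse=True):
        print(f"  score {naive_matrix_score(r):2}  {r.entity:28} {r.category}")
    print("Group overview:", group_overview(SAMPLE_RISKS))
```

Run as written, the low-likelihood but irremediable security-force risk at Subsidiary A sits in tier 1, second overall, whereas the naive product ranks it third behind the frequent but remediable wage risk at Subsidiary B. Whatever thresholds an organisation chooses, the band and tier assigned to each risk, together with the rationale, are what should be recorded so the prioritisation can be explained to regulators later.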
A human rights risk assessment is not a one-off exercise. Under the LKSG, it must be conducted annually and updated on an ad hoc basis whenever circumstances change, such as entering new markets, completing acquisitions, launching new product lines, or making significant changes to suppliers.
To deploy the assessment effectively across a group, organisations should standardise the methodology, define responsibilities at the entity level, centralise oversight, maintain version control and audit trails, and provide training to local teams. In practice, strong governance architecture becomes just as important as the legal methodology itself.
For each prioritised risk, organisations should implement a combination of preventive, detective and remedial measures. Preventive measures may include policy updates (including the formal policy statement required under LKSG §6), training, supplier contractual clauses and pre-qualification screening. Detective measures include audits, monitoring indicators and whistleblowing channels, building on the complaints procedure that is mandatory under LKSG §8. Remedial measures involve grievance mechanisms, corrective action plans, engagement with stakeholders and remediation wherever harm has occurred.
A human rights risk assessment is only meaningful if it leads to action: identifying risks alone is not sufficient.
Human rights risk assessments are legally required under the LKSG, the French Duty of Vigilance, and increasingly under EU law. But beyond compliance, they provide strategic clarity, defensible prioritisation, stronger governance, and better protection for people.
The challenge is not designing a methodology, it is deploying it consistently across entities, with stakeholder input, full traceability, and without drowning in spreadsheets.
Crucially, a risk assessment exercise is just the start of the work.
It helps identify your most salient risks and directly informs your group’s roadmap for the year, guiding where to allocate resources, which mitigation measures to implement first, and how to engage stakeholders most effectively. A structured, centralised platform can standardise scoring, integrate inputs, automate reminders, consolidate group-level insights, and maintain defensible audit trails, allowing compliance and sustainability teams to focus on what truly matters: preventing harm.
Ultimately, the goal of human rights risk assessment is not reporting, but rather meaningful, measurable impact prevention.
