Responsible Business: Prioritising When You Don’t Have the Resource to Assess Everything

In the Weeds is a series addressing the real, operational challenges faced by the people responsible for human rights due diligence (HRDD), ESG and ethical trade inside organisations. If you have a problem you’d like addressed in a future post, share it via our contact form.


This post follows directly from the first in the series, which addressed the challenge of limited budget and resource. One of the most common follow-up questions that comes with that territory is this: if I’m supposed to take a risk-based approach and focus where the risks are most severe – how do I know where that is when I don’t have enough resource to do a proper assessment in the first place?

It’s a genuine catch-22. And before getting to the practical answer, it’s worth addressing a conceptual point that often gets in the way, because understanding what risk-based prioritisation actually means in the HRDD context changes how you approach the problem.


HRDD Is Basically a Risk Management System – With One Critical Difference

Most organisations already have risk management systems – operational risk, financial risk, reputational risk, regulatory risk. The logic is familiar: identify what could go wrong, assess how likely and how serious it is, prioritise accordingly, put mitigation in place, monitor.

HRDD follows the same basic architecture. It is, at its most fundamental, a risk management system. The tools, the logic, the escalation structures – these are all recognisable to anyone who has worked with enterprise risk management (ERM). Which means that for a practitioner trying to make the case internally for HRDD, or trying to integrate it into existing business processes, the ERM framing is genuinely useful. You are not asking the business to do something alien. You are asking it to apply a familiar discipline to a different question.

And that is where the critical difference lies. In standard enterprise risk management, the question being asked is: what is the risk to the business? Prioritisation is determined by the severity of harm to the business, balanced against the likelihood of that harm occurring. In HRDD, the primary question is different: what is the risk to people? Severity is measured by the scale, scope and irremediability of harm to workers, communities and individuals in or connected to the value chain, not by financial exposure for the company.

This is not a subtle distinction. It is a fundamental re-orientation of what you are measuring and why. And it has direct practical consequences for how you prioritise.


Why the Difference Matters

Risk to people and risk to business are not unrelated (the first post in the HRDD 2026 series made the commercial case at length). Litigation exposure, regulatory liability, supply chain disruption, reputational damage – these are all, ultimately, business consequences of human rights harm. Understanding HRDD as a resilience and risk management tool is both legitimate and useful.

But the sequence matters. In HRDD, you identify and assess risk to people first. The business risk implications are considered afterwards, as a consequence of what the human rights risk/impact assessment finds and to inform the proportional response; not as the primary filter through which you decide where to look.

Why does this matter in practice? Because if you start with “what is the risk to us,” you will systematically underassess impacts on people that don’t immediately translate into visible business exposure. And those are precisely where the most serious harms tend to sit – in lower tiers of the supply chain, in geographies with weak enforcement, in communities with limited access to legal remedy, among workers with no channel to raise concerns. The harms that are hardest for the business to see are often the most severe for the people experiencing them.

The mindset shift — from risk to business to risk to people — is not just a values question. It is a methodological one. It determines what you find.


The Four Dimensions of Severity

Once you have made that shift, the next question is: how do you assess severity of harm to people in practice? The UN Guiding Principles give us four dimensions that together form the prioritisation filter.

  • Scale: how serious is the potential harm to the individual(s) experiencing it? For example, forced labour, loss of life, serious physical injury and destruction of livelihood sit at the most severe end. The more serious the harm to the individual or group, the higher it should sit in your prioritisation regardless of how many people are affected.
  • Scope: how many people are affected or potentially affected? A harm affecting thousands of workers across multiple factories in a high-volume commodity supply chain warrants more urgent attention than the same harm affecting a small number of people in a low-volume relationship — even if the harm to each individual is equally serious.
  • Irremediability: how reversible is the harm? Death, serious injury, displacement, loss of livelihood – these are hard or impossible to remedy after the fact. The UNGPs are explicit on this: where delayed response would make impacts irremediable, that should drive prioritisation even if the likelihood seems lower. The irreversibility of a harm is a reason to act earlier, not later.
  • Connection to the cause of the issue: what is the nature of your organisation’s relationship to the (potential) harm? Whether you caused it directly, contributed to it through your own practices — including your buying behaviour — or are linked to it through a business relationship with a third party determines both the urgency of your response and what kind and extent of response is appropriate. Harms your own commercial conduct is generating sit differently from harms occurring several tiers removed from your direct relationships. Critically, this dimension requires honest reflection on whether your own purchasing practices are part of the problem — a point we explored in the first In the Weeds post.

These four dimensions together are your prioritisation framework. When you are working through available evidence about where risks exist, the question you are asking about each one is: what do I know about the scale, scope, irremediability and connection to this issue — and what does that tell me about where to focus first?


What This Means for Prioritising With Limited Resource

With that framework in mind, here is how to start building a severity assessment when you don’t have the budget or capacity for a comprehensive original assessment.

(This won’t give you a complete picture – nothing replaces genuine engagement with affected people and direct assessment of your specific value chain – but it will give you a principled, evidence-based starting point. And a documented, reasoned starting point is considerably more defensible – legally, ethically and operationally – than either paralysis or guesswork.)

Here is what that looks like in practice:

1. Start With What the Evidence Already Tells You

  • Use publicly available risk intelligence – but read it through the severity lens: A significant amount of relevant risk data exists and is freely accessible. Global and country-level datasets that are relevant as proxy human rights indicators – covering issues like gender equality, freedom of association, migrant labour vulnerability, child labour prevalence, enforcement capacity and conflict – are published by a range of organisations including UN agencies, the World Bank, NGOs and CSOs, and government or multilateral sources. Sector and commodity-level risk profiles (identifying which industries and supply chain stages carry the highest risk of specific harms) exist for most of the sectors your organisation is likely to be sourcing from. These are not a substitute for your own assessment but they are a legitimate and proportionate input to a first-cut severity analysis. They tell you where, in general, the conditions for serious harm are most likely to be present, and reading them through the lens of scale, scope and irremediability helps you move from “this geography is high risk” to “here is why, and here is what that means for how urgently I need to focus there.”
  • Use your regulatory obligations as a severity signal: Legal instruments don’t just create compliance obligations; they signal where legislators and enforcement bodies have assessed the risks to people as most severe. Look at the commodities subject to UFLPA rebuttable presumption, the sectors covered by sector-specific OECD guidance, the geographies flagged in import ban enforcement activity. These are all evidence-based risk signals that a practitioner can use to inform prioritisation without doing original research. Using regulatory scope as an input to your severity assessment is both practical and defensible.
  • Draw on published HRIAs, sector assessments and peer company disclosures: Published human rights impact assessments from companies operating in similar contexts show you how other practitioners have already assessed severity across the four dimensions in comparable situations — what the salient issues were, who was most affected, what made certain harms particularly severe or irremediable. Where companies in your sector or adjacent industries have published salient issues lists (increasingly common as HRDD reporting expectations rise), these are a particularly useful shortcut. A salient issues list represents another organisation’s considered judgement, informed by assessment and stakeholder engagement, about where the most severe risks are concentrated in a comparable operating context. It is not your assessment, but it is credible, evidence-based input into yours. Similarly, sector-level risk analyses produced by industry bodies, multi-stakeholder initiatives (MSIs) and similar groups provide a picture of where the most significant and systemic harms are occurring in your industry that would take significant resource to replicate independently.
  • Start with what you already know – including about your own practices: Most practitioners have more relevant knowledge than they give themselves credit for. Procurement and sourcing teams know which supplier relationships are under commercial stress, which geographies have historically produced serious findings, which commodities carry known risks. A structured internal conversation about where risk is most likely to be concentrated is a rapid, low-cost starting point. It is also the beginning of the cross-functional relationship-building that effective HRDD requires anyway. Crucially, it should also include an honest conversation about your own buying practices – lead times, pricing, order change frequencies – because these may directly affect the scale and scope of potential harm in your supply chain. If your commercial conduct is generating risk, that is both a severity signal and a connection-to-issue indicator.
  • Use your ecosystem for collective severity intelligence: The multi-stakeholder initiatives and peer networks in your sector often have shared risk intelligence, sector-specific risk mapping tools, and access to collective knowledge about where the most serious issues are occurring across the industry. If you are a member, use them. If you are not, their publicly available publications and guidance documents may still be a valuable source of sector-level risk intelligence.

2. Document Your Reasoning

Whatever conclusions you arrive at from your severity assessment, document how you got there. Record what sources you used, what they told you about potential scale, scope, irremediability and connection, what assumptions you made, and where the gaps in your knowledge are. This matters for three reasons:

  • First, it makes your prioritisation defensible to leadership, to regulators, to any external scrutiny. You are not claiming to have done a comprehensive assessment. You are demonstrating that you have applied a principled, evidence-based approach to the resource you have.
  • Second, it creates the foundation for your next iteration. HRDD is a cyclical, ongoing process. Your first-cut prioritisation will be imperfect – that is expected and acceptable. What matters is that you can show how it will be refined as you learn more, engage more deeply with affected stakeholders, and build your evidence base over time.
  • Third, it protects you. In the event of a finding, a complaint, or a legal challenge, a documented reasoning process – even an imperfect one – demonstrates that you took the question seriously and acted proportionately and in good faith on the information available to you. That is a very different position from having no documented rationale at all.

Finally

There is no clean solution to this catch-22… and it is worth being direct about why. A risk assessment, however well-resourced and carefully constructed, is always an informed estimate. It is based on the best available evidence at a point in time, in this case filtered through the four dimensions of severity, and subject to the limitations of what you can know from the outside looking in. No risk assessment is complete. No prioritisation is final.

What matters is that you apply a principled framework in good faith to the information you have, focus your limited resource on addressing the issues where the evidence suggests harm is most severe, most widespread and hardest to remedy, and document your reasoning transparently. An imperfect, evidence-informed prioritisation that is honest about its limitations is not a failure of HRDD. It is HRDD working as it is designed to work under real-world constraints.

Prioritisation is also not a one-off exercise. The UNGPs explicitly acknowledge that where it is not possible to address all identified risks simultaneously, you begin with those that are most severe – and you return to the others as capacity allows and as your understanding develops. Your first prioritisation is the beginning of an iterative process, not a definitive answer. It will be refined as you engage more deeply with affected stakeholders, build your evidence base, and learn more about what is actually happening in your value chain.

That next step – genuine engagement with the people most likely to be affected – is where the picture becomes more accurate and where the real work begins. It is also the subject of a future post in this series.


What’s your biggest operational challenge as a practitioner responsible for HRDD, ESG or ethical trade? Share it with us at info@clairelynchconsulting.com (or via the contact form) and it may become the subject of a future post in this series.


Claire Lynch Consulting is a business and human rights advisory practice specialising in social impact, human rights due diligence and responsible sourcing. We help organisations move from insight to impact.
