In the Weeds is a series addressing the real, operational challenges faced by the people responsible for human rights due diligence (HRDD), ESG and ethical trade inside organisations. If you have a problem you’d like addressed in a future post, share it via our contact form.
This post follows directly from the first in the series, which addressed the challenge of limited budget and resource. One of the most common follow-up questions that comes with that territory is this: if I’m supposed to take a risk-based approach and focus where the risks are most severe – how do I know where that is when I don’t have enough resource to do a proper assessment in the first place?
It’s a genuine catch-22. And before getting to the practical answer, it’s worth addressing a conceptual point that often gets in the way, because understanding what risk-based prioritisation actually means in the HRDD context changes how you approach the problem.
HRDD Is Basically a Risk Management System – With One Critical Difference
Most organisations already have risk management systems – operational risk, financial risk, reputational risk, regulatory risk. The logic is familiar: identify what could go wrong, assess how likely and how serious it is, prioritise accordingly, put mitigation in place, monitor.
HRDD follows the same basic architecture. It is, at its most fundamental, a risk management system. The tools, the logic, the escalation structures – these are all recognisable to anyone who has worked with enterprise risk management (ERM). Which means that for a practitioner trying to make the case internally for HRDD, or trying to integrate it into existing business processes, the ERM framing is genuinely useful. You are not asking the business to do something alien. You are asking it to apply a familiar discipline to a different question.
And that is where the critical difference lies. In standard enterprise risk management, the question being asked is: what is the risk to the business? Prioritisation is determined by the severity of harm to the business, balanced against the likelihood of that harm occurring. In HRDD, the primary question is different: what is the risk to people? Severity is measured by the scale, scope and irremediability of harm to workers, communities and individuals in or connected to the value chain, not by financial exposure for the company.
This is not a subtle distinction. It is a fundamental re-orientation of what you are measuring and why. And it has direct practical consequences for how you prioritise.
Why the Difference Matters
Risk to people and risk to business are not unrelated (the first post in the HRDD 2026 series made the commercial case at length). Litigation exposure, regulatory liability, supply chain disruption, reputational damage – these are all, ultimately, business consequences of human rights harm. Understanding HRDD as a resilience and risk management tool is both legitimate and useful.
But the sequence matters. In HRDD, you identify and assess risk to people first. The business risk implications are considered afterwards, as a consequence of what the human rights risk/impact assessment finds and to inform the proportional response; not as the primary filter through which you decide where to look.
Why does this matter in practice? Because if you start with “what is the risk to us,” you will systematically underassess impacts on people that don’t immediately translate into visible business exposure. And those are precisely where the most serious harms tend to sit – in lower tiers of the supply chain, in geographies with weak enforcement, in communities with limited access to legal remedy, among workers with no channel to raise concerns. The harms that are hardest for the business to see are often the most severe for the people experiencing them.
The mindset shift — from risk to business to risk to people — is not just a values question. It is a methodological one. It determines what you find.
What This Means for Prioritising With Limited Resource
Once you understand that severity of harm to people is your primary filter, the prioritisation question becomes more manageable, even with limited resource. You are asking: where are people most likely to be seriously harmed, in ways that are hard to reverse, potentially affecting large numbers of people?
That question can be partially answered before you do any original assessment at all. It won’t give you a complete picture (nothing replaces genuine engagement with affected people and direct assessment of your specific value chain) but it will give you a principled, evidence-based starting point. And a documented, reasoned starting point is considerably more defensible – legally, ethically and operationally – than either paralysis or guesswork.
Here is what that looks like in practice:
1. Start With What the Evidence Already Tells You
- Use publicly available risk intelligence: A significant amount of relevant risk data exists and is freely accessible. Global and country-level datasets that are relevant as proxy human rights indicators – covering issues like gender equality, freedom of association, migrant labour vulnerability, child labour prevalence, enforcement capacity and conflict – are published by a range of organisations (like the UN agencies, the World Bank, NGOs and CSOs and government or multilateral sources). Sector and commodity-level risk profiles – identifying which industries and supply chain stages carry the highest risk of specific harms – exist for most of the sectors your organisation is likely to be sourcing from. These are not a substitute for your own assessment but they are a legitimate and proportionate input to a first-cut prioritisation. They tell you where, in general, the conditions for serious harm are most likely to be present.
- Look at what your regulatory obligations are already flagging: CSDDD, the UFLPA, the EU Forced Labour Regulation, sector-specific legislation – these proliferating legal instruments don’t just create obligations, they also signal where legislators and enforcement bodies consider the risks to be most severe. The commodities subject to the UFLPA rebuttable presumption, the sectors covered by sector-specific OECD guidance, the geographies flagged in import ban enforcement activity – these are all evidence-based risk signals that a practitioner can use to inform prioritisation without doing original research.
- Draw on published HRIAs and sector assessments in your industry: One of the most underused resources available to practitioners is the body of human rights impact assessments that companies and multi-stakeholder initiatives have already published in your sector. A published HRIA from a company operating in a similar context tells you what rigorous assessment of that context found – the salient issues, the affected groups, the systemic risk factors. It is not your assessment, but it is credible evidence about the risk landscape you are operating in. Similarly, sector-level risk analyses produced by industry bodies, multi-stakeholder initiatives (MSIs) and similar groups provide a picture of where the most significant and systemic harms are occurring in your industry.
- Start with what you already know: Most practitioners have more relevant knowledge than they give themselves credit for. Your procurement and sourcing teams know which supplier relationships are under commercial stress, which geographies have historically produced audit findings, which commodities carry known risks. A structured internal conversation with procurement, legal, sustainability and any others with relevant knowledge is a rapid, low-cost way of building a first picture of where the risks are likely to be most concentrated. It is also the beginning of the cross-functional relationship-building that effective HRDD requires anyway.
- Use your ecosystem: The multi-stakeholder initiatives and industry bodies relevant to your sector often have shared risk intelligence, sector-specific risk mapping tools, and access to collective knowledge about where the most serious issues are occurring across the industry. If you are a member, use them. If you are not, their publicly available publications and guidance documents may still be a valuable source of sector-level risk intelligence.
2. Document Your Reasoning
Whatever starting point you arrive at, document how you got there. Record what sources you used, what they told you, what assumptions you made, and where the gaps in your knowledge are. This matters for three reasons:
- First, it makes your prioritisation defensible to leadership, to regulators, to any external scrutiny. You are not claiming to have done a comprehensive assessment. You are demonstrating that you have applied a principled, evidence-based approach to the resource you have.
- Second, it creates the foundation for your next iteration. HRDD is a cyclical, ongoing process. Your first-cut prioritisation will be imperfect – that is expected and acceptable. What matters is that you can show how it will be refined as you learn more, engage more deeply with affected stakeholders, and build your evidence base over time.
- Third, it protects you. In the event of a finding, a complaint, or a legal challenge, a documented reasoning process – even an imperfect one – demonstrates that you took the question seriously and acted proportionately and in good faith on the information available to you. That is a very different position from having no documented rationale at all.
Finally
There is no clean solution to this catch-22. Limited resource means your first prioritisation will be based on incomplete information. What matters is that you start somewhere credible and principled, document your reasoning, and treat the first prioritisation as the beginning of an iterative process rather than a definitive answer. An imperfect, documented, evidence-informed starting point is not a failure of HRDD. It is HRDD working as it is designed to work under real-world constraints.
The next step, once you have a working prioritisation, is genuine engagement with the people most likely to be affected. That is where the picture becomes more accurate, and where the real work begins. It is also the subject of a future post in this series.
What’s your biggest operational challenge as a practitioner responsible for HRDD, ESG or ethical trade? Share it with us at info@clairelynchconsulting.com (or via the contact form) and it may become the subject of a future post in this series.
Claire Lynch Consulting is a business and human rights advisory practice specialising in social impact, human rights due diligence and responsible sourcing. We help organisations move from insight to impact.
