A risk-based approach to modern slavery supplier due diligence

The organisational response to modern slavery due diligence has matured considerably since the introduction of the Modern Slavery Act 2018 (Cth).

However, one common practice persists: sending the same questionnaire to every supplier in your register, regardless of risk. If your organisation is still doing this, you could be simultaneously over-investing in low-risk supplier relationships and under-investing where the exposure to forced labour risk is greatest.

This article sets out why blanket supplier engagement approaches fall short, and how a robust risk-tiered methodology works in practice.

What is a risk-based approach to supplier due diligence?

A risk-based approach to supplier due diligence means directing the intensity of your resources and efforts in proportion to where risk to people is most significant. It requires organisations to assess risk against significance and proximity before allocating resources, in recognition that not all suppliers represent equal risk exposure.

Significance is assessed as a function of severity first, and then likelihood. 

  • Severity has the following dimensions: 
    • Scale: how serious is the adverse impact?
    • Scope: how far reaching is it? 
    • Irremediable character: how easy is it to reverse or make good?

Alongside significance, prioritisation also depends on proximity, meaning where your organisation's responsibility and leverage are highest. 

  • Where you are causing or contributing to harm, the obligation to act is strongest and most direct. 
  • Where you are directly linked to modern slavery through a supplier relationship, the obligation shifts toward finding or building leverage to influence practices further down the chain. 

What the guidance materials say

The OECD Due Diligence Guidance for Responsible Business Conduct is explicit on the importance of triaging risk. Enterprises should "identify general areas where the risk of adverse impacts is most significant and, based on this risk assessment, prioritise suppliers for due diligence." 

The Commonwealth Modern Slavery Act 2018 Guidance for Reporting Entities (May 2023) operationalises this principle through four recognised risk dimensions: sector and industry, products and services, geography, and entity.

The UN Guiding Principles on Business and Human Rights, which is the foundational document from which both instruments draw, likewise frames due diligence as proportionate to the severity and likelihood of harm. 

Why blanket supplier questionnaires fall short

The appeal of a uniform questionnaire approach is that it is relatively straightforward to administer. Send the same form to every supplier, collect responses, and file them away. But in practice, this is not a sufficiently robust and defensible approach to due diligence.

  • Inefficient resource allocation. An example of a blanket approach would be directing equivalent effort toward a domestic office supplies vendor as one would a garment manufacturer operating in a high-risk jurisdiction. The former presents negligible modern slavery exposure. The latter may warrant on-site auditing, worker interviews, and ongoing monitoring. Treating them identically means neither receives appropriate scrutiny.

  • Low response rates and tick-the-box outcomes. Suppliers who receive lengthy questionnaires often cannot meaningfully answer because the questions bear no relationship to their operations. They then quickly learn to complete them perfunctorily, or not at all. A 40% response rate on a generic questionnaire provides less insight than a 90% response rate on shorter, targeted ones calibrated to the supplier's actual risk profile.

  • Failure to scale for supplier size and sophistication. A questionnaire designed for a multinational contractor is inappropriate for a small regional subcontractor with ten employees. The inverse is also true: asking a large, ASX-listed logistics provider to complete a basic self-assessment when their published modern slavery statement runs to thirty pages wastes everyone's time and signals that your program lacks rigour.

  • Defensibility risk. Your methodology should demonstrate that risk to people drives prioritisation decisions. A blanket approach does not demonstrate that you understood your supply chain risks but merely shows that you applied a consistent process.

The four dimensions of supplier risk assessment

The Commonwealth Guidance's four risk dimensions provide a practical framework for triage.

  1. Sector and industry risk captures the structural characteristics of an industry that create vulnerability to modern slavery. These may include high labour intensity, fragmented supply chains, seasonal demand, subcontracting norms, and the use of migrant or temporary workers.

    Textiles, agriculture, construction, cleaning, and hospitality are consistently identified as elevated-risk sectors. This does not mean every supplier in these sectors presents the same exposure, but sector classification is a useful starting point.

  2. Products and services risk looks at what is being procured. Cobalt, cotton, palm oil, and seafood carry well-documented supply chain risks supported by international research. Cleaning services and labour hire arrangements (where workers are particularly vulnerable to wage theft, debt bondage, and document confiscation) warrant attention regardless of the supplier's apparent sophistication.

  3. Geographic risk considers the countries in which production occurs or workers are recruited. Countries with weak governance institutions, high prevalence of forced labour, significant migration flows, or active conflict present elevated risk. However, country-level prevalence indicators are not a substitute for industry-specific analysis. A jurisdiction may present low country-level risk but elevated risk within a specific sector. Geographic and industry risk should be assessed together.

  4. Entity risk is the dimension most dependent on direct supplier engagement. It encompasses governance maturity, the existence and quality of internal policies and due diligence systems, any known history of labour rights violations, business ownership structures, and recruitment practices. A supplier operating in a lower-risk sector may still present elevated entity risk if its governance is immature or its recruitment model relies heavily on third-party labour brokers.

The triage framework

Once suppliers have been assessed across these four dimensions, they can be allocated to tiers that determine the nature and intensity of due diligence.

  • Elevated risk suppliers require substantive, direct engagement. This may include on-site auditing, structured worker interviews, third-party certification against relevant standards, and the development of long-term supplier partnerships focused on remediation and capability uplift.

  • Moderate risk suppliers are suited to desktop-based assessment. This includes targeted disclosure requests calibrated to the specific risk dimensions identified, collaborative engagement to address gaps, and periodic monitoring. Where issues emerge, the response should be cooperative before it is contractual.

  • Low risk suppliers can be managed through lightweight self-assessment questionnaires, focused on confirming the basis for the low-risk classification and periodic monitoring that flags material changes in the supplier's operations or supply chain.

Calibrating to supplier size and sophistication

An often-overlooked dimension of a risk-tiered approach is calibrating the form of engagement to the supplier's size and sophistication, not just their risk profile.

Large and sophisticated entities

Where the supplier is itself a reporting entity, such as a major bank, a national telco, or a large logistics provider, the starting point should be a review of their published modern slavery statement. Under the Act, they are required to report on their own due diligence systems. Requesting that they complete your questionnaire before reviewing what they have already disclosed publicly signals a lack of rigour in your own process, and frequently produces responses that simply replicate their statement in a different format.

Small and medium entities

Where the supplier is small, low-sophistication, or operating in a high-risk sector, a heavyweight self-assessment questionnaire may produce responses that are aspirational rather than accurate, or may end up being beyond their capacity to complete. Suppliers that do this rarely act in bad faith; rather, they themselves may lack the information and systems to answer with confidence. In these cases, direct engagement, such as a conversation, a site visit, or a structured interview, will generate more reliable intelligence than a written disclosure. The due diligence framework should accommodate both.

Embedding due diligence across the procurement lifecycle

The most progressive and effective risk-tiered due diligence is embedded at every stage of the procurement lifecycle.

At the planning stage, category managers should identify the risk profile of the spend category before going to market. Draw on sector, product, and geographic risk indicators to inform the level of due diligence that will be required and the supplier characteristics that will be evaluated.

At the sourcing stage, due diligence requirements should be incorporated into tender documents and evaluated as part of supplier selection. For elevated-risk categories, this may mean requiring evidence of third-party certification or audit history as a prequalification condition.

At the contracting stage, modern slavery obligations should be reflected in contract terms. This may include clauses around audit rights, disclosure requirements, and remediation processes. Blanket termination rights are rarely appropriate; cooperative engagement and graduated consequences better reflect the guidance's emphasis on remediation over disengagement.

At onboarding, suppliers should complete a tiered assessment calibrated to their risk profile, with follow-up proportionate to the responses received.

During relationship management, monitoring should be ongoing and trigger-responsive. Changes in the supplier's ownership, geographies, subcontracting arrangements, media status, or sector classification may warrant reassessment between cycles.

Common errors 

Several errors appear consistently in how organisations implement supplier due diligence programmes. These include:

  • Sending the same questionnaire to every supplier regardless of risk
  • Treating questionnaire completion as the end of due diligence without review, follow-up, and monitoring
  • Implementing blanket termination rights for non-compliance. Guidance materials consistently emphasise that organisations should endeavour to work with suppliers to address issues before withdrawing business.
  • Not having a documented methodology for risk-tiering decisions. Without documentation, it is impossible to demonstrate to an auditor, investor, or regulator how prioritisation decisions were made and justified. 

Conclusion

Ultimately, it comes down to proportionality. The best practice approach is a tiered one that takes into account the appropriate risk dimensions, is calibrated to supplier size and sophistication, and is proactively embedded across the procurement lifecycle.

The OECD Guidance, the Commonwealth Guidance, and the UN Guiding Principles all clearly state the importance of having a risk-based approach to modern slavery management. Reporting entities should ensure the methodology they have in place is genuinely proportionate, documented, and capable of generating genuinely useful insights that are needed to identify and address modern slavery risk where it is most likely to occur.

How Fair Supply helps

Operationalising a risk-based approach across hundreds or thousands of suppliers is a practical challenge most reporting entities face. Determining how to triage suppliers, and then manually managing response rates, maintaining audit trails, and producing reporting that satisfies board and investor scrutiny, can very quickly become unscalable.

Fair Supply's modern slavery assessment platform supports organisations in streamlining tiered risk assessment and automates the sending, tracking and analysis of supplier responses. Fair Supply also provides advisory services for procurement and sustainability leaders on framework design, supplier engagement strategy, and the integration of modern slavery obligations into the procurement lifecycle.

If you are ready to move beyond a blanket questionnaire approach, talk to our team about building a risk-tiered due diligence programme that's proportionate, defensible, and built to scale.

Kimberly Randle
Co-founder & CEO
As founder and CEO of Fair Supply, Kimberly is an experienced and innovative human rights advocate specialising in modern slavery. Kimberly has over 15 years experience working in law and human rights for top tier firms in Australia and the United States, previously holding the role of Senior Director of Corporate and Legal for International Justice Mission Australia. Kimberly is a sought-after expert and speaker in the field of modern slavery and has been called upon to provide evidence for both the NSW and Commonwealth Parliamentary Inquiries into Human Trafficking. Kim received her Bachelor of Law from Macquarie University.