Run Risk-Based Prioritization

Move from equal treatment of all suppliers to a prioritization system that actually changes workload and intervention.

When to use this playbook

Use this when the supplier base is too large for equal treatment or when teams feel reactive despite having plenty of data.

Use it when annual audit planning or quarterly intervention planning needs a defensible prioritization model.

How this source informs this section

OECD Due Diligence Guidance for Responsible Business Conduct · p. 17

OECD is the main source here because it treats prioritization as a risk-based decision process, not a reporting exercise.

The measures that an enterprise takes to conduct due diligence should be commensurate to the severity and likelihood of the adverse impact.

Step-by-step guide

1. Define the risk factors that should matter, such as geography, labor profile, category, spend, leverage, historic issues, and grievance information.

2. Separate inherent risk from performance risk so the model can reflect both exposure and actual supplier behavior.

3. Decide what the risk bands change in practice: audit cadence, deeper review, supplier engagement, leadership visibility, or commercial decisions.

4. Refresh scores on a fixed cadence and when major trigger events occur.

5. Review the output with business owners so the model is understood as a decision tool, not just a reporting exercise.

6. Track whether high-risk suppliers are actually receiving differentiated action after scoring.

How this source informs this section

Disney Country-Specific Submission Requirements Supplement · p. 3

Disney is useful because it operationalizes prioritization by linking country context to audit requirements and additional submission conditions.

This supplement contains a list of countries... as well as where raw materials and components may be sourced.

Quality checks

The model changes workload or escalation in practice.

Scores are refreshed rather than left static for a year.

Worker or grievance information influences prioritization where available.

Business owners understand what each risk band requires.

How this source informs this section

OECD Due Diligence Guidance for Responsible Business Conduct · p. 32

OECD's tracking step is what keeps prioritization real: if the high-risk list never changes action, the model is not doing its job.

Track the implementation and effectiveness of the enterprise's due diligence activities... and use the lessons learned to improve these processes.

Failure modes

Using only country risk and ignoring supplier-specific information.

Scoring suppliers without linking the output to an actual decision.

Building a complex model no one updates or trusts.

How this source informs this section

UN Guiding Principles on Business and Human Rights · Principle 24

UNGP is the corrective here because teams should not treat lower-severity issues ahead of severe impacts just because they are easier to process.

Business enterprises should first seek to prevent and mitigate those that are most severe or where delayed response would make them irremediable.

Sources

OECD Due Diligence Guidance for Responsible Business Conduct

OECD · guidance PDF

OECD's due-diligence guidance is the main cross-cutting source here for prioritization, corrective action planning, leverage, and follow-up.

UN Guiding Principles on Business and Human Rights

OHCHR · framework

Used here for the baseline definition of human-rights due diligence, remedy, and grievance expectations.

Disney Country-Specific Submission Requirements Supplement

Disney · country controls PDF

Disney supplement showing which countries are permitted, when audits are required, and what extra submission conditions apply.