21st April 2026

What Is ESG Due Diligence? Process and Best Practices

For most of the past decade, supplier audits were the operating standard for ESG risk management. What that model could not account for was everything that changed between audits: ownership transfers, shifts in subcontracting, labor incidents, and environmental violations. 

ESG due diligence, as regulators now define it, is no longer considered ‘an audit program.’ It is now seen as a continuous cycle of identification, assessment, action, monitoring, and remedy. Audits still play a role in that cycle, but organizations treating them as the finish line are working against a standard that the frameworks they report against have moved well past.

What ESG due diligence actually means

ESG due diligence is a risk-based management process that identifies, prevents, mitigates, and accounts for adverse environmental, social (including human rights), and governance impacts connected to a company’s operations and business relationships.

Modern ESG due diligence (as applied to suppliers) aligns closely with the due diligence model in the OECD Due Diligence Guidance for Responsible Business Conduct, which positions due diligence as the operational backbone for responsible business conduct across supply chains, subsidiaries, and contracted partners.

ESG due diligence is not the same as ESG reporting. Reporting can disclose what happened; due diligence is the governance, workflow, and evidence trail that demonstrates how risks were identified, prioritized, acted on, tracked, and escalated—ideally before they become incidents, disruptions, import holds, or legal exposure.

ESG Reporting vs. ESG Due Diligence

Why ESG due diligence has become a procurement obligation

Three converging forces have placed ESG due diligence at the center of procurement’s mandate: 

  • regulatory divergence across jurisdictions
  • commercial cascade from large customers and investors
  • an execution gap that procurement functions have not yet closed

The EU’s Corporate Sustainability Due Diligence Directive (Directive 2024/1760) explicitly connects compliance obligations to operational decisions (including procurement and purchasing decisions). 

The Omnibus amending directive (Directive 2026/470) has materially adjusted the scope and timelines: due diligence now applies to organizations with more than 5,000 employees and €1.5 billion in net worldwide turnover, with application deferred to July 2029. The concept of a corporate due diligence duty, however, remains intact.

Beyond the EU, a patchwork of supply-chain-oriented laws is expanding the procurement obligation across jurisdictions:

  • Germany (LkSG): Requires in-scope companies to implement a risk management system, run regular risk analyses, take preventive and remedial measures with direct suppliers, and document due diligence performance.
  • Norway’s Transparency Act: Treats due diligence as an ongoing duty covering human rights and decent working conditions across supply chains.
  • UK Modern Slavery Act: Requires qualifying organizations to publish annual statements detailing steps taken to prevent modern slavery in their operations and supply chains, with statutory guidance signalling expectations for outcome-oriented improvement.
  • US UFLPA: Forces procurement-grade traceability and evidence across upstream inputs — country of origin for finished goods is no longer a sufficient control when shipments can be detained or denied on forced labor grounds.

Operational realities make this a procurement obligation even without legal scope pressure. In McKinsey & Company’s 2024 Global Supply Chain Leader Survey, only 60% of respondents reported comprehensive tier-one visibility, deep-tier visibility had declined, and only 9% said their supply chains were currently compliant with new supply chain rules, with 30% admitting they were behind or significantly behind.


ESG due diligence checklist

A procurement-grade ESG due diligence program is most effectively operationalized when it follows a recognized process model and translates each step into sourcing, onboarding, contracting, performance management, and supplier development controls. 


The most widely used reference structure is the OECD six-step due diligence process. 

Embed due diligence into governance and procurement policy

Sustainability considerations must be embedded into procurement policy and category management from the outset, consistent with ISO 20400’s framing of sustainability as an integration requirement. Programs that begin as sustainability-team projects and attempt to retrofit procurement later consistently underdeliver on coverage, data quality, and enforcement.

Map and prioritize suppliers by risk

Full due diligence across every supply chain node is rarely feasible. A risk-based model concentrates effort where impacts are most severe or likely, using country- and sector-level risk, combined with supplier-specific signals (such as spend or criticality), to prioritize assessment depth. 

EU amendments reinforce this logic for business partners with fewer than 5,000 employees; information requests should be limited to what cannot reasonably be obtained otherwise. Procurement must be targeted in what it asks for, and must rely on scalable information sources where possible.


Prevent and mitigate through contractual and commercial leverage

Supplier codes, ESG clauses, audit rights, corrective action obligations, and consequence frameworks are the mechanisms through which due diligence expectations become enforceable. 

Research on integrating human rights due diligence into supply contracts emphasizes that clauses should not use generic “comply with law” language that provides no actionable standard or remediation pathway.

Track implementation and closure performance

Tracking is the control mechanism that demonstrates a due diligence program is active, and the output that regulators and auditors are now specifically requesting. A credible program tracks both implementation and results. The metrics that matter:

  • Corrective action closure rate and cycle time by severity
  • Recurrence rate of key findings
  • Supplier performance improvement between assessment cycles
  • Evidence that suppliers improved in the areas most material to their risk profile

Communicate with audit-ready evidence

Communication, in a due diligence context, is a consistent, defensible evidence trail linking risk identification to decisions taken, supplier actions and verification, and outcomes. The evidence chain must be traceable, controlled, and consistent across reporting cycles—structured to reduce manual error and maintain assurance-quality documentation. 

Platforms focused on sustainability reporting and data governance position auditability and controlled data collection as necessary infrastructure, not optional enhancement.

Provide for remediation and responsible disengagement

Remediation must exist for harms caused or contributed to. Procurement must have defined escalation routes for remedy and for responsible suspension or exit decisions where remediation is not possible. 

A program that identifies severe findings but lacks a documented remediation pathway, grievance mechanism, or disengagement process is, from a regulatory standpoint, incomplete, regardless of how well it performs on coverage and tracking metrics.

Common failure modes in ESG due diligence programs

Across sectors and geographies, the same failure modes recur. The organizations that have faced the most significant consequences share a recognizable set of program design gaps:

Over-reliance on audit programs without continuous controls

Social auditing has well-documented structural limitations. When the supplier pays for its own audit, the firm conducting it has a financial reason to return a passing result and keep the business. Documented audit deception practices mean that a cleared audit is not equivalent to a verified control.

Human Rights Watch has noted that social audits often miss systemic issues entirely. According to Harvard Business Review, codes of conduct and periodic audits alone are insufficient to identify and manage high-risk suppliers.

A cleared audit is not always equivalent to a managed risk.

In 2020, an investigation found that suppliers producing garments for Boohoo were paying workers below minimum wage and operating under unsafe conditions in Leicester, UK. 

Several of those suppliers had passed social audits shortly before the abuses were reported. Boohoo faced significant reputational and regulatory fallout despite having an audit-based compliance program in place.

Tier-one visibility without deep-tier controls

McKinsey’s 2024 Global Supply Chain Leader Survey shows that tier-one transparency is improving while deep-tier visibility is declining. 

Major disruptions and severe human rights or environmental harms consistently originate deeper in the chain, where most procurement programs have no systematic presence. The same survey reports that only 9 percent of organizations consider their supply chains currently compliant with new supply chain rules, with 30 percent admitting they are behind or significantly behind.

Forced labor trade enforcement makes the commercial consequence of deep-tier blind spots concrete. Since 2022, US Customs and Border Protection has reviewed more than 9,000 shipments valued at over USD 3.5 billion under UFLPA-related controls, denying entry to nearly 4,000. In 2024 alone, the value of detained shipments exceeded USD 1.63 billion. 

Shipments can be detained even when the country of export is not China, because upstream inputs trigger enforcement regardless of the country of origin of the finished goods. 

Procurement needs upstream traceability and documentation beyond immediate suppliers. The country of origin of the finished goods is no longer a sufficient control on its own.

Governance that is not procurement-operational

Due diligence fails when it is owned by either sustainability or compliance—and has no operational connection to sourcing decisions, onboarding processes, contract requirements, or corrective action management. The result is a disclosure exercise rather than a management system.

W.R. Grace provides a counterexample worth examining. Recognized by EcoVadis for its Sustainable Procurement Leadership, the specialty chemicals company built a program explicitly designed to cascade sustainability criteria across functions and processes. Key attributes include:

  • A Global Responsible Sourcing Committee with cross-functional program leadership
  • Top management support embedded in program governance, not delegated to compliance alone
  • Alignment with OECD Due Diligence standards through the Grace Responsible Mineral Approach
  • Supplier engagement structured to drive transparency and supply chain resilience

How EcoVadis supports ESG due diligence at scale

ESG due diligence at enterprise scale is a data and workflow problem. Most companies have disconnected tools, manual processes, and blind spots that grow as their supplier base expands.

EcoVadis closes that gap across a network of more than 150,000 rated companies in 185 countries, with risk identification, assessment, action, tracking, and communication built into a single platform:

  • IQ Plus maps risk at the country, industry, and supplier level in real time, giving procurement teams the intelligence to prioritize before problems surface
  • Vitals brings your entire supply base into the due diligence process through a structured self-assessment, not just the suppliers you’ve already rated
  • Ratings delivers evidence-based supplier assessments, and 360° Watch keeps monitoring active between cycles

Procurement programs are already using it as a due diligence control. Request a demo to see how EcoVadis closes the gap between supplier risk identification and supplier risk remediation.
