The risk assessment process can be difficult to grasp. Different systems use different terms for risks, and understand risks in different ways. Below we will try to provide a clear overview of how risk assessments and Forestry Risk Profiles can be used effectively to avoid illegal timber in your supply chain.
The EU Timber Regulation (EUTR) requires that you have sufficiently identified and “mitigated” risks of illegal timber entering your supply chain. This means that you need to be able to access information about the origin of the material, as well as assess and mitigate any risks of illegality.
To grade risk, the EUTR applies the term “negligible risk”. Whenever a supply chain is concluded to have “negligible risk” of illegal harvesting, no further action is required. Conversely, anything that cannot be concluded to have “negligible risk” must undergo risk mitigation before placement on the market.
NEPCon uses somewhat different terms, trying to make risk identification and mitigation more efficient. The idea behind the approach is to be more specific when identifying risk in order to pinpoint the exact issues and causes of risk that warrant further action. We use the term “specified risk” to denote risk that cannot be concluded to be “negligible” while also describing specifically what the risk is and what causes it. Conversely, we use the term “low risk” when we have concluded that no serious threats are present. Here is why those terms are used and why we do not use further grading of risk like “medium”.
What is “low” and what is “specified” risk?
It is actually very simple. When concluding a risk is “low”, it simply means that there may be some level of risk, but not a level of seriousness that warrants further action. If the conclusion of the risk assessment is that there is a risk, we specify what it is and thus denote it “specified risk”. When you look at the relevant Forestry Risk Profile for the timber product you are assessing, you will learn which specified risks are present when sourcing timber from a certain country. You will then take that information to assess your supply chain and filter for this type of specified risk “down-stream” in your supply chain.
Specified risk can be either medium or high. Either way, you have to mitigate it. Therefore, adding “medium” or “high” to the pile of terminology does not add any value or make it easier for the company that is doing the risk assessment. You have to take action and mitigate the specified risk regardless of the severity of the risk found.
Christian Sloth, Forest Legality Expert at NEPCon, added, “I understand the urge to work with low, medium and high risk. Intuitively, it makes sense. But the problem is that it does not make sense to work with risk in this way. In the risk assessment process, it is not critical if the risk is medium, medium-high or high.
“What is important is that you are able to identify what the risk is, and how to mitigate it. Trying to categorise the risk in levels of severity does not help that process,” explained Mr Sloth.
To exemplify further, below is a quick tour through the risk assessment process and how you work with low and specified risk. You can also investigate further in this thirty-minute video-tutorial about the EUTR and due diligence, and access relevant tools for all the steps in the risk assessment process here.
Supply chain mapping: Access to information
The risk assessment process is actually not linear but iterative. You need to go through the different steps several times in order to learn more about the risks and how to mitigate them, as shown in Figure 2. However, the first step is almost always to map your supply chain. This means you need to get an overview of who your suppliers and sub-suppliers are.
The level of detail of the information will depend on the risk - meaning the riskier the situation is, the more information is required. If a supply chain has specified risks that require onsite evaluation, then a full supply chain overview is necessary. If there are only risks identified further down-stream, but not at forest level, the information will only be critical to the level where specified risk is concluded.
This can be an easy task with very few tiers (levels) or a very complicated one with an intricate and complicated network of suppliers and sub-suppliers. It depends on how far up-stream or down-stream you are in the supply chain and the complexity of the timber product you trade.
In the process of mapping out your supply chain, you can identify missing or dubious information. At this point you have already moved into the risk identification phase of the risk assessment process.
As soon as there is missing, dubious or contradicting information in your supply chain, you have already identified risk. You will get an idea of what to look for by assessing the relevant Forestry Risk Profile and checking which areas are marked with specified risk.
For example, if you are assessing a timber product whose country of harvest is China, you might find in the Forestry Risk Profile that there are specified risks detected in Trade and Transport, related to risk of mixing. You now know that you have to investigate further into these documents when analysing your supply chain for risks further down-stream. Besides risk of mixing, common areas of concern when identifying risk could also include armed conflict. Once complete information has been collected, the final stage of the risk assessment process can be conducted.
In the next phase you will specify risk in the supply chain. This means collecting further information about the identified risks. Sometimes you will conclude that the identified risk is actually low after investigating it further in the risk specification process. Other times, you find further information, or simply conclude that information is lacking, which underlines and clarifies the risk or even identifies more risks.
In the risk specification process, you should have a good idea of the supply chain and origin, as well as the documents needed to indicate legality. As such you will be able to pin-point the risks associated directly with the type of forest that the material originates from. After completing this stage, you have a line of specified risks that are well researched and justified. Now you need to mitigate them.
After you have identified and specified your risks, you can begin to minimise these risks in the risk mitigation phase. The simplest way to avoid risk is to terminate the relationship with the supplier and find a new one who can provide you with the information you need or with material that has confirmed low risk. It is also common to mitigate the risk by choosing certified products or changing species or supplier country.
If such a risk avoidance approach is not possible, you may have to work directly with your supply chain in order to actively mitigate the risks that have been specified. You might need to perform an onsite verification of your supplier to make sure that all risks are mitigated sufficiently. For each specified risk there are a number of control measures and verifiers that can be used to manage the specific risk.
Once you have decided and applied the mitigation action that will work best in your supply chain, you have effectively mitigated risks in your supply chain. You now have a proper due diligence system in compliance with the EUTR.
You can find more detailed guidance about the EUTR, due diligence and risk assessment here.