EUTR due diligence made simple

Based on nearly a decade of experience the Timber Trade Federation (TTF) understands due diligence. Indeed, its Responsible Purchasing Policy [due diligence system]was the model for the EU Timber Regulation (EUTR). As we get closer to the implementation of the latter on March 3, however, it is clear that some companies are still struggling with the basic due diligence concept. So, I'm grateful to the TTJ for giving me an opportunity to try to address some of the fundamental misconceptions I have encountered over the past year or so.

Due diligence is not a new concept. In fact, companies taking on a new customer will already be doing it in some form. It is simply a question of finding out as much as possible about the customer and double checking those facts, by, for example, a credit check. This is risk assessment. If you are uncomfortable, but still wish to do business, you may get some further reassurance, or arrange particular terms of supply. This is risk mitigation.

Perhaps a better example is health and safety. Legislation exists which, in principle, is just like the EUTR. It stipulates that a business must assess the likelihood an accident will occur and the severity should it do so. It should then take action to reduce the risk and the harm it could cause. The level of action will depend upon the likely occurrence and the severity of the harm. And all this assessment must be written down.

The EUTR is very similar. It requires anyone first placing timber on the EU market to assess the likelihood that it is from an illegal source, based on information it has obtained about the product, its origin and supply chain. On the basis of that information the company must decide what it should do to lower the risk associated with future shipments from the same source.

Due diligence must happen before a purchase is made, otherwise it is not due diligence. Retrospectively assessing the risk profile of products already purchased and sold does not constitute compliance with the law.

Only CITES or EU Forest Law Enforcement, Governance and Trade licences remove the need for it. In all other circumstances a company must assess and record the risk of the product it is intending to buy. This is the evidence, should it be required, that due diligence has been undertaken.

FSC, PEFC or any other form of legality verification provides very good evidence that a product is low risk, and in most cases will comprise de facto sufficient risk mitigation. However, it is still necessary to double check the certificate's credentials on the scheme's website to ensure it is both in date and fully covers the products and species being purchased in scope.

In addition in some countries where fraud, or misuse of certification is known to occur, additional evidence should be sought provide assurance to an importer that the product is not likely to be illegal.

Some have wanted to claim and label their products as EUTR-compliant. They can't. The statement is meaningless. Only companies can be EUTR-compliant by doing their due diligence, which, in any case, is simply the law. Saying a product is compliant might be construed as misrepresentation.

And the EUTR does not require you to prove a product is legal, but to assess and mitigate the risk that it is. If you can get credible evidence of legality then your job is done and this is what you should strive for.

But just because you can't get proof does not mean the product cannot be placed on the market. Different companies will have different attitudes to risk, both reputational and legal. If a company is comfortable with the level of risk to which it is exposed after it has done its due diligence properly, then it has complied with the law. If the product then turns out to be illegal, the operator will be guilty of the criminal offence of possessing illegal timber, but not for lacking due diligence.

I have heard many companies saying that they have been told that to comply with the law they must undertake a full legality check list on the product, supplier, species and supply chain, often involving auditing. This is a real belt and braces job, and is to be applauded if done, but it is not necessary. The process you choose to undertake to assess your risk will need to be as robust as it needs to be according to your attitude to risk and the level of risk you have identified.