With the latest updates to the SFI, FSC, and PEFC Chain of Custody standards, the subject of Due Diligence has become more universally applicable for certified companies.  This – of course – means more questions about practical application and how the standards differ.

Due Diligence Systems (DDS) follow a widely applied international, 3-part norm:

  1. Information Gathering
  2. Risk Assessment
  3. Risk Mitigation

They require a bit more defining detail when applied as part of certified Chain of Custody programs. Here is a summary of how the FSC, PEFC, and SFI programs approach Due Diligence.


In general, a CoC-certified company will need to apply Due Diligence System (DDS) procedures to all of their inputs, with a few limited exceptions:

  • FSC specifically exempts inputs received with verified and valid claims from another FSC-certified company. Be careful, however, of the legality requirement (40-004, 6.1) that applies even for certified material.
  • PEFC exempts recycled inputs, with some DDS required for everything else.
  • SFI also exempts recycled inputs and provides a broad exemption for inputs received with claims from other SFI-certified companies. In conjunction with the SFI Certified Sourcing program, this exemption will likely limit the full application of DDS procedures in many cases.


The three programs provide similar definitions for the legally and ethically undesirable materials that Due Diligence Systems (DDS) are designed to avoid.  These ‘Controversial’ or ‘Unacceptable’ sources are:

  • Illegal Sources (PEFC, SFI, FSC) – defined similarly as failing to comply with applicable local, national, or international laws and regulations.
  • Genetically Modified (GMO) Trees (PEFC, SFI, FSC) – defined similarly and not yet commercially relevant.
  • Conversion Products (PEFC, SFI, FSC) – cited and defined similarly by all three programs, but explicitly addressed in very different ways.
  • Violations of Human Rights (PEFC, SFI, FSC) – a complex subject addressed broadly by PEFC and SFI and in somewhat more detail by FSC. Includes Indigenous Rights, Labor Rights, Traditional & Civil Rights, and ILO Conventions.
  • Threats to Biodiversity and Conservation Values (PEFC, SFI, FSC) – situations where forest management threatens habitats, species of concern, or other ‘high’ conservation values.
  • Conflict Timber (PEFC & SFI only) – defined by the United Nations Environment Program (UNEP) as wood products associated with armed conflict and warfare.
  • Threats to Sustained Yield (PEFC only) – situations or regions where harvest levels are not supported by forest growth.


A structured approach to Information Gathering is employed similarly by all three programs.  Key information includes:

  • Tree Species – in theory, all tree-based input products should be identified using botanical terminology. This often includes species groups (spruce-pine-fir) or species lists.
  • Country/Region of Origin – this is defined consistently as the location where trees are harvested. The level of precision required varies somewhat by program.  FSC utilizes Origin as a key part of its Risk Assessment protocol.

FSC, PEFC, and SFI also require recording and sharing basic DDS information.  The clear intent is for companies with direct access to key information to pass it along the supply chain as needed.

In addition to gathering and sharing basic sourcing information, certified companies must monitor and assess external comments and complaints that they may receive about their raw materials.  All three programs require formal protocols for processing and responding to inputs they may receive from stakeholders.


CoC programs conventionally address Risk Assessment in two broad categories:

  • Geographic (origin) Risk
  • Supply Chain Risk

The three programs’ detailed requirements differ considerably and must be considered separately.

FSC Risk Assessment

FSC approaches geographic Risk Assessment with a published document called a ‘National Risk Assessment’ (NRA).  NRAs include evaluations and ranking of a wide selection of risk indicators related to the key categories of Unacceptable (Controversial) sources.  Risks are identified as either “low” or “specified.”  In the case of specified risk, the NRA also identifies acceptable mitigation requirements.  While very comprehensive in their treatment of geographic risk, the NRAs do not address Supply Chain risk.

FSC-certified companies are generally required to use published NRAs for geographic risk, adopting their risk rankings and implementing mitigation measures – termed ‘Control Measures’ – when applicable.  Assessing Supply Chain Risk, however, is done individually by each company.

PEFC Risk Assessment

Each certified company is required to conduct Due Diligence on their inputs, using criteria found in Appendix 1 of the standard.  Risk rankings are either “significant” or “negligible.”  Ranking criteria for origin are found in Tables 1 & 2.  These criteria allow for abbreviated assessment for short, well-documented supply chains or when other verifiable protocols (like FSC) are in place.  Ranking criteria for Supply Chain Risk are also provided in Table 3.

The Table 2 criteria (for geographic risk assessment) include a variety of independent and objective criteria for ranking risk.  Many companies will nonetheless require expert assistance to complete their assessments.

SFI Risk Assessment

Unlike FSC and PEFC, the SFI standard omits any reference to Supply Chain Risk and treats Risk Assessment generically.  Inputs must be ranked into “high” and “low” risk categories.  Guidance for the assessment is limited to the definition of Controversial Sources.

It appears likely that claim-based exemptions (described above) will limit the use of DDS Risk Assessment for most SFI-certified companies.  For this reason, and because of a general lack of guidance, many will require specialized support to implement independent SFI Risk Assessments.


DDS Mitigation is required when a DDS Risk Assessment concludes that there is a Significant/Specified/High risk of sourcing from Controversial/Unacceptable Sources.  It is the last step in the 3-part DDS protocol and is generally avoided whenever possible.  As with Risk Assessment, differences among the programs require separate consideration.

Mitigation for FSC (Control Measures)

The published FSC National Risk Assessments (NRA) include findings of “specified” risk where mitigation is required.  The term “Control Measures” is used, and details are included in the NRA.  Control Measures take many forms around the world.  In the United States, it is typical for companies to provide targeted communications materials (Education & Outreach) to suppliers and others, raising awareness about specified risk topics and encouraging measures to reduce threats.

Mitigation for PEFC & SFI

Mitigation of significant (high) risk inputs for PEFC and SFI is essentially similar and implemented individually and locally by certified companies.  The PEFC standard provides more details, but both require sample-based field inspections designed to produce direct evidence of either avoidance or substantive risk reduction of Controversial Sources.  Inspections will require direct or indirect access to information about forest management at the point of harvest.

In theory, mitigation requirements apply globally.  But in practice, their use is rare in low-risk regions (N. America, Europe, etc.).


Due Diligence Systems (DDS) are documented and audited as part of a company’s CoC Management System.  As with other system functions, they require maintenance, including, at a minimum, annual review and occasional updates.  FSC requires a DDS Public Summary that is updated annually and posted online on the FSC certificate database.