The components in a product you sell were probably touched by people you will never meet, working for companies you have never contracted with, in countries you may never have visited. Some of those people are not free to leave. The question for a leader is not whether your supply chain could contain modern slavery, at any real scale, it almost certainly touches risk somewhere, but whether you would know, and what you would do if you did.

The quick version

  • Modern slavery is an umbrella term for forced labour, debt bondage, human trafficking and similar coercion. The ILO, Walk Free and IOM estimate 49.6 million people were living in modern slavery on any given day in 2021, including 27.6 million in forced labour.
  • An ethical supply chain means taking responsibility for human rights not just in your own operations but across the suppliers, and their suppliers, who make what you sell.
  • The global standard is human rights due diligence, a continuous cycle of finding, preventing and remedying harm, set out in the UN Guiding Principles on Business and Human Rights (2011).
  • The trap is treating a published "modern slavery statement" as the goal. The law asks you to report; the point is to actually reduce risk. A glossy statement over an unchecked supply chain is worse than nothing, because it manufactures false comfort.

The idea in depth: this is a scale problem, not an edge case

Start with the size of it, because the instinct is to assume slavery is a historical or far-away problem. It is neither. The most authoritative count comes from the Global Estimates of Modern Slavery (ILO, Walk Free and IOM, 2022): 49.6 million people in modern slavery on any given day in 2021, of whom 27.6 million were in forced labour, a rise of about 10 million since the previous 2017 estimate. This is not a fringe of the economy. The ILO's Profits and Poverty report (2024) puts the illegal profits from forced labour at around US$236 billion a year, up roughly 37% in a decade.

Where to start: drop the assumption that your business is too clean, too local, or too small to be exposed. Forced labour concentrates in the early, invisible tiers of a supply chain, raw materials, agriculture, low-margin manufacturing, precisely the tiers most companies have never mapped. The first practical act is not a policy; it is a map. List your direct (tier-one) suppliers, then ask each of them where their inputs come from. You cannot manage a risk you cannot see, and most of the risk lives below the line of sight.

The law asks you to report on modern slavery. The point is to reduce it. Those are not the same thing.

The standard everything else is built on: human rights due diligence

The reference point for what a company owes is the UN Guiding Principles on Business and Human Rights, authored by Harvard's John Ruggie and unanimously endorsed by the UN Human Rights Council in June 2011. Its thirty-one principles rest on three pillars, the state's duty to protect, the company's responsibility to respect, and the shared need to provide remedy when harm occurs. The engine inside the corporate pillar is human rights due diligence: an ongoing process to identify, prevent, mitigate and account for how a company addresses its impacts on people, across its own operations and its business relationships, not just inside its four walls.

The crucial design choice in the framework is that it is a cycle, not a checklist. You assess risk, act on what you find, track whether your actions worked, and communicate honestly, then you do it again, because suppliers, countries and conditions change. A 2011 audit tells you almost nothing about 2026.

flowchart LR
  A(["Assess
where is the risk?"]) --> B(["Act
prevent & mitigate"])
  B --> C(["Track
did it work?"])
  C --> D(["Communicate
report honestly"])
  D --> A
Human rights due diligence is a loop, not a one-off audit, the UN Guiding Principles' core cycle. Leaders Loop

So change the question. Stop asking "are we compliant?" and start asking "when did we last go round the loop, and what did we change because of it?" Pick your highest-risk product line and run a single, honest pass: where could forced labour realistically enter, what have we done about the worst of it, and how would we know if it worked. One serious cycle beats a binder full of supplier codes nobody has tested.

An honest limitation. Due diligence reduces risk; it does not abolish it, and the dominant tool for checking, the social audit, is widely criticised. Audits are usually announced in advance, snapshot a single day, and can be gamed by suppliers who coach workers and keep two sets of books. Some of the worst documented abuses occurred at facilities that had passed audits. Treat an audit as one weak signal among several, not as proof of a clean chain. Worker voice, confidential grievance lines, worker surveys, trusted local NGOs, often surfaces what an audit is structured to miss.

Why the law made this a board-level issue

For years, respecting human rights in a supply chain was voluntary. A wave of "transparency" legislation changed that by making companies say, in public and on the record, what they were doing. The UK Modern Slavery Act 2015 (section 54) requires commercial organisations carrying on business in the UK with turnover of £36 million or more to publish an annual modern slavery statement, board-approved, director-signed, and linked from the homepage. Australia's Modern Slavery Act 2018 set a similar duty for entities with consolidated revenue of at least AUD$100 million, in force from 1 January 2019. The European Union has since gone further than disclosure: its Corporate Sustainability Due Diligence Directive (adopted May 2024) obliges large companies to actually conduct due diligence across their chain of activities, with phased national implementation later this decade.

The pattern across these laws matters more than any single threshold. The first generation asked companies to disclose; the newer generation asks them to act. The direction of travel is from "tell us what you do" to "do it, or be liable."

Which is the whole point: treat the statement as the output of real work, not a substitute for it. A board reviewing a modern slavery statement should be able to ask: what did we find this year, what changed because we looked, and where are we still blind? If the only honest answer is "we updated the date," the document is a liability, not a defence. (Specific obligations and thresholds vary by jurisdiction and change over time, confirm what applies to you with qualified counsel rather than relying on a general explainer.)

A worked example

Take a mid-sized apparel brand, call it Meridian, sourcing finished garments from a handful of factories in South and Southeast Asia. (Illustrative figures and scenario throughout; this is a teaching example, not a real company.) Meridian crosses a reporting threshold and, in year one, does what most first-timers do: it asks its tier-one factories to sign a supplier code of conduct, commissions an announced audit at each, and publishes a confident statement. Every factory passes. The statement says all the right things.

Then a journalist traces the cotton. Two tiers below Meridian's contracted factories sits a spinning mill, and below that a farm using bonded labour, workers held against debts they can never clear. Meridian had never mapped past tier one. Its audits, announced and shallow, were structured to miss exactly this. The statement that looked like protection is now evidence that Meridian claimed assurance it did not have.

flowchart TD
  A(["Meridian (brand)"]) --> B(["Tier 1: garment factory
audited, 'passed'"])
  B --> C(["Tier 2: spinning mill
never mapped"])
  C --> D(["Tier 3: cotton farm
bonded labour, the real risk"])
  B -.->|"announced audit
snapshot, gameable"| E(["False comfort"])
  C -.->|"worker grievance line
+ trusted local NGO"| F(["Risk actually surfaces"])
The risk lives below the line of sight, and the announced audit was built to miss it. Leaders Loop

The better version of Meridian runs the due-diligence loop instead of the compliance ritual. It maps beyond tier one to find where its cotton grows, concentrates effort on that highest-risk tier, and adds a confidential worker grievance channel and a local labour NGO so problems surface from the people who experience them. When it finds the bonded-labour farm, it does not cut and run, exiting quietly just moves the harm out of sight and strands the workers. It uses its leverage to drive remediation: clearing the debts and changing the practice, and exiting only if nothing improves. That sequence, find, fix, remedy, leave responsibly as a last resort, is what "respect" in the UN framework requires. The honest statement Meridian publishes the next year is shorter, less glossy, and worth far more.

Frequently asked questions

What exactly counts as "modern slavery"?

It is an umbrella term, not a single legal offence. It covers forced labour (work extracted under threat or coercion), debt bondage (work to repay a debt that is structured to be unpayable), human trafficking, forced marriage, and the worst forms of child labour. The common thread is that a person cannot freely refuse or leave. The ILO's measurement focuses on forced labour and forced marriage; national laws define the criminal offences, which differ by country.

We're a small company. Does any of this apply to us?

The disclosure laws have revenue thresholds, so the smallest firms may have no reporting duty, but the human rights responsibility in the UN Guiding Principles applies to all businesses regardless of size, and your large customers increasingly pass their obligations down to you in contracts. Being below a legal threshold is not the same as being free of risk or free of expectations. If you sell into bigger companies, expect to be asked.

Aren't supplier audits enough?

On their own, no. Announced social audits capture a single day, can be coached and falsified, and have repeatedly failed to detect serious abuse, some sites where forced labour was later exposed had passing audit reports. Audits are one input. They work best combined with unannounced checks, worker-voice channels that let employees report safely, and credible local partners who know the context. Treat a clean audit as a question, not an answer.

If we find forced labour in our chain, shouldn't we cut the supplier immediately?

Usually not as a first move. Cutting and running can leave the affected workers worse off and simply hides the problem from you. The UN framework expects you to use your leverage to remediate first, help fix the practice and provide remedy to those harmed, and to disengage responsibly only if there is no realistic prospect of change. Responsible exit is a last resort, not a reflex.

Who owns this inside a company?

Accountability sits with the board, because the laws require board sign-off and because human rights risk is also legal, financial and reputational risk. Day-to-day it usually runs through procurement, sustainability or legal, but the failure mode is diffusion, everyone assumes someone else is watching the third tier. Name an owner with real authority and a direct line to the board, and tie it to the wider risk and ESG agenda rather than parking it in a single function.

Related in the Toolkit

This sits inside the broader question of how a company defines right conduct (business ethics & ethical frameworks) and how it reports its non-financial performance (ESG strategy & reporting), modern slavery is where high-minded values meet the unglamorous reality of a purchase order three tiers deep.

Where to go next