Purpose of this guide: give you a practical, copy-and-use framework to evaluate, approve, and monitor downstream vendors under R2v3—so you can defend decisions to auditors and reduce real-world risk.

---

1) What “downstream due diligence” actually means in practice

In R2v3, “downstream” covers every organization that receives your material, components, or data-bearing devices after they leave your control—refurbishers, brokers, repairers, recyclers, data sanitizers, smelters, and final disposers. Due diligence is the repeatable process you use to:

• Assess risks before using a vendor
• Decide whether to approve them (and for which materials)
• Define controls in writing (contracts, specifications, reporting)
• Monitor performance and re-assess on a schedule or when conditions change

Think of it as a living file per vendor: risk score → approval scope → controls → evidence of monitoring → periodic re-approval.

---

2) Map your material flows first (scope drives effort)

Before scoring anyone, write a one-page map of what goes where:

• Material types: data-bearing devices, batteries, displays, PCBs, plastics, precious-metal fractions, whole units for reuse, non-hazardous residuals.
• Path: Your facility → Vendor A → Vendor B (if any) → final process (reuse, recycle, energy recovery, landfill).
• Jurisdictions touched: your location, vendor’s location, any transit countries.
• Disposition intent: reuse/resale vs. material recovery vs. disposal.

This map determines the risk profile and the depth of checks required. High-risk examples: data-bearing devices; export to unfamiliar jurisdictions; hazardous fractions (e.g., batteries); multi-hop chains.

---

3) A pragmatic risk model you can implement tomorrow

Use a 100-point scoring model so decisions are explainable. Score each vendor on the factors below, then classify:
0–24 Low, 25–49 Moderate, 50–74 High, 75–100 Critical. Calibrate thresholds to your risk appetite.

Factor	Guiding questions	Score (0=best, 20=worst)
Regulatory exposure	Hazardous materials? Export? Permits clearly in place?	0–20
Data protection	Handles data-bearing assets? Proven sanitization controls?	0–20
Process maturity	Certified systems? Documented SOPs? Training & QC?	0–20
Traceability	Can they provide serial/material tracking and mass balances?	0–20
Reputation/history	Incidents, sanctions, insolvency, frequent ownership changes?	0–20

How to score quickly and fairly:

• Start every new vendor at 30 (moderate) pending evidence.
• Add points for identified weaknesses; subtract when strong, verified evidence exists.
• Always record the why in 1–2 lines per factor.

Decision rules (example):

• Low risk (≤24): desktop review, standard contract clauses, annual monitoring.
• Moderate (25–49): desktop review + document sampling (permits, training, wipes logs), semi-annual monitoring.
• High (50–74): remote interview, sample lot trial, quarterly KPIs, on-site audit within 12 months.
• Critical (≥75): do not approve; require corrective actions; reassess later.

---

4) Vendor onboarding: checklist you can reuse

Create a standard DDQ (due diligence questionnaire) and request a small, defined document set. Keep it lean; quality beats bulk.

Core DDQ topics:

• Company identity (legal name, registration, facility addresses, contacts)
• Scope of services (what they do with your material, exact processes)
• Licenses/permits and scope codes
• EHS controls and training applicable to your material
• Data sanitization method(s), verification and chain-of-custody
• Downstream partners they use and how they vet them
• Record types kept, retention times, confidentiality practices
• Insurance coverage and limits
• Incident reporting and CAPA process

Document pack to request:

• Facility permit(s) or licenses applicable to your material and location
• Process flow or SOP excerpts for the operations you use
• Recent training record sample (titles, dates, attendees)
• Data sanitization SOP and a redacted wipe verification log (if applicable)
• Example of shipment documentation (BOL, manifest, serial list)
• Current insurance certificate
• Template monthly KPI or summary report (if they provide one)

Tip: ask for exactly one sample of each record type; auditors want to see that you reviewed evidence, not collect gigabytes of PDFs.

---

5) Approval scope: the secret to passing audits smoothly

Approval is not all-or-nothing. Approve by material type and process. Your approval memo should include:

• Vendor name and facility address
• Approved materials/processes (e.g., “SSD wipe & resale,” “Li-ion battery consolidation and export to smelter X”)
• Prohibited materials/processes (e.g., “No CRT glass”)
• Risk score and date of assessment
• Required controls (reporting, labeling, packaging, data logs, EHS conditions)
• KPIs and monitoring frequency
• Review/expiry date

This memo becomes the master control your shipping and sales teams use when choosing outlets.

---

6) Contractual controls that actually reduce risk

Bake your requirements into the agreement or purchase order terms. Keep clauses short and enforceable:

• Compliance warranty: vendor affirms compliance with applicable laws and required standards for the approved scope.
• Use-of-downstream restriction: vendor may not change downstream processors for your material without prior written notice and updated due diligence.
• Data protection: specific sanitization methods, verification, and reporting obligations; immediate notice of any data incident.
• Traceability & reporting: serial lists or mass-balance summaries per lot; monthly KPI (on-time reports, nonconformities, yields).
• Right to audit: reasonable access for remote or on-site reviews; cooperation in investigations.
• Incident & CAPA: timelines for notification, containment, corrective action, and closure evidence.
• Termination trigger: conditions that immediately suspend shipments (permit lapse, KPI failure trend, incident severity).

---

7) Ongoing monitoring: cadence, KPIs, and evidence to keep

Cadence by risk:

• Low: annual check-in + license renewal check
• Moderate: semi-annual KPI review + annual document refresh
• High: quarterly KPI review + annual on-site or remote audit
• Triggered review: any incident, regulatory change, ownership change, change in downstream path, or material type

KPIs that matter:

• Reporting timeliness: % shipments with complete documentation within X days
• Data sanitization validation: % lots with verification logs, % failures detected and resolved
• Material accountability: variance between shipped mass and processed/received mass within agreed tolerance
• Nonconformities: count and severity; closure time for CAPA
• Safety/environment: reported incidents related to your lots; trend over time

Evidence to keep in the vendor file:

• KPI summaries and your review notes
• Updated permits/licenses (or screenshots of public registry entries)
• Training matrix snapshot (roles related to your material)
• Any incident reports and CAPA closure evidence
• Re-approval memo with updated risk score and next review date

---

8) How to run a remote or on-site audit without wasting a day

Pre-audit (1–2 weeks before):

• Send scope: which processes and materials you will review
• Request a single recent lot involving your material for document tracing
• Share a 10–12 point agenda and timebox to 3–4 hours

During the audit:

• Walk the material flow in order: receiving → storage → processing → staging → outbound
• Trace one lot: BOL → receiving log → processing log → output documentation → downstream shipment proof
• Interview process owner(s) for data wiping, hazardous handling, and packing
• Sample PPE, labeling, segregation, and spill kits in the areas used for your material

Common findings to watch for:

• Mismatch between SOP and actual practice
• Incomplete wipe verification fields (e.g., missing operator ID or date/time)
• Containers missing labels or date
• Mass/serial reconciliation gaps
• Expired permits on the wall vs. current in the file

Close-out:

• Classify findings (minor/major)
• Agree on CAPA owners and due dates
• Record updated risk score if warranted

---

9) Handling multi-hop downstreams (beyond your first vendor)

If your vendor sends material to a further processor, you still need adequate assurance that the final path is legitimate. Practical approach:

• Require your vendor to disclose the named downstream for your material and keep an internal list.
• For low-risk streams, review the downstream’s public credentials and a sample invoice/BOL showing the path.
• For higher-risk streams (data-bearing, hazardous, export), perform at least a desktop review of the downstream, or obtain your vendor’s documented vetting results and sample permits.
• If the downstream changes, treat as a triggered review and pause shipments until reassessed.

---

10) Red flags and what to do immediately

Immediate holds on new shipments if you see any of the following:

• Claim of capacity far above the facility’s apparent scale
• Refusal to provide even basic evidence (permits, sample logs)
• Frequent name changes, shell companies, or mismatched addresses
• Export offers that seem too cheap relative to market recovery value
• Repeated delays in providing data wipe logs or mass balances

Action: escalate, notify management, log a potential nonconformity, and require corrective actions before resuming shipments.

---

11) Recordkeeping: how long and how to organize

Keep at least:

• Risk score sheets and approval memos for each vendor
• DDQ responses + sample evidence reviewed
• Contract or PO terms containing your controls
• Monitoring artifacts (KPI reviews, email approvals, meeting notes)
• Audit checklists, findings, and CAPA closures
• Shipment-level traceability records (serials or mass balances)

Organization tip: one folder per vendor with subfolders: 01_Approval, 02_Contract, 03_Monitoring, 04_Audits, 05_Traceability. Keep a master index spreadsheet with vendor name, scope, risk tier, next review date, downstreams, and notes.

---

12) Typical nonconformities—and how to prevent them

• Approval too generic: Fix by issuing material-specific approval scopes and updating shipping instructions.
• Evidence not reviewed: Fix by adding a short checklist to every review (what you checked, date, initials).
• No trigger reviews: Fix with a one-page SOP listing triggers and responsible person; add a simple email template: “Triggered review opened because X.”
• Great policy, weak practice: Fix by training process owners on the exact documents auditors will ask for and doing quarterly internal spot checks.

---

13) Step-by-step SOP you can adopt

1. Initiate: business owner requests a new vendor; due-diligence lead opens a file and assigns provisional risk 30.
2. Collect: send DDQ and document pack list; receive samples.
3. Assess: score the five risk factors; write 1–2 lines rationale per factor.
4. Decide: draft approval memo with scope, controls, KPIs, cadence.
5. Contract: include control clauses; communicate packaging/labeling and reporting requirements.
6. Onboard: run a trial shipment (if applicable); validate documentation flow.
7. Monitor: review KPIs per cadence; log outcomes; adjust controls if needed.
8. Audit: schedule remote/on-site per risk or when triggered.
9. Re-approve: update risk score annually or after major changes; re-issue approval memo.
10. Retire: if terminated, record final status, reason, and where remaining material will go.

---

14) Quick templates (copy into your documents)

Risk score notes (per factor, 1–2 lines):

• Regulatory exposure: Handles Li-ion only; domestic processing; permits verified 2025-09—score 12.
• Data protection: No data handling for our scope—score 0.
• Process maturity: ISO-like system, training records sampled—score 8.
• Traceability: Mass balance reports monthly, variances <2%—score 6.
• Reputation/history: Stable ownership since 2017; no adverse media—score 4.
  Total: 30 → Moderate. Decision: approve for Li-ion consolidation; quarterly KPI review.

Triggered review email:
Subject: Triggered Review — [Vendor], [Reason]
Body: A change was reported: [permit expired/ownership change/downstream change/incident]. Shipments paused for this stream. We will reassess documents and confirm approval scope within [X] business days.

---

15) Final checklist (use before you ship)

• Material flow map updated; jurisdictions understood
• DDQ and sample evidence reviewed; risk score documented
• Approval memo with specific scope and expiry date issued
• Contract terms include downstream change notice, reporting, audit rights, data/EHS clauses
• KPI set and monitoring cadence scheduled on calendar
• Shipping/warehouse teams briefed on scope and packaging/labeling requirements
• Vendor file complete and indexed

---

Bottom line

Downstream due diligence under R2v3 is not about collecting the biggest binder—it’s about clear scope, justified risk decisions, and fresh evidence that shows your controls work in the real world. If you maintain a living vendor file with a logical risk score, material-specific approval, and consistent monitoring, you’ll satisfy auditors and, more importantly, keep your supply chain trustworthy.