Updated May 15, 2026 · 10 platforms evaluated

Top 10 Compliance Management Software for Supply Chain in 2026: A Buyer-First Comparison

Honest 2026 ranking of the 10 best supply chain compliance platforms for UFLPA, C-TPAT, CSDDD, LkSG, Modern Slavery, sanctions, and supplier audits.

By RiskWatch Editorial · Supply Chain Compliance Software Research

Verdict

TL;DR

If you import into the United States, sell into the EU, or run a multi-tier supplier network and need one platform to cover UFLPA forced-labor due diligence, CBP C-TPAT MSC supplier flow-down, EU CSDDD value-chain due diligence, German LkSG human-rights and environmental risk analysis, UK Modern Slavery Act s.54 statements, California SB-657 transparency disclosures, OFAC + EU + UN sanctions and denied-party screening, AEO with C-TPAT mutual recognition, ISO 28000:2022 supply-chain security, and ESRS S2 value-chain workers under CSRD, RiskWatch ranks first on our weighted score for the mid-market buyer building a defensible due-diligence file because UFLPA, C-TPAT MSC, CSDDD, LkSG, Modern Slavery, ISO 28000, ESRS S2, and supplier code of conduct libraries are pre-mapped and a single-tenant deployment satisfies importer-of-record data residency. EcoVadis is the right pick when ESG and sustainability scoring across 150,000+ rated suppliers drive the brief. ISNetworld and Avetta fit when contractor and field-supplier qualification (oil-and-gas, utilities, construction, manufacturing) is the load-bearing requirement. Sphera SupplyShift wins for Scope-3 supplier emissions and LCA depth. Sedex fits Tier-1 retail and FMCG ethical-trade brands running SMETA audits. MetricStream and IBM OpenPages serve Tier-1 enterprises that need broadest regulatory content under one data model. Pick by UFLPA detention-defensibility, CSDDD value-chain reach, sanctions-screening cadence, and pricing transparency, not by analyst-quadrant placement, because seven of the ten vendors here will not publish a list price.

Pick by use case

Where each platform fits

Mid-market US importer or EU-listed manufacturer running UFLPA + CSDDD + LkSG + Modern Slavery + ISO 28000 in one tenant
RiskWatch: Pre-mapped UFLPA, C-TPAT MSC, CSDDD, LkSG, UK Modern Slavery Act, California SB-657, ISO 28000:2022, OFAC sanctions, and supplier code of conduct libraries; cross-mapping engine auto-detects shared controls; single-tenant deployment for importer-of-record data residency.
Global brand running supplier ESG scoring across 150,000+ rated suppliers for CSRD ESRS S2
EcoVadis: 150,000+ rated suppliers; 21 CSR criteria across environment, labor and human rights, ethics, and sustainable procurement; medal scorecards and corrective action plans recognised by 1,400+ buyer organisations including L'Oréal, Unilever, Johnson & Johnson, Salesforce.
Oil-and-gas, utilities, construction, or heavy-industrial owner-operator running contractor qualification at scale
ISNetworld: 70,000+ Hiring Clients and 80,000+ Contractor Members across oil-and-gas, utilities, construction, and heavy manufacturing; HSE statistics review, RAVS document audits, MSQ supplier qualification, and TRIR / DART benchmarking that owner-operators use for prequalification gates.
Commercial construction, facilities-management, retail, or property management running supplier safety + insurance + sustainability
Avetta: 130,000+ supplier network; strong in commercial construction, facilities management, telecom, and retail; insurance-certificate tracking, COI verification, OSHA log audits, and sustainability scorecards in one platform.
Tier-1 retail or FMCG brand running ethical-trade audits against SMETA, BSCI, or SA8000
Sedex: 85,000+ member businesses; SMETA (Sedex Members Ethical Trade Audit) is the most-used social audit globally; Risk Assessment Tool maps human-rights, labour, health-and-safety, environment, and business-integrity exposure across the supplier base.
Global shipper or manufacturer closing the Scope-3 supplier emissions and LCA gap before CSRD
Sphera (SupplyShift): Blackstone-owned since $1.4B Sept 2021; SupplyShift acquired January 2024 added 100,000-supplier network; deepest LCA and Scope 1-3 ESG; CSRD ESRS E1 and S2 readiness; Verdantix Green Quadrant Leader 2025.
Tier-1 enterprise running broadest regulatory content (UFLPA + CSDDD + LkSG + OFAC + AEO + ISO 28000)
MetricStream: Late-stage private (Clearlake + Goldman); broadest regulatory content library covering UFLPA, CSDDD, LkSG, Modern Slavery, OFAC sanctions, AEO, ISO 28000; modular ConnectedGRC across TPRM + Compliance + Audit + BCM + OpRisk at G-SIB and Fortune 100 scale.
Public-company importer running SOX 404 + supplier audits + ESG + CSDDD value-chain due diligence together
Optro (formerly AuditBoard): Hg Capital owned since May 2024 $3B+; rebranded 9 March 2026; 1,585+ G2 reviews 4.6/5; CrossComply multi-framework module overlays UFLPA + CSDDD + LkSG + Modern Slavery + ISO 28000 on top of SOX 404 + ICFR; serves 50%+ of the Fortune 500.
Banking, insurance, and regulated-finance buyer needing AI-assisted regulatory-change tracking on the value chain
IBM OpenPages with watsonx: 30+ years of OpenPages heritage; watsonx Assistant for regulatory-change tracking against UFLPA + CSDDD + LkSG + OFAC + ESRS updates; runs on IBM Cloud and Azure; chosen by 6 of the 10 largest global banks.
Large enterprise running supply-chain investigations, denied-party screening, and supplier-fraud case management
Resolver (Kroll Business): Kroll-owned since March 2022; safeguards $6.5T in market cap across 1,000+ companies; supply-chain investigations workflow + threat intelligence; strongest case management for supplier fraud, sanctions hits, and forced-labour allegations.

Supply-chain compliance is its own buyer category, distinct from logistics compliance even though the two overlap. A US importer triaging a UFLPA detention has a different brief from a 3PL renewing a C-TPAT certification, even though both touch the Customs-Trade Partnership Against Terrorism Minimum Security Criteria. An EU-listed manufacturer building a CSDDD value-chain due-diligence file has a different brief from a German Tier-1 building an LkSG risk-analysis cycle under BAFA, even though both run on the same human-rights and environmental due-diligence skeleton. A retailer responding to a California SB-657 Transparency in Supply Chains Act disclosure request has a different brief from a UK plc publishing its Modern Slavery Act s.54 statement, even though both anchor on supplier code of conduct attestation. And a global FMCG closing the Scope-3 supplier emissions gap for its first CSRD report has a different brief from an oil-and-gas owner-operator running contractor prequalification at scale. The ten platforms in this ranking each fit at least one of those briefs; none fits all five equally well.

We considered 24 platforms across G2 Grid leaderboards for Supplier Risk, Third-Party Risk, GRC, and Supplier Sustainability; Capterra Shortlist for Supply Chain Compliance, Contractor Management, and ESG Reporting; Gartner Peer Insights for IT Risk Management; Verdantix Green Quadrant ESG 2025; and the CBP Forced Labor and UFLPA software landscape published with the 2025 Strategy update. We cut to ten by removing pure customs-brokerage transactional systems (Descartes, e2open Global Trade Management, Thomson Reuters ONESOURCE Global Trade) that handle HS-code classification and entry filing rather than due-diligence compliance, removing pure track-and-trace and traceability platforms (Sourcemap, Transparency-One, Authena, Z2Data) that capture supplier-of-supplier graphs rather than control evidence, removing pure forced-labour-screening point tools (Kharon, Sayari, Altana, Verisk Maplecroft, Visual Compliance) that score risk rather than manage the compliance programme, removing pure ethical-trade audit body offerings without a software backbone (BSCI alone, SA8000 alone, ICTI alone), and removing single-purpose contractor-only vendors (Veriforce, Browz) that compete with Avetta and ISNetworld but trail on supplier network density. The result is ten platforms a real supply-chain compliance buying committee would actually shortlist in 2026.

CBP detained 7,325 shipments under the UFLPA rebuttable presumption in FY 2025, a 51% increase from FY 2024 (4,850), per the 2026 CBP UFLPA Statistics Dashboard update; November 2024 set a monthly record at 648 detentions; automotive and aerospace detentions surged 1,580% between 2023 and 2024 under the expanded High-Priority Sector list (lithium, copper, steel, PVC, aluminium) introduced in the 2025 DHS Strategy update. The Ninestar Corp. v. United States precedent closed the judicial backdoor for rebuttal: importers must produce clear-and-convincing evidence (commercial invoices, payment records, bills of lading, factory records, and balance-of-materials reports) at every tier. The EU CSDDD Omnibus I reform (Directive 2026/470, adopted 24 February 2026) narrowed scope but locked in core value-chain due-diligence obligations for undertakings with 1,000+ employees and EUR 1.5B+ turnover; member states transpose by 26 July 2027 with full application 26 July 2029. The German LkSG BAFA audit cadence intensified in 2026 with fines up to 2% of global turnover or EUR 8M for ongoing breaches. Pricing transparency in this segment is poor. Seven of the ten platforms here gate pricing behind a demo. We have triangulated prices for the opaque vendors from at least two independent third-party sources and dated each estimate to 2026-05-14. Mid-market supply-chain-compliance buyers (200-2,000 employees, importing into US, EU, or UK markets) typically land at $30K-$150K per year on licence plus 15-25% implementation; Tier-1 enterprise picks (MetricStream, IBM OpenPages, Optro) start above $150K per year.

At-a-glance

Comparison table

The 10 platforms are scored on the methodology weights at the bottom of this page. The pricing-transparency column is the buyer-honesty signal.

Columns: rank, product (vendor), best for, pricing transparency, G2 rating and review count, verdict.

1. RiskWatch (RiskWatch International)
   Best for: Mid-market US importers, EU-listed manufacturers, retailers, FMCG brands, and defence primes (200-5,000 employees) running UFLPA + C-TPAT + CSDDD + LkSG + Modern Slavery + California SB-657 + ISO 28000 in one tenant who also want supplier code of conduct attestation, supplier-site physical-security assessment, and first-class customer-audit response packs for Tier-1 buyers and regulators.
   Pricing transparency: Partial
   G2: 4.5/5 (60+ reviews)
   Verdict: Pre-built control libraries for UFLPA supplier due diligence and detention-response,...

2. EcoVadis (EcoVadis SAS)
   Best for: Global brands and Tier-1 buyer organisations (1,000+ employees) using EcoVadis medals as supplier-onboarding gates and CSRD ESRS S2 value-chain workers evidence; procurement-led ESG programmes that need a defensible third-party score across thousands of suppliers.
   Pricing transparency: Opaque
   G2: 4.3/5 (180+ reviews)
   Verdict: Largest independent supplier-sustainability rating network globally with 150,000+...

3. ISNetworld (ISN Software Corporation)
   Best for: Oil-and-gas operators, midstream pipeline owners, utilities, mining operators, chemical-plant owners, and large construction or manufacturing owner-operators running contractor prequalification at scale with HSE statistics, RAVS document audits, and COI tracking as the load-bearing brief.
   Pricing transparency: Opaque
   G2: 4.0/5 (220+ reviews)
   Verdict: 70,000+ Hiring Clients and 80,000+ Contractor Members; deepest network density in oil...

4. Avetta (Avetta, LLC)
   Best for: Commercial construction owner-operators, facilities-management providers, retail and property management chains, telecom infrastructure builders, and mid-Tier energy and resources buyers (1,000-50,000 employees) running supplier qualification with insurance, OSHA logs, EMR, SDS, and sustainability scorecards.
   Pricing transparency: Opaque
   G2: 4.1/5 (280+ reviews)
   Verdict: 130,000+ supplier network; strong in commercial construction, FM, telecom, retail, and...

5. Sedex (Sedex Information Exchange Limited)
   Best for: Tier-1 retail and FMCG brands and their suppliers running ethical-trade due-diligence via SMETA audits, UK Modern Slavery Act s.54 statements, California SB-657 disclosures, and BSCI / SA8000 social-audit programmes. Most powerful when the buying committee already mandates Sedex membership as a contract clause.
   Pricing transparency: Opaque
   G2: 4.0/5 (120+ reviews)
   Verdict: 85,000+ member businesses across 180+ countries; deepest network in Tier-1 retail and...

6. Sphera (SupplyShift) (Sphera Solutions, Inc.)
   Best for: Global shippers, manufacturers, oil-and-gas operators, chemicals, consumer-goods, and automotive enterprises (5,000-100,000 employees) running deepest LCA + Scope-3 supplier emissions + CSRD ESRS E1 climate + ESRS S2 value-chain workers + chemical compliance under one ESG and EHS platform.
   Pricing transparency: Opaque
   G2: 4.2/5 (200+ reviews)
   Verdict: Deepest LCA (Life-Cycle Assessment) bench in the category; GaBi LCA database supports...

7. MetricStream (MetricStream, Inc.)
   Best for: Tier-1 global manufacturers, multi-brand FMCG holdings, G-SIB banks with supply-finance exposure, and Tier-1 import / export enterprises (5,000-100,000 employees) needing broad regulatory content across UFLPA, CSDDD, LkSG, Modern Slavery, OFAC, AEO, ISO 28000 in one platform.
   Pricing transparency: Opaque
   G2: 4.3/5 (240+ reviews)
   Verdict: Broadest regulatory content library of any platform in this ranking; pre-loaded...

8. Optro (formerly AuditBoard) (Optro, Inc.)
   Best for: Public-company importers, global manufacturer holdings (Tier-1 retail, FMCG, automotive, electronics) running SOX 404 + ESG reporting + supplier audits + CSDDD value-chain due diligence; multi-business-unit enterprises that want one platform across internal audit, SOX, supplier risk, and ESG.
   Pricing transparency: Opaque
   G2: 4.6/5 (1820+ reviews)
   Verdict: 1,585 G2 reviews at 4.6/5 (May 2026), the highest review volume in the category; named...

9. IBM OpenPages with watsonx (IBM Corporation)
   Best for: G-SIB banks, top-20 insurance carriers, and large financial institutions with supply-finance exposure (10,000-200,000 employees) running OpenPages already and needing to extend GRC across UFLPA + CSDDD + LkSG + OFAC under the watsonx AI overlay. Also fits Tier-1 manufacturers and importers already standardised on IBM Cloud or Azure.
   Pricing transparency: Opaque
   G2: 4.2/5 (90+ reviews)
   Verdict: 30+ years of OpenPages heritage; one of the longest-running GRC platforms in the...

10. Resolver (Kroll Business) (Resolver Inc., a Kroll Business)
   Best for: Large retailers, financial-services holdings, energy operators, and manufacturers (2,000-100,000 employees) running supply-chain investigations, sanctions and watch-list hits, forced-labour allegations, and supplier-fraud workflow as a load-bearing brief. Strongest when paired with Kroll Risk Intelligence and adverse-media feeds.
   Pricing transparency: Opaque
   G2: 4.4/5 (320+ reviews)
   Verdict: Strongest case-management workflow in the category for supply-chain investigations,...
Calculator

Estimate the licence cost

The estimates below are shown for a 500-employee headcount and use each vendor's published or triangulated tiers. Opaque vendors show "Contact sales".
RiskWatch: Professional (≤ 1,000 employees), $36,000/yr
EcoVadis: Buyer subscription (est.), quote-only tier, Contact sales
ISNetworld: Multi-Hiring-Client Contractor (est.), quote-only tier, Contact sales
Avetta: Supplier Premium (est.), quote-only tier, Contact sales
Sedex: AB Member buyer (est.), quote-only tier, Contact sales
Sphera (SupplyShift): Mid-enterprise modular (est.), quote-only tier, Contact sales
MetricStream: Mid-enterprise modular (est.), quote-only tier, Contact sales
Optro (formerly AuditBoard): Starter (est.), quote-only tier, Contact sales
IBM OpenPages with watsonx: Mid-enterprise (est.), quote-only tier, Contact sales
Resolver (Kroll Business): Mid-enterprise (est.), quote-only tier, Contact sales

Estimates only. Opaque-pricing vendors do not publish list prices; bands are triangulated from public third-party sources dated 2026-05-15. Implementation services, module add-ons, and renewal escalators are extra.

Pick your own weights

Decision matrix

Default weights match the methodology at the bottom of this page. Drag the sliders to match your priorities and re-rank in real time.

Ease of use (20%): How quickly a non-technical control owner reaches first value
Feature breadth (20%): Module coverage across ERM, IT, audit, TPRM, BC
Value (20%): Price to value ratio at mid-market
Customer support (15%): Quality and responsiveness of vendor support
Scalability (15%): Handling 5,000+ employees, multiple entities, regions
Integrations (10%): Breadth of native connectors and APIs

Weights sum: 100%
Weighted score at the default weights (editorial rank in brackets):

  1. RiskWatch (editorial rank #1): 8.64
  2. Optro (formerly AuditBoard) (editorial rank #8): 8.46
  3. EcoVadis (editorial rank #2): 8.33
  4. MetricStream (editorial rank #7): 8.11
  5. Sphera (SupplyShift) (editorial rank #6): 8.05
  6. IBM OpenPages with watsonx (editorial rank #9): 8.03
  7. Resolver (Kroll Business) (editorial rank #10): 7.99
  8. Avetta (editorial rank #4): 7.75
  9. Sedex (editorial rank #5): 7.71
  10. ISNetworld (editorial rank #3): 7.68
Switching cost

Migration matrix

Read row-to-column. Row = today's platform, column = tomorrow's. Colour reflects realistic switching effort, not vendor sales pitches.

Columns (tomorrow's platform), in order: 1 RiskWatch, 2 EcoVadis, 3 ISNetworld, 4 Avetta, 5 Sedex, 6 Sphera, 7 MetricStream, 8 Optro, 9 IBM OpenPages with watsonx, 10 Resolver.

From \ To                    1  2  3  4  5  6  7  8  9  10
RiskWatch                    .  E  M  M  M  M  H  E  H  M
EcoVadis                     E  .  M  E  M  M  M  E  M  E
ISNetworld                   M  E  .  E  E  M  M  E  M  E
Avetta                       M  E  E  .  E  M  M  M  M  E
Sedex                        M  M  E  E  .  M  H  M  M  E
Sphera                       E  E  E  E  E  .  E  E  E  E
MetricStream                 E  E  E  E  E  E  .  E  E  E
Optro                        E  E  M  M  M  M  H  .  H  M
IBM OpenPages with watsonx   E  E  E  E  E  E  E  E  .  E
Resolver                     E  E  E  E  E  M  M  E  M  .

Legend: Easy (E), Moderate (M), Hard (H); "." marks the same platform (no migration). Source: per-vendor migration field with radar-profile fallback. Treat as a directional guide, not a quote.
Methodology

How we scored and why you should trust it

The methodology is the only thing keeping this page honest. Read it carefully and apply your own weights in the decision matrix above.

RiskWatch published this ranking. RiskWatch accepts no affiliate fees, sponsorship money, or paid placements on this page. RiskWatch is also in the ranking, at #1, in the mid-market and regional supply-chain-compliance segment for which our platform is built. Readers should weigh that disclosure against the published evidence on this page.

We scored each of the ten platforms on six axes using the playbook default weights: Ease of Use (20%), Feature Breadth (20%), Value (20%), Customer Support (15%), Scalability (15%), and Integrations (10%). Scores are 0-10 and calibrated within this supply-chain-compliance category (highest features 9.4, lowest 7.0). Ratings reference G2, Capterra, and Gartner Peer Insights figures pulled 2026-05-14. Pricing reflects the most-recent published or triangulated figures, also pulled 2026-05-14; where pricing is opaque we report a range based on two or more independent third-party sources (SmartSuite, ITQlick, Vendr, GetApp, Capterra, ComplianceQuest).

Supply-chain-specific evaluation criteria layered on top: UFLPA rebuttable-presumption response packs and CBP detention defensibility, C-TPAT MSC supplier flow-down, CSDDD value-chain due-diligence workflow under Directive 2026/470 (Omnibus I), German LkSG risk analysis aligned with BAFA enforcement, UK Modern Slavery Act s.54 statement workflow, California SB-657 disclosure workflow, OFAC SDN + BIS Entity List + EU Consolidated + UN Security Council screening cadence, AEO with C-TPAT mutual recognition, ISO 28000:2022 supply-chain security control set, and ESRS S2 value-chain workers reporting under CSRD. We re-verify this page quarterly.

Weights used in the editorial ranking

Ease of use: 20%
Feature breadth: 20%
Value: 20%
Customer support: 15%
Scalability: 15%
Integrations: 10%
#1

RiskWatch

RiskWatch International · Founded 1993 · Annapolis, MD, USA

Mid-market supply-chain compliance platform with UFLPA, C-TPAT, CSDDD, LkSG, and ISO 28000 pre-mapped.

Partial pricing · G2 4.5 · Capterra 4.6 · 60+ reviews

Summary

RiskWatch ships a compliance assessment platform built around pre-mapped control libraries for 40+ regulatory frameworks including UFLPA (Uyghur Forced Labor Prevention Act) supplier-due-diligence and detention-response workflow, C-TPAT (Customs-Trade Partnership Against Terrorism Minimum Security Criteria) supplier flow-down, EU CSDDD (Corporate Sustainability Due Diligence Directive) value-chain workflow under Directive 2026/470, German LkSG (Lieferkettensorgfaltspflichtengesetz) risk analysis aligned with BAFA, UK Modern Slavery Act s.54 statement workflow, California SB-657 Transparency in Supply Chains Act disclosure workflow, AEO with C-TPAT mutual recognition, ISO 28000:2022 supply-chain security management, ESRS S2 value-chain workers reporting, OFAC + BIS + EU + UN sanctions screening, and supplier code of conduct attestation. The platform runs on a survey-based assessment engine plus an evidence vault and a cross-mapping engine that auto-detects shared controls across UFLPA, C-TPAT, CSDDD, LkSG, and ISO 28000. First-party physical-security assessment for supplier sites, warehouses, distribution centres, and cross-docks runs in the same tenant. Customers include US importers, EU-listed manufacturers, retailers, FMCG brands, and defence primes. The product has been in the field since 1993; single-tenant deployment is available for importer-of-record data residency.

Strengths
  • Pre-built control libraries for UFLPA supplier due diligence and detention-response, C-TPAT MSC supplier flow-down, EU CSDDD under Directive 2026/470, German LkSG, UK Modern Slavery Act s.54, California SB-657, ISO 28000:2022, AEO + WCO SAFE Framework, ESRS S2 value-chain workers, OFAC + BIS + EU + UN sanctions, and supplier code of conduct in one tenant
  • Cross-mapping engine auto-detects shared controls across UFLPA, C-TPAT, CSDDD, LkSG, and ISO 28000 so import compliance, ESG, procurement, and security teams all draw from the same evidence vault
  • UFLPA rebuttable-presumption response pack workflow: commercial invoices, payment records, bills of lading, factory records, and balance-of-materials evidence assembled in the format CBP examiners request after a detention
  • 33-year operating history with US state, federal, and regulated-industry customers; customer-audit export packs are first-class output, useful when a Tier-1 buyer requests a UFLPA, CSDDD, LkSG, or Modern Slavery evidence pack on 48-hour notice
  • Vendor and supplier risk management with multi-tier supplier attestation; supplier code of conduct distribution and acknowledgement tracking at scale
  • Single-tenant deployment with customer-owned data residency, an advantage for ITAR / EAR controlled defence supply chains, EU data-locality, and importer-of-record CUI handling under DFARS 252.204-7012
  • Survey-based assessment engine works for non-technical control owners (procurement managers, supplier-quality engineers, customs analysts) without a workflow-builder learning curve
  • Published support-tier ladder; buyers can see what each tier includes without first sitting through a gated demo
Weaknesses
  • No native multi-tier supplier graph at the Sayari, Altana, Kharon, or Z2Data depth; RiskWatch is a compliance platform, not a forensic supplier-of-supplier traceability engine. Pair it with one of those tools if the brief is UFLPA tier-N forensic tracing rather than attestation evidence.
  • No native sustainability-scoring network at the EcoVadis or Sphera SupplyShift depth; manual supplier-ESG attestation rather than a 150,000-supplier rated network for benchmark scoring.
  • No native contractor-prequalification network at the ISNetworld or Avetta depth; not the right pick if the load-bearing brief is owner-operator contractor qualification at oil-and-gas, utilities, or heavy-industrial scale.
  • No native ethical-trade audit body certification programme at the Sedex SMETA, BSCI, or SA8000 depth; pair with a SMETA-affiliated audit body if your Tier-1 retail brand requires the SMETA badge.
  • Public pricing is partial; typical contract bands published but Enterprise is quote-only because deployment topology varies materially across multi-supplier, multi-country importer networks.
  • Brand awareness on G2 and Capterra is lower than MetricStream, Optro, EcoVadis, or Sedex for the enterprise supply-chain buyer cohort; total third-party review volume sits below 100.
Best for

Mid-market US importers, EU-listed manufacturers, retailers, FMCG brands, and defence primes (200-5,000 employees) running UFLPA + C-TPAT + CSDDD + LkSG + Modern Slavery + California SB-657 + ISO 28000 in one tenant who also want supplier code of conduct attestation, supplier-site physical-security assessment, and first-class customer-audit response packs for Tier-1 buyers and regulators.

Worst for

Tier-1 OEMs whose dominant requirement is sub-tier-N supplier-graph forensics; Sayari, Altana, or Kharon fit that brief better. Also wrong for owner-operators whose dominant requirement is contractor prequalification at oil-and-gas or utilities scale; ISNetworld or Avetta fit that brief better. Also wrong for the buyer whose primary need is the EcoVadis medal badge on a corporate scorecard; that is a network-effect outcome RiskWatch does not replicate.

Key features

  • Pre-built control libraries for UFLPA, C-TPAT MSC, CSDDD, LkSG, UK Modern Slavery Act, California SB-657, AEO + WCO SAFE, ISO 28000:2022, ESRS S2, OFAC + BIS + EU + UN sanctions
  • Cross-mapping engine that auto-detects shared controls across UFLPA, C-TPAT, CSDDD, LkSG, and ISO 28000
  • UFLPA rebuttable-presumption response pack workflow with CBP-format evidence assembly
  • Supplier code of conduct distribution, acknowledgement tracking, and multi-tier attestation
  • Evidence vault with versioning and customer-audit-ready export packs
  • Vendor and supplier risk management with sanctions, SOC 2, ISO 27001, and BAA tracking
  • Survey-based assessment engine for non-technical control owners (procurement managers, supplier-quality engineers, customs analysts)
  • Single-tenant deployment for ITAR / EAR, EU data-locality, and CUI under DFARS 252.204-7012

Integrations

25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.

Target size

200 to 25,000 employees · US · Canada · EU · UK · AU

#2

EcoVadis

EcoVadis SAS · Founded 2007 · Paris, France

Global supplier-sustainability ratings network for ESG, CSRD ESRS S2, and value-chain due diligence.

Opaque pricing · G2 4.3 · Capterra 4.4 · 180+ reviews

Summary

EcoVadis was founded in 2007 in Paris by Pierre-François Thaler and Frédéric Trinel and has built the largest independent business-sustainability rating network in the market, with 150,000+ rated companies across 200+ industries and 175+ countries. The platform scores suppliers on 21 CSR criteria across four pillars (environment, labour and human rights, ethics, sustainable procurement) and issues a Bronze / Silver / Gold / Platinum medal. 1,400+ multinational buyer organisations including L'Oréal, Unilever, Johnson & Johnson, Salesforce, Mars, and Schneider Electric use the medal scorecards as supplier-onboarding gates. For CSRD ESRS S2 value-chain workers reporting and CSDDD due-diligence evidence reuse, EcoVadis is the de-facto standard buyer-side score. Pricing is subscription per supplier rated; opaque, but typically lands at $5K-$15K per buyer subscription plus per-rating fees.

Strengths
  • Largest independent supplier-sustainability rating network globally with 150,000+ rated suppliers across 200+ industries; network effect means most of your suppliers are already rated
  • 21 CSR criteria scoring across environment, labour and human rights, ethics, and sustainable procurement aligned to UN Global Compact, ILO, GRI, and ISO 26000; defensible methodology
  • 1,400+ multinational buyer organisations use EcoVadis scorecards, including L'Oréal, Unilever, Johnson & Johnson, Salesforce, Mars; medal recognition reduces supplier-onboarding friction
  • Medal scorecards (Bronze / Silver / Gold / Platinum) with corrective action plans give procurement teams a defensible audit trail for CSRD ESRS S2 value-chain workers reporting
  • EcoVadis Academy training for suppliers, EcoVadis IQ Plus continuous-monitoring AI for adverse-media and 360-degree risk, EcoVadis Carbon Action Module for Scope-3 reduction
  • Verdantix Green Quadrant Leader for Supplier Sustainability ratings 2024 and 2025; G2 Leader in Supplier Risk and Supplier Sustainability
Weaknesses
  • EcoVadis is a scoring service, not a compliance management platform; if you need a UFLPA detention-response pack, a Modern Slavery Act s.54 workflow, or a CBP C-TPAT MSC binder you will still need a GRC backbone underneath
  • Pricing is opaque and dual-sided: buyers pay a subscription, suppliers pay to be rated; small and mid-market suppliers complain the per-rating fee gates participation
  • Medal score reflects what the supplier discloses, not forensic supplier-of-supplier traceability; EcoVadis is not a substitute for UFLPA tier-N forensics from Sayari, Altana, or Kharon
  • Rating refresh is annual; for fast-moving sanctions events or UFLPA Entity List additions, the medal is stale until the next cycle
  • G2 and Capterra reviews note long onboarding cycles for newly rated suppliers and inconsistent rating quality across industries; some categories (apparel, electronics) are deeper than others (construction inputs)
  • Implementation requires procurement-team change management; suppliers must complete a questionnaire and upload evidence which can take 4-12 weeks per supplier
Best for

Global brands and Tier-1 buyer organisations (1,000+ employees) using EcoVadis medals as supplier-onboarding gates and CSRD ESRS S2 value-chain workers evidence; procurement-led ESG programmes that need a defensible third-party score across thousands of suppliers.

Worst for

Buyers who need an end-to-end compliance management platform (UFLPA + CSDDD + LkSG + Modern Slavery workflow with evidence vault, control mapping, and audit-pack export). EcoVadis is the supplier scorecard, not the GRC backbone. Also wrong if you need forensic supplier-of-supplier tracing (use Sayari / Altana / Kharon).

Key features

  • Supplier sustainability scoring across 21 CSR criteria aligned to UN Global Compact, ILO, GRI, ISO 26000
  • Bronze / Silver / Gold / Platinum medal scorecards with corrective action plans
  • EcoVadis IQ Plus continuous-monitoring AI for adverse-media and 360-degree risk
  • Carbon Action Module for Scope-3 supplier emissions reduction
  • EcoVadis Academy supplier training
  • Industry-benchmarked scoring across 200+ industries and 175+ countries
  • API access for embedding scorecards into procurement workflow
  • CSRD ESRS S2 value-chain workers reporting evidence

Integrations

40+ native. Notable: SAP Ariba, Coupa, Oracle Procurement Cloud, JAGGAER, Ivalua, Microsoft Entra ID, Workday.

Target size

500 to 200,000 employees · US · Canada · EU · UK · AU · APAC · LATAM · MEA

#3

ISNetworld

ISN Software Corporation · Founded 2001 · Dallas, TX, USA

Contractor-prequalification network for oil-and-gas, utilities, construction, and heavy-industrial owner-operators.

Opaque pricing · G2 4.0 · Capterra 4.1 · 220+ reviews

Summary

ISN Software Corporation launched ISNetworld in 2001 in Dallas as a contractor prequalification platform purpose-built for owner-operator industries with heavy contractor exposure. The platform serves 70,000+ Hiring Clients and 80,000+ Contractor Members across oil and gas, utilities, mining, chemicals, construction, manufacturing, transportation, and forestry. ISNetworld is the de-facto standard for HSE (health, safety, environment) prequalification in upstream and midstream energy and in regulated-industry contractor management. Core workflow covers MSQ supplier qualification, RAVS document audits, HSE statistics review, TRIR and DART benchmarking, and insurance certificate (COI) tracking. Pricing is opaque and dual-sided: contractors pay an annual subscription to participate; owner-operators pay a separate Hiring Client subscription.

Strengths
  • 70,000+ Hiring Clients and 80,000+ Contractor Members; deepest network density in oil and gas, utilities, mining, and heavy construction in North America
  • RAVS (Review and Verification Services) document audit team verifies contractor-submitted safety, training, insurance, and HSE documents; this is a third-party verification step, not self-attestation
  • TRIR (Total Recordable Incident Rate) and DART (Days Away, Restricted, or Transferred) benchmarking against industry peers; defensible HSE prequalification metric
  • MSQ (Management System Questionnaire) covers HSE management, training, sub-contractor management, drug and alcohol programmes, and 15+ regulatory categories
  • COI (Certificate of Insurance) tracking with carrier verification; eliminates expired or fraudulent COI exposure
  • Established 24-year operating history; deepest customer references in upstream energy (ExxonMobil, Chevron, Shell, BP, Occidental) and midstream pipeline (Enterprise, Energy Transfer, Williams)
Weaknesses
  • Onboarding can span several weeks to several months depending on documentation quality and client-specific requirements; maintaining acceptable grades demands ongoing weekly attention from the contractor
  • Pricing for contractors starts at $875+ per subscription per year and rises with multi-Hiring-Client subscriptions; smaller subcontractors complain the fee is gate-keeping rather than value-add
  • Limited fit outside the contractor / HSE prequalification brief; ISNetworld is not a GRC platform, not a UFLPA workflow, not a CSDDD workflow, not a CBP C-TPAT MSC binder
  • Network effect is asymmetric across industries; deep in oil and gas and utilities, thinner in commercial construction, FM, telecom, and retail where Avetta dominates
  • Reporting and dashboard UX is dated relative to newer contractor-management platforms; G2 reviewers cite navigation friction and report-export limitations
  • No native CSDDD, LkSG, UFLPA, or Modern Slavery framework libraries; the social-due-diligence layer is not the product
Best for

Oil-and-gas operators, midstream pipeline owners, utilities, mining operators, chemical-plant owners, and large construction or manufacturing owner-operators running contractor prequalification at scale with HSE statistics, RAVS document audits, and COI tracking as the load-bearing brief.

Worst for

Brand-name retail or FMCG buyers whose dominant brief is supplier-ESG scoring or ethical-trade audits; EcoVadis or Sedex fit that brief better. Also wrong as a GRC backbone for UFLPA + CSDDD + LkSG + Modern Slavery compliance evidence (ISN is contractor-HSE prequalification, not multi-framework compliance management).

Key features

  • MSQ (Management System Questionnaire) prequalification
  • RAVS document audits by ISNetworld review team
  • HSE statistics review and TRIR / DART benchmarking
  • COI (Certificate of Insurance) tracking with carrier verification
  • Training and competency tracking
  • Drug and alcohol programme verification
  • Sub-contractor management
  • Owner-operator custom MSQ configuration

Integrations

30+ native. Notable: SAP Ariba, Oracle Procurement Cloud, Coupa, Maximo, SAP S/4HANA, Custom REST API.

Target size

50 to 100,000 employees · US · Canada · UK · AU · LATAM

#4

Avetta

Avetta, LLC · Founded 2003 · Lehi, UT, USA

Contractor and supplier-management network for commercial construction, FM, retail, and telecom.

Opaque pricing · G2 4.1 · Capterra 4.2 · 280+ reviews

Summary

Avetta was founded in 2003 (originally as PICS Auditing) and has grown into one of the largest contractor and supplier management networks alongside ISNetworld. The platform serves 130,000+ suppliers and connects them to 500+ Tier-1 buyer clients across commercial construction, facilities management, telecom, retail, property management, oil and gas, utilities, and food and beverage. Where ISNetworld leads in upstream energy and heavy-industrial HSE prequalification, Avetta is stronger in commercial construction, FM, retail, telecom, and property management with deeper ESG and sustainability functionality. Core workflow covers PreQual supplier qualification, insurance-certificate tracking, OSHA log audits, MSDS / SDS chemical safety management, sustainability scorecards, and worker-management visibility.

Strengths
  • 130,000+ supplier network; strong in commercial construction, FM, telecom, retail, and property management where ISNetworld is thinner
  • PreQual supplier qualification with insurance-certificate (COI) verification, OSHA log audits, EMR (Experience Modification Rate) verification, and chemical-safety SDS management
  • Sustainability scorecards with Scope-1, Scope-2, and Scope-3 supplier emissions data; ESG functionality stronger than ISNetworld
  • Worker-management visibility for site-access control (badge issuance, training verification, watch-list screening) where the buyer owns the site
  • 500+ Tier-1 buyer clients including Shell, BHP, Estee Lauder, Hershey, Carnival, AECOM, Skanska; broad recognition outside upstream energy
  • Pricing for suppliers is $450-$900 per subscription per year, a lower entry point than ISNetworld's $875+, per the ITQlick 2026 teardown
Weaknesses
  • Like ISNetworld, Avetta is a contractor / supplier qualification network, not a GRC platform; no native UFLPA + CSDDD + LkSG + Modern Slavery framework libraries
  • Acquisition history (BROWZ 2019, Mind Click 2022, Pegasus 2023) creates platform-integration debt; G2 reviewers cite UI inconsistency across acquired modules
  • Pricing is opaque on the buyer (Hiring Client) side; pricing teardowns show $50K-$200K+ buyer subscriptions but no published list
  • Sustainability scoring depth trails EcoVadis and Sphera SupplyShift for buyers running CSRD ESRS S2; Avetta scorecards are buyer-private rather than industry-recognised medals
  • Customer-support response times reported as inconsistent across G2 and Capterra reviews; suppliers cite ticket-resolution times of 5-10 business days
  • No native UFLPA rebuttable-presumption response pack or CBP detention-response workflow; not the right pick if the load-bearing brief is import-compliance evidence
Best for

Commercial construction owner-operators, facilities-management providers, retail and property management chains, telecom infrastructure builders, and mid-Tier energy and resources buyers (1,000-50,000 employees) running supplier qualification with insurance, OSHA logs, EMR, SDS, and sustainability scorecards.

Worst for

Upstream-energy and midstream-pipeline owner-operators whose dominant brief is RAVS audits and HSE statistics; ISNetworld fits that brief better. Also wrong for buyers needing UFLPA + CSDDD + LkSG GRC backbone (Avetta is a network, not a compliance management platform). Also wrong for buyers whose primary need is the industry-recognised EcoVadis medal scorecard.

Key features

  • PreQual supplier qualification
  • Insurance-certificate (COI) verification and tracking
  • OSHA log audits and EMR verification
  • Chemical-safety SDS / MSDS management
  • Sustainability scorecards with Scope-1, Scope-2, Scope-3 supplier emissions
  • Worker-management visibility for site-access control
  • Sub-contractor management
  • Buyer-side dashboard with supplier-risk heatmap

Integrations

35+ native. Notable: SAP Ariba, Coupa, Oracle Procurement Cloud, Maximo, Workday, Microsoft Entra ID, Salesforce.

Target size

50 to 100,000 employees · US · Canada · UK · EU · AU · LATAM

#5

Sedex

Sedex Information Exchange Limited · Founded 2004 · London, UK

Ethical-trade member network for Tier-1 retail and FMCG running SMETA, BSCI, and SA8000.

Opaque pricing · G2 4.0 · Capterra 4.1 · 120+ reviews

Summary

Sedex (Supplier Ethical Data Exchange) was founded in 2004 in London as a not-for-profit, member-owned ethical-trade collaboration platform. The platform has 85,000+ member businesses across 180+ countries and is best known for SMETA (Sedex Members Ethical Trade Audit), the most widely used social audit globally with 350,000+ audits completed. Core workflow covers ethical-trade self-assessment (SAQ), SMETA audit results, the Risk Assessment Tool (RAT), and supplier-data exchange across labour standards, health and safety, environment, and business integrity. Retail and FMCG brands (Tesco, Sainsbury's, M&S, Walmart, Ahold Delhaize, Coca-Cola, PepsiCo, Mars, Unilever) use Sedex to manage their ethical-trade supplier base.

Strengths
  • 85,000+ member businesses across 180+ countries; deepest network in Tier-1 retail and FMCG ethical-trade
  • SMETA (Sedex Members Ethical Trade Audit) is the most widely used social audit globally with 350,000+ completed; defensible audit evidence for UK Modern Slavery Act s.54 statements and California SB-657 disclosures
  • Risk Assessment Tool (RAT) maps human-rights, labour, health-and-safety, environment, and business-integrity exposure across the supplier base; updated against Walk Free Global Slavery Index and ILO indicators
  • Member-owned not-for-profit governance reduces commercial-conflict concerns versus PE-owned competitors
  • Tight integration with audit bodies (Bureau Veritas, Intertek, ELEVATE, SGS, TUV Rheinland, ALGI); SMETA reports are portable across buyers in the network
  • Strong fit for retail and FMCG buying committees that already mandate Sedex membership on suppliers as a contract clause
Weaknesses
  • Sedex has no certifications, scores, or medals; the platform is a data exchange, not a rating service. If the buying committee wants a Bronze / Silver / Gold scorecard, EcoVadis fits better
  • SMETA audits are point-in-time and rely on auditor quality; G2 reviewers note inconsistent audit rigor across audit bodies and geographies
  • Pricing for suppliers is tiered by turnover but climbs fast above GBP 50M / EUR 60M revenue; smaller suppliers cite onboarding friction
  • UFLPA Entity-List or CBP detention-response is not the workflow; Sedex provides the ethical-trade audit evidence but the GRC workflow lives elsewhere
  • Reporting and dashboard UX is dated; Sedex Advance (the current platform) is a step forward but G2 reviewers cite navigation and search friction
  • Network effect is asymmetric across industries; deep in retail / FMCG, thinner in industrials, electronics, automotive, energy
Best for

Tier-1 retail and FMCG brands and their suppliers running ethical-trade due-diligence via SMETA audits, UK Modern Slavery Act s.54 statements, California SB-657 disclosures, and BSCI / SA8000 social-audit programmes. Most powerful when the buying committee already mandates Sedex membership as a contract clause.

Worst for

Industrials, energy, and heavy-construction buyers whose suppliers do not use Sedex / SMETA (ISNetworld or Avetta fit better). Also wrong if you need an ESG medal scorecard (EcoVadis) or a GRC backbone for UFLPA + CSDDD + LkSG workflow (RiskWatch, MetricStream, Optro fit better).

Key features

  • Sedex Advance ethical-trade data exchange
  • SAQ (Self-Assessment Questionnaire) for suppliers
  • SMETA (Sedex Members Ethical Trade Audit) results upload
  • Risk Assessment Tool (RAT) mapping labour, health-and-safety, environment, and business-integrity exposure
  • BSCI and SA8000 audit-result interoperability
  • Modern Slavery and forced-labour indicator screening
  • Supplier-data exchange across buyer organisations
  • API access for embedding ethical-trade data into procurement workflow

Integrations

25+ native. Notable: SAP Ariba, Coupa, Oracle Procurement Cloud, Microsoft Entra ID, Custom REST API.

Target size

50 to 200,000 employees · UK · EU · US · Canada · AU · APAC · LATAM · MEA

#6

Sphera (SupplyShift)

Sphera Solutions, Inc. · Founded 2016 · Chicago, IL, USA

ESG, LCA, and Scope-3 supplier-emissions depth for CSRD ESRS E1 and S2 reporting.

Opaque pricing · G2 4.2 · Capterra 4.3 · 200+ reviews

Summary

Sphera was formed in 2016 from the combination of IHS Operational Excellence and Risk Management with PSC software; Blackstone acquired Sphera in September 2021 for $1.4 billion. SupplyShift, acquired in January 2024, added a 100,000+ supplier network for sustainability and supplier-engagement workflows. The platform leads on lifecycle assessment (LCA) depth, Scope-1, Scope-2, and Scope-3 supplier emissions, and CSRD ESRS E1 climate and S2 value-chain workers reporting. SpheraCloud serves global shippers, manufacturers, and oil-and-gas operators that need an integrated ESG, EHS, and product-stewardship platform. Sphera was a Verdantix Green Quadrant Leader in 2024 and 2025 in EHS and ESG.

Strengths
  • Deepest LCA (Life-Cycle Assessment) bench in the category; GaBi LCA database supports thousands of product-level cradle-to-gate calculations
  • Scope-1, Scope-2, and Scope-3 supplier emissions accounting aligned to GHG Protocol Categories 1-15; CSRD ESRS E1 climate-disclosure readiness
  • ESRS S2 value-chain workers reporting with SupplyShift supplier-questionnaire network of 100,000+ suppliers
  • Verdantix Green Quadrant Leader 2024 and 2025 in EHS and ESG; G2 Leader in Environmental Health and Safety
  • Product-stewardship module covers chemical compliance (REACH, CLP, GHS, TSCA, K-REACH, China REACH); strong for chemicals, consumer-goods, automotive, electronics
  • On-prem and hybrid-cloud deployment options for data-residency constraints
Weaknesses
  • SpheraCloud dashboard performance and UX flagged by G2 reviewers as slower and more dated than Workiva or Optro for board-ready visualisation
  • Acquisition portfolio (rfxcel, riskmethods, SupplyShift) creates platform-integration debt; G2 reviewers cite inconsistent UX across acquired modules
  • Pricing is opaque and high; SpheraCloud landed-cost typically $100K-$500K+ annually depending on modules; not the right pick for sub-1,000-employee buyers
  • Steep learning curve flagged by G2 reviewers; multi-quarter implementation with named SI partner support typical
  • No native UFLPA detention-response, C-TPAT MSC binder, or CBP examiner walk-in workflow; Sphera is ESG-and-LCA-first, not import-compliance-first
  • ESG-medal recognition trails EcoVadis on the buyer-side scorecard front; SupplyShift scores are buyer-private rather than industry-recognised medals
Best for

Global shippers, manufacturers, oil-and-gas operators, chemicals, consumer-goods, and automotive enterprises (5,000-100,000 employees) running deepest LCA + Scope-3 supplier emissions + CSRD ESRS E1 climate + ESRS S2 value-chain workers + chemical compliance under one ESG and EHS platform.

Worst for

Mid-market US importers whose dominant brief is UFLPA detention-response and CBP-format evidence assembly; RiskWatch fits that brief better. Also wrong for buyers needing the industry-recognised EcoVadis medal scorecard for procurement-gate use. Also wrong for sub-1,000-employee single-brief buyers; over-built and over-priced for that scale.

Key features

  • GaBi LCA (Life-Cycle Assessment) database
  • Scope-1, Scope-2, Scope-3 supplier emissions accounting aligned to GHG Protocol
  • SupplyShift supplier-network of 100,000+ companies
  • CSRD ESRS E1 climate and ESRS S2 value-chain workers reporting
  • Product-stewardship for REACH, CLP, GHS, TSCA, K-REACH, China REACH
  • EHS module (incident management, JSA, audits, observations)
  • Operational risk module with bowtie analysis
  • On-prem and hybrid-cloud deployment for data-residency

Integrations

100+ native. Notable: SAP Ariba, SAP S/4HANA, Oracle EBS, Workday, Microsoft Entra ID, ServiceNow, Salesforce.

Target size

2,000 to 200,000 employees · US · Canada · EU · UK · AU · APAC · LATAM · MEA

#7

MetricStream

MetricStream, Inc. · Founded 1999 · San Jose, CA, USA

Broadest regulatory content library for Tier-1 enterprises running UFLPA + CSDDD + LkSG + OFAC at G-SIB scale.

Opaque pricing · G2 4.3 · Capterra 4.2 · 240+ reviews

Summary

MetricStream was founded in 1999 in San Jose and is one of the longest-running enterprise GRC platforms in the market. The ConnectedGRC platform covers IT GRC, ERM, third-party risk, regulatory compliance, audit, business continuity, and operational risk in one data model. Supply-chain-relevant content includes pre-loaded mappings for UFLPA, C-TPAT MSC, CSDDD, German LkSG, UK Modern Slavery Act, California SB-657, OFAC SDN List, BIS Entity List, EU Consolidated List, UN sanctions, AEO + WCO SAFE Framework, and ISO 28000:2022. The platform serves G-SIB banks, top-20 pharma, and Tier-1 global manufacturers; SoftwareReviews 2026 placed MetricStream in the upper-right Champion quadrant. Pricing is opaque and typically lands $75K-$1M+ annually depending on module count.

Strengths
  • Broadest regulatory content library of any platform in this ranking; pre-loaded coverage of UFLPA, C-TPAT, CSDDD, LkSG, Modern Slavery, California SB-657, OFAC, BIS Entity List, AEO, ISO 28000
  • Modular ConnectedGRC covers IT GRC, ERM, TPRM, Compliance, Audit, BCM, and Operational Risk under one data model; useful when a Tier-1 enterprise needs every GRC discipline in one tenant
  • G-SIB banks, top-20 pharma, and Tier-1 manufacturer references; scales to 50,000+ user deployments without falling over
  • 25-year operating history and deep regulatory-content team that publishes update alerts when standards (UFLPA Entity List, CSDDD Omnibus I, LkSG BAFA guidance) change
  • AI features (M7 platform, AiSPIRE, advisor agents) for control evidence summarisation and regulatory-change impact analysis
  • On-prem and private-cloud deployment options for buyers with data-residency constraints (ITAR, GDPR, China data sovereignty)
Weaknesses
  • G2 and Capterra reviewers consistently flag steep learning curve, long implementation cycles, and total cost of ownership that climbs fast; expect 9-15 month deployment for a full ConnectedGRC rollout
  • Multiple G2 reviewers note the platform is rigid for custom changes once deployed; the application contains many locks by default and navigation through large data sets is reported as painful
  • Executive dashboards and chart and graph functionality are reported as limited compared with newer platforms; the Compliance and Survey modules in particular trail Optro and Workiva on board-ready visualisation
  • Pricing is opaque and high; typical contract lands $75K-$1M+ annually; not the right pick for sub-1,000-employee single-brief buyers
  • Some users report platform-speed issues, occasional outages, and data-import limitations (Excel pull-through into workflows is awkward)
  • Implementation is consultant-heavy; named SI partners (Deloitte, PwC, KPMG) are typically required for go-live, which adds 25-40% on top of the first-year licence
Best for

Tier-1 global manufacturers, multi-brand FMCG holdings, G-SIB banks with supply-finance exposure, and Tier-1 import / export enterprises (5,000-100,000 employees) needing broad regulatory content across UFLPA, CSDDD, LkSG, Modern Slavery, OFAC, AEO, ISO 28000 in one platform.

Worst for

Mid-market importers under 1,000 employees with a single-framework brief (UFLPA only, or LkSG only); over-built and over-priced for that scale. Also wrong for buyers wanting fast-deploy SaaS; this is a consultant-heavy multi-quarter implementation.

Key features

  • Pre-loaded content for UFLPA, C-TPAT, CSDDD, LkSG, Modern Slavery, California SB-657, OFAC, BIS Entity List, AEO, ISO 28000
  • Modular ConnectedGRC (IT GRC + ERM + TPRM + Compliance + Audit + BCM + OpRisk)
  • Regulatory-change alerts when standards update (UFLPA Entity List additions, CSDDD Omnibus reform, LkSG BAFA guidance)
  • Third-party risk management with supplier scoring
  • Business continuity and operational resilience workflow
  • AI evidence summarisation (M7 platform, AiSPIRE)
  • On-prem and private-cloud deployment for data-residency
  • Audit management with planning, fieldwork, and committee-ready reports

Integrations

150+ native. Notable: ServiceNow, SAP, Oracle, Microsoft Entra ID, Workday, Salesforce, Tableau, Power BI.

Target size

2,000 to 100,000 employees · US · Canada · UK · EU · AU · APAC · LATAM · MEA

#8

Optro (formerly AuditBoard)

Optro, Inc. · Founded 2014 · Cerritos, CA, USA

Internal-audit-first GRC suite for public-company importers running SOX + supplier audits + CSDDD + ESG.

Opaque pricing · G2 4.6 · Capterra 4.7 · 1,820+ reviews

Summary

Optro is the new name for AuditBoard, announced 9 March 2026 at the IIA Great Audit Minds conference. The company was founded in 2014 by Daniel Kim and Jay Lee as SOXHUB, rebranded to AuditBoard in November 2017, and was acquired by Hg Capital in May 2024 for over $3 billion. The platform leads the category on internal-audit and SOX-controls testing depth, with strong third-party / supplier risk and ESG modules. For public-company importers and global manufacturers running SOX 404 alongside UFLPA + CSDDD + Modern Slavery evidence and Scope-3 supplier emissions, Optro is the natural pick when the corporate internal-audit team owns the buying brief. G2 carries 1,585 verified reviews at 4.6/5 as of May 2026; the platform serves 50%+ of the Fortune 500.

Strengths
  • 1,585 G2 reviews at 4.6/5 (May 2026), the highest review volume in the category; named to G2's 2026 Best Software Awards lists
  • Deepest SOX 404 controls testing and ICFR workflow of any platform here, born from the original SOXHUB product; critical for public-company importers
  • Strong internal-audit workflow with planning, fieldwork, issue tracking, and committee-ready reports tuned to public-company filers under PCAOB AS 2201
  • CrossComply multi-framework module overlays UFLPA + C-TPAT + CSDDD + LkSG + Modern Slavery + ISO 28000 control sets; useful when the same control evidence must satisfy several frameworks
  • Connected-risk model ties operational risk, supplier risk, and ESG into one data layer; ESG module supports Scope-3 supplier emissions and CSRD ESRS E1 and S2
  • 2025 Gartner Magic Quadrant Leader for GRC Tools; serves 50%+ of the Fortune 500 and seven of the Fortune 10
Weaknesses
  • Hg Capital ownership since May 2024 raises typical PE-owned price-uplift risk; users report 10-15% renewal increases at year 2 and year 3
  • Brand-rebrand churn (March 2026 Optro launch) means a year of customer-comms work and URL / SSO / integration re-pointing that distracts from product velocity
  • Pricing remains opaque; SmartSuite and ComplianceRated triangulate $30K-$80K+ entry, scaling to mid-six-figures for enterprise; no published list price
  • No native UFLPA, C-TPAT MSC, CSDDD, LkSG, AEO, or ISO 28000 pre-mapped libraries; supply-chain-specific compliance is configurable via CrossComply rather than turnkey
  • No native sanctions-screening, denied-party screening, or CBP detention-response workflow; not the right pick if the load-bearing brief is import-compliance evidence rather than corporate SOX + supplier-audit
  • Implementation is consultant-heavy; expect 8-16 week deployment with named SI partner support; not the fast-deploy SaaS some buyers expect
Best for

Public-company importers, global manufacturer holdings (Tier-1 retail, FMCG, automotive, electronics) running SOX 404 + ESG reporting + supplier audits + CSDDD value-chain due diligence; multi-business-unit enterprises that want one platform across internal audit, SOX, supplier risk, and ESG.

Worst for

Private mid-market importers and EU-listed manufacturers whose load-bearing brief is UFLPA + C-TPAT MSC + CSDDD + LkSG operational compliance; Optro does not ship those libraries pre-mapped and the SOX-heavy architecture is over-built for that buyer.

Key features

  • SOX 404 controls testing and ICFR workflow
  • Internal audit planning, fieldwork, and reporting under PCAOB AS 2201
  • CrossComply multi-framework control mapping (UFLPA / C-TPAT / CSDDD / LkSG / Modern Slavery / ISO 28000)
  • Third-party / supplier risk management with vendor scoring
  • ESG and sustainability reporting workflow including Scope-3 supplier emissions
  • Optro AI for evidence summarisation and control narratives
  • Connected-risk dashboards for board reporting
  • SOC 1 / SOC 2 / ISO 27001 framework support

Integrations

60+ native. Notable: Workday, NetSuite, SAP, Microsoft Entra ID, Okta, Jira, ServiceNow, Salesforce.

Target size

500 to 100,000 employees · US · Canada · UK · EU · AU · APAC

#9

IBM OpenPages with watsonx

IBM Corporation · Founded 1996 · Armonk, NY, USA

Enterprise GRC with watsonx Assistant for regulatory-change tracking on UFLPA + CSDDD + LkSG + OFAC.

Opaque pricing · G2 4.2 · Capterra 4.0 · 90+ reviews

Summary

OpenPages was founded in 1996 in Waltham, MA and was acquired by IBM in 2010. The platform now ships as OpenPages with watsonx, with the watsonx Assistant AI overlay added in 2024 for regulatory-change tracking, control-test summarisation, and risk-event triage. OpenPages covers operational risk, regulatory compliance, third-party risk, internal audit, business continuity, IT GRC, financial controls, model risk, and ESG in one platform. Supply-chain-relevant content includes UFLPA, CSDDD, LkSG, Modern Slavery, OFAC, BIS Entity List, and ESRS S2 mappings. The platform serves 6 of the 10 largest global banks and Tier-1 financial institutions with supply-finance exposure. Pricing is opaque; the platform runs on IBM Cloud or Azure.

Strengths
  • 30+ years of OpenPages heritage; one of the longest-running GRC platforms in the market with deep operational-risk and financial-controls credentials
  • watsonx Assistant AI overlay for regulatory-change tracking across UFLPA, CSDDD, LkSG, OFAC, BIS Entity List, ESRS S2; updates surface in the control-mapping workflow within days of regulatory publication
  • Serves 6 of the 10 largest global banks and Tier-1 financial institutions; defensible at the BCBS, OCC, FRB, ECB regulator-walk-in level
  • Modular architecture covers Operational Risk, Regulatory Compliance, TPRM, Internal Audit, BCM, IT GRC, Financial Controls, Model Risk, and ESG under one data model
  • Runs on IBM Cloud or Azure; FedRAMP authorised on IBM Cloud GovCloud at Moderate impact level for federal-contractor use
  • Workflow engine handles complex multi-stage approvals required for G-SIB three-lines-of-defence risk governance
Weaknesses
  • OpenPages user experience consistently flagged on G2 and Gartner Peer Insights as dated, complex, and consultant-heavy; expect 9-18 month deployment with IBM Consulting or named SI
  • Pricing is opaque and high; OpenPages entry-tier landed cost typically $150K-$500K+ annually; not the right pick for sub-2,000-employee buyers
  • Implementation is consultant-heavy; IBM Consulting, Deloitte, PwC, KPMG, or EY typically required for go-live; ecosystem of OpenPages consultants is narrower than Optro or MetricStream
  • watsonx Assistant AI features require IBM Cloud or Azure tenancy and add a separate compute SKU; total cost of ownership climbs fast
  • Mid-market buyers and consumer-goods importers are not the target; the platform optimises for financial-services and G-SIB scale, not mid-market import compliance
  • No native UFLPA detention-response pack format or CBP examiner walk-in workflow; OpenPages provides the framework mapping but the CBP-format export lives outside the platform
Best for

G-SIB banks, top-20 insurance carriers, and large financial institutions with supply-finance exposure (10,000-200,000 employees) running OpenPages already and needing to extend GRC across UFLPA + CSDDD + LkSG + OFAC under the watsonx AI overlay. Also fits Tier-1 manufacturers and importers already standardised on IBM Cloud or Azure.

Worst for

Mid-market US importers (under 2,000 employees) running a single-framework brief; over-built and over-priced. Also wrong for buyers wanting fast-deploy SaaS; this is a consultant-heavy multi-quarter implementation typical of IBM enterprise software.

Key features

  • Operational risk, regulatory compliance, TPRM, internal audit, BCM, IT GRC, financial controls, model risk, ESG under one data model
  • watsonx Assistant AI overlay for regulatory-change tracking
  • Pre-loaded content for UFLPA, CSDDD, LkSG, Modern Slavery, OFAC, BIS Entity List, ESRS S2
  • Workflow engine for three-lines-of-defence risk governance
  • Risk-event taxonomy aligned to Basel and ISO 31000
  • FedRAMP authorised on IBM Cloud GovCloud at Moderate
  • IBM Cloud or Azure hosting
  • REST API for embedding GRC data into enterprise BI

Integrations

130+ native. Notable: SAP, Oracle EBS, Workday, ServiceNow, Microsoft Entra ID, Splunk, Tableau, IBM Cognos.

Target size

5,000 to 500,000 employees · US · Canada · UK · EU · AU · APAC · LATAM · MEA

#10

Resolver (Kroll Business)

Resolver Inc., a Kroll Business · Founded 2000 · Toronto, ON, Canada

Investigations-first GRC for supplier fraud, sanctions hits, and forced-labour allegations.

Opaque pricing · G2 4.4 · Capterra 4.3 · 320+ reviews

Summary

Resolver was founded in 2000 in Toronto and was acquired by Kroll in March 2022; the platform now sits inside Kroll's risk-and-investigations practice that safeguards $6.5 trillion in market capitalisation across 1,000+ companies. The platform leads on case management for supply-chain investigations, sanctions and watch-list hits, forced-labour allegations, and supplier-fraud workflow. Core modules cover Investigations, Risk Intelligence (Kroll-fed adverse-media and sanctions screening), Compliance Management, Internal Audit, Incident Management, and Corporate Security. For brands triaging a UFLPA detention, a Modern Slavery allegation, or an OFAC sanctions hit on a supplier, Resolver is the case-management backbone that ties intake to investigation to remediation.

Strengths
  • Strongest case-management workflow in the category for supply-chain investigations, sanctions hits, forced-labour allegations, and supplier-fraud incidents
  • Kroll Risk Intelligence integration provides adverse-media and watch-list screening across OFAC SDN, BIS Entity List, EU Consolidated, UN sanctions, and Kroll-proprietary watch-lists
  • Investigation chain-of-custody and evidence-handling workflow that holds up to regulator scrutiny; designed for corporate-security and ethics-and-compliance teams
  • Threat intelligence and adverse-media feeds tuned for forced-labour, Tier-N supplier-fraud, and sanctions-evasion patterns
  • Compliance Management and Internal Audit modules cover standard GRC workflow alongside the case-management heritage
  • Kroll backing safeguards $6.5T in market cap across 1,000+ companies; strong references in retail, financial services, healthcare, and energy
Weaknesses
  • Kroll ownership since March 2022 creates services-revenue overhang; G2 reviewers note pressure to bundle Kroll investigation services with platform renewals
  • Investigations-first heritage means the GRC compliance-management workflow trails MetricStream, Optro, and IBM OpenPages on framework-library depth
  • Pricing is opaque; SmartSuite and Vendr triangulate $30K-$120K entry; no published list price
  • No pre-mapped UFLPA detention-response pack format, C-TPAT MSC binder, or CBP examiner walk-in workflow; Resolver assembles evidence inside the case file, not in a CBP-format export
  • Implementation requires named SI partner support for full multi-module deployment; not a fast-deploy SaaS
  • Limited ESG-medal recognition for buyer-side procurement scorecards (the EcoVadis or SupplyShift role); Resolver is investigations-first, not supplier-sustainability-first
Best for

Large retailers, financial-services holdings, energy operators, and manufacturers (2,000-100,000 employees) running supply-chain investigations, sanctions and watch-list hits, forced-labour allegations, and supplier-fraud workflow as a load-bearing brief. Strongest when paired with Kroll Risk Intelligence and adverse-media feeds.

Worst for

Mid-market US importers whose dominant brief is pre-mapped UFLPA + CSDDD + LkSG framework libraries; RiskWatch fits that brief better. Also wrong for buyers needing the EcoVadis medal scorecard or the Sedex SMETA audit network; Resolver does not replicate those network effects.

Key features

  • Investigations case-management workflow
  • Kroll Risk Intelligence adverse-media and sanctions screening (OFAC, BIS, EU, UN)
  • Compliance Management module with framework mapping
  • Internal Audit module with planning and fieldwork
  • Incident Management for forced-labour allegations and supplier-fraud
  • Corporate Security module for site-level investigations
  • Workflow engine for ethics-and-compliance hotline intake
  • Evidence chain-of-custody for regulator-defensible cases

Integrations

50+ native. Notable: SAP, ServiceNow, Microsoft Entra ID, Okta, Salesforce, Workday, Splunk.

Target size

1,000 to 200,000 employees · US · Canada · UK · EU · AU · APAC · LATAM · MEA

Step by step

Buying guide

Walk these steps in order. The shortlist falls out of steps 1 to 3, the negotiation moves come together in step 4, and step 8 closes the deal.

  1. Map your regulatory exposure to your import / export footprint

    List the jurisdictions you import into (US, EU, UK, Canada, AU) and the obligations each carries. A US importer faces UFLPA + C-TPAT + OFAC. An EU-listed manufacturer faces CSDDD + ESRS S2. A German Tier-1 faces LkSG. A UK plc faces Modern Slavery Act s.54. A retailer doing business in California faces SB-657. Most multinational importers face four or more of these simultaneously; the right platform must cover every one of them from a single evidence vault.

  2. Score the seven high-impact frameworks for pre-mapped coverage

    For each candidate platform, score Y/Partial/N on UFLPA detention-response pack, C-TPAT MSC supplier flow-down, CSDDD value-chain due diligence, LkSG risk analysis, UK Modern Slavery Act s.54 workflow, California SB-657 disclosure, and ISO 28000:2022. Pre-mapped (turnkey) saves 4-12 weeks of consultant configuration time per framework versus configurable (build-it-yourself). The math compounds at 5+ frameworks.

  3. Decide whether you need a supplier network or a GRC backbone

    EcoVadis, Sedex, ISNetworld, Avetta, and SupplyShift are networks; their value is the medal score, the SMETA audit, the contractor prequalification cohort, the LCA database. RiskWatch, MetricStream, Optro, IBM OpenPages, and Resolver are GRC backbones; their value is the evidence vault, the framework mappings, the audit-pack export. Most mature programmes run one of each: a GRC backbone for the regulatory file plus a supplier network for the third-party score.

  4. Stress-test pricing transparency with a 3-year TCO model

    Seven of the ten platforms in this ranking gate pricing behind a demo. Build a 3-year TCO that includes year-1 licence, implementation services (15-50% of licence), per-module add-ons, renewal escalators (10-15% typical for PE-owned platforms), regulatory-content subscriptions, and integration costs. Compare against the published RiskWatch Standard $99/month and Professional $36K/year benchmarks. Insist on a renewal-escalator cap in writing.

  5. Run a UFLPA detention dry-run on the shortlist

    Ask each candidate platform to produce a UFLPA rebuttable-presumption response pack for a hypothetical detained shipment in 48 hours using sample data. The pack must include commercial invoices, payment records, bills of lading, factory records, and balance-of-materials evidence in the format CBP examiners request. Platforms that cannot deliver in 48 hours from sample data will not deliver in 48 hours when the actual detention happens.

  6. Score sanctions-screening cadence against your real exposure

    Score each platform on screening cadence (continuous, daily, weekly, on-onboarding-only) against OFAC SDN, BIS Entity List, EU Consolidated, UN Security Council, and proprietary watch-lists. A multinational importer with 10,000+ suppliers requires continuous screening; a mid-market importer with 200 suppliers can run weekly. Resolver (Kroll Risk Intelligence), MetricStream, IBM OpenPages, and EcoVadis IQ Plus are the deep-screening picks.

  7. Insist on a 30-day working pilot with real supplier data

    Pilots with vendor-sample data hide the integration friction and supplier-onboarding pain that breaks programmes in month 2. A real-data pilot with 50-200 of your suppliers using your evidence-export formats surfaces the workflow gaps before contract. Most platforms will agree; the ones that refuse are the ones whose product cannot survive your real data.

  8. Document the exit clause before you sign

    Most supply-chain compliance contracts are 3-year terms with auto-renew. Document the exit clause before you sign: data export format, retention period after termination, supplier-attestation portability, and integration teardown responsibilities. Buyers who lose 3-year deals typically lose them on data portability and exit friction, not on feature coverage.
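Step 5 asks the platform to assemble invoices, payment records, bills of lading, factory records and balance-of-materials evidence into a pack; the Resolver profile above lists evidence chain-of-custody as a key feature. What makes such a pack defensible is that every document's integrity and provenance can be re-checked after export. The following added example (not RiskWatch's, Resolver's or any vendor's code) builds a hash-chained manifest over a constructed five-document pack, verifies it, and reports which of the page's five evidence categories are missing. The `custodian` and `collected_at` fields, the filenames and the document bytes are assumptions made for the example.

```python
"""Tamper-evident evidence manifest for a detention-response pack.

Added example, not RiskWatch or any vendor's code. Document contents,
filenames, custodians and timestamps below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass

# Evidence categories the page lists for a UFLPA rebuttable-presumption pack.
REQUIRED_CATEGORIES = (
    "commercial_invoice", "payment_record", "bill_of_lading",
    "factory_record", "balance_of_materials",
)


@dataclass(frozen=True)
class EvidenceItem:
    category: str
    filename: str
    custodian: str     # who pulled the document (assumed field)
    collected_at: str  # ISO-8601 UTC timestamp (assumed field)
    sha256: str        # digest of the document bytes
    prev_entry: str    # entry_hash of the previous item, "" for the first
    entry_hash: str    # digest over all fields above, chaining the manifest


def _entry_hash(category, filename, custodian, collected_at, sha256, prev_entry):
    # Canonical JSON so the hash does not depend on whitespace or field order.
    payload = json.dumps([category, filename, custodian, collected_at, sha256, prev_entry],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_manifest(documents):
    """documents: sequence of (category, filename, custodian, collected_at, bytes)."""
    manifest, prev = [], ""
    for category, filename, custodian, collected_at, content in documents:
        digest = hashlib.sha256(content).hexdigest()
        entry = _entry_hash(category, filename, custodian, collected_at, digest, prev)
        manifest.append(EvidenceItem(category, filename, custodian, collected_at, digest, prev, entry))
        prev = entry
    return manifest


def verify_manifest(manifest, contents):
    """contents: {filename: bytes} as exported. Returns (ok, list of problems)."""
    problems, prev = [], ""
    for item in manifest:
        if item.prev_entry != prev:
            problems.append(f"{item.filename}: chain break (entry removed or reordered)")
        recomputed = _entry_hash(item.category, item.filename, item.custodian,
                                 item.collected_at, item.sha256, item.prev_entry)
        if recomputed != item.entry_hash:
            problems.append(f"{item.filename}: manifest entry altered")
        data = contents.get(item.filename)
        if data is None:
            problems.append(f"{item.filename}: file missing from pack")
        elif hashlib.sha256(data).hexdigest() != item.sha256:
            problems.append(f"{item.filename}: content does not match recorded hash")
        prev = item.entry_hash
    return (not problems, problems)


def missing_categories(manifest):
    """Required evidence categories with no item in the manifest, in page order."""
    present = {item.category for item in manifest}
    return [c for c in REQUIRED_CATEGORIES if c not in present]


# Constructed sample pack: five documents, one per required category.
SAMPLE_DOCS = [
    ("commercial_invoice", "invoice-0412.pdf", "trade.compliance", "2026-05-01T09:12:00Z", b"invoice (constructed)"),
    ("payment_record", "wire-0412.pdf", "treasury", "2026-05-01T09:40:00Z", b"payment record (constructed)"),
    ("bill_of_lading", "bol-0412.pdf", "logistics", "2026-05-01T10:05:00Z", b"bill of lading (constructed)"),
    ("factory_record", "factory-roster.csv", "sourcing", "2026-05-02T08:30:00Z", b"factory record (constructed)"),
    ("balance_of_materials", "bom-trace.csv", "sourcing", "2026-05-02T11:15:00Z", b"materials balance (constructed)"),
]

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_DOCS)
    ok, problems = verify_manifest(manifest, {d[1]: d[4] for d in SAMPLE_DOCS})
    print("pack intact:", ok, "| missing categories:", missing_categories(manifest))
```

Chaining each entry to the previous one means a document cannot be silently dropped or reordered without the verifier flagging the break; hashing the bytes means an edit after collection is detected even if the manifest itself is untouched. A signature over the final `entry_hash` (not shown) would additionally bind the manifest to the custodian at export time.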

Frequently asked

Buyer questions, answered

The eight questions our pre-sales team hears the most often when buyers compare this category.

Which platforms ship pre-mapped UFLPA libraries for CBP detention response?
RiskWatch is the only platform in this ranking that ships a pre-mapped UFLPA rebuttable-presumption response pack workflow: commercial invoices, payment records, bills of lading, factory records, and balance-of-materials evidence assembled in the format CBP examiners request after a detention. MetricStream and IBM OpenPages provide UFLPA framework mappings inside their broader regulatory-content libraries but the CBP-format export is configurable rather than turnkey. EcoVadis, Sedex, ISNetworld, Avetta, Sphera, Optro, and Resolver do not ship a pre-mapped UFLPA library; they cover adjacent workflows (supplier scoring, ethical-trade audits, contractor prequalification, ESG-and-LCA, SOX, investigations) that feed into a UFLPA defence but do not assemble the CBP-format pack on their own. The UFLPA itself sets the rebuttal standard at clear-and-convincing evidence, so the completeness and format of the exported pack matter.
How do these platforms handle EU CSDDD and German LkSG due diligence under the 2026 Omnibus I reform?
EU CSDDD (Directive 2024/1760) was reshaped by Directive (EU) 2026/470 (Omnibus I) adopted 24 February 2026 which narrowed scope to undertakings with 1,000+ employees and EUR 1.5B+ turnover, extended member-state transposition to 26 July 2027, and locked in the value-chain due-diligence duty. German LkSG retains its due-diligence obligations with the reporting obligation removed by reform and BAFA fines up to 2% of global turnover or EUR 8M. RiskWatch ships CSDDD and LkSG libraries pre-mapped with cross-mapping to ISO 28000, Modern Slavery Act, and UFLPA so one evidence vault serves multiple obligations. MetricStream and Optro support CSDDD and LkSG via configurable workflow inside CrossComply or ConnectedGRC. EcoVadis and Sedex provide the supplier-due-diligence data layer that feeds CSDDD evidence reuse but are not the GRC backbone. IBM OpenPages with watsonx tracks regulatory-change updates against CSDDD and LkSG within days of publication.
Which platforms cover OFAC, BIS Entity List, EU, and UN sanctions screening at supplier-onboarding cadence?
Resolver (via Kroll Risk Intelligence) and MetricStream ship the deepest sanctions-screening cadence among GRC platforms in this ranking with continuous screening against OFAC SDN, BIS Entity List, EU Consolidated, UN Security Council, and proprietary Kroll watch-lists. IBM OpenPages with watsonx adds regulatory-change tracking on the sanctions update cadence. RiskWatch covers OFAC + BIS + EU + UN screening at supplier-attestation time. EcoVadis IQ Plus adds continuous-monitoring adverse-media for sanctions risk on rated suppliers but is not a primary sanctions-screening engine. ISNetworld, Avetta, Sedex, Sphera, and Optro typically pair with a dedicated sanctions-screening tool (LSEG World-Check, formerly Refinitiv World-Check; Dow Jones Risk Center; Descartes Visual Compliance; Kharon) for the continuous-screening function.
Which platform is the right pick for UK Modern Slavery Act s.54 statements and California SB-657 disclosures?
Sedex is the de facto pick for UK Modern Slavery Act s.54 statements and California SB-657 disclosures when your suppliers are in retail, FMCG, or apparel; SMETA audits and the Risk Assessment Tool produce defensible audit evidence that feeds directly into the public statement. RiskWatch provides Modern Slavery Act and California SB-657 framework libraries with statement-format export packs and cross-mapping to UFLPA and supplier code of conduct. EcoVadis Labour and Human Rights scoring feeds Modern Slavery and SB-657 statements via supplier scorecards. Optro CrossComply can configure Modern Slavery and SB-657 frameworks on top of SOX 404 for public-company filers. MetricStream and IBM OpenPages cover Modern Slavery and SB-657 inside broader regulatory-content libraries.
What does a supply-chain compliance programme cost in 2026 for a mid-market US importer?
A mid-market US importer (200-2,000 employees, $50M-$500M revenue, importing into US and EU) typically spends $30K-$150K per year on supply-chain compliance software licence plus 15-25% one-time implementation. RiskWatch Standard at $99/month is the published low-end; RiskWatch Professional at $36K/year and Enterprise quote-only land in the typical mid-market band. EcoVadis runs $12K-$50K buyer subscription plus per-rating supplier fees. ISNetworld Hiring Client and Avetta Hiring Client subscriptions land $50K-$200K depending on contractor count. Sedex buyer subscription runs $12K-$50K. Sphera, MetricStream, IBM OpenPages, and Optro start above $100K and climb to $500K+ for full-suite enterprise rollouts.
How do contractor-management networks (ISNetworld, Avetta) compare to supplier-sustainability networks (EcoVadis, Sedex)?
Contractor-management networks (ISNetworld, Avetta, Veriforce, BROWZ) focus on field-contractor prequalification with HSE statistics, RAVS or PreQual document audits, insurance-certificate (COI) verification, OSHA log audits, EMR verification, and chemical-safety SDS management. The dominant use case is owner-operator industries (oil-and-gas, utilities, mining, construction, manufacturing) gating contractor site access. Supplier-sustainability networks (EcoVadis, Sedex, SupplyShift) focus on Tier-1 supplier scoring with ESG, ethical-trade, labour, environment, and ethics evaluation aligned to CSRD ESRS S2, UN Global Compact, ILO, and GRI. The dominant use case is retail, FMCG, electronics, and consumer-goods brands gating supplier onboarding on sustainability scorecards. Many large enterprises run both: contractor-management for field-services exposure and supplier-sustainability for upstream Tier-1 ingredient or component suppliers.
Is RiskWatch the right pick at #1 given that it publishes this ranking?
RiskWatch publishes this ranking, is at #1, and accepts no affiliate fees, sponsorship money, or paid placements. Readers should weigh that disclosure against the published evidence. RiskWatch is positioned at #1 for the mid-market supply-chain-compliance buyer running multi-framework due-diligence (UFLPA + C-TPAT + CSDDD + LkSG + Modern Slavery + California SB-657 + ISO 28000) where pre-mapped libraries, cross-mapping, and importer-of-record data residency are the load-bearing brief. RiskWatch is not the right pick for the buyer who needs an industry-recognised EcoVadis medal scorecard, a SMETA-audit-body Sedex membership, a contractor-prequalification network at ISNetworld or Avetta scale, deepest LCA at Sphera depth, or G-SIB regulatory-content depth at MetricStream or IBM OpenPages scale. The methodology block opens with this disclosure; the weights are published; readers can disagree with the rank and arrive at a different first pick honestly.
How does ESRS S2 (value-chain workers) reporting under CSRD affect supplier-compliance software selection?
CSRD ESRS S2 (own workforce already covered in S1; value-chain workers covered in S2; affected communities in S3) requires EU-listed undertakings to report on value-chain workers including labour-rights, working-conditions, equal-treatment, and other-work-related-rights material impacts. First-wave reports are due in 2026 for large EU-listed undertakings. EcoVadis and Sedex provide the supplier-data layer (medal scorecards, SMETA audits) that EU-listed buyers cite as ESRS S2 evidence. Sphera SupplyShift adds Scope-3 supplier emissions reporting that pairs with ESRS E1 climate disclosure alongside S2. RiskWatch ships an ESRS S2 framework library that cross-maps to UFLPA, Modern Slavery, and supplier code of conduct so one evidence vault serves the ESRS reporting requirement. Optro CrossComply and MetricStream support ESRS S2 inside broader CSRD module work; IBM OpenPages with watsonx tracks ESRS update cycles.
Definitions

Glossary

Definitions for the acronyms and jargon used on this page. Useful for sharing with non-specialist stakeholders on the buying committee.

UFLPA (Uyghur Forced Labor Prevention Act)
US law signed in December 2021 and in force since June 2022, establishing a rebuttable presumption that any goods mined, produced, or manufactured wholly or in part in the Xinjiang Uyghur Autonomous Region of the People's Republic of China, or by entities on the UFLPA Entity List, are made with forced labour and prohibited from entry into the United States. CBP detained 7,325 shipments in FY 2025 (+51% vs FY 2024). High-Priority Sectors expanded in 2025 to lithium, copper, steel, PVC, aluminium.
C-TPAT MSC (Customs-Trade Partnership Against Terrorism Minimum Security Criteria)
Voluntary CBP supply-chain security programme with a Minimum Security Criteria framework (2020 update) covering physical access controls, personnel security, procedural security, cybersecurity, education, conveyance tracking, agricultural security, and seal security. C-TPAT certification reduces CBP inspection rates and provides AEO mutual-recognition with EU, UK, Canada, Japan, Korea, Mexico, Australia, New Zealand, Singapore, Israel, Dominican Republic, Taiwan, and others.
CSDDD (Corporate Sustainability Due Diligence Directive)
EU Directive 2024/1760 entered into force 25 July 2024; reshaped by Directive (EU) 2026/470 (Omnibus I) adopted 24 February 2026 narrowing scope to undertakings with 1,000+ employees and EUR 1.5B+ turnover. Establishes a corporate due-diligence duty across value chains for actual and potential adverse impacts on human rights and environment. Transposition by member states extended to 26 July 2027 with full application 26 July 2029.
LkSG (Lieferkettensorgfaltspflichtengesetz, German Supply Chain Due Diligence Act)
German Supply Chain Due Diligence Act effective 1 January 2023 for 3,000+ employee undertakings and 1 January 2024 for 1,000+ employee undertakings. Requires risk management, responsible-person designation, regular risk analyses, policy statement, preventive and remedial measures, and complaints procedure. BAFA enforces with fines up to 2% of global turnover or EUR 8M. Reporting obligation removed by 2026 reform; due-diligence obligations remain.
ESRS S2 (Value-Chain Workers)
European Sustainability Reporting Standard S2 under CSRD covering material impacts on value-chain workers including working conditions, equal treatment and opportunities, and other work-related rights. Requires EU-listed undertakings to disclose due-diligence processes, material risks, and metrics on value-chain workers. Companion standards: S1 (own workforce), S3 (affected communities), S4 (consumers and end-users).
OFAC SDN List + BIS Entity List + EU + UN sanctions
Four overlapping sanctions and denied-party lists, screened at supplier onboarding and continuously thereafter. OFAC (US Treasury) publishes the SDN (Specially Designated Nationals) List and the Sectoral Sanctions Identifications List. The BIS Entity List (US Commerce Department) restricts exports, re-exports and in-country transfers of items subject to the Export Administration Regulations to the listed parties. The EU Consolidated List is published by the European Commission; the UN Security Council Consolidated List by the UN. A name hit against any of them is a lead for analyst adjudication, not a verdict: engines match on normalised names and aliases and produce false positives, so the programme needs a documented review step behind the screen. Continuous screening cadence (daily or near-real-time) is the supply-chain-compliance standard.
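Step 6 of the buying guide and this glossary entry describe screening cadence and the lists involved but not what a screen actually does. The following added example (not RiskWatch's, Kroll's or any vendor's code) shows the mechanics a buyer should expect under the hood: names are normalised (casefold, diacritics stripped, corporate suffixes dropped), each party is compared against every listed name and alias with an exact-or-fuzzy score, and each supplier's last-screened date is checked against the cadence the page recommends (continuous, here daily, for 10,000+ suppliers; weekly for a ~200-supplier mid-market importer). The list entries are constructed and fictitious; the suffix list, the 0.88 similarity threshold and the rule that high-risk parties are screened daily regardless of fleet size are assumptions for the example. Real deployments load the OFAC, BIS, EU and UN files, which are not embedded here.

```python
"""Denied-party screening over constructed sample lists (added example).

Not RiskWatch or any vendor's code. All listed names below are fictitious;
the suffix set, threshold and cadence rule are assumptions for illustration.
"""
import difflib
import re
import unicodedata
from dataclasses import dataclass
from datetime import date, timedelta

# Corporate suffixes that inflate similarity without identifying a party (assumed set).
_SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "corp", "corporation",
             "gmbh", "sa", "ag", "plc", "pvt", "company"}


def normalize(name: str) -> str:
    """Casefold, strip diacritics and punctuation, drop corporate suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.casefold())
    return " ".join(t for t in text.split() if t not in _SUFFIXES)


@dataclass(frozen=True)
class ListEntry:
    source: str          # e.g. "OFAC SDN", "BIS Entity List"
    name: str
    aliases: tuple = ()


@dataclass(frozen=True)
class Hit:
    source: str
    listed_name: str
    matched_on: str      # the name or alias that scored best
    score: float


def screen(party: str, entries, threshold: float = 0.88) -> list:
    """One best hit per list entry at or above threshold, strongest first."""
    norm = normalize(party)
    hits = []
    for entry in entries:
        best = None
        for candidate in (entry.name, *entry.aliases):
            cand = normalize(candidate)
            if not cand:
                continue
            # Exact normalised match is 1.0; otherwise a character-level ratio.
            score = 1.0 if cand == norm else difflib.SequenceMatcher(None, norm, cand).ratio()
            if score >= threshold and (best is None or score > best.score):
                best = Hit(entry.source, entry.name, candidate, round(score, 3))
        if best is not None:
            hits.append(best)
    return sorted(hits, key=lambda h: h.score, reverse=True)


def required_cadence_days(supplier_count: int, high_risk: bool) -> int:
    """Page's rule of thumb: 10,000+ suppliers -> continuous (daily), ~200 -> weekly.
    Daily for high-risk parties regardless of fleet size is an added assumption."""
    return 1 if high_risk or supplier_count >= 10_000 else 7


def is_overdue(last_screened: str, today: str, supplier_count: int, high_risk: bool) -> bool:
    """True when the gap since the last screen exceeds the required cadence (ISO dates)."""
    gap = date.fromisoformat(today) - date.fromisoformat(last_screened)
    return gap > timedelta(days=required_cadence_days(supplier_count, high_risk))


# Constructed, fictitious sample lists standing in for the real files.
SAMPLE_LISTS = (
    ListEntry("OFAC SDN", "Zorvex Trading Company Limited", ("Zorvex Trading Co.", "ZORVEX TRADING")),
    ListEntry("BIS Entity List", "Quillan Polysilicon Technology Co., Ltd."),
    ListEntry("EU Consolidated", "Halvern Logistics GmbH"),
)

if __name__ == "__main__":
    for supplier in ("ZORVEX Trading Ltd", "Halvern Logistic", "Brightwater Farms"):
        print(supplier, "->", screen(supplier, SAMPLE_LISTS))
    print("overdue:", is_overdue("2026-05-01", "2026-05-15", supplier_count=200, high_risk=False))
```

Note what the fuzzy step buys and costs: a one-letter variation ("Halvern Logistic") still hits the EU entry at about 0.97, but the same tolerance is what generates false positives on common names, which is why the hits are returned for adjudication rather than acted on automatically. Vendor engines add phonetic and transliteration matching on top of this; the cadence check is the part most buyers forget to verify in a pilot.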
ISO 28000:2022 Supply Chain Security Management Systems
International Organization for Standardization standard for security management systems applied to the supply chain. 2022 revision aligned ISO 28000 to Annex SL high-level structure (shared with ISO 27001, ISO 14001, ISO 45001, ISO 9001). Covers risk assessment and treatment, security operations, asset management, business continuity, and continuous improvement across logistics, warehousing, and supplier networks.
Final word

So which one should a supply-chain compliance buyer pick?

If you read this page top to bottom and one platform stood out for your buyer profile (mid-market US importer running UFLPA + Modern Slavery + ISO 28000, EU-listed manufacturer running CSDDD + LkSG + ESRS S2, retail or FMCG brand running SMETA audits and California SB-657 disclosures, owner-operator running contractor prequalification at scale, or Tier-1 enterprise running broadest regulatory content with continuous sanctions screening), that is your answer. The methodology is on this page so a VP Supply Chain, a Chief Procurement Officer, a Chief Compliance Officer, a Head of Responsible Sourcing, or a customs and trade compliance director can disagree with the rank and arrive at a different first pick honestly. We did not move our own product down to look unbiased; we did not move it up to sell the brief. The position reflects our weights and the public evidence as of 2026-05-15.

Whatever you shortlist, insist on three contract terms before you sign: a 30-day working pilot with your real supplier data (not vendor-sample data and not a choreographed demo), a renewal-escalator cap written into the master subscription agreement, and a documented exit clause covering data-export format, retention, and supplier-attestation portability. The supply-chain buyers we see lose three-year deals lose them on those three terms, not on feature coverage. PE ownership across six of these vendors makes the renewal cap the load-bearing term.

If you would like the RiskWatch demo specifically tuned to UFLPA + C-TPAT + CSDDD + LkSG + Modern Slavery + California SB-657 + ISO 28000 in one tenant, request it at riskwatch.com/request-a-demo. If you would like a no-strings second-opinion on one of the other nine, email sales@riskwatch.com with the vendor name in the subject line and we will share what we know.
