The new German Supply Chain Due Diligence Act (LkSG) comes into force at the beginning of next year and is causing unease among some companies. The reason: Failure to comply with the due diligence and information requirements, as well as violations of the obligation to take measures to implement the due diligence requirements, can result in heavy fines – up to 800,000 euros or up to 2 percent of average annual sales for large companies. Only recently, the responsible authority, the Federal Office of Economics and Export Control (BAFA), published a handout that further specifies the requirements.
The Supply Chain Act at a glance
The Supply Chain Act obliges companies to observe human rights and certain environmental due diligence obligations in their supply chains in an appropriate manner. The obligations to be fulfilled are graded according to the actual scope of influence, depending on whether the company is dealing with its own business unit, a direct contractual partner or a more indirect supplier.
The law will apply from January 1, 2023 to companies with at least 3,000 employees. From January 1, 2024, companies with at least 1,000 employees will be affected.
The due diligence obligations of companies include:
- Establishment of a risk management system and performance of a risk analysis
- Adoption of a policy statement of the corporate human rights strategy
- Anchoring of prevention measures
- Taking immediate corrective action when violations are identified
- Establishment of a complaints procedure
- Documentation and reporting requirements for the fulfillment of due diligence obligations
Basic requirements for risk analysis
Risk analysis is the basis of appropriate and effective risk management. Only after assessing their risk profile are companies in a position to implement rules and procedures to effectively mitigate the identified risks. The LkSG requires companies to gather information about human rights and environmental risks not only within their own organization, but also in the supply chain. Based on the information gathered, companies must prioritize the risks identified and address the most significant risks first. The LkSG grants some discretion in the design and choice of methods for identifying, assessing and prioritizing risks – provided that the approach chosen is appropriate and systematic.
Regular risk analysis and ad hoc risk analysis
The LkSG distinguishes between two forms of risk analysis: a regular risk analysis and a risk analysis on an ad hoc basis. According to the law, the regular, annual risk analysis covers all risks within the company's own organization and at its direct suppliers. Risks at the level of indirect suppliers, on the other hand, are not to be included in the regular risk analysis.
In addition to the regular, annual risk analysis, the law requires companies to conduct an ad hoc risk analysis with respect to indirect suppliers if they have reasonable knowledge of a violation of a human rights or environmental obligation. Evidence of such a violation may arise from a variety of sources: reports to grievance bodies, information in the media or reports from civil society, and discussions among industry representatives. It is worth noting that BAFA recommends going beyond the requirements of the LkSG in this regard. The authority considers it more effective to preventively monitor expected high risks than to have to take far-reaching measures when a human rights violation is imminent or has already occurred. The handout therefore suggests proactively involving the relevant parts of the supply chain in the annual regular risk analysis as soon as a company is aware of certain high risks.
In addition, all risks along the entire supply chain (i.e., own organization, direct and indirect suppliers) are subject to an ad hoc assessment if these risks have changed significantly or have arisen due to new circumstances. Such an ad hoc risk analysis may be triggered by a change in business activity, e.g. entry into a new sourcing country.
How is the risk analysis performed?
According to the BAFA handout, the assessment should be carried out in three steps:
- First, a company needs to get a general picture of its business activities and the relationships in its supply chain.
- After collecting the above information, the company must perform an abstract risk analysis.
- Finally, the risk analysis must be completed by a specific analysis including the evaluation and prioritization of risks.
Companies should strive to gain an overview of their own procurement processes and make their supply chains transparent as a starting point for risk analysis. A suitable method can be risk mapping by business unit, location, product, raw material or country of origin.
To this end, companies should compile information on:
- their corporate structure, including the names, sectors and basic information of all Group companies,
- their procurement structure, including procurement categories, procurement countries, order volume and the number of direct suppliers per category,
- the nature and scope of their business activities.
In a second step, publicly available sources such as indices, rankings, UN or OECD guidelines and NGO reports are taken into account to identify subsidiaries, sites and suppliers with an elevated risk profile.
Based on the results of this abstract risk assessment, companies must identify the specific risks along their supply chains in a third step. They must then decide which risks they want to address first. Relevant criteria for this prioritization are:
- the nature and scope of business activities,
- the probability of occurrence,
- the severity of the violation,
- the ability to influence,
- the causal contribution of the company to the occurrence of a risk.
The risks identified in the specific risk assessment must be systematically documented, for example in a risk inventory.
The legislation recognizes that companies cannot conduct a fully comprehensive risk analysis from the outset. Therefore, the BAFA handout suggests a risk-based approach. Companies can initially rely on an abstract risk analysis and perform the specific risk analysis only for prioritized industries, locations and supplier relationships. If a company is already aware of high-risk subsidiaries or suppliers, it should initially focus its data collection on the corporate and sourcing structures of these entities. However, companies are required to gradually improve the transparency of their supply chains and thus extend the specific risk analysis process to all subsidiaries, sites and direct suppliers.
When developing preventive measures, companies can build on and refer to the results of regular and ad hoc risk analyses.