Home
Internal
published on 25 October 2023 | reading time approx. 5 minutes
The “Act on Corporate Due Diligence to Prevent Human Rights Violations in Supply Chains” (Supply Chain Due Diligence Act – German: Lieferkettensorgfaltspflichtengesetz, short: “LkSG”) obliges companies to comply with human rights and environmental standards in their global supply chains. The international implementation of a corresponding risk management system (RMS) poses major challenges for German companies. This applies in particular to the implementation of risk analyses.
The “Act on Corporate Due Diligence to Prevent Human Rights Violations in Supply Chains” (Supply Chain Due Diligence Act – German: Lieferkettensorgfaltspflichtengesetz, short: “LkSG”), which came into force on 1 January 2023, obliges companies to comply with human rights and environmental standards in their global supply chains. To this end, extensive action, monitoring and reporting obligations are to be implemented. The LkSG will initially apply to companies in Germany that employ at least 3,000 people. From 1 January 2024, the extended scope of the Act will also extend to companies with 1,000 employees. Affected companies are obliged to take reasonable steps to prevent human rights violations and breaches of environmental regulations. This includes both their own business operations and direct suppliers. Indirect suppliers have so far only been affected by the due diligence obligations if a company has actual indications of possible human rights violations or violations of environmental regulations.Risk analysis plays a key role in the implementation of due diligence obligations in the LkSG. It serves to identify potential risks and develop appropriate risk mitigating measures, which contributes to the fulfilment of the legal requirements.Not least because of an expected extension of due diligence to indirect suppliers, as envisaged in the EU draft directive [1], indirect suppliers should already be considered in the risk analysis.
Although the law currently only introduces an obligation to make an effort and provides neither an obligation to succeed nor a liability guarantee for human rights compliance in the supply chain, German companies face considerable challenges. This applies in particular to German Small and Mid-sized Enterprices (SME), which will be affected to a large extent, at least indirectly, due to their high share of value creation in international supply chains and their globalised business models.
Risk management is tasked with ensuring that companies identify, assess and appropriately manage risks in their supply chains regarding potential violations of human rights and environmental standards. Another key focus is to ensure compliance with due diligence requirements by embedding appropriate measures in all relevant business processes.The effectiveness of a risk management system (RMS) depends on these anchored measures, whereby the LkSG does not provide any detailed specifications on the concrete design of the measures. According to § 4 para. 2 LkSG, "effective are those measures that make it possible to identify and minimise human rights and environmental-related risks and to prevent, end or minimise the extent of human rights-related or environment-related obligations if the enterprise has caused or contributed to these risks or violations within the supply chain".These measures must be internalised in all relevant business processes and responsibilities must be defined. Relevant standards such as ISO 31000 and IDW PS 981 are used by companies to guide the implementation of an RMS. The latter describes the structure of an RMS on the basis of eight fundamental components: Figure 1 - Risk Management System according to IDW PS 981
However, it is crucial to reconsider the definition of what is meant by these eight elements in the context of the RMS according to the LkSG. Because at this point a change of perspective takes place. While risk management according to IDW PS 981 is geared towards identifying, assessing, and controlling risks that affect the company itself, whether financially, operationally or in other areas, the LkSG, on the other hand, calls on companies to turn their gaze away from the consideration of risks to the company's business success. Instead, they should adopt a human rights and environmental perspective that focuses on the impact of the company's activities on the environment and affected stakeholders such as employees along the supply chain.
Risk analysis is used to precisely identify risks within the company's own business unit and its immediate suppliers.The results of the analysis provide companies with information on the extent to which human rights and environmental risks occur in their own business and in the supply chain. This forms the basis for decisions regarding required resources, expertise, allocation of responsibilities and integration into key business processes as part of risk management.The risk analysis must be carried out at least once a year, as well as on an ad hoc basis if the company must expect a significantly changed or significantly expanded risk situation in the supply chain, and additionally if the company has concrete information indicating that human rights violations or violations of environmental regulations are likely to occur at an indirect supplier.In general, it is advisable to consider the following steps in risk analysis:
For the implementation of the risk analysis according to the LkSG, the Federal Office for Economic Affairs and Export Control (BAFA) has published a guidance [2], explaining the requirements of the LkSG and providing assistance for implementation.
International companies face a variety of challenges when implementing international risk analyses, which have to be taken into account when identifying and assessing risks.This starts with the identification of risks in different departments and subsidiaries. A problem often encountered in practice is that risk identification is not complete. This is often only noticed when different subsidiaries realise that risks reported by other subsidiaries would also have been or are relevant for their own subsidiary. An example of this is that information received in the whistleblowing system may only have been taken into account by one subsidiary. This can be remedied by sharing all recorded risks with all subsidiaries and departments.Another challenge is the uniform assessment of identical risks. This is a prerequisite for companies to be able to aggregate these risks, as is also required by IDW PS 981.Risk aggregation is intended to help present the overall risk situation of a company. However, or precisely for this reason, the individual risks must not simply be added up - because there could be risk interdependencies. Risk interdependence means that risks are interdependent. Risks can reinforce each other and thus correlate positively, or they can weaken each other or exclude each other and thus correlate negatively. Risk aggregation can thus be a complex issue, which can be further exacerbated by the international nature of groups.In order to ensure that the results of the risk analysis are sufficiently taken into account in the risk management system, communication of the results to the decision-makers is essential. International groups are faced with the challenge of selecting which information is of purely local significance and which has an influence on global decisions.
In order to ensure a comprehensive understanding of risks in the supply chain, different disciplines must be linked in risk management.First and foremost are the legal requirements of the LkSG, which require a comprehensive understanding of the relevant regulations and compliance requirements. In addition to the LkSG itself, it is important to be familiar with the BAFA guidelines as well as the ISO 31000 and IDW PS 981 standards.It takes an interdisciplinary team to develop the appropriate guidelines and processes to analyse supply chain risks in a comprehensive and sound manner. By bringing in experts from these different disciplines to share their knowledge and perspectives, they can leverage synergies and better understand the complexities of risk.In addition, the use of best practices plays a crucial role, as does the continuous development of best practices in day-to-day operations in order to disseminate them on a company-wide level. Valuable know-how is already available in many areas of the company and should be captured and promoted in a targeted manner.
German SMEs, which are particularly affected by the LkSG due to their high share of value creation in international supply chains and their globalised business models, face major challenges in implementing internationally effective risk management systems and risk analyses. The implementation of the LkSG requires a broad understanding of the legal requirements, the implementation of effective risk management systems and cooperation between different disciplines and departments to ensure compliance with human rights and environmental standards in the supply chain.
Simultaneously with the introduction of the German Supply Chain Act short: “LkSG”, many other countries in and outside the EU have already enacted similar regulations. The EU is also working on a framework to regulate global supply chains. This legislative proposal already indicates that the legal requirements in Germany could become stricter in the future. In order to continue to operate safely within their supply chains, German companies must therefore pay increased attention to effective risk management in their international business relationships.
Simone Bausch
Associate Partner
Send inquiry
Julius Wunderle
Head of Forensic Services
