The German Supply Chain Due Diligence Act and Supplier Risk Management

Follow these best practices to assess and remediate human rights and environmental risks in your supply chain.
By: Scott Lang, VP, Product Marketing
May 23, 2024

What is the German Supply Chain Due Diligence Act?

The German Supply Chain Due Diligence Act (German: LkSG) mandates that companies operating in Germany with at least 3,000 employees implement human rights due diligence in their supply chains. This law requires businesses to take all necessary steps to prevent human rights risks, report on their efforts, remediate risks, and retain documentation for seven years. In 2024, the law will extend to companies with over 1,000 employees.

Non-compliance can result in penalties of up to €800,000 for individuals and €400 million or 2% of the average annual turnover for companies. The LkSG aligns with global ESG regulations to safeguard human rights, emphasizing the importance of integrating its requirements into supplier risk management strategies.

This post examines the LkSG requirements—including those most applicable to supplier risk management—and recommends best practices for addressing them.

German Supply Chain Due Diligence Act Requirements

The Act requires companies to meet the following obligations. This post reviews only six of them: the risk management system, regular risk analyses, preventive measures, remedial action, due diligence for indirect suppliers, and documentation and reporting.

  • Exercise due regard for human rights and environmental due diligence obligations in the supply chain (section 3)
  • Establish a risk management system (section 4, paragraph 1)
  • Designate a responsible person (section 4, paragraph 3)
  • Perform regular risk analyses (section 5)
  • Issue policy statements (section 6, paragraph 2)
  • Implement preventive measures in the own business area (section 6, paragraphs 1 and 3) and with direct suppliers (section 6, paragraph 4)
  • Take remedial action in the event of a human rights violation (section 7, paragraphs 1-3)
  • Establish a complaints procedure with regard to the notification of human rights violations (section 8)
  • Implement due diligence obligations for indirect suppliers (section 9)
  • Document and report (section 10, paragraphs 1-2)

6 Best Practices for Meeting German Supply Chain Due Diligence Act Requirements

Note: This section reviews only key attributes of the LkSG. For a complete list of requirements, please refer to the full Act.

Consider implementing the following best practices to address the key supplier risk management provisions in the LkSG.

1. Establish a risk management system

Section 4, paragraph 1, states, "Enterprises must establish an appropriate and effective risk management system to comply with the due diligence obligation ... Risk management must be enshrined in all relevant business processes through appropriate measures."

To address this requirement, begin by developing and refining the key components of your supplier risk management program, including:

  • Governing policies, standards, systems and processes
  • Clear roles and responsibilities (e.g., RACI)
  • Supplier classification and categorization logic
  • Risk scoring thresholds based on your organization’s risk tolerance levels
  • Mapping of indirect suppliers to understand your organization’s extended ecosystem
  • Scoping the right assessments and sources of continuous monitoring data (e.g., business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Compliance and contractual reporting requirements against service levels
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

These criteria should form the basis of a best-practice supplier risk management program that includes due diligence to meet the LkSG requirements and is extensible to additional risk categories, such as cybersecurity.


2. Perform regular risk analyses

Section 5 states, "the enterprise must conduct an appropriate risk analysis … to identify the human rights and environment-related risks … at its direct suppliers ... [R]isks must be weighted and prioritized appropriately … The risk analysis must be carried out once a year and on an ad hoc basis."

To address this requirement, assess supplier practices using a centralized platform that automatically calculates risk from supplier responses against your acceptable risk thresholds, supports the upload of supporting evidence, and is backed by workflow, built-in remediation recommendations, and reporting, all of which make it easier to meet reporting requirements and deadlines.

An additional benefit of a central risk management platform is that you can assess suppliers against multiple risk types and correlate the data for a complete picture of supplier risk (instead of a siloed view).

Also, while annual assessments are critical to gaining an insider's view into a supplier's human rights practices, a lot can happen between yearly report submissions. That's why validating annual due diligence assessment results with continuous insights into reputational information, adverse media and negative news, regulatory and legal actions, sanctions, and more is essential. You can then correlate intelligence from continuous monitoring with periodic assessment results for more unified risk reporting. Consolidating all intelligence into a "single pane of glass" will optimize your risk analysis efforts.

3. Implement preventative measures

Section 6, paragraph 4, states, "The enterprise must lay down appropriate preventative measures … [including] consideration of expectations when selecting a direct supplier … contractual assurances … and contractual control measures."

To address these requirements, recent business and reputational insights, legal filings, ESG scores, sanctions, and other related intelligence must be reviewed as part of new supplier evaluations. Instead of juggling multiple different sources of information, consolidate all insights into a single supplier profile that all teams in the organization can access. Also, intelligence gathering should be aligned with broader RFx management processes for more holistic supplier reviews.

Once you move into the contracting stage, build provisions into supplier contracts and track the supplier's reporting progress over time. Instead of treating the contracting process separately, integrate it into your supplier risk assessment process. Do this by centralizing all contract distribution, discussion, retention, and review processes and leveraging workflow throughout the supplier contract lifecycle. This will make reporting on contractual control measures such as key performance indicators (KPIs) and key risk indicators (KRIs) much more straightforward.

4. Take remedial action

Section 7 says, "If the enterprise discovers that a violation of a human rights-related or an environment-related obligation has already occurred or is imminent … it must, without undue delay, take appropriate remedial action." One of the remedial actions included in the Act is terminating the supplier relationship.

Using the results of the supplier assessments described under Section 5, make recommendations to the supplier, ask for policy clarifications, and be prepared to report any violations to the authorities. Supplier risk management solutions typically include built-in remediation suggestions for suppliers. Following through on this step is vital because the mandated reporting depends on it.

If it becomes necessary to terminate a supplier relationship, automate final contract assessments and offboarding procedures to reduce your organization's risk of post-contract exposure. Essential tasks to address here are:

  • Report on system access, data destruction, access management, final payments, and more
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs, and contracts
  • Map assessment results to the relevant regulatory frameworks to simplify final reporting

5. Implement due diligence for indirect suppliers

Section 9, paragraph 3, states, "If an enterprise has actual indications that a violation of a human rights-related or an environment-related obligation at indirect suppliers may be possible ... carry out a risk analysis … lay down appropriate preventive measures … implement a prevention concept."

To address this obligation, it's crucial to identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. An excellent way to start that process is by conducting a questionnaire-based assessment of your suppliers or by passively scanning the supplier's public-facing infrastructure. The relationship map depicts extended dependencies that could expose your organization to risk. Suppliers discovered through this process should be continuously monitored to identify ESG, business, and sanctions risks.

6. Document and report

Section 10, paragraphs 1 and 2, state that "due diligence obligations … must be continuously documented … kept for at least seven years." Also, "The enterprise must prepare an annual report on fulfilling its due diligence obligations."

To address these requirements, centrally store and distribute supplier policy documents, assessment results, monitoring findings, and remediations for dialog and attestation during reporting. Supplier risk management solutions provide role-based access, enabling you to extend visibility to external auditors who may be examining your due diligence processes and consulting on annual reporting requirements.

Building and maintaining a centralized supplier database of record is essential to ensuring an effective supplier risk management (SRM) program and meeting the Act's reporting requirements. The database should include comprehensive supplier profiles and provide role-based access to company contacts, documentation, demographics, 4th-party and Nth-party connections, and risk intelligence.

Next Steps for Performing Supply Chain Due Diligence

The Prevalent Third-Party Risk Management Platform enables you to address human rights and environmental risks in your supply chain by automating survey-based assessments of supplier human rights policies and validating the results with continuous external monitoring of their real-world practices. With Prevalent, you can:

  • Integrate RFx, contracting, and due diligence processes into a single solution to address risks across the supplier lifecycle
  • Build a central supplier inventory and calculate the inherent risks that suppliers introduce to your environment
  • Assess and continuously monitor suppliers for human rights, environmental, and supply chain risks in a single solution
  • Deliver automated remediation recommendations to suppliers to reduce residual risk exposure
  • Measure suppliers against contractual key performance indicators (KPIs) and key risk indicators (KRIs)
  • Leverage templates to simplify regulatory audit reporting to multiple internal and external stakeholders

For more on how Prevalent's German Supply Chain Due Diligence compliance solution can help mitigate human rights and environmental risks in your supply chain, schedule a personalized demonstration today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
