German Supply Chain Due Diligence Act (LkSG) Compliance

Develop and refine the key components of your supplier risk management (SRM) program, including:

• Governing policies, standards, systems and processes
• Clear roles and responsibilities (e.g., RACI)
• Supplier classification and categorization logic
• Risk scoring thresholds based on your organization’s risk tolerance levels
• Mapping of indirect suppliers to understand your organization’s extended ecosystem
• Scoping the right assessments and sources of continuous monitoring data (e.g., business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Compliance and contractual reporting requirements against service levels
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

These criteria should form the basis of a best practice supplier risk management program that not only includes the due diligence to meet the LkSG requirements but would also be extensible to additional risk categories such as cybersecurity.

Assess supplier practices using a centralized platform that enables the automatic calculation of risks based on supplier responses against acceptable risk thresholds, uploading of supporting evidence, and backed by workflow and built-in remediation recommendations and reporting – all of which make it easier to meet reporting requirements and deadlines.

Validate annual due diligence assessment results with continuous insights into reputational information, adverse media and negative news, regulatory and legal actions, sanctions and more. Correlate intelligence from continuous monitoring with periodic assessment results for more unified risk reporting. Consolidating all intelligence into a “single pane of glass” will optimize your risk analysis efforts.

Review recent business and reputational insights, legal filings, ESG scores, sanctions and other related intelligence as part of new supplier evaluations. Consolidate all insights into a single supplier profile that can be accessed by all teams in the organization, versus juggling multiple different sources of information. Align intelligence gathering with broader RFx management processes for more holistic supplier reviews.

Build provisions into supplier contracts and track the supplier’s reporting progress over time. Integrate contracting into your supplier risk assessment process. Do this by centralizing all contract distribution, discussion, retention and review processes and leveraging workflow throughout the supplier contract lifecycle. This will make it much more straightforward to report on contractual control measure such as key performance indicators (KPIs) and key risk indicators (KRIs).

Using the results of supplier assessments, make recommendations to the supplier, ask for policy clarifications, and be prepared to report any violations to authorities. Supplier risk management solutions will include built-in remediation suggestions for suppliers. It’s important to follow through on this step since it is essential for mandated reporting.

If it becomes necessary to terminate a supplier relationship, be sure to automate final contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure. Key tasks to address here are to:

• Report on system access, data destruction, access management, final payments, and more
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts
• Map assessment results to regulatory framework to simplify final reporting

Identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. Conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies that could expose your organization to risk. Suppliers discovered through this process should be continuously monitored to identify ESG, business, and sanctions risks.

Build and maintain a centralized supplier database of record to meet the Act’s reporting requirements. The database should include comprehensive supplier profiles and provide role-based access to company contacts, documentation, demographics, 4th-party and Nth-party connections, and risk intelligence.