
Freshfields Risk & Compliance


Know your exposure - The risk analysis under the German Supply Chain Act

The German Lieferkettensorgfaltspflichtengesetz (Supply Chain Act - LkSG) will enter into force in January 2023. The law seeks to improve the international human rights situation by setting due diligence standards for responsible management of supply chains. But what are the specific requirements of the new due diligence obligations?

A central component of risk management under the LkSG is the obligation to carry out a risk assessment concerning human rights and environmental risks. The law itself only sets out the general obligation to conduct such a risk analysis. Recently, the competent authority, the Federal Office of Economics and Export Control (BAFA), published a handout further specifying the requirements. This blog post provides an overview of the risk analysis before diving into the specifications laid out in the BAFA handout and analysing the potential need for further clarification.

Fundamental requirements for risk analysis

A risk analysis is the starting point for all comprehensive compliance measures. Only after assessing their risk profile are companies in a position to implement rules and procedures that effectively mitigate the identified risks. The LkSG requires companies to gain knowledge of the human rights and environmental risks not only in their own organisation, but also in their supply chain. Based on the gathered information, companies have to prioritise the identified risks and tackle the most important ones first. The LkSG grants broad discretion as to the design and choice of methods for identifying, evaluating and prioritising risks, provided the chosen approach is appropriate and systematic.

Regular risk analysis and ad-hoc risk analysis

The LkSG distinguishes between two forms of risk analysis: a regular risk analysis and a risk analysis on an ad-hoc basis. According to the law, the regular, annual risk analysis covers all risks in the company's own organisation and at its direct suppliers. By contrast, risks at the level of indirect suppliers are not to be included in the regular risk analysis.

Besides the regular, annual risk analysis, the law requires companies to conduct an ad-hoc risk analysis concerning indirect suppliers where they have substantiated knowledge of a violation of a human rights-related or environment-related duty. Indications of such a violation can arise from various sources: reports to complaints channels, information in the media or civil society reports, as well as discussions amongst industry players. It is worth noting that the BAFA recommends going beyond the requirements of the LkSG in this regard. The authority considers it more effective to monitor expected high risks preventively than to have to take wide-ranging measures once a human rights violation is imminent or has already occurred. The handout therefore suggests proactively including the relevant parts of the supply chain in the annual regular risk analysis once a company is aware of certain high risks.

In addition, all risks along the entire supply chain (i.e. own organisation, direct and indirect suppliers) are subject to an ad-hoc assessment where such risks have changed significantly or have emerged due to new circumstances. Such an ad-hoc risk analysis may be prompted by a change in business activity, such as entering a new procurement country.


How to implement the risk analysis?

According to the BAFA handout, the assessment should be conducted in three steps:

  • First, a company is required to obtain a general understanding of its business activities and of the relationships in its supply chain.
  • After gathering this information, the company has to conduct an abstract risk analysis.
  • Finally, the risk analysis is completed with a specific analysis, including the evaluation and prioritisation of the risks.

Companies should strive to gain an overview of their own procurement processes and make their supply chains transparent as the starting point for the risk analysis. A suitable method can be risk mapping by business sectors, locations, products, raw materials, or countries of origin.

To this end, companies should compile information on:

  • their corporate structure, including the names, sectors, and basic information of all group companies,
  • their procurement structure, including procurement categories, procurement countries, order volume and number of direct suppliers per category,
  • the type and scope of their business activity.

In the second step, publicly available sources such as indices, rankings, UN or OECD guidelines and NGO reports are consulted to identify branches, locations and suppliers with an increased risk profile.

Based on the results of this abstract risk assessment, companies have to determine the specific risks along their supply chains in the third step. They then need to decide which risks they will address first. Relevant criteria for this prioritisation are:

  • type and scope of business activity,
  • probability of occurrence,
  • severity of the violation,
  • ability to exert influence,
  • companies’ causal contribution to the emergence of a risk.

The risks identified in the specific risk assessment must be systematically documented, for example in a risk inventory.

The legislator acknowledges that companies cannot perform a fully comprehensive risk analysis from the outset. The BAFA handout therefore suggests a risk-based approach: companies can initially rely on the abstract risk analysis and carry out the specific risk analysis only for prioritised branches, locations and supply relationships. If a company is already aware of high-risk branches or suppliers, it should focus its data collection on the corporate and procurement structures of these entities first. However, companies are obliged to gradually improve transparency in their supply chains and thus to extend the specific risk analysis to all branches, locations and direct suppliers over time.

In developing preventive measures, companies can build on and relate to the results of regular and ad-hoc risk analyses.

Questions left unanswered

Although the handout is a valuable resource for companies, open questions remain. For example, it is unclear whether the annual risk analysis can be carried out collectively for a group of companies (similar questions arise under the soon-to-be-implemented EU Whistleblower Directive; see our colleagues' blog post for further information). In many cases, there are large overlaps between the supply chains of companies within a corporate group.

In light of the discretion companies have in designing the risk analysis, detailed best practices will evolve over time. For example, the timing of the risk analysis is debatable, given that in many industries contracts are awarded with a long lead time. It remains to be seen whether authorities and courts will expect companies to conduct the risk analysis for a supplier when the contract is concluded or only when the service or product is delivered. Similarly, best practice on which media and platforms companies should monitor to gather information about their indirect suppliers will only emerge progressively.

The handout also raises new questions, for instance regarding the definition of a company's causal contribution to risks and due diligence violations. The LkSG differentiates between risks and breaches of a human rights-related or environment-related duty, whereas the handout defines causation only as enabling or facilitating the breach of a particular duty. It is unlikely, however, that the handout intended to exclude causal contributions to risks.

Another ambiguity stems from the BAFA's suggestion to proactively include certain indirect suppliers in the annual risk analysis. If companies do not follow the BAFA recommendation but only comply with the legal requirement to perform an ad-hoc risk analysis when a violation of a human rights-related or environment-related duty is indicated, the authority may be tempted to open an investigation in case of subsequent violations. However, since the law does not empower the BAFA to extend the legal obligations, fines should not be imposed as long as companies comply with the LkSG.

Industry dialogues and additional BAFA handouts are expected to bring further clarification. We will closely monitor the developments and continue to report on this blog.