Additional guidance on compliance with the German Supply Chain Act published

Official guidance from the competent German regulator and new technical tools are intended to make the tasks easier, but also raise new questions.

A company's supply chain poses numerous compliance risks. Particularly in the environmental, social and governance (ESG) space, companies are increasingly confronted with sometimes significant changes and a multitude of new regulatory requirements, obliging them to monitor their supply chains and the way companies operate within them more closely.

In Germany, the Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, LkSG) will come into force in 2023. It obliges large German companies as well as foreign companies with a branch office in Germany to take certain measures to ensure that both they and their suppliers from Germany and abroad comply with certain environmental and social standards. To this end, the companies must, among other things, carry out a risk analysis, set up a complaints management system and also report annually on their compliance with the law. The German Federal Office of Economics and Export Control (BAFA), which is responsible for implementing and monitoring the new law, recently published extensive guidance on how to comply with these obligations.

Risk analysis

The LkSG requires companies to establish an appropriate and effective risk management system. The core of this is a regular as well as incident-related ad hoc risk analysis. In this way, they should identify and minimise human rights or environmental risks. By this, violations of human rights and environmental protection standards are also to be recognised and stopped. According to BAFA, the "risk-based approach" of the law allows companies to "target their resources and address the most important and urgent issues first".

Transparency in the business and with direct suppliers

Creating transparency in a company’s own business operations and with direct suppliers is a prerequisite for an appropriate risk analysis and, in BAFA's view, should be carried out beforehand. This includes, among other things, the determination of comprehensive relevant data on the corporate structure, procurement structure as well as the type and scope of business activities, in each case related to all group companies over which the obligated company exercises a determining influence, their suppliers as well as all "high-risk suppliers". In addition to general information, this also includes the operating sites and locations, products or services, procurement categories, countries of activity and procurement, turnover and order volumes as well as aggregated visualisations of the supply chains.

In its guidance on risk analysis [available only in German language], BAFA also explains the differences between regular and incident-related risk analysis. The regular risk analysis must be carried out once a year and must look at all risks in the company's own business area and at its direct suppliers. The event-related ad hoc risk analysis, on the other hand, must be carried out whenever the company has indications of a possible violation of human rights or environmental obligations. Such indications can, for example, be received by the company through the complaint channels to be set up or come from media reports and reports by civil society. Furthermore, an incident-related ad hoc risk analysis is also necessary if the company makes relevant changes to its business activities, such as opening up new product fields or purchasing markets.

Abstract and specific risk assessment

In its guidance, BAFA recommends at least two levels of risk assessment:

• an "abstract risk assessment" based on general risks in the countries and sectors in which the company is active or in which it has suppliers - for this purpose, the handbook lists an extensive catalogue of possible sources of information in its Annex II; and
• a "specific" determination and weighting of risks, which takes into account the specific risks at the company's locations and companies as well as its suppliers, and the statutory adequacy criteria such as type and scope of business activity, probability of occurrence, severity of the violation, possibilities of influence and contribution to causation.

"Companies that initially rely on an abstract risk assessment as part of the risk-based approach and only carry out the specific risk assessment for prioritised companies, branches and locations are obliged to gradually arrive at an improved information situation on their own business area as a whole and thus extend the process of specific risk assessment as part of the risk analysis to all companies, branches and locations in their own business area," BAFA said. With regard to the supply chain, BAFA believes that companies should initially be able to limit themselves to those with a high risk, but must then also gradually increase transparency in the supply chain over time.

Perspective in the risk assessment

In addition to explanations of the text of the law, BAFA's guidance contains further points worthy of attention, taking into account the explanatory memorandum to the law. For example, companies should explicitly not consider their own financial disadvantages or damage to their reputation in the event of violations when assessing the risk, but rather change their perspective and focus primarily on the interests of the protected groups of persons. These include, in particular, the company's own employees and employees in the supply chain. The abstract risk assessment should therefore identify those affected by violations, including "particularly vulnerable groups of people". This methodology deviates considerably from common risk management systems and makes it clear that the legislator is transferring state tasks, including development aid and foreign policy, to the private sector.

Complaint management

From 1 January 2023, every company covered by the LkSG must have at least one complaints procedure through which it can receive both internal and external notifications of risks or breaches of duty in relation to human rights and environmental standards in order to remedy them. In its guidance on the complaints procedure [available only in German language], BAFA clarifies that companies can "use an internal procedure, participate in an equivalent external procedure or combine internal and external complaints procedures". According to BAFA, this can also be based on existing or planned complaints procedures. For example, an established complaints procedure could simultaneously fulfil the requirements of the LkSG and the new Whistleblower Protection Act that was recently passed by the German parliament.

According to BAFA, it is important that the complaints procedures are easily accessible for the essential target groups and tailored to their situation. It must, among other things, be known to all target groups and offer sufficient support in the case of special access barriers, for example due to language barriers, illiteracy or lack of access to the internet or telephone. A company can identify the relevant target groups on the basis of its risk analysis. They include the company's own employees as well as employees of suppliers, but also residents around company sites. The complaints procedure must also be available to other persons or institutions that do not directly belong to these target groups, such as trade unions, the media or NGOs. Companies can also set up several channels for their complaints procedures, such as a free telephone hotline, a web-based solution, local contact persons or at least an on-site complaints box. Relevant target groups should be sufficiently informed about this and should, in the opinion of BAFA, even be involved in the design of the complaints procedure.

Companies must draw up processing rules for the complaints procedure and make them publicly available. The guidance provides further details on what information the rules of procedure must contain.

BAFA also specifies a number of requirements for the complaints procedure, including, for example, that the identity of the persons submitting the complaints must be protected and that the persons handling the complaints internally must be able to act impartially. BAFA also explains how the complaints should then be dealt with. This includes, among other things, discussing the facts with the whistleblower and involving them in finding a solution.

If a complaint is confirmed, companies must take remedial and also preventive measures. BAFA also states that the company must provide feedback to the whistleblower on the remedial action taken and that the whistleblower should be asked about their satisfaction with the process and the results. The company should also offer the aggrieved party amicable dispute resolution or make amendments, which, according to BAFA, can be "positively taken into account in the assessment of fines in the event of an established administrative offence".

Companies should be obliged to report publicly on the complaints they receive and their resolution. They must also review the effectiveness of the procedure once a year. BAFA's guidance provides suggestions on how such a review can be carried out, for example using appropriate key performance indicators (KPIs). Finally, findings from complaints must be included in the company's risk analysis and also taken into account in the other due diligence obligations under the LkSG.

The requirements of the law as read by BAFA go far beyond what existing whistleblowing systems at companies usually require. For companies with an international supply chain, including in problematic countries, it is unlikely that offers to relevant target groups in accordance with these requirements can be made efficiently without participation in multi-stakeholder initiatives at the industry or product level, coupled with a corresponding expansion of the company's whistleblowing system, especially in the scope of application and the design in detail.

Questionnaire for annual reports

All companies that fall directly under the scope of the LkSG must prepare an annual report on the fulfilment of their due diligence obligations in the previous business year and submit it to BAFA no later than four months after the end of the business year. In addition, the reports must be publicly available free of charge on the company's website for at least seven years.

Reports must be based on a catalogue of questions recently published by BAFA, which contains a total of 437 both open and closed questions and also multiple choice options.

The questionnaire requires very detailed information, for example on all affiliated companies over which decisive influence is exercised, as well as on the procurement structure in the company's own business area, the specific risks identified - in each case separately for the company's own business area, direct suppliers and indirect suppliers, insofar as these were also recorded on the basis of an incident-related risk analysis - as well as the specific preventive or remedial measures taken, including the company functions involved. The required information on the complaints procedure also appears to be extensive and reflects the requirements that BAFA places on complaints management.

Implementation in enterprise groups

BAFA highlights that all direct suppliers of "decisively influenced group companies" are also considered direct suppliers of the parent company. These must therefore be fully included in the risk analysis, preventive measures and complaint management measures. In addition, BAFA has clarified that each group company within the scope of application of the law also remains fully and independently obligated and needs to self-report despite any attribution to a parent company in scope of the law. However, the decisive question for a lawful implementation of the law in groups of companies, how the "determining influence" is to be determined, remains open.

Compliance remains a Herculean task

Despite BAFA's assistance, compliance with the LkSG remains a difficult task for many companies. The risk analysis in particular is likely to pose difficulties for many companies - especially given the short time left for preparation. It remains unclear whether the risk analysis must already be carried out at the beginning of the first application period (2023 or 2024) due to its fundamental importance for the further due diligence obligations, in particular the declaration of principles and the preventive measures. At the very latest, by the end of the first reporting period, the annual risk analysis must have been carried out completely at least once. This requires significant resources and sufficient time, especially for companies that are part of business groups with a global division of tasks, which quickly have tens of thousands of direct suppliers alone.

Effective risk analysis requires a high degree of transparency with regard to the company's own business operations and its supply chains. The company must have all essential information not only about its own business units, but also about the relevant suppliers, in order to be able to adequately identify risks at all. Secondly, an appropriate and comprehensible system is needed to quantify risks. Likewise, procedures must be established to identify and assess concrete risks - for example, through risk-based and structured questionnaires and their automated or manual evaluation as well as audits. It is already becoming apparent that most companies will have to rely on IT-based solutions to meet these challenges efficiently.