

The 1x1 of the supply chain due diligence law - Part 1

Part 1: The risk analysis

A large number of companies that are involved in various supply chains in their day-to-day business operations will have to comply with the strict requirements of the German Supply Chain Compliance Act (Lieferkettensorgfaltspflichtengesetz - LkSG) in the future. We have already published a brief presentation of the measures to be observed in the future in our article dated September 13, 2021. Depending on the number of persons employed in Germany, the respective requirements must be observed as early as January 01, 2023 (3,000 employees), or January 01, 2024 (1,000 employees). However, companies not directly addressed by the LkSG should also study the following explanations thoroughly, as it can be assumed that some of the envisaged obligations will ultimately be "passed on" to direct contractual partners.

In this context, the Federal Office of Economics and Export Control (hereinafter "BAFA") published a first "Handreichung zur Umsetzung einer Risikoanalyse nach den Vorgaben des Lieferkettensorgfaltspflichtengesetzes" on August 17, 2022. We would like to take this as an opportunity to set out the most important aspects once again in an understandable way. This article is part of a series ("The 1x1 of the supply chain due diligence law"), which in the future will take a closer look at the LkSG and its concrete requirements, in particular to provide affected companies with initial support.

What exactly requires a risk analysis?

Section 5 (1) of the LkSG first states verbatim:
"As part of risk management, the company shall conduct an appropriate risk analysis in accordance with paragraphs 2 to 4 in order to identify the human rights and environmental risks in its own business operations and those of its direct suppliers. In cases where a company has engaged in an abusive arrangement of the immediate supplier relationship or a circumvention transaction in order to circumvent the due diligence requirements with respect to the immediate supplier, an indirect supplier shall be deemed to be an immediate supplier."

The purpose of this approach is for the companies concerned to find out what human rights and environmental risks exist, or may exist, in their own business area and in the respective supply chains, particularly with regard to so-called direct suppliers. The risk analysis is also intended to help prioritize identified risks according to their severity and weight.

Companies directly subject to the LkSG are therefore initially faced with the task of obtaining an overview of their own procurement processes, the structure and the players at direct suppliers as well as important groups of people who may be affected by the company's business activities.

According to Section 5 (4) LkSG, a corresponding procedure must be carried out once a year with regard to the company's own business area and the business area of its direct suppliers, and additionally on an ad hoc basis (in the case of so-called "substantiated knowledge", also with regard to merely indirect suppliers). Such an occasion can be assumed, for example, on the basis of media reports, reports via the complaints channel to be set up or in connection with particularly problematic (newly developed) sectors, wars or natural disasters.

The risk analysis is rightly regarded by BAFA as a "fundamental building block" of risk management, since ultimately the majority of the further measures to be taken are based on it, or at least start from it. This applies, for example, to the preparation of a policy statement on the company's own human rights strategy and the preventive and remedial measures to be taken.

As a brief reiteration, it should be noted at this point that the following human rights and environmental risks may be of particular relevance to the companies addressed:

  • Child labor, forced labor or slavery,
  • Occupational health and safety hazards,
  • Danger of work-related health hazards,
  • Disregard for freedom of association,
  • Unequal treatment or discrimination in employment,
  • Withholding a fair wage,
  • Causing harmful soil, water or air pollution, noise emission or excessive water consumption,
  • Unlawful eviction or unlawful deprivation of land, forests or waters,
  • Hiring of private or public security forces to protect the entrepreneurial project,
  • Environmental risks, e.g. using mercury, chemicals or waste.

How can a risk analysis be prepared in concrete terms?

The first step is, of course, to clarify how "effective risk management" (cf. § 3 LkSG) can be implemented as a superordinate process within the company. For this purpose, a clearly defined group of people (e.g., management, compliance department and purchasing) must be determined, who will coordinate on the relevant topics at regular intervals. In addition, the LkSG provides (by way of example) for the appointment of a "human rights officer" who is responsible for monitoring risk management and for this reason should report directly to the management.

The "change of perspective" to be undertaken by the company is also of particular importance for understanding the risk analysis. In this context, it is not a matter of what financial losses or reputational damage the company itself is threatened with. The LkSG and the resulting obligations address solely the protection of the (potentially) affected persons.

The form of the risk analysis is not specified in concrete terms, but is largely left to the discretion of the respective company. The only important point is that the chosen approach must be considered "appropriate". According to BAFA's guidelines, this means that the intended methodology must include, in particular, "comprehensible processes for identifying, weighting and prioritizing" corresponding risks.

Starting points for an effective risk analysis

As a first step, a risk analysis always requires a deep awareness of the company's own corporate structure and the respective procurement system. The core prerequisite is therefore that the company is aware of all relevant locations, product and service types, as well as the production steps carried out, or types of services within the respective sectors. There must also be clarity about which direct suppliers are used, in relation to which products and services this is done, and in which countries the respective contractual partners are located. In order to accomplish this task, it is imperative that a standardized procedure be selected that maps the aforementioned factors in a comprehensible manner, for example in the form of a "supply chain mapping".

Only when an appropriate mapping has been created and the respective supply chains have already been classified according to their relevance (e.g., on the basis of procurement or order volume) can the actual risk analysis begin. The procedure should be designed on a risk basis.

In the BAFA handout mentioned above, a two-stage procedure is recommended. In the first stage, the conceivable risks should first be considered in abstract terms. This can, for example, be assessed on a sector- or country-specific basis. Based on this, the actual existing risks should then be identified and prioritized.

When prioritizing the risks, the following criteria listed in Section 3 (2) of the LkSG must be taken into account in particular:

  • Type and scope of business activity
  • Probability of occurrence
  • Severity of the breach in terms of degree, number of people affected and irreversibility
  • Possibilities of influence
  • Causation contribution of the company to individual risks or risk areas

Despite the risk-based approach taken by the LkSG, it should be noted that companies must work towards successively extending a "concrete risk assessment" to all companies/branches/locations, at least in their own business area.

BAFA does not specify how the respective companies can obtain more detailed information on the concrete existing risks, in particular in the case of direct suppliers. Annex II of the corresponding handbook only contains sources of information that can be used at least for the abstract risk assessment. For the concrete procurement of information, therefore, there is still a certain degree of legal uncertainty at the present time, as it has not been clearly established which (contractual) measures are legally permissible. Companies should seek good advice here, especially to avoid any legal pitfalls.

Support from SKW Schwarz

With the LkSG, companies are confronted with new challenges, which entail an undeniable effort. However, SKW Schwarz has developed a transparent consulting approach for these tasks, which will support companies in the future. This includes, among other things, developed sample documents, contract templates, etc.

In the further articles of this series, we will present the concept developed by SKW Schwarz in concrete terms and will be happy to assist you in complying with the legal requirements in the future.


Marius Drabiniok

Dr. Oliver Hornung

