The German Supply Chain Due Diligence Act (German: LkSG) mandates that companies operating in Germany with at least 3,000 employees implement human rights due diligence in their supply chains. This law requires businesses to take all necessary steps to prevent human rights risks, report on their efforts, remediate risks, and retain documentation for seven years. In 2024, the law will extend to companies with over 1,000 employees.
Non-compliance can result in penalties of up to €800,000 for individuals and €400 million or 2% of the average annual turnover for companies. The LkSG aligns with global ESG regulations to safeguard human rights, emphasizing the importance of integrating its requirements into supplier risk management strategies.
This post examines the LkSG requirements—including those most applicable to supplier risk management—and recommends best practices for addressing them.
The Act requires companies to meet the following obligations. In this post, we will review only the bolded obligations.
Note: This section reviews only key attributes of the LkSG. For a complete list of requirements, please refer to the full Act.
Consider implementing the following best practices to address the key supplier risk management provisions in the LkSG.
Section 4, paragraph 1, states, "Enterprises must establish an appropriate and effective risk management system to comply with the due diligence obligation ... Risk management must be enshrined in all relevant business processes through appropriate measures."
To address this requirement, begin by developing and refining the key components of your supplier risk management program, including:
These criteria should form the basis of a best-practice supplier risk management program that includes due diligence to meet the LkSG requirements and is extensible to additional risk categories, such as cybersecurity.
Section 5 states, "the enterprise must conduct an appropriate risk analysis … to identify the human rights and environment-related risks … at its direct suppliers ... [R]isks must be weighted and prioritized appropriately … The risk analysis must be carried out once a year and on an ad hoc basis."
To address this requirement, assess supplier practices using a centralized platform that automatically calculates risk from supplier responses against acceptable risk thresholds, supports the upload of supporting evidence, and is backed by workflow, built-in remediation recommendations, and reporting – all of which make it easier to meet reporting requirements and deadlines.
An additional benefit of a central risk management platform is that you can assess suppliers against multiple risk types and correlate the data for a complete picture of supplier risk (instead of a siloed view).
Also, while annual assessments are critical to gaining an insider's view into a supplier's human rights practices, a lot can happen between yearly report submissions. That's why validating annual due diligence assessment results with continuous insights into reputational information, adverse media and negative news, regulatory and legal actions, sanctions, and more is essential. You can then correlate intelligence from continuous monitoring with periodic assessment results for more unified risk reporting. Consolidating all intelligence into a "single pane of glass" will optimize your risk analysis efforts.
Section 6, paragraph 4, states, "The enterprise must lay down appropriate preventative measures … [including] consideration of expectations when selecting a direct supplier … contractual assurances … and contractual control measures."
To address these requirements, review recent business and reputational insights, legal filings, ESG scores, sanctions, and other related intelligence as part of every new supplier evaluation. Instead of juggling multiple sources of information, consolidate all insights into a single supplier profile that all teams in the organization can access. Intelligence gathering should also be aligned with broader RFx management processes for more holistic supplier reviews.
Once you move into the contracting stage, build provisions into supplier contracts and track the supplier's reporting progress over time. Instead of treating the contracting process separately, integrate it into your supplier risk assessment process. Do this by centralizing all contract distribution, discussion, retention, and review processes and leveraging workflow throughout the supplier contract lifecycle. This will make reporting on contractual control measures such as key performance indicators (KPIs) and key risk indicators (KRIs) much more straightforward.
Section 7 says, "If the enterprise discovers that a violation of a human rights-related or an environment-related obligation has already occurred or is imminent … it must, without undue delay, take appropriate remedial action." One of the remedial actions included in the Act is terminating the supplier relationship.
Using the results of the supplier assessments described under Section 5, make recommendations to the supplier, ask for policy clarifications, and be prepared to report any violations to the authorities. Supplier risk management solutions include built-in remediation suggestions for suppliers. Following through on this step is vital because it supports mandated reporting.
If it becomes necessary to terminate a supplier relationship, automate final contract assessments and offboarding procedures to reduce your organization's risk of post-contract exposure. Essential tasks to address here are:
Section 9, paragraph 3, states, "If an enterprise has actual indications that a violation of a human rights-related or an environment-related obligation at indirect suppliers may be possible ... carry out a risk analysis … lay down appropriate preventive measures … implement a prevention concept."
To address this obligation, it's crucial to identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. An excellent way to start that process is by conducting a questionnaire-based assessment of your suppliers or by passively scanning the supplier's public-facing infrastructure. The relationship map depicts extended dependencies that could expose your organization to risk. Suppliers discovered through this process should be continuously monitored to identify ESG, business, and sanctions risks.
Section 10, paragraphs 1 and 2, state that "due diligence obligations … must be continuously documented … kept for at least seven years." Also, "The enterprise must prepare an annual report on fulfilling its due diligence obligations."
To address these requirements, centrally store and distribute supplier policy documents, assessment results, monitoring findings, and remediations for dialog and attestation during reporting. Supplier risk management solutions provide role-based access, enabling you to extend visibility to external auditors who may be examining your due diligence processes and consulting on annual reporting requirements.
Building and maintaining a centralized supplier database of record is essential to running an effective supplier risk management (SRM) program and meeting the Act's reporting requirements. The database should include comprehensive supplier profiles and provide role-based access to company contacts, documentation, demographics, fourth-party and Nth-party connections, and risk intelligence.
The Prevalent Third-Party Risk Management Platform enables you to address human rights and environmental risks in your supply chain by automating survey-based assessments of supplier human rights policies and validating the results with continuous external monitoring of their real-world practices. With Prevalent, you can:
For more on how Prevalent's German Supply Chain Due Diligence compliance solution can help mitigate human rights and environmental risks in your supply chain, schedule a personalized demonstration today.