The German Supply Chain Due Diligence Act (German: LkSG) came into force on January 1, 2023 and introduced new human rights due diligence and reporting obligations for supply chains. Specifically, the law requires companies to prove that they have done everything in their power to prevent human rights-related risks in their supply chains, to report on those efforts, and to maintain documentation for seven years.
The LkSG currently applies to all companies doing business in Germany with at least 3,000 employees. In 2024 the applicability of the law will be extended to companies with more than 1,000 employees. Penalties for non-compliance will be severe – €800,000 for individuals (including company officers), and €400 million or up to 2% of the average annual turnover for companies.
The LkSG is another in a long line of important environmental, social and governance (ESG) laws meant to protect human rights, such as the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act; the EU Corporate Sustainability Reporting Directive (CSRD); and other modern slavery legislation. Therefore, it is essential that supplier risk management teams understand the Act’s obligations in relation to their organization’s overall risk management requirements.
This post examines the LkSG requirements – including those which are most applicable to supplier risk management – and recommends best practices to address the requirements.
The Act requires companies to meet the following obligations. In this post, we will review the bolded obligations only.
Note: In this section we review only key attributes of the LkSG. For a complete list of requirements, please refer to the full Act.
Consider implementing the following best practices to address the key supplier risk management provisions in the LkSG.
Section 4, paragraph 1, states that, “Enterprises must establish an appropriate and effective risk management system to comply with the due diligence obligation ... Risk management must be enshrined in all relevant business processes through appropriate measures.”
To address this requirement, begin by developing and refining the key components of your supplier risk management program, including:
These criteria should form the basis of a best-practice supplier risk management program that not only covers the due diligence needed to meet the LkSG requirements, but is also extensible to additional risk categories such as cybersecurity.
Section 5 states, “the enterprise must conduct an appropriate risk analysis … to identify the human rights and environment-related risks … at its direct suppliers ... [R]isks must be weighted and prioritized appropriately … The risk analysis must be carried out once a year as well as on an ad hoc basis.”
To address this requirement, assess supplier practices using a centralized platform that automatically calculates risk from supplier responses against acceptable risk thresholds, supports the upload of supporting evidence, and is backed by workflow, built-in remediation recommendations and reporting – all of which make it easier to meet reporting requirements and deadlines.
An additional benefit of a central risk management platform is that you can assess suppliers against multiple risk types and correlate the data for a complete picture of supplier risk (instead of a siloed view).
Also, while annual assessments are critical to gaining an insider’s view into a supplier’s human rights practices, a lot can happen between annual report submissions. That’s why it is important to validate annual due diligence assessment results with continuous insights into reputational information, adverse media and negative news, regulatory and legal actions, sanctions and more. You can then correlate intelligence from continuous monitoring with periodic assessment results for more unified risk reporting. Consolidating all intelligence into a “single pane of glass” will optimize your risk analysis efforts.
Section 6, paragraph 4, states that, “The enterprise must lay down appropriate preventative measures … [including] consideration of expectations when selecting a direct supplier … contractual assurances … and contractual control measures.”
To address these requirements, review recent business and reputational insights, legal filings, ESG scores, sanctions and other related intelligence as part of new supplier evaluations. Consolidate all insights into a single supplier profile that can be accessed by all teams in the organization, rather than juggling multiple sources of information. Also, align intelligence gathering with broader RFx management processes for more holistic supplier reviews.
Once you move into the contracting stage, build provisions into supplier contracts and track the supplier’s reporting progress over time. Instead of treating the contracting process separately, integrate it into your supplier risk assessment process. Do this by centralizing all contract distribution, discussion, retention and review processes and leveraging workflow throughout the supplier contract lifecycle. This will make it much more straightforward to report on contractual control measures such as key performance indicators (KPIs) and key risk indicators (KRIs).
Section 7 says that, “If the enterprise discovers that a violation of a human rights-related or an environment-related obligation has already occurred or is imminent … it must, without undue delay, take appropriate remedial action.” One of the remedial actions included in the Act is terminating the supplier relationship.
Using the results of supplier assessments as explained in Section 5, make recommendations to the supplier, ask for policy clarifications, and be prepared to report any violations to authorities. Supplier risk management solutions will include built-in remediation suggestions for suppliers. It’s important to follow through on this step since it is essential for mandated reporting.
If it becomes necessary to terminate a supplier relationship, be sure to automate final contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure. Key tasks to address here are to:
Section 9, paragraph 3, states, “If an enterprise has actual indications that a violation of a human rights-related or an environment-related obligation at indirect suppliers may be possible ... carry out a risk analysis … lay down appropriate preventive measures … implement a prevention concept.”
To address this obligation, it’s important to identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. A good way to start that process is by conducting a questionnaire-based assessment of your suppliers or by passively scanning the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies that could expose your organization to risk. Suppliers discovered through this process should be continuously monitored to identify ESG, business, and sanctions risks.
Section 10, paragraphs 1 and 2, state that, “due diligence obligations … must be continuously documented … kept for at least seven years.” As well, “The enterprise must prepare an annual report on the fulfillment of its due diligence obligations.”
To address these requirements, centrally store and distribute supplier policy documents, assessment results, monitoring findings, and remediations for dialog and attestation at the time of reporting. Supplier risk management solutions provide role-based access, enabling you to extend visibility to external auditors who may be examining your due diligence processes and consulting on annual reporting requirements.
Building and maintaining a centralized supplier database of record is essential to running an effective supplier risk management (SRM) program and meeting the Act’s reporting requirements. The database should include comprehensive supplier profiles and provide role-based access to company contacts, documentation, demographics, fourth-party and Nth-party connections, and risk intelligence.
The Prevalent Third-Party Risk Management Platform enables you to address human rights and environmental risks in your supply chain by automating survey-based assessments of supplier human rights policies and validating the results with continuous external monitoring of their real-world practices. With Prevalent, you can:
For more on how Prevalent's German Supply Chain Due Diligence compliance solution can help mitigate human rights and environmental risks in your supply chain, schedule a personalized demonstration today.