
The German Supply Chain Due Diligence Act and Supplier Risk Management

Follow these best practices to assess and remediate human rights and environmental risks in your supply chain.
By: Scott Lang, VP, Product Marketing
April 19, 2023

The German Supply Chain Due Diligence Act (German: Lieferkettensorgfaltspflichtengesetz, LkSG) came into force on January 1, 2023 and introduced human rights and environmental due diligence and reporting obligations for supply chains. The law does not require companies to guarantee that no violations occur in their supply chains; it requires them to show that they have taken appropriate measures to identify, prevent and remediate human rights-related and environmental risks, to report on those measures annually, and to retain the supporting documentation for seven years.

The LkSG currently applies to companies with a head office, principal place of business, administrative headquarters, registered seat or branch office in Germany that have at least 3,000 employees in Germany. From January 1, 2024, the threshold drops to 1,000 employees. Penalties for non-compliance are severe: fines of up to €800,000 for individuals (including company officers) and up to €8 million for companies, rising to up to 2% of average annual turnover for companies whose average annual turnover exceeds €400 million.

The LkSG is another in a long line of important environmental, social and governance (ESG) laws meant to protect human rights, such as the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act; the EU Corporate Sustainability Reporting Directive (CSRD); and other modern slavery legislation. Therefore, it is essential that supplier risk management teams understand the Act’s obligations in relation to their organization’s overall risk management requirements.

This post examines the LkSG requirements – including those which are most applicable to supplier risk management – and recommends best practices to address the requirements.

German Supply Chain Due Diligence Act Requirements

The Act requires companies to meet the following obligations. This post reviews only the ones most relevant to supplier risk management: the risk management system, regular risk analyses, preventive measures with direct suppliers, remedial action, due diligence for indirect suppliers, and documentation and reporting.

  • Establish a risk management system (section 4, paragraph 1)
  • Designate a responsible person (section 4, paragraph 3)
  • Perform regular risk analyses (section 5)
  • Issue policy statements (section 6, paragraph 2)
  • Implement preventive measures in the own business area (section 6, paragraphs 1 and 3) and with direct suppliers (section 6, paragraph 4)
  • Take remedial action in the event of a human rights violation (section 7, paragraphs 1-3)
  • Establish a complaints procedure with regard to the notification of human rights violations (section 8)
  • Implement due diligence obligations for indirect suppliers (section 9)
  • Document and report (section 10, paragraphs 1-2)

Best Practices for Meeting German Supply Chain Due Diligence Act Requirements

Note: In this section we review only key attributes of the LkSG. For a complete list of requirements, please refer to the full Act.

Consider implementing the following best practices to address the key supplier risk management provisions in the LkSG.

Establish a risk management system

Section 4, paragraph 1, states that, “Enterprises must establish an appropriate and effective risk management system to comply with the due diligence obligation ... Risk management must be enshrined in all relevant business processes through appropriate measures.”

To address this requirement, begin by developing and refining the key components of your supplier risk management program, including:

  • Governing policies, standards, systems and processes
  • Clear roles and responsibilities (e.g., RACI)
  • Supplier classification and categorization logic
  • Risk scoring thresholds based on your organization’s risk tolerance levels
  • Mapping of indirect suppliers to understand your organization’s extended ecosystem
  • Scoping the right assessments and sources of continuous monitoring data (e.g., business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Compliance and contractual reporting requirements against service levels
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

These components should form the basis of a best-practice supplier risk management program that not only includes the due diligence needed to meet the LkSG requirements but is also extensible to additional risk categories such as cybersecurity.


Perform regular risk analyses

Section 5 states, “the enterprise must conduct an appropriate risk analysis … to identify the human rights and environment-related risks … at its direct suppliers ... [R]isks must be weighted and prioritized appropriately … The risk analysis must be carried out once a year as well as on an ad hoc basis.”

To address this requirement, assess supplier practices in a centralized platform that calculates risk automatically from supplier responses against your defined risk thresholds, lets suppliers upload supporting evidence, and backs the assessment with workflow, built-in remediation recommendations and reporting. Together these make it easier to meet the Act's reporting requirements and deadlines. Whatever tooling you use, record the scoring thresholds and the evidence behind each score, since the risk analysis itself is part of what must be documented and retained.

An additional benefit of a central risk management platform is that you can assess suppliers against multiple risk types and correlate the data for a complete picture of supplier risk (instead of a siloed view).

Annual assessments give you a supplier's own account of its human rights practices, but a lot can happen between submissions. Validate annual assessment results with continuous insight into reputational information, adverse media and negative news, regulatory and legal actions, sanctions and more, and correlate that monitoring intelligence with the periodic assessment results for unified risk reporting. This matters for the Act as well: section 5 requires an ad hoc risk analysis when the risk situation in the supply chain changes significantly, and section 9 requires one when you obtain substantiated knowledge of a possible violation at an indirect supplier. Continuous monitoring is often what surfaces those triggers. Consolidating all intelligence into a "single pane of glass" will streamline your risk analysis efforts.

Implement preventive measures

Section 6, paragraph 4, states that, “The enterprise must lay down appropriate preventative measures … [including] consideration of expectations when selecting a direct supplier … contractual assurances … and contractual control measures.”

To address these requirements, review recent business and reputational insights, legal filings, ESG scores, sanctions and other related intelligence as part of new supplier evaluations. Consolidate all insights into a single supplier profile that every relevant team can access, rather than juggling multiple sources of information. Also, align intelligence gathering with your broader RFx management process so that supplier reviews are holistic.

Once you move into the contracting stage, build provisions into supplier contracts and track the supplier’s reporting progress over time. Instead of treating the contracting process separately, integrate it into your supplier risk assessment process. Do this by centralizing all contract distribution, discussion, retention and review processes and leveraging workflow throughout the supplier contract lifecycle. This will make it much more straightforward to report on contractual control measures such as key performance indicators (KPIs) and key risk indicators (KRIs).

Take remedial action

Section 7 says that, “If the enterprise discovers that a violation of a human rights-related or an environment-related obligation has already occurred or is imminent … it must, without undue delay, take appropriate remedial action.” Terminating the supplier relationship is one remedial action named in the Act, but it is the last resort: section 7, paragraph 3 calls for termination only when the violation is assessed as very serious, a corrective plan has not remedied it within the agreed time, and no milder means are available.

Using the results of the supplier assessments described under section 5 above, make recommendations to the supplier, ask for policy clarifications, and, where a violation cannot be ended immediately, agree a corrective action plan with a concrete timetable, as section 7, paragraph 2 requires. Supplier risk management solutions should include built-in remediation suggestions for suppliers. Follow this step through and record it: the remedial actions you took and their outcome are part of what the annual report must cover.

If it becomes necessary to terminate a supplier relationship, be sure to automate final contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure. Key tasks to address here are to:

  • Report on system access, data destruction, access management, final payments, and more
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts
  • Map assessment results to the regulatory framework to simplify final reporting

Implement due diligence for indirect suppliers

Section 9, paragraph 3, states, “If an enterprise has actual indications that a violation of a human rights-related or an environment-related obligation at indirect suppliers may be possible ... carry out a risk analysis … lay down appropriate preventive measures … implement a prevention concept.”

To address this obligation, identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. Start with a questionnaire-based assessment that asks suppliers to disclose their own key suppliers and subcontractors. Passively scanning a supplier's public-facing infrastructure can supplement this, but be clear about what it actually reveals: hosting providers, SaaS dependencies and other technology relationships visible from DNS records, certificates and web headers, not the manufacturing subcontractors where most human rights risk sits. The resulting relationship map depicts extended dependencies that could expose your organization to risk. Continuously monitor the indirect suppliers you discover for ESG, business and sanctions risks; under section 9 it is this kind of substantiated knowledge of a possible violation that triggers the risk analysis and preventive measures.

Document and report

Section 10, paragraphs 1 and 2, state that, “due diligence obligations … must be continuously documented … kept for at least seven years.” As well, “The enterprise must prepare an annual report on the fulfillment of its due diligence obligations.” The report must be published on the company's website and submitted to the German Federal Office for Economic Affairs and Export Control (BAFA), the authority that enforces the Act.

To address these requirements, centrally store and distribute supplier policy documents, assessment results, monitoring findings and remediation records so that they can be reviewed and attested at reporting time. Supplier risk management solutions provide role-based access, which lets you extend visibility to external auditors who may be examining your due diligence processes or advising on annual reporting. Keep that access read-only and scoped to the records the auditor needs, and make sure the platform keeps an audit trail of who viewed or changed a record: a seven-year retention requirement is only useful if the integrity of the records can be shown.

Building and maintaining a centralized supplier database of record is essential to ensuring an effective supplier risk management (SRM) program and meeting the Act's reporting requirements. The database should include comprehensive supplier profiles and provide role-based access to company contacts, documentation, demographics, fourth-party and Nth-party connections, and risk intelligence.

Next Steps for Performing Supply Chain Due Diligence

The Prevalent Third-Party Risk Management Platform enables you to address human rights and environmental risks in your supply chain by automating survey-based assessments of supplier human rights policies and validating the results with continuous external monitoring of their real-world practices. With Prevalent, you can:

  • Integrate RFx, contracting and due diligence processes into a single solution to address risks across the supplier lifecycle
  • Build a central supplier inventory and calculate the inherent risks that suppliers introduce to your environment
  • Assess and continuously monitor suppliers for human rights, environmental and other types of supply chain risks in a single solution
  • Deliver automated remediation recommendations to suppliers to reduce residual risk exposure
  • Measure suppliers against contractual key performance indicators (KPIs) and key risk indicators (KRIs)
  • Leverage templates to simplify regulatory audit reporting to multiple internal and external stakeholders

For more on how Prevalent's German Supply Chain Due Diligence compliance solution can help mitigate human rights and environmental risks in your supply chain, schedule a personalized demonstration today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
