
German Supply Chain Due Diligence Act (LkSG) Compliance

Assess and remediate human rights risks in your supply chain

The German Supply Chain Due Diligence Act (LkSG) came into force on January 1, 2023 and introduced new human rights due diligence and reporting obligations for supply chains. Specifically, the law requires companies to prove that they have done everything in their power to prevent human rights-related risks in their supply chains, report on it, and maintain documentation for 7 years.

The Act applies to all companies doing business in Germany with at least 3,000 employees, and carries severe penalties of €800,000 for individuals (including company officers) and €400 million or up to 2% of average annual turnover for companies, so now is the time for organizations to understand their due diligence and reporting obligations.

Relevant Requirements

  • Establish a risk management system (section 4, paragraph 1)

  • Perform regular risk analyses (section 5)

  • Implement preventive measures with direct suppliers (section 6, paragraph 4)

  • Take remedial action in the event of a human rights violation (section 7, paragraphs 1-3)

  • Implement due diligence obligations for indirect suppliers (section 9)

  • Document and report (section 10, paragraphs 1-2)

  • Build a Best Practices SRM Program

    Develop and refine the key components of your supplier risk management (SRM) program, including:

    • Governing policies, standards, systems and processes
    • Clear roles and responsibilities (e.g., RACI)
    • Supplier classification and categorization logic
    • Risk scoring thresholds based on your organization’s risk tolerance levels
    • Mapping of indirect suppliers to understand your organization’s extended ecosystem
    • Scoping the right assessments and sources of continuous monitoring data (e.g., business, reputational, financial)
    • Key performance indicators (KPIs) and key risk indicators (KRIs)
    • Compliance and contractual reporting requirements against service levels
    • Risk and internal stakeholder reporting
    • Risk mitigation and remediation strategies

    These criteria should form the basis of a best practice supplier risk management program that not only includes the due diligence to meet the LkSG requirements but would also be extensible to additional risk categories such as cybersecurity.

  • Conduct Targeted Due Diligence Assessments

    Assess supplier practices using a centralized platform that automatically calculates risk from supplier responses against acceptable risk thresholds, supports the upload of supporting evidence, and is backed by workflow, built-in remediation recommendations and reporting, all of which make it easier to meet reporting requirements and deadlines.

  • Continuously Monitor Suppliers

    Validate annual due diligence assessment results with continuous insights into reputational information, adverse media and negative news, regulatory and legal actions, sanctions and more. Correlate intelligence from continuous monitoring with periodic assessment results for more unified risk reporting. Consolidating all intelligence into a “single pane of glass” will optimize your risk analysis efforts.

  • Evaluate Potential Suppliers on Human Rights

    Review recent business and reputational insights, legal filings, ESG scores, sanctions and other related intelligence as part of new supplier evaluations. Consolidate all insights into a single supplier profile that can be accessed by all teams in the organization, versus juggling multiple different sources of information. Align intelligence gathering with broader RFx management processes for more holistic supplier reviews.

  • Build Provisions into Supplier Contracts

    Build provisions into supplier contracts and track the supplier’s reporting progress over time. Integrate contracting into your supplier risk assessment process by centralizing all contract distribution, discussion, retention and review processes and applying workflow throughout the supplier contract lifecycle. This makes it much more straightforward to report on contractual control measures such as key performance indicators (KPIs) and key risk indicators (KRIs).

  • Remediate Findings

    Using the results of supplier assessments, make recommendations to the supplier, ask for policy clarifications, and be prepared to report any violations to authorities. Supplier risk management solutions will include built-in remediation suggestions for suppliers. It’s important to follow through on this step since it is essential for mandated reporting.

  • Offboard Suppliers

    If it becomes necessary to terminate a supplier relationship, be sure to automate final contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure. Key tasks to address here are to:

    • Report on system access, data destruction, access management, final payments, and more
    • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts
    • Map assessment results to the regulatory framework to simplify final reporting

  • Identify 4th- and Nth-Party Suppliers

    Identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. Conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies that could expose your organization to risk. Suppliers discovered through this process should be continuously monitored to identify ESG, business, and sanctions risks.

  • Build a Central Supplier Inventory

    Build and maintain a centralized supplier database of record to meet the Act’s reporting requirements. The database should include comprehensive supplier profiles and provide role-based access to company contacts, documentation, demographics, 4th-party and Nth-party connections, and risk intelligence.

  • Report

    Centrally store and distribute supplier policy documents, assessment results, monitoring findings, and remediations for dialog and attestation at the time of reporting. Extend visibility to external auditors who may be examining your due diligence processes and consulting on annual reporting requirements.
