The German Supply Chain Due Diligence Act (LkSG) came into force on January 1, 2023 and introduced new human rights due diligence and reporting obligations for supply chains. Specifically, the law requires companies to prove that they have done everything in their power to prevent human rights-related risks in their supply chains, report on it, and maintain documentation for 7 years.
The Act applies to all companies doing business in Germany with at least 3,000 employees, and it carries severe penalties: €800,000 for individuals (including company officers), and €400 million or up to 2% of the average annual turnover for companies. Now is the time for organizations to understand their due diligence and reporting obligations.
Establish a risk management system (section 4, paragraph 1)
Perform regular risk analyses (section 5)
Implement preventive measures with direct suppliers (section 6, paragraph 4)
Take remedial action in the event of a human rights violation (section 7, paragraphs 1-3)
Implement due diligence obligations for indirect suppliers (section 9)
Document and report (section 10, paragraphs 1-2)
Build a Best Practices SRM Program
Develop and refine the key components of your supplier risk management (SRM) program, including:
These criteria should form the basis of a best practice supplier risk management program that not only includes the due diligence to meet the LkSG requirements but would also be extensible to additional risk categories such as cybersecurity.
Conduct Targeted Due Diligence Assessments
Assess supplier practices using a centralized platform that automatically calculates risk from supplier responses against acceptable risk thresholds, supports the upload of supporting evidence, and is backed by workflow, built-in remediation recommendations, and reporting – all of which make it easier to meet reporting requirements and deadlines.
Continuously Monitor Suppliers
Validate annual due diligence assessment results with continuous insights into reputational information, adverse media and negative news, regulatory and legal actions, sanctions and more. Correlate intelligence from continuous monitoring with periodic assessment results for more unified risk reporting. Consolidating all intelligence into a “single pane of glass” will optimize your risk analysis efforts.
Evaluate Potential Suppliers on Human Rights
Review recent business and reputational insights, legal filings, ESG scores, sanctions and other related intelligence as part of new supplier evaluations. Consolidate all insights into a single supplier profile that can be accessed by all teams in the organization, versus juggling multiple different sources of information. Align intelligence gathering with broader RFx management processes for more holistic supplier reviews.
Build Provisions into Supplier Contracts
Build provisions into supplier contracts and track the supplier’s reporting progress over time. Integrate contracting into your supplier risk assessment process by centralizing all contract distribution, discussion, retention and review processes and leveraging workflow throughout the supplier contract lifecycle. This makes it much more straightforward to report on contractual control measures such as key performance indicators (KPIs) and key risk indicators (KRIs).
Using the results of supplier assessments, make recommendations to the supplier, ask for policy clarifications, and be prepared to report any violations to authorities. Supplier risk management solutions will include built-in remediation suggestions for suppliers. It’s important to follow through on this step since it is essential for mandated reporting.
If it becomes necessary to terminate a supplier relationship, be sure to automate final contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure. Key tasks to address here are to:
Identify 4th- and Nth-Party Suppliers
Identify fourth-party and Nth-party subcontracting relationships in your supplier ecosystem. Conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies that could expose your organization to risk. Suppliers discovered through this process should be continuously monitored to identify ESG, business, and sanctions risks.
Build a Central Supplier Inventory
Build and maintain a centralized supplier database of record to meet the Act’s reporting requirements. The database should include comprehensive supplier profiles and provide role-based access to company contacts, documentation, demographics, 4th-party and Nth-party connections, and risk intelligence.
Centrally store and distribute supplier policy documents, assessment results, monitoring findings, and remediations for dialog and attestation at the time of reporting. Extend visibility to external auditors who may be examining your due diligence processes and consulting on annual reporting requirements.