Official guidelines for Germany’s Supply Chain Due Diligence Act (SCDDA), or Lieferkettengesetz Act, are now available. Released on 14 October 2022 by the competent authority, the Federal Office for Economic Affairs and Export Control (BAFA), and published in the form of a questionnaire, the guidelines give companies an opportunity to assess their readiness for SCDDA.
The process of answering questions will provide compliance teams with a solid assessment of their current resources, reveal gaps in their third-party risk policy and provide the basis for a robust compliance response plan, even while guidance is still evolving.
The structure of the questionnaire
The extensive questionnaire covers a wide range of risk areas and totals 437 questions. Should no risk be identified, some questions fall away, but even one red flag will require a response to all questions.
The questionnaire mixes multiple-choice and open-ended questions, with free-text fields where answers need to be explained. It is structured into sections that include [1]:
- Strategy: provide information on risk management, policy statements on human rights, and how strategy is embedded throughout the organization.
- Risk analysis and preventive measures: describe the implementation procedure and the management of risk analysis in the company, direct suppliers, and indirect suppliers. Explain how risk analysis results will be communicated to key team members. How will a review of the analysis procedure be managed for effectiveness?
- Violations and remedial action: how will violations be managed in the company, direct suppliers, and indirect suppliers?
- Complaints procedure: provide a detailed description of the implementation of the complaints procedure.
- Risk management assessment and conclusion: describe how risk management will be reviewed for effectiveness and the interests of potentially affected parties will be considered.
Organizations can access the online questionnaire in Spring 2023; responses must be submitted in German.
The complexity of compliance obligations continues to increase
SCDDA is intended to strengthen and protect human and environmental rights in global supply chains. Described as the most robust law in Europe against worker exploitation, its implementation will align Germany’s legislation with, and possibly take it beyond, that of global legislative leaders such as the UK, Australia, and the Netherlands. SCDDA represents a broadening of regulatory scope in line with global trends, and compliance will require a new focus and intelligence set compared to financial regulatory compliance.
Preparing for implementation will require organizations to construct and implement risk management systems that match the complexity and spread of their supply chains. This needs a comprehensive understanding of human and environmental rights in the context of the SCDDA, as well as a detailed assessment of several workplace environments to identify risk.
Organizations should also prepare to apply appropriate preventative measures if risk or human and environmental rights violations are identified within the company or a direct supplier.
Should an indirect supplier be flagged as a heightened risk, the company is expected to work with the supplier to ensure the development of appropriate measures. In the past, organizations have tended to ‘de-risk’ rather than manage a complex third-party environment, but with SCDDA, the regulator is keen to discourage de-risking as a compliance strategy. Organizations are expected to work with suppliers and stakeholders rather than terminate the relationship.
The company must establish a clear line of accountability and responsibility, and every action needs to be documented and reported.
Substantial risks of non-compliance
Fines for non-compliance can be as high as EUR 8 million, or two per cent of annual turnover where turnover exceeds EUR 400 million. Companies can also be excluded from public contracts for up to three years, depending on the violation.
Secondary risks, however, are potentially more damaging than regulatory penalties.
Widespread access to cameras and recording devices empowers people to document human and environmental rights abuse in many remote and isolated places. Social media allows a narrative to be amplified rapidly, mobilizing perceptions that can be challenging to reclaim. Human and environmental rights are emotive topics for many people, and there has been a growing call for businesses to take more responsibility. In this environment, reputational risk should not be underestimated. For example, a global survey of nearly 30,000 consumers in 35 countries showed that 62 percent of respondents want companies to take a stand on current and broadly relevant issues such as sustainability, transparency, and fair employment practices. More than half of respondents, 53 percent, said they would complain if they were disappointed with a brand’s words or actions on a social issue, but more importantly, a substantial number of respondents, 47 percent, said they would walk away from the company, with 17 percent never returning. [2]
Another survey reveals that a poor reputation in environmental credentials will reduce a company’s attractiveness to top talent, with two in five businesses struggling to fill positions.
The same survey also shows that 61 percent of businesses have lost work due to poor ESG credentials. The pressure on organizations is illustrated by a letter sent to the PR agency responsible for COP27 on the first day of the event. Four hundred scientists wrote to Hill+Knowlton urging the agency to cut ties with its fossil fuel clients, a challenging situation for an organization tasked with managing the image of the environmental event.
Companies can also be sued by suppliers’ employees. Under the new legislation, any affected person can authorize German trade unions and non-governmental organizations (NGOs) to bring civil proceedings on their behalf. The law of the location, however, will apply.
The risks of non-compliance are onerous and can impact a company’s ability to continue trading. We expect oversight to be rigorous. In an interview in October 2022, BAFA’s president, Torsten Safarik, stated that the agency is ready to crack down on anyone not complying with the Lieferkettengesetz Act. [3]
Working through the questionnaire will provide comprehensive guidance on intelligence, resources, and expertise.
Formulating a compliance response to the new regulation is often less complex than first feared, but some preparation tasks can be more time-consuming than others. For example, if a compliance resource audit reveals a need for more critical skills and personnel, this can take time to resolve. While there are still some months before the first SCDDA reports are due, regulators tend to look more favorably at companies that are proactive in their compliance approach and can demonstrate efforts to align procedures.
Companies with headquarters or a branch in Germany with 3,000 or more employees are to present reports no later than four months after the end of the financial year 2023, followed by companies with 1,000 or more employees in 2024.
While not in regulatory sights, small and medium-sized companies that produce for supply chains will also be impacted, as they need to increase the transparency of operations or risk jeopardizing crucial commercial relationships and opportunities. There is no official implementation date for SME suppliers but the sooner their policies are adjusted to fit within the SCDDA framework, the higher their competitiveness.
The need for compliance expertise
Working through the questionnaire will undoubtedly assist organizations in formulating a comprehensive compliance response to the SCDDA.
While SCDDA due diligence reports will rely on information from a different source than financial regulation compliance reports, companies with extensive compliance experience may find that they have most of the required resources and expertise. All that is needed is the assimilation of an intelligence subset, for example, and a set of new reporting procedures. Some organizations could be pleasantly surprised to find that they are closer than they realize to SCDDA readiness.
On the other side of the spectrum, there will be organizations that need more expertise and ability to initiate preparation plans for SCDDA. This is likely to include companies that have fewer reporting obligations. In such cases, working with compliance specialists who will assess their requirements and obligations and construct a framework can effectively reduce time and costs over the long term. Whatever the current situation, if they have not already done so, organizations should understand the timeline for implementation and plan accordingly.
The Ethixbase360 and Norton Rose Fulbright Collaboration
Ethixbase360 entered into an exclusive license and collaboration agreement with global top 10 law firm Norton Rose Fulbright in 2020 to develop a modern slavery supply chain risk assessment questionnaire for third parties. The questionnaire is offered by Ethixbase360 via its Ethixbase360 360 Third-Party Risk Management platform and is an integral component of the Ethixbase360 Human Rights Module.
The questionnaire applies the know-how developed by Norton Rose Fulbright using its global expertise in identifying and assessing modern slavery and human rights risks, to provide an indicative risk rating. The rating can be used to assist organizations to manage supply chains, modern slavery, and human rights reporting obligations in multiple jurisdictions. Other components of the Ethixbase360 Human Rights Module include Risk-Based Due Diligence, Policy and Code Management, and Third-Party Training.
The partnership between Norton Rose Fulbright and Ethixbase360 was expanded in 2022 to capture the Lieferkettengesetz requirements, with the Lieferkettengesetz Questionnaire launched in mid-2022 to enable organizations to prepare for their 1 January 2023 obligations.