Legislation and regulation to address environmental, social and governance (ESG) issues continue to grow — a new one to be aware of is the Lieferkettengesetz – German Supply Chain Due Diligence Act (Act). This Act joins the expanding list of global human rights due diligence regulations — the S in ESG — and the implementation deadline for it is 1 January 2023. Companies in scope will need to review their own business area and supply chain due diligence policies and processes to ensure compliance by this deadline, which is now less than a year away.
We have developed this Lieferkettengesetz compliance checklist to help impacted companies understand what the German Supply Chain Act is, which steps to take to ensure compliance, and how to accurately measure the effectiveness of the human rights and environmental due diligence programs within their supply chains.
What is the Lieferkettengesetz – German Supply Chain Act?
This legislation implements the UN Guiding Principles on Business and Human Rights, which were adopted in 2011. Other countries — including France, the Netherlands, Norway, the United Kingdom and Australia — have put in place similar supply chain due diligence acts. The Lieferkettengesetz demands that companies monitor and assess compliance with key human rights and related environmental requirements, within what are often complex, multi-tiered global supply chains.
The Act requires companies in Germany to take “appropriate measures” to respect human rights and related environmental issues within their own business area and their supply chains including those of their affiliated group companies “with the goal to prevent or minimise risks related to human rights or the environment or end the violation of duties related to human rights or the environment.” Essentially, companies will be held responsible for human rights violations within their own business area and their supply chains. They will also be responsible for environmental risks that lead to human rights violations, such as health hazards. The requirements were published in July 2021, and enforcement officially begins on 1 January 2023.
Companies in scope include those which have their central administration, principal place of business, administrative headquarters, statutory seat, or branch office in Germany and have 3,000 or more employees in Germany. Beginning on 1 January 2024, the number of employees will be reduced to 1,000.
Companies may already be using a variety of human rights standards, including amfori BSCI, Sedex, SA8000, PSCI Principles, Responsible Business Alliance, and the Ethical Trading Initiative. Organisations should perform a gap analysis to understand what compliance processes they may already have in place and what outstanding issues will need to be addressed.
Lieferkettengesetz Compliance Checklist: Steps to Take
Companies that are in scope for compliance with this Act need to put their policies and programs in place quickly to meet the enforcement deadline, which is less than a year away. Eight key steps companies should be taking are:
- Establish a risk management program – Companies need to put in place an appropriate and effective risk management system to comply with all due diligence obligations as provided by the Act. Such risk management must be embedded in all relevant processes through appropriate measures.
- Define responsibility – The Act requires that the executive board appoints a responsible party to monitor the risk management program.
- Carry out risk analysis – Companies need to conduct an appropriate risk analysis to identify the human rights and environment-related risks in their own business area and at their direct suppliers, as well as at all direct suppliers of their affiliated group companies. In exceptional cases, the company might even need to analyse risks related to indirect suppliers, even if they are tier-2 or tier-3 suppliers or even further down the supply chain. This review can be challenging to perform manually, with spreadsheets and email, given the number of suppliers and volumes of data, and a manual approach can itself create compliance risks. Automating the analysis boosts the quality and timeliness of the data and ensures proper data for further analysis, documentation, and reporting. The risk analysis must be carried out at least once a year.
- Adopt a policy statement that reflects the company’s human rights strategy – This policy statement must be communicated to employees, the works council, the relevant suppliers, and the public. Consequently, organisations may also need to modify existing policies, such as the company’s Code of Conduct. The policy statement must address how the company complies with its due diligence obligations, the human rights and environment-related risks identified during its risk analysis and the expectations placed by the company on its employees and suppliers based on the insights from the risk analysis. An example of a modification to the Code of Conduct can include actions employees should take if they encounter human rights issues at their workplace.
- Implement preventive measures in the company’s own business area and vis-à-vis its direct suppliers – In its own business area, the company needs to (i) implement its human rights strategy in all relevant business processes as set out in its policy statement, (ii) develop and implement appropriate procurement strategies and purchasing practices, (iii) train its employees in the relevant business areas and (iv) implement risk-based controls to check the effectiveness of its measures to prevent or minimise identified risks. Similarly, the company has to take measures vis-à-vis its direct suppliers. When onboarding new suppliers, it has to ensure that the newly selected suppliers are aware of the company’s human rights strategy, contractually agree to comply with it, and cascade it down along the value chain. The company also has to ensure that the supplier is trained on the strategy and that the supplier accepts appropriate controls to verify the supplier’s compliance with the human rights strategy of the company. The onboarding and continuous control of suppliers requires thorough and robust risk analysis through automated processes.
- Take remedial actions if a violation has already occurred or is imminent – Companies should have processes in place for managing a violation if one should occur, so that the situation is addressed as quickly as possible. If a violation is identified in its own business area, the company must bring the violation to an end. If such a situation occurs at a direct supplier and the violation cannot be ended in the foreseeable future, the company must put in place a written program that identifies how the situation will be resolved and the timetable for doing so. If required, the company might cooperate with others to increase its influence on the supplier and, if necessary, terminate the relationship if no other means are available to end the serious violation.
- Set up an internal complaints process – The Act also requires an easily accessible complaints procedure enabling even interested third parties, such as NGOs, unions and employees’ representatives, to file complaints without being afraid of any type of retaliation. The personnel running the process must be independent and not bound by instructions from senior management. Such a process can be of great benefit to a company, as it can alert management to issues in a direct way. Having a robust process is also important because it is one of the first things regulators look for. Companies need to keep good records about the complaints raised and how they were handled. This information should be shared with senior management and the company’s governing body on a regular basis.
- Document the program – Companies need to keep robust records of their due diligence obligations and the related policies and processes. In addition, they need to record their due diligence processes and outcomes, risks identified, measures taken, and other activities. The company will need to publish a yearly report on its website and have the material ready for examination by the competent authority, the Federal Office for Economic Affairs and Export Control (BAFA). A supply chain risk management software solution can help companies continuously collect, record, analyse, and organise risk and due diligence data for these reporting purposes.
In summary, companies need to ensure they have a full Lieferkettengesetz program in place to guarantee they are complying with the Act.
KPIs to Track & Monitor Compliance
As part of their program, companies should be tracking key performance indicators (KPIs) to ensure their processes are working correctly, identify potentially problematic suppliers, and scan the horizon for emerging risk issues. Some important KPIs are:
- Percentage of total suppliers screened, and partnerships evaluated on the basis of human rights and environmental performance
- Employee survey results that reflect the importance of human rights due diligence throughout the company. This will help the company benchmark the robustness of its human rights culture and enhance that culture where necessary
- Number of human rights and environmental lawsuits against the company, its subsidiaries, and its supply chain partners
- Number of complaints, the nature of the complaints, and how they were resolved
- Successful reporting initiatives completed by the company to its relevant governing agencies
Tracking KPIs proactively is essential to be able to respond to any emerging risks quickly. Manually inputting KPIs into spreadsheets kept on shared drives can eventually result in a lack of timely data and other data governance issues later.
Get Started with
In short, the new German Supply Chain Act is one of several new sets of rules that are being put in place around the globe that require human rights due diligence. Companies that are in scope for Lieferkettengesetz need to effectively track, analyse, record and report compliance data about their suppliers.
Failure to comply with these new rules can result in stiff penalties — the legislation provides for fines of up to 2% of the yearly global turnover of the company, as well as potential exclusion from public tender processes. Activities by unions and non-governmental organisations, such as human rights and anti-corruption bodies — as well as potential media coverage, social media activity, and litigation — increase the potential for significant reputational and financial damage.
To see how Ethixbase360 can help you navigate these new requirements that come with Lieferkettengesetz, request a demo today.