Large companies in Germany looking to comply with the German Supply Chain Due Diligence Act (SCDDA) may quickly find themselves overwhelmed. This new regulation, brought about by the German Federal Office for Economic Affairs and Export Control (BAFA), increases the level of responsibility on these companies. While the BAFA offers a comprehensive questionnaire to assess company readiness, this list of 437 questions shouldn’t be a company’s first step.
Earlier this month, Ethixbase360’s James Swenson, managing director of research, joined Norton Rose Fulbright’s compliance experts Michael Wiedmann and Hannes Lubitzsch in discussing these new obligations and the 10 actions organizations can take right now to ease the potential burden of this new regulatory framework.
The Ten Things Companies Can Do Right Now for SCDDA Compliance
1. Establish a Human Rights Officer
Organizations should start with the appointment of a Human Rights Officer. Not only is this step important for assigning direct responsibility for staying compliant, but it is also outlined specifically in the SCDDA. This position should be internal and can take the form of either a single person or a committee. While organizations may already have employees that fit this mold, any legacy position should be made to match the responsibilities outlined in the legislation.
2. Establish a whistleblowing mechanism with published procedures
Companies are required to create a whistleblowing mechanism that allows for complaints to be made. The SCDDA doesn’t forbid the use of any existing whistleblower or grievance mechanism, but companies may need to merge the requirements of the SCDDA and the European Whistleblower Directive with any existing setup. This can be an internal procedure, and the complaints received should be considered when checking the effectiveness of your company’s compliance procedures.
3. Start documenting the set-up of your Supply Chain Act risk management
One of the biggest drivers behind the SCDDA is the need for clarity and transparency from companies. This includes documentation of procedures, which companies they work with, and what measures everyone involved takes to remain compliant. While the SCDDA can seem overwhelming, one of the easiest steps organizations can take is to begin documenting the transition. What is important, especially regarding avoiding fines, is that companies have the ability to prove there were mechanisms in place and steps taken to avoid any violation.
4. Get an overview of your subsidiaries where you have a decisive influence
Start compiling a list of your company’s subsidiaries and note where your company has a decisive influence. The SCDDA assigns partial responsibility to parent companies when it comes to these entities. The organization needs to conduct a risk analysis of its own operations as well as those subsidiaries and take preventative action. The more influence your company has over a supplier, the more responsibility you have in this regulation. Sending a questionnaire to these subsidiaries to improve your company’s knowledge should be considered.
5. Identify the direct suppliers for your own operations as well as those of your subsidiaries
Going a step further, the SCDDA asks companies to bear at least part of the responsibility for suppliers. It is therefore an important step to investigate upstream and identify which suppliers fall under the umbrella of responsibility established by the SCDDA. A company’s responsibility is much higher for suppliers with which it has a more influential relationship, and these organizations should be a part of your overall risk analysis.
6. Consider those indirect suppliers for whom you have substantiated knowledge of risk
A final extension of responsibility covers indirect suppliers of your company and of your company’s subsidiaries. If it can be proven that your company knew of the potential violations of indirect suppliers, the SCDDA may assign responsibility and repercussions to your company. This step may be a bit more challenging than investigating your own operations and your direct suppliers, but it is no less important.
7. Appropriate technology to manage risk assessments
Companies must establish an appropriate and effective risk management system. The system itself should comply with relevant due diligence obligations and can be monitored by the Human Rights Officer. Risk assessments, however, can take a significant amount of time to manage if companies don’t dedicate the right technology to handling them. As such, it is recommended that companies invest in technology capable of assessing any potential risks when it comes to the framework of the SCDDA.
8. Establish a policy statement
A policy statement is an important and straightforward step in this regulation. Companies need to outline and describe the procedure they have put in place for fulfilling the SCDDA and the expectations employees must meet internally. To further protect against violations and penalties, companies should help subsidiaries and suppliers establish policy statements regarding this act as well.
9. Apply preventative measures
As previously mentioned, this legislation applies responsibility to a company for its direct suppliers and this should prompt preventative measures. This can take the form of creating training procedures internally and offering these courses to suppliers. Contracts with outside organizations should also include specific regulatory obligations from this point on to prevent future responsibility.
10. Document levels of due diligence appropriate to the risks identified
Not only must your company identify the risks, but it must also weigh and prioritize these risks according to certain criteria listed in the SCDDA. These include the nature and extent of the business’s activities as well as the severity of the violation. This step may require a specialized service provider to conduct an ESG due diligence or human rights impact assessment. Regardless of the path chosen toward becoming compliant, the SCDDA is clear in that risks must be identified and sorted.
A Source for Compliance Expertise
The Ethixbase360 third-party risk management platform can help companies at every stage of SCDDA compliance. With our platform, companies are able to analyze results, manage third parties and produce required documentation all in one place. Efficient and complete third-party compliance is achieved with functions seamlessly integrated into compliance procedures and business operations. Contact Ethixbase360 for a demonstration of our capabilities.