Beginning on January 1, 2023, large companies based in or conducting business in Germany, and all their direct suppliers, need to comply with the German Supply Chain Due Diligence Act. Indirect suppliers also need to be aware of their obligations under SCDDA (or LkSG). All companies doing business in Germany with 3,000 employees (1,000 in 2024) and their direct suppliers will be affected, but many may be ill-prepared to comply with the law.
Companies that have instituted effective human rights standards and risk management procedures may be able to respond to the requirements by adapting their processes to SCDDA’s reporting procedures. A gap analysis will address any shortcomings in existing third-party risk programs and provide guidance for further compliance.
Other businesses may not have the ability to prepare for the stringent SCDDA requirements. In particular, SMEs and companies in low-risk sectors with few compliance obligations may now find they need the resources and expertise of a compliance specialist to assess and manage their risk exposure. Failure to comply could result in large fines and a damaged reputation in addition to loss of German business and government contracts.
Wherever an impacted company falls on the compliance spectrum, there is a basic process for conforming with the due diligence law.
The Three-Stage Process for SCDDA Compliance
1. Assess compliance readiness with the SCDDA questionnaire.
The German Federal Office for Economic Affairs and Export Control (BAFA) issued a [questionnaire](https://ethixbase.com/extensive-questionnaire-will-uncover-lieferkettengesetz-scdda-compliance-gaps) to help assess company readiness for SCDDA and streamline compliance for reporting. It covers a wide range of risk areas with 38 general questions, and up to 437 detailed questions if they apply. Questions are both mandatory and voluntary, multiple-choice and open-ended.
Questions address current resources, gaps in third-party risk policy, and whether a company has developed an effective compliance response plan. Responses will help companies self-evaluate and inform the government of the current status in a broad range of policy areas: strategy; risk analysis and preventive measures; violations and remedial action; complaints procedure; and risk management.
2. Prepare for submitting the first due diligence report.
To submit the first due diligence report no later than four months after the end of a fiscal year, organizations need to work through a comprehensive checklist of compliance items:
- Articulate a strong human rights policy and issue a clear policy statement to all employees, subcontractors, and suppliers. Make sure all parties understand the company’s expectations and actions to take if human rights violations occur.
- Review or establish an effective and thorough risk management program that clearly defines authority and responsibility.
- Map the company’s complete direct supply chain and conduct a rigorous analysis to identify any human rights and environmentally related risks. Include indirect suppliers if there are indications of risk. Strongly consider locations, types of employees and their working conditions.
- Implement preventive measures such as appropriate procurement strategies, purchasing practices and training of employees and suppliers. After a thorough selection process, onboard new suppliers that accept human rights contractual obligations and controls.
- Quickly take action to remediate past, present and potential violations in all business operations. Trained personnel must work with direct suppliers to address human rights issues or terminate the relationship if the supplier does not. If “substantial knowledge” of an indirect supplier’s misconduct is discovered, it must also be addressed.
- Ensure that reporting is “informed by the perspectives of those who may be negatively impacted.” Companies must implement worker-focused risk management systems that incorporate anonymous, unfiltered feedback and grievance systems, administered by independent personnel. SCDDA requires that all complaints procedures are easily accessible to employees, third-party workers and other stakeholders. Companies may need to provide multilingual communication channels or conduct surveys designed for workers with limited access to technology.
3. Document, track and monitor compliance.
SCDDA requires that impacted companies document policies and processes with risks identified and measures taken, including all complaints and actions taken to address them. To ensure transparency, an annual report on due diligence performance must be published on the company’s website and made available to German authorities. The report must specifically highlight the effectiveness of a company’s risk management program on supply chains.
Conducting a yearly risk analysis is mandatory. Ongoing data collection such as key performance indicators (KPIs) will be essential for monitoring and quickly responding to any emerging risks. KPIs are vital for ensuring compliance processes are effective and for identifying questionable suppliers or emerging risks.
A Source for Compliance Expertise
The Ethixbase360 third-party risk management platform can help companies at every stage of SCDDA compliance. Our Human Rights Module continuously collects, records, analyzes, and organizes data for due diligence reporting. Supplier surveys based on our Modern Slavery Questionnaire, designed in partnership with Norton Rose Fulbright, have been expanded to cover SCDDA requirements. Our dedicated strategic teams collaborate with companies to configure tailored solutions. With our platform, companies are able to analyze results, manage third parties and produce required documentation all in one place. Efficient and complete third-party compliance is achieved with functions seamlessly integrated into compliance procedures and business operations. Contact Ethixbase360 for a demonstration of our capabilities.