New handout from the Federal Office for Economic Affairs and Export Control offers assistance in implementing risk analysis under the German Supply Chain Due Diligence Act.
On 17 August 2022, the Federal Office for Economic Affairs and Export Control (hereinafter “BAFA”) published a handout on performing risk analysis in accordance with the requirements of the German Supply Chain Due Diligence Act (Handreichung zur Umsetzung der Risikoanalyse nach den Vorgaben des Lieferkettensorgfaltspflichtengesetzes). In this handout, the BAFA outlines in concrete terms the requirements under the German Supply Chain Due Diligence Act in relation to preparing for and performing risk analysis, thereby providing companies with valuable assistance in implementing this Act (hereinafter referred to as the “LkSG”). For companies that fall within its scope of application, on the one hand, the handout provides a certain degree of clarity where the satisfaction of the legal requirements is concerned. On the other hand, however, it confirms that the performance of an LkSG-compliant risk analysis entails considerable (additional) effort and is indispensable for ensuring adequate and effective risk management within the company.
On 1 January 2023, the LkSG (also known as the “Supply Chain Act”) will come into force. For the first time, at the national level, the Act will provide for corporate responsibility for complying with human rights and environmental obligations in supply chains. From 1 January 2023 onwards, the LkSG will make it obligatory for companies based in Germany with at least 3,000 employees to comply with certain due diligence obligations along their supply chains. From 1 January 2024 onwards, the law will then also extend to companies with upwards of 1,000 employees. However, it should be noted here that small and medium-sized companies (“SMEs”) that are below this threshold may also be affected by the LkSG, as there is a noticeable tendency for companies that are subject to obligations under the LkSG to pass their legal obligations on along their supply chains by way of contractual agreements (the so-called “trickle-down effect”). Smaller companies should therefore also review their customer contracts accordingly and, if necessary, prepare to comply with further-reaching obligations.
Furthermore, on 23 February 2022, the EU Commission also put forward a proposal for a Directive on due diligence in the supply chain. This proposal provides for significantly stricter regulations than the LkSG in many places (especially with regard to risk analysis in relation to indirect suppliers).
A key element of the LkSG is the implementation of a risk analysis (cf. Sec. 3, para. 1, no. 3 and Sec. 5 LkSG). According to these provisions, companies are obliged to conduct an appropriate (annual or event-related) risk analysis. The aim of this analysis is to gain valuable knowledge of risks in relation to human rights and the environment within the company's own business area as well as in the supply chain. Based on the risk analysis, companies must then take appropriate preventive and remedial measures (cf. Secs. 6 and 7 LkSG).
However, the LkSG does not contain any specific requirements regarding the exact implementation of a risk analysis. Rather, the law leaves its specific form to the company’s discretion and instead only requires an appropriate weighting and prioritisation of the identified risks (cf. Sec. 5 para. 2 LkSG). In addition, the analysis must enable the company to identify risks in relation to human rights and the environment (cf. Sec. 4 para. 2 LkSG). In view of the lack of clear legislative requirements for the performance of risk analysis, it has been largely unclear until now which exact measures are required to perform an LkSG-compliant risk analysis. The BAFA handout has (at least in part) shed light in this regard and, for the first time, provides companies with concrete indications as to how to conduct a risk analysis.
The BAFA handout contains a variety of information to help companies identify, weight, and prioritise risks. Furthermore, it also provides information on the steps of a risk analysis. The key points contained in the handout are outlined below:
The BAFA’s handout once again stresses the high importance of risk analysis within an LkSG-compliant risk management system and ultimately provides (at least some) answers to urgent questions arising in connection with the implementation of risk analysis according to Sec. 5 LkSG.
Although the handout solely represents a non-binding recommendation on the part of the supervisory authority and is not therefore a law, companies should examine the handout carefully and integrate the information it contains (where necessary) within their own risk management systems. In addition, companies should consider whether there is a need to adapt their own standard contracts (codes of conduct, general terms and conditions, etc.).
Companies should immediately evaluate the extent to which they are obliged to include indirect suppliers in their risk analysis on an ad hoc basis. Here it should be established above all in legal terms whether potential information regarding an indirect supplier should be classified as “substantiated knowledge”. In addition, companies should decide whether they should follow the BAFA’s recommendation (which goes beyond the LkSG) and already proactively include indirect suppliers in their annual (non-event related) risk analysis. This may well be a good idea for some companies (especially in view of the content of the European directive proposal of 22 February 2022).
Even though revising internal compliance structures entails a considerable additional burden, both financially and in terms of personnel, smaller companies / SMEs should also already be addressing the implementation of LkSG-compliant risk management. As mentioned above, a marked tendency has been observed for some time among larger companies and corporations to ensure, by way of various provisions in their standard contracts, that their contractual partners guarantee comprehensive compliance with due diligence obligations in the area of human rights and environmental protection. This means that many SMEs are contractually obliged to uphold the due diligence obligations of the LkSG irrespective of any legal obligation. Therefore, as a first step, SMEs should check their customer contracts for the assumption of any obligations to this effect.
Companies should continue to closely follow further developments in connection with the entry into force of the LkSG from 1 January 2023 onwards. Over the next few weeks in particular, it is anticipated that the BAFA will be publishing further handouts, among other things on the topics of “Appropriateness in relation to company measures within the meaning of the LkSG” and “Complaints procedures”. The BAFA has already announced its intention to do so.
According to Sec. 19 LkSG, the BAFA is responsible for monitoring and enforcing the due diligence obligations thereunder. For this purpose, the BAFA is vested with extensive powers. For example, it can use penalty payments to enforce the due diligence obligations (Sec. 23 LkSG) and/or penalize infringements by way of fines (Sec. 24 LkSG). Against this background, for instance, a fine may be imposed if the risk analysis is not carried out, not carried out correctly, not carried out fully or not carried out in due time (cf. Sec. 24, para. 1, no. 2 LkSG). According to Section 20, sentence 1 of the LkSG, however, the BAFA is also obliged to provide assistance and recommendations for compliance with the LkSG by means of “handouts”. The BAFA has now satisfied this obligation for the first time by publishing its first handout on the LkSG.