Risk analysis as a core element of the Supply Chain Due Diligence Act

New handout from the Federal Office for Economic Affairs and Export Control offers assistance in implementing risk analysis under the German Supply Chain Due Diligence Act.

On 17 August 2022, the Federal Office for Economic Affairs and Export Control (hereinafter “BAFA”)[1] published a handout on performing risk analysis in accordance with the requirements of the German Supply Chain Due Diligence Act (Handreichung zur Umsetzung der Risikoanalyse nach den Vorgaben des Lieferkettensorgfaltspflichtengesetzes). In this handout, the BAFA outlines in concrete terms the requirements under the German Supply Chain Due Diligence Act (hereinafter referred to as the “LkSG”) in relation to preparing for and performing risk analysis, thereby providing companies with valuable assistance in implementing this Act. For companies that fall within its scope of application, on the one hand, the handout provides a certain degree of clarity where the satisfaction of the legal requirements is concerned. On the other hand, however, it confirms that the performance of an LkSG-compliant risk analysis entails considerable (additional) effort and is indispensable for ensuring adequate and effective risk management within the company.

The background to the BAFA handout / Entry into force of the LkSG on 1 January 2023

On 1 January 2023, the LkSG (also known as the “Supply Chain Act”) will come into force. For the first time, at the national level, the Act will provide for corporate responsibility for complying with human rights and environmental obligations in supply chains. From 1 January 2023 onwards, the LkSG will make it obligatory for companies based in Germany with at least 3,000 employees to comply with certain due diligence obligations along their supply chains. From 1 January 2024 onwards, the law will then also extend to companies with upwards of 1,000 employees. However, it should be noted here that small and medium-sized companies (“SMEs”) that are below this threshold may also be affected by the LkSG, as there is a noticeable tendency for companies that are subject to obligations under the LkSG to pass their legal obligations on along their supply chains by way of contractual agreements (the so-called “trickle-down effect”). Smaller companies should therefore also review their customer contracts accordingly and, if necessary, prepare to comply with further-reaching obligations.

Furthermore, on 23 February 2022, the EU Commission also put forward a proposal for a Directive on due diligence in the supply chain. This proposal provides for significantly stricter regulations than the LkSG in many places (especially with regard to risk analysis in relation to indirect suppliers).

Risk analysis as a key element of the LkSG

A key element of the LkSG is the implementation of a risk analysis (cf. Sec. 3, para. 1, no. 3 and Sec. 5 LkSG). According to these provisions, companies are obliged to conduct an appropriate (annual or event-related) risk analysis. The aim of this analysis is to gain valuable knowledge of risks in relation to human rights and the environment within the company's own business area as well as in the supply chain. Based on the risk analysis, companies must then take appropriate preventive and remedial measures (cf. Secs. 6 and 7 LkSG).

However, the LkSG does not contain any specific requirements regarding the exact implementation of a risk analysis. Rather, the law leaves its specific form to the company’s discretion and instead only requires an appropriate weighting and prioritisation of the identified risks (cf. Sec. 5 para. 2 LkSG). In addition, the analysis must enable the company to identify risks in relation to human rights and the environment (cf. Sec. 4 para. 2 LkSG). In view of the lack of clear legislative requirements for the performance of risk analysis, it has been largely unclear until now which exact measures are required to perform an LkSG-compliant risk analysis. The BAFA handout has (at least in part) shed light in this regard and, for the first time, provides companies with concrete indications as to how to conduct a risk analysis.

Key contents and advice given in the handout

The BAFA handout contains a variety of information to help companies identify, weight, and prioritise risks. Furthermore, it also provides information on the steps of a risk analysis. The key points contained in the handout are outlined below:

  • Risk analysis represents an essential foundation for implementing an effective risk management system: The handout emphasises the point that risk analysis represents the foundation for satisfying the due diligence obligations under the LkSG and that it is an indispensable element in the establishment of an appropriate and effective risk management system. This shows how essential the BAFA considers risk analysis to be and implies that, as the authority entrusted with enforcing the LkSG, the BAFA will pay particular attention to whether companies have implemented an adequate risk analysis when monitoring their compliance with the LkSG.
  • Event-related risk analysis / proactive action taken by the company: In addition to an annual risk analysis in relation to the company’s own business area and direct suppliers, the LkSG also prescribes event-related risk analysis in two particular cases, namely with respect to an analysis of indirect suppliers and a change in terms of business activity. In practice, the event-related risk analysis for indirect suppliers according to Sec. 9, para. 3, no. 1, and Sec. 5 LkSG should prove to be of great relevance. According to the LkSG, this event-related analysis must be carried out if the company gains “substantiated knowledge” of due diligence breaches on the part of the indirect supplier. Until now, it has remained unclear what exactly is meant by this undefined legal term. The BAFA has now given some indications in this regard and established an extremely low standard regarding the existence of “substantiated knowledge”. Media reports or discussions of problems in the context of current sector initiatives are likely to suffice as “substantiated knowledge” and thus as grounds for triggering an event-related risk analysis in relation to an indirect supplier. Under certain circumstances, even discussions in internet forums, social networks, etc. would provide sufficient occasion in this regard. The BAFA furthermore recommends proceeding “proactively” in this context and (even without the existence of a legal obligation) extending the regular (annual) risk analysis to also include indirect suppliers and the “deeper supply chain” tiers.
  • “Change of perspective” / potential damage to reputation is not an “excuse”: The BAFA recommends that companies “change perspective” when conducting the risk analysis. The risk analysis should focus on the interests of the company’s own employees, the employees within the supply chain and on people who may be affected in other ways by the company’s commercial activities. In their risk analysis, companies should therefore also address those risks that may jeopardise their business success or reputation.
  • Multi-step implementation of the risk analysis: The handout also contains specific advice on how to conduct the risk analysis. In addition, the BAFA also provides companies with various overviews and diagrams, from which a lot of information can be gleaned for the risk analysis. In principle, the BAFA recommends proceeding with the risk analysis (including preparations for it) in several steps:
    • In a preliminary step (“preparation for the risk analysis”), the company should strive to gain a detailed understanding of its own business relationships within the supply chain. Companies are therefore required to gather basic information on their own corporate and procurement structure and their own supply chains and business relationships, thus creating transparency along the supply chain. According to the BAFA, this is useful in determining the areas in which risk analysis must be initiated and the extent to which this should be done.
    • In a first step of the actual risk analysis (“abstract risk assessment”), an abstract assessment of the respective risks should then be carried out on the basis of the undertaken preparations. This can, for instance, be done in the form of “risk mapping” according to business areas, locations, products, raw materials or countries of origin.
    • For a second step of the actual risk analysis (“concrete risk assessment”), the BAFA then recommends individually determining and evaluating the abstractly identified risks in relation to the company’s own supply relationships and, if necessary, prioritising the risks. The handout thus does indeed also confirm the basic possibility of prioritising risks within the risk analysis in so far as the company is not able to analyse all risks at the same time (a “risk-based approach”). However, the BAFA explicitly stresses that, within their own business area, companies must strive towards extending the concrete consideration of risk and the risk assessment to include all risks potentially existing in their own business area as a whole. Furthermore, as a basic principle, the BAFA emphasises that it is a mandatory requirement that the “concrete risk assessment” be carried out within the company’s own business area and that an assessment based solely on an “abstract risk assessment” is not deemed sufficient to satisfy the due diligence obligations under the LkSG. However, in view of the admissibility of the risk-based approach, the BAFA is likely to allow companies a certain transitional period in this regard.
  • Discretionary scope of the company regarding individual (analysis) measures: Even though the BAFA outlines the individual steps of the risk analysis quite specifically in its handout, neither the LkSG itself nor the handout contains any concrete information as to which exact measures are permissible (e.g. in order to obtain information). Therefore, it remains the case that companies have a wide margin of discretion regarding the individual measures to be carried out, as long as the measures make it possible to identify and appropriately weight environmental and human rights risks.
  • Implementation of effective preventive measures: Regarding the implementation of preventive and remedial measures according to Secs. 6 and 7 LkSG, which follow on directly from the actual risk analysis, the handout also contains some (although not very many) indications. In particular, the BAFA emphasises in this regard that, when developing preventive measures, companies should build on the results of their risk analysis. The BAFA furthermore deems it sufficient if the preventive measures address any risks that the company itself has caused or to which it has contributed.

Conclusions / Further actions

High importance of risk analysis must be accounted for

The BAFA’s handout once again stresses the high importance of risk analysis within an LkSG-compliant risk management system and ultimately provides (at least some) answers to urgent questions arising in connection with the implementation of risk analysis according to Sec. 5 LkSG.

Examine the contents of the handout and implement where necessary

Although the handout solely represents a non-binding recommendation on the part of the supervisory authority and is not therefore a law, companies should examine the handout carefully and integrate the information it contains (where necessary) within their own risk management systems. In addition, companies should consider whether there is a need to adapt their own standard contracts (codes of conduct, general terms and conditions, etc.).

Risk analysis in relation to indirect suppliers should not be neglected

Companies should immediately evaluate the extent to which they are obliged to include indirect suppliers in their risk analysis on an ad hoc basis. Here it should be established above all in legal terms whether potential information regarding an indirect supplier should be classified as “substantiated knowledge”. In addition, companies should decide whether they should follow the BAFA’s recommendation (which goes beyond the LkSG) and already proactively include indirect suppliers in their annual (non-event related) risk analysis. This may well be a good idea for some companies (especially in view of the content of the European directive proposal of 22 February 2022).

Smaller companies also subject to obligations

The revision of internal compliance structures is associated with a considerable additional burden, both financially and in terms of personnel. Even so, smaller companies / SMEs should also already be concerning themselves with the implementation of LkSG-compliant risk management. As mentioned above, a marked tendency has been observed for some time now amongst larger companies and corporations to ensure, by way of various provisions in their standard contracts, that their contractual partners guarantee comprehensive compliance with due diligence obligations in the area of human rights and environmental protection. This means that many SMEs are contractually obliged to uphold the due diligence obligations of the LkSG irrespective of any legal obligation. Therefore, as a first step, SMEs should check their customer contracts for the assumption of any obligations to this effect.

Observing the situation as it unfolds

Companies should continue to closely follow further events in connection with the entry into force of the LkSG from 1 January 2023 onwards. Over the next few weeks in particular, it is anticipated that the BAFA will be publishing further handouts, among other things on the topics of “Appropriateness in relation to company measures within the meaning of the LkSG” and “Complaints procedures”. The BAFA has already announced its intention to do so.

[1] According to Sec. 19 LkSG, the BAFA is responsible for monitoring and enforcing the due diligence obligations thereunder. For this purpose, the BAFA is vested with extensive powers. For example, it can use penalty payments to enforce the due diligence obligations (Sec. 23 LkSG) and/or penalize infringements by way of fines (Sec. 24 LkSG). Against this background, for instance, a fine may be imposed if the risk analysis is not carried out, not carried out correctly, not carried out fully or not carried out in due time (cf. Sec. 24, para. 1, no. 2 LkSG). According to Section 20, sentence 1 of the LkSG, however, the BAFA is also obliged to provide assistance and recommendations for compliance with the LkSG by means of “handouts”. The BAFA has now satisfied this obligation for the first time by publishing its first handout on the LkSG.
