You need to get ready for Germany’s Supply Chain Due Diligence Law. Here’s how!

An interview with Agnes Erben, Partner & Head of Sustainability Advisory, H&Z

Q. Very briefly, what is this new law, which came into force on January 1, all about?

Agnes: Companies overwhelmingly accept that they have a moral obligation to take care of their employees, and in various countries there are laws in place imposing minimum standards. But what happens in their supply chain, that’s another story. Until now. With the new Supply Chain Due Diligence Act (in German, the Lieferkettensorgfaltspflichtengesetz, known in short as LkSG or SCDDA) companies doing business in Germany will be legally required to take responsibility for the observation of basic human rights in their supply chain. It’s also a head-up for companies as this Act will likely provide a blueprint for even stricter legislation across the EU as a whole.

Q. What in practice must companies do to meet the specific obligations stipulated by the LkSG?

Agnes: Companies will need to put risk management processes in place to identify human rights-related and environmental malpractice in their own business area and their supply chain. Typically risk management puts more focus on financial or operational risks, to avoid insolvency cases or delivery interruptions, for example. H&Z has supported clients in upgrading their process and risk management systems to cover human rights and environmental issues in the supply chain as well. In addition, the LkSG requires companies to assign responsibilities within the organization to monitor the effectiveness of prevention measures and continuously improve the due diligence approach.

Q. Picking up on that last point, who should be appointed to this role? Is it a new one?

Agnes: Good point. It’s not just a matter of picking someone and defining a suitable title such as “Chief Human Rights Officer”. You need to clarify responsibilities across the different functions, describe a human rights strategy and ensure regular risk analyses and reporting.

Q. OK, so you have a strategy. How do you implement and enforce it internally?

Agnes: Writing the statement might be an easy task because you can refer to the wording of the LkSG. It is the implementation that can be more difficult. For implementation, you should proactively reach out to your suppliers to ensure that there are no ESG-related risks. And if there are any potentials risks, you need to ensure that such risks are being mitigated professionally. This is where solution providers, such as JAGGAER and Riskmethods come into play to automate the activities needed to comply with the law in practice.

Companies need to perform a regular risk assessment and communicate the findings to senior management. Note that the law requires companies to document risks and any possible breaches and keep the records for seven years. You also need to publish an annual report on supply chain due diligence.

Most companies already have a mechanism for “whistle-blowers” to report on breaches of company policy or general malpractice. This must now be extended to the supply chain. For example, if an employee learns that a supplier (or a supplier’s supplier) is exploiting child labor, there must be an opportunity for that employee to communicate this easily, for example through the company intranet.

Q. What if, despite your best efforts, bad things still happen in the supply chain?

Agnes: The law of course distinguishes between preventive measures and action to take should you be notified of an issue. You also need to establish mechanisms for case management, ensuring that any issues are followed up and not forgotten, such as a ticketing system. This could be a manual system, or it could be triggered automatically and then processed through various stages of remediation. The law distinguishes between your immediate, Tier 1 suppliers, and the deeper supply chain. In practice this means that if something is reported to your organization you might need to look further than your direct business partners to get to the root causes of violations and determine the appropriate remedies.

Q. What does the risk analysis involve and what data do you need to perform it?

Agnes: Risk analysis involves building transparency into your supply chain and this needs to be communicated via structured reports on what you are buying. So, you must set out what categories of goods and materials you are buying and from whom you are sourcing them, as well as the spend volumes involved. In some categories there are specific risks. The analysis should be carried out on two levels, first abstract and then concrete. On the abstract level, this means identifying any indices or common knowledge of risks in your supply categories. You might, for example, read in news reports about working conditions in certain sectors in certain countries. Or you might learn about issues such as the use of child labor or corrupt business practices in the extractive industries. You then need to go into the concrete details, the specifics that relate to your company’s sourcing within this context, and what you are doing about it. Perhaps you are working with an international organization that is actively pursuing transparency within these sectors to ensure that you only buy from ethical suppliers. You need to document this information.

Q. All of this relates to companies with operations in Germany. What about other countries?

Agnes: That’s true, but this is also about where regulation is headed. There is an EU Directive currently under discussion. It will eventually lead to legislation across the EU. One of the points at issue is whether it will be mandatory to carry out due diligence for the entire, extended supply chain, i.e., not just Tier 1 but Tier n. This would be considerably stricter than the German law as it stands.

Q. Finally, based on your experience to date, are there any pitfalls or mistakes companies should look out for?

A big mistake is when companies see the words “supply chain” and then assume it is a matter that only concerns procurement or supply chain management. Really, this extends much further across the organization. Compliance and corporate risk managers should certainly be involved, together with ESG, HR and IT. Of course, procurement is going to play a central role, but it should not be left alone. By involving your corporate risk managers and other relevant personnel you don’t need to start from scratch but can build upon what already exists in the organization.

About H&Z

H&Z is a business consultancy based in Munich specialized in Procurement, Strategy & Performance, Sustainability and Transformation. It provides consultancy support on organizational and process design, including risk management, to jointly solve issues with its clients – many of which have implemented (or are in the process of implementing) solutions such as risk scorecards and supplier due diligence within JAGGAER. We will explore these in a future article.