On 25 June 2021, the German Supply Chain Due Diligence Act [Lieferkettensorgfaltspflichtengesetz – LkSG], better known by the less unwieldy term "Supply Chain Act", was also approved by the Bundesrat. Thus, as of 1 January 2023, initially companies with their registered office or a branch office in Germany and over 3,000 domestic employees will be obliged to observe human rights and environmental due diligence obligations in their supply chains in an appropriate manner. From 1 January 2024 onwards, the obligation also extends to companies with over 1,000 employees.
The Act is also expected to have an impact on companies that fall below these thresholds. It is highly likely that companies directly falling under the obligation will want to tie the award of contracts to their suppliers in future to the latter’s observance of corresponding compliance standards and to negotiate the corresponding contractual requirements.
The essential question now is: how can the new requirements be dealt with appropriately?
In terms of their structure and systematics, the requirements of the Supply Chain Act are not new in all respects. Rather, they reflect concepts already known from many other areas of compliance, particularly in relation to business partners or third parties. It is important that the requirements under the Supply Chain Act are integrated into existing compliance management systems (CMS). This will be easier for companies that already have a well-established CMS. These synergies will keep down the "costs" triggered by the Supply Chain Act in terms of additional effort.
Due diligence along the supply chain
The statutory due diligence catalogue comprises the familiar general elements of compliance management: risk management, risk analysis, policy statement ("tone from the top"), preventive measures, remedial measures, complaint procedures and documentation and reporting requirements. The latter go beyond the scope known from other areas of compliance, as the Act provides graduated requirements for the due diligence obligations of companies, depending on whether the supply chain involves the company's own business division, direct or indirect suppliers.
In future, risk analyses are to be carried out in the company's own business division and at the direct supplier in order to identify human rights-related and environmental risks. In addition, a risk management system - including the appointment of responsible officers - and a complaints mechanism have to be set up.
If a breach occurs or is imminent in its own business division, the company must take prompt and appropriate remedial action to prevent, terminate or minimise the breach. If its own business division is affected, the remedial measure necessarily has to lead to the termination of the breach.
If the breach occurs at the direct supplier and cannot be terminated in the foreseeable future, the company must draw up and implement a concrete concept for terminating or minimising the breach. This is based on the principle of “empowerment rather than withdrawal”, that is to say, all ways and means to achieve a remedy together with the supplier must first be exhausted. Termination of the business relationship is only required as a last resort.
In the event of a breach at the indirect supplier, on the other hand, cause-related due diligence obligations apply. First of all, the company must have factual indications (substantiated knowledge) that would suggest a possible breach of a human rights-related or environmental obligation at indirect suppliers, for example through a complaint. It must then immediately carry out a risk analysis, establish appropriate preventive measures vis-à-vis the perpetrator and implement a concept to minimise and prevent breaches.
Severe sanctions in case of breaches
Breaches of the obligations arising from the law constitute an administrative offence that is punishable by a fine of up to two per cent of the worldwide consolidated annual turnover. This at least applies to companies with an annual turnover of more than EUR 400 million. For companies with a turnover below this threshold, fines of up to EUR 800,000 are possible - depending on the type and severity of the breach. The Federal Office of Economics and Export Control [Bundesamt für Wirtschaft und Ausfuhrkontrolle - BAFA], as the competent authority, will monitor compliance with the Act.
Furthermore, exclusion from public contract awards for up to three years is possible in cases where a fine of at least EUR 175,000 has been imposed. As of this level of fine, there is the threat of the company receiving an entry in the newly created Competition Register. This is already conceivable if a company fails to set up a complaints procedure or fails to take a preventive measure in good time.
NGOs and trade unions based in Germany can judicially assert the rights of aggrieved parties resulting from a violation of a predominantly important protected legal position under § 2 (1). However, the breach of duties does not give rise to any civil liability. This is one of the key deviations from the original draft.
What is to be done?
Affected companies will now have to give some thought to how they can prepare themselves for the Act’s entry into force. The effort required will depend on whether the company has already taken measures of this kind in the past or is addressing the issue for the first time. Compliance and HR departments should prepare themselves for the increased internal utilisation of their services. During implementation, the co-determination rights of the relevant works council may have to be taken into consideration.
In terms of risk management, it will probably be advisable to make use of the existing resources of business-partner compliance or third-party risk assessment. In this area of compliance, the compliance department deals with the risks that are "brought" into the company by third parties, for example under the aspect of money laundering, anti-corruption and/or sanctions. Hence, these departments already have an in-depth knowledge about the business contacts. The work in this area now "just" needs to be supplemented by the aspects of the Supply Chain Act. In individual cases, this may be time-consuming. However, this task can be assigned to staff who are already familiar with the identification and assessment of third-party risks.
Risk analysis and preventive measures
The risk analysis and the preventive measures to be derived from it must be specific to the supply chain. In this respect, additional work is required in terms of content and material.
To this end, the required supplier standards first need to be defined and reviewed. Subsequently, the company should analyse and prioritise where in the supply chains - including obvious risks with indirect suppliers - the risks of a breach of the law are already inherent. The next step should be to identify preventive measures that will lead to an improved situation along the entire supply chain. Contractual relationships that are likely to cause problems with regard to social and ecological criteria also need to be checked from the outset. This process should lead to an appropriate supplementation of the code of conduct.
Concrete preventive measures can be derived from the risk analysis, which should also be reflected in the drafting of contracts with suppliers, for example in clauses on termination rights and the performance of audits.
Furthermore, the findings of the risk analysis must be reflected in the design of training and control measures, both internally and with contractual partners.
All of the above are compliance standards that now have to be applied to the requirements under the Supply Chain Act.
Remedial action must be taken in the event of identified non-compliance with the requirements of the Supply Chain Act. To this end, companies must examine how remedial measures can be fitted into the existing system.
Clarification is also needed on how to deal with indications of compliance breaches at (indirect) suppliers. An approach is required to avoid such breaches or, if the breach cannot be terminated, to minimise the impact. The escalation mechanisms of compliance departments should put a timely focus on "preventive crisis management". At the latest when the Act comes into force, they will be responsible for imposing the appropriate sanctions and consequences in the event of breaches and for preventing damage to the company's reputation.
Companies must also set up an internal complaints procedure or participate in an external complaints procedure. If a whistleblowing system has been set up in the company, this can be used. If such a system does not yet exist in the company, it may be useful to establish such a whistleblowing system. This is particularly true against the background of the EU Whistleblower Directive.
Policy statement and documentation and reporting requirements
The Supply Chain Act provides for a policy statement regarding procedures, risks and the expectations placed on employees and suppliers. At a minimum, it must specify the procedural steps that have been implemented to comply with the standard of human rights, describe the risks that have been identified and contain the expectations placed on employees and suppliers with regard to their respect for human rights. This declaration must be communicated to employees, suppliers and the relevant works council.
Timely preparations should also be made with regard to the reporting obligation provided for in the Due Diligence Act, which actually goes beyond what is required in other compliance areas: once in force, companies will have to prepare an annual report on the fulfilment of their due diligence obligations in the previous business year and publish this on their website free of charge for a period of seven years.