German Supply Chain Act (LkSG): The importance of risk analysis incl. practical tips

Jan. 3, 2024

The risk analysis is the foundation for fulfilling the due diligence obligations under the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz or LkSG for short). An effective risk analysis is the indispensable prerequisite for the establishment of risk management as required by the LkSG – with the aim of identifying human rights and environmental risks in the supply chain and minimizing them through appropriate measures.

We take a closer look at risk analysis in accordance with the LkSG: What role does it play? What is the difference between regular and ad hoc, abstract and concrete risk analysis? And what does your company need to know now in order to carry out a successful risk analysis?

Would you like an overview of all the important facts, figures and deadlines for the LkSG first? Read more in our insight article: The German Supply Chain Act (LkSG) defines corporate due diligence obligations.

Aim and importance of risk analysis in the LkSG

The German Supply Chain Due Diligence Act requires companies to establish an effective and appropriate risk management system. This should serve to identify, avoid, minimize, or eliminate potential risks or violations in the area of human rights or the environment. The aim of this risk-based approach is to gain an understanding of the relevant human rights and environmental risks within the company's own business area and in the supply chain and to prioritize these for subsequent processing.

The Supply Chain Act provides for a change of perspective in risk management. In contrast to traditional risk management, the focus of consideration is shifted away from risks that have an impact on business success. Instead, the interests of the company's own employees, employees within the supply chain, and those who may be affected in other ways by the economic activities of the company or a company in its supply chains come to the fore.

When is a risk analysis in accordance with the LkSG required?

The LkSG provides for two forms of risk analysis, distinguished by the occasion that triggers them: the regular and the ad hoc risk analysis. They differ both in their timing and frequency and in the parts of the supply chain they are intended to cover.

Important note: The law differentiates between suppliers with whom a contractual relationship exists, the so-called direct suppliers, and indirect suppliers ("suppliers of suppliers") in the deeper supply chain.

The regular risk analysis according to the LkSG

The regular risk analysis must be carried out once a year. It includes the assessment of all risks both in the company's own business area and at its direct suppliers.

The ad hoc risk analysis according to the LkSG

The ad hoc risk analysis must be carried out when one of the following two triggers occurs:

1. In case of indications ("substantiated knowledge") of a possible violation of a human rights or environmental obligation at one or more indirect suppliers, e.g., via a complaint channel or information in the media

  • Includes the assessment of all risks at indirect suppliers that have been reported

2. In case of a change in business activity that could give rise to new risks

  • Following internal decisions, e.g. making an important investment or opening up a new procurement country
  • Following external events, e.g. natural disasters or outbreak of war in the procurement country
  • Includes the assessment of all risks in the entire supply chain – both in the company's own business area and at direct AND indirect suppliers

[Figure: Ad hoc vs. regular risk analysis]

How to perform a risk analysis in accordance with the LkSG

The LkSG proposes a two-stage implementation of risk analysis: abstract and concrete risk analysis. While the abstract risk analysis can identify potential LkSG risks at suppliers by, e.g., evaluating industry indices or web crawling data, the concrete risk analysis requires an in-depth assessment of the identified suppliers with a high level of risk. In both the regular and the ad hoc risk analysis, the risks are first subjected to an abstract and then a concrete assessment.

The abstract risk analysis according to the LkSG

The aim of the abstract risk analysis is the initial abstract assessment of sector-specific and country-specific risks by comparing information and sources on human rights and environmental risks.

The focus is on identifying the following risk aspects:

  • In the regular risk analysis:

    • Companies, branches and locations with an increased risk disposition in their own business area

    • Indirect high-risk suppliers in the supply chain

  • In the ad hoc risk analysis:

    • Occasion 1: actual indications of a violation of human rights or environmental obligations

    • Occasion 2: Changed or added risks

A practical approach could be as follows:

As part of the abstract risk analysis, a risk level or risk score is determined for each supplier in the supply chain. This risk score is broken down into the categories "low risk", "medium risk" and "high risk". In order to understand how the respective supplier rating is obtained, it is necessary to determine the actual sources of risk for each supplier and to consider these at increasingly granular levels ("top-down approach"). This breakdown could take place as follows:

  • The risk score of a supplier equals the sum of the risk scores of all the sites behind it

  • The risk score of a site equals the sum of the risk scores of all the materials behind it

  • The risk score of a material results from the assessment of the human rights and environmental risks

This step marks the end of the abstract risk analysis. Your company must now decide how to proceed with the treatment of human rights and environmental risks. Prioritization definitely makes sense, because the higher the risk score of a risk factor, the more important it is to investigate it further as part of the concrete risk analysis.
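The top-down breakdown above, as an added example that is not part of the article or of Envoria's software: material scores are summed into site scores, site scores into supplier scores, suppliers are banded and ordered for the concrete analysis, and the main risk driver can be traced back down the hierarchy. The 0-10 scale per risk aspect, the band thresholds, and the supplier data are constructed assumptions.

```python
# Added example, not from the article or Envoria: the top-down aggregation
# of an abstract LkSG risk score. The 0-10 scale per risk aspect and the
# category thresholds are assumptions; the law prescribes neither.
from dataclasses import dataclass

@dataclass
class Material:
    name: str
    human_rights_risk: int   # assumed 0-10, e.g. forced-labour exposure
    environmental_risk: int  # assumed 0-10, e.g. hazardous-waste exposure
    def score(self) -> int:
        return self.human_rights_risk + self.environmental_risk

@dataclass
class Site:
    name: str
    materials: list
    def score(self) -> int:  # site score = sum of its materials
        return sum(m.score() for m in self.materials)

@dataclass
class Supplier:
    name: str
    sites: list
    def score(self) -> int:  # supplier score = sum of its sites
        return sum(s.score() for s in self.sites)

def category(score: int, medium_from: int = 8, high_from: int = 16) -> str:
    """Map a score to the article's three bands (thresholds assumed)."""
    if score >= high_from:
        return "high risk"
    return "medium risk" if score >= medium_from else "low risk"

def prioritize(suppliers: list) -> list:
    """Order suppliers for the concrete analysis, highest score first."""
    return sorted(suppliers, key=lambda s: s.score(), reverse=True)

def main_risk_driver(supplier: Supplier) -> tuple:
    """Drill down to the (site, material) contributing most to the score."""
    site, mat = max(((s, m) for s in supplier.sites for m in s.materials),
                    key=lambda sm: sm[1].score())
    return site.name, mat.name

SUPPLIERS = [  # constructed sample data
    Supplier("Alpha Metals", [
        Site("Smelter A", [Material("cobalt", 8, 6), Material("copper", 3, 4)]),
        Site("Warehouse B", [Material("packaging", 1, 1)])]),
    Supplier("Beta Textiles", [Site("Mill C", [Material("cotton", 5, 3)])]),
    Supplier("Gamma Plastics", [Site("Plant D", [Material("resin", 2, 2)])]),
]
```

With the sample data, Alpha Metals scores 23 (high risk) and its cobalt at Smelter A is the driver to investigate first in the concrete analysis.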

The concrete risk analysis according to the LkSG

The aim of the concrete risk analysis is to determine specific risks and to weight and prioritize identified high-risk suppliers alongside the regular risk analysis. In addition, stakeholders who may be affected by these risks are identified.

The focus is on identifying risks based on the following criteria:

  • Type and scope of business activity

  • Probability of occurrence of the risk

  • Severity of the violation in terms of degree, number of people affected, and irreversibility

  • Possibilities of exerting influence

  • Contribution of the company to individual risks or risk areas

The concrete determination of typical supply chain risks in accordance with the LkSG includes, among other things, the risks shown in the following overview.

[Figure: Typical supply chain risks]

5 tips to make your LkSG risk analysis a success

Prepare yourself early

The more complex your company's supply chains are and the higher the number of suppliers, the more time and personnel resources you should plan for carrying out the risk analysis. Often, the information required for the risk analysis is not available centrally and must instead be obtained from various departments or subsidiaries. It is, therefore, advisable to plan a lead time for collecting this information.

Implement an integrated risk management system

The implementation of an integrated risk management system is recommended in order to effectively share identified risks across all subsidiaries and departments. This enables comprehensive risk awareness throughout the company, which is essential for identifying and assessing potential risks that may be relevant across different areas of the company.

The introduction of standardized risk assessment methods that take financial and socio-ecological aspects into account plays a crucial role in this. This ensures a consistent and comprehensive assessment of risks, regardless of the department or subsidiary. A central coordination point for risk management, which monitors and coordinates the activities of various departments and subsidiaries, could also help to ensure that relevant information on risks is effectively shared and taken into account at company level.

Take into account the risk analysis of indirect suppliers

It is advisable for your company to check immediately whether there is an obligation to include indirect suppliers in its risk analysis. This applies in particular to the ad hoc risk analysis. In this context, a legal review is particularly necessary to determine whether information about an indirect supplier can be classified as "substantiated knowledge" (trigger 1 of the ad hoc risk analysis, see above).

In addition, your company should decide whether it wishes to follow the BAFA recommendation, which goes beyond the current requirements of the LkSG. According to this recommendation, companies should already proactively integrate indirect suppliers into their regular risk analysis, even if there is no substantiated knowledge. This approach could be particularly useful with regard to the requirements of the draft European Supply Chain Directive (Corporate Sustainability Due Diligence Directive, CSDDD). This is because the provisional agreement of the EU Parliament and the Council of the EU on the CSDDD shows that the due diligence obligations could also be extended to indirect suppliers in general.

Consider using a software solution

The integration of digital tools – such as ESG reporting or supply chain software – can make the risk analysis process much easier. In particular, the processing of large volumes of data, which are required for the necessary transparency in the risk analysis, is almost impossible without the timely integration of a suitable software solution. Automated and standardized data collection enables the reduction of errors, promotes the comparability of data, and ensures the availability of real-time data. In addition, suitable software helps to map complex organizational, product, and supply chain structures and thus creates a central overview of risks across departments and subsidiaries.

Monitor the further developments of the LkSG

Your company should keep a close eye on further developments regarding amendments and adjustments to the Supply Chain Act. It is to be expected that BAFA will publish further handouts – such as those already published on the topics of cooperation in the supply chain or risk analysis. The BAFA handouts contain important information and points of reference that can help your company to successfully implement the LkSG.

Envoria's all-in-one ESG software is ready to support you in fulfilling your due diligence obligations. With Envoria's new supply chain software module, you can assess your suppliers on human rights and environmental aspects – in line with the Supply Chain Act (LkSG). Assess all supplier information in one place, identify, understand and monitor your risks, and manage confirmed complaints globally. Interested? Request a free preview of the supply chain module.
