To what extent are companies complying with the requirements of the Supply Chain Due Diligence Act (LkSG) - and which aspects may need to be adjusted in particular? The Federal Office of Economics and Export Control (BAFA), which is responsible for monitoring and enforcing the LkSG, has taken stock one year after the new regulations came into force (1 January 2023). We analyse the results, provide recommendations for compliance and highlight the crucial role that third-party risk management can play.
LkSG inspections: Positive conclusion - but also room for improvement
The good news is that BAFA considers the implementation of measures required by the LkSG to be largely successful. Nevertheless, BAFA also identified room for improvement with regard to the fulfilment of some due diligence obligations.
Firstly, when implementing the requirements for the complaints procedure, the accessibility, comprehensibility, visibility and involvement of potentially affected parties in the design of the complaints procedure were criticised. Secondly, BAFA found that some companies transfer their due diligence obligations to suppliers through contractual obligations. In this context, BAFA emphasised that this is inadmissible.
Verena Hinze
Partner, Audit, Regulatory Advisory, Forensic
KPMG AG Wirtschaftsprüfungsgesellschaft
Violations of the LkSG are not only subject to high fines
As long as there is no standardised regulation at European level, many companies based in Germany see the provisions of the LkSG as a competitive disadvantage compared with their European peers. Critics also point out that the LkSG entails too much bureaucracy. They further argue that the protection of human rights is already ensured by existing measures and that it is impossible for individual companies to scrutinise the entire global supply chain.
All of these points are incentives to disregard the provisions of the LkSG in business practice. However, neglecting due diligence obligations under the LkSG harbours serious risks. Fines of up to 800,000 euros can be imposed for violations of due diligence obligations under the LkSG. For legal entities and associations of persons with an average annual turnover of 400 million euros, a fine of up to 2 per cent of the average annual turnover is also possible. In addition, the company may lose out on profits, as a breach of obligations can also result in the company being excluded from public contracts for several years. Potential reputational risks should also not be underestimated.
Comply with LkSG requirements: Five key aspects for practical implementation
The LkSG requires the establishment of an appropriate internal company complaints procedure. Companies should first take into account the BAFA's guidelines for support in implementing the complaints procedure. It is also advisable to examine the bundling of existing complaints channels (e.g. in accordance with the Whistleblower Protection Act).
When complying with the law, the principle of appropriateness must be taken into account, according to which a company does not have to implement all conceivable measures, but only those that can reasonably be expected of it. Appropriateness can be determined on the basis of various criteria, such as the nature and scope of the business activity, the company's ability to influence the risk, the severity of the breach and the contribution to causing the risk.
BAFA recommends using the definition in the UN Guiding Principles to implement measures relating to the accessibility of the complaints procedure.
The following questions should be used to overcome implementation weaknesses with regard to the accessibility, comprehensibility and visibility of the complaints procedure:
a. Have all target groups been considered and is there actual access for all target groups?
b. Is the procedure known?
c. Have possible language barriers been removed?
d. Are there any other barriers that could make access to the complaints procedure more difficult?
Consideration should be given to involving stakeholders from target groups in the design of the complaints procedure in order to recognise barriers to access at an early stage.
When transferring obligations, companies should also bear in mind that measures that obviously overburden a supplier are regularly not appropriate and may therefore be ineffective.
Blanket references to a contractual assurance of freedom from risk are not a suitable substitute for a risk analysis. Obligated companies must therefore continue to carry out an independent risk analysis and set up their own complaints procedure.
Further complex tasks
In addition to the weaknesses identified by the BAFA in the implementation of measures to fulfil the LkSG requirements, the time required for the reporting and documentation obligations of the LkSG represents a major challenge for many companies.
Monitoring third parties and responding appropriately can also be a major challenge for a company. In integrated business partner management, the risks under the LkSG are also taken into account. They are incorporated into general risk management and minimisation and must be assessed as part of the compliance and legal risks in the risk management system. The management of the various risk types is facilitated by a Third Party Risk Management (TPRM) system.
TPRM support in the context of the LkSG
A TPRM makes it possible to identify, assess, monitor and manage risks within the supply chain. In doing so, the TPRM ensures compliance with various regulatory ESG provisions, such as those of the LkSG. Continuous monitoring, a structured assessment of third parties and the definition of reporting channels and escalation levels can ensure that the company fulfils the LkSG requirements.
The advantage of an integrated solution is that numerous modules are already available for new regulatory requirements, such as the Deforestation Ordinance or the extension of requirements to the downstream activity chain, and no new processes need to be set up.
In addition to fulfilling the LkSG requirements, the implementation of a TPRM also offers other advantages and added value for a company:
- Decision-making: A structured and continuous assessment of suppliers and their associated potential risks enables the company to make informed decisions about which suppliers it can work with without conflicting with applicable legal requirements.
- Transparency: Transparency in the supply chain can be increased through continuous monitoring and a structured assessment of third parties.
- Reputation: An effective and robust TPRM helps to enhance reputation.
- Early detection: By continuously monitoring third parties, potential risks within the supply chain can be recognised and mitigated at an early stage before they result in financial or reputational damage for the company.
- Effort: The time and financial effort required by companies to fulfil the LkSG reporting and documentation obligations can also be reduced by an efficient TPRM. Within the TPRM, it is possible to create automated standardised reports and display key findings via dashboards.
A TPRM tailored to the company makes it possible to organise cooperation with business partners in such a way that the requirements of the LkSG are met. In this way, violations can be prevented, the company's reputation protected and legal consequences avoided.
Outlook
The Corporate Sustainability Due Diligence Directive (CSDDD, a European supply chain directive) was formally adopted on 24 May 2024 and must now be transposed into national law within two years.
Even though some of the original requirements of the CSDDD were watered down in the member states' compromise, the directive is stricter in some respects compared to the LkSG. With regard to the due diligence obligations, in contrast to the LkSG, the CSDDD does not only apply to the upstream supply chain, but also to the chain of activities and therefore, in certain cases, to the downstream supply chain. In contrast to the LkSG, the sanctions are also more significant. Fines of up to 5 per cent of global net turnover will be possible in the event of violations. In this context, the CSDDD also introduces civil liability, which could pose a significant threat to companies. Those affected - including trade unions and NGOs - will then be able to assert their claims against the company within five years.