
Approaching the Supply Chain Due Diligence Acts: The German LkSG as an example


1. A global Context

The European Union (EU) is working [1] on a corporate sustainability due diligence Directive [2]. This directive aims to foster sustainable and responsible corporate behavior and anchor human rights and environmental considerations in companies’ business operations and corporate governance. The new rules will ensure that businesses address the adverse impacts of their actions, including in their value chains, inside and outside Europe. The directive establishes a corporate due diligence duty, which includes identifying, preventing, mitigating, ending, and accounting for adverse human rights and environmental impacts in the company’s operations, subsidiaries, and value chains. In addition, certain large companies need to have a plan to ensure that their business strategy is compatible with limiting global warming to 1.5 °C in line with the Paris Agreement. Directors are incentivized to contribute to sustainability and climate change mitigation goals. The directive also introduces duties for the directors of the EU companies covered. These duties include setting up and overseeing the implementation of the due diligence processes and integrating due diligence into the corporate strategy. In addition, when fulfilling their duty to act in the company's best interest, directors must consider the human rights, climate change, and environmental consequences of their decisions. The proposal of this directive, adopted by the EU Commission in February 2022, will harmonize the scattered legislations adopted by different EU countries, such as the French Duty of Vigilance Act of 2017 (Loi de Vigilance [3]) or the Norwegian Transparency and Human Rights Act [4] of 2021.

The Directive is not disconnected from the profound legislative and regulatory changes undertaken at the EU level since the first enactment of the Non-Financial Reporting Directive (NFRD[5]) in 2018 and after the European Green Deal agreement[6] (in 2020), the elaboration of the EU Taxonomy[7] (June 2020), its Delegated Acts[8], and other sustainability reporting requirements for sustainable Finance (CSRD[9], SFDR[10], the expected Social Taxonomy, etc.).

Though being the most advanced, the European context is in line with the global trends of laws and regulations impacting the entire value chain of a business. On the human rights side, for instance, the US Congress enacted in 2021 the US Uyghur Forced Labor Prevention Act of 2021, which aims to ensure that American entities do not fund forced labor among ethnic minorities in China’s Xinjiang Uyghur Autonomous Region (XUAR). Similarly, the United Kingdom enacted the Modern Slavery Act of 2015 to protect people against modern slavery better, and better coordinate response in fighting it. In the same context, the US Securities and Exchange Commission has been undertaking initiatives since 2021 to regulate and enhance environmental and human capital management disclosure controls and procedures, with multiple regulations to be issued during Fall 2023[11].

2. The Lieferkettensorgfaltspflichtengesetz or LkSG Law

Considering the growing public interest in stronger accountability of corporations in protecting the environment and human rights, the German Parliament (Bundestag) voted on July 16, 2021, on the Supply Chain Due Diligence Act (LkSG [12]). Through this law, the German regulator intends to push corporations under its jurisdiction to better fulfill their human rights and environmental responsibilities. The LkSG’s objective is to motivate companies to change their perspective and focus on the interests of their employees, the employees within the supply chain, and any other persons whose lives may be impacted by their business activities or by a company within their supply chain.

The Act covers the companies that:

a. Are headquartered in Germany, or
b. Have their principal activities in Germany, or
c. Have branch offices in Germany, and
d. Have 3,000 employees or more, including temporary workers.

Starting from January 1, 2024, more entities will fall under the scope of the law when the employee threshold decreases from 3,000 to 1,000 employees.

3. Diligences required

The Law requires organizations under its scope to take “appropriate measures” to respect human rights and the environment within their entire supply chain. The law defines the supply chain as “all products and services of an Enterprise. It includes all steps in Germany and abroad necessary to produce the products and provide the services, starting from the extraction of the raw materials to the delivery to the end customer”. The Law obligates companies under its scope to conduct a risk analysis of their business operations, including their direct suppliers, on human rights and the environment. However, the Law does not define when such measures are deemed “appropriate.” The German Federal Office for Economic Affairs and Export Control (BAFA) clarified in December 2022 that enterprises have the discretionary power and scope of action to implement their due diligence obligations. In this regard, enterprises are not expected to do anything unreasonable. The intensity of their efforts may vary depending on the type and size of their business, the enterprise's ability to exert influence, the severity and likelihood of occurrence of violations, and the type of causation contribution[13].

Human rights analysis should include areas such as:

· Child labor,
· Forced labor, oppressive work, slavery, or similar,
· Freedom of association,
· Discrimination,
· Health and safety.

On the environmental side, the law includes the following environmental aspects:

· The manufacture, handling, and use of mercury and mercury-added products, compounds, or waste,
· Ban on the handling, collection, storage, and disposal of certain chemical products, compounds, or waste,
· Ban on the export of hazardous waste,
· Production and use of certain chemicals.

4. Sanctions

The law introduces significant civil sanctions for violators, who might incur severe fines and penalties as follows:

· Large companies with a three-year average global turnover of 400 million euros or more can be fined up to 2% of their annual average global turnover,
· Penalties of up to 500 thousand euros,
· Exclusion from public bids for up to three years,
· Being sued by a non-governmental organization or a trade union on behalf of any person with a legal interest of paramount importance.

Any other liability arising independently from the act remains unaffected.

5. Risk-based approach

Companies are required to adopt a risk-based approach. This includes identifying risks to human rights and the environment, assessing those risks, prioritizing them, and taking appropriate steps to prevent or minimize them or end the violation, regardless of their location. The risk profile differs between entities and sectors and depends on the adopted strategies and business choices. Sectors such as agriculture, mining, and chemicals might be more exposed than others. Organizations operating or using subcontractors in jurisdictions characterized by poor legal protections, lack of public awareness, or weak rule of law might also incur a higher risk.

Within the spirit of the law, responsibilities no longer stop at the factory gate but clearly expand to parts of the value chain located outside Germany. They include the actions taken by the company and its direct subcontractors. The law extends the analysis to indirect subcontractors whenever actual indications suggest that a human rights-related or an environment-related obligation is violated. The law refers to this as “substantiated knowledge.” Such knowledge might exist in multiple circumstances, such as following media reports, reports from human rights associations, governments, competitors, or other organizations. The knowledge may also have internal sources, such as an internal audit report or a corporate security analysis. In this context, the Law requires companies to designate a Human Rights Officer (HRO) and implement a whistleblower procedure to report potential violations. Such reporting is not limited to the direct vendors but may also relate to any vendor within the Supply Chain.

The law refers to due diligence procedures that must be implemented to cover the designated companies' organizations and any party over which these companies exert a “decisive influence” in their Global Supply Chain. It is, therefore, expected that the law’s requirements will be cascaded down to subcontractors downstream in the value chain. Smaller suppliers who are willing to maintain business relations with the organizations designated by the law would have to apply the law themselves and provide a certain level of assurance to their clients. Such requirements might be transferred from one layer to the other in various ways, through contractual obligations, KPI covenants, a Suppliers' Code of Conduct (SCoC), or third-party audits, to name just a few. The Law distinguishes between “Regular” and “Ad hoc” risk analysis. A regular analysis must be conducted yearly, while the ad hoc analysis must be completed when substantiated knowledge of a violation exists. An ad hoc analysis must also be triggered whenever concrete significant changes in risks or emerging new risks along the supply chain are expected. These risks can cover both direct and indirect business relationships. However, the law does not specify how a risk analysis must be conducted or what it should cover.

In August 2022, BAFA issued a “guidance on conducting a risk analysis as the German Supply Chain Due Diligence Act” (LkSG). In its guidance, the Federal Office clarified how a risk analysis should be conducted for effective and appropriate risk management. It also recognized that having a transparent view was a foundation for any analysis. This transparency begins with obtaining and maintaining sufficient information about the company’s structure within its circle of influence, procurement policies, and the nature and scope of the business activities. This information needs to be kept complete, relevant, and accurate.

The Table below includes the expected data collected:


Based on the information obtained, companies should undergo “Abstract” and “Concrete” risk analyses. An abstract risk analysis includes sector and country-specific risks. It identifies companies, branches, and sites with increased risk exposure and the communities impacted by the risks (individuals or groups). In the concrete risk analysis, companies assess and prioritize their criteria. This comprises a plausibility evaluation (likelihood and impact) covering all business activities within its circle of decisive influence.

6. Integrating the LkSG within the company’s Enterprise Risk Management

The law requires management to design and implement a Due Diligence Program (DDP) around nine obligations and monitor it to ensure each portion works effectively and operates as expected. The nine elements are as follows:

1. A Risk Management System
2. Designation of roles and responsibilities
3. Performance of regular analyses
4. Issuing a policy statement
5. Implementation of preventive measures
6. Taking remedial actions
7. Establishing complaints procedures
8. Implementing Due Diligence procedures targeting indirect suppliers
9. Documentation and reporting

In their efforts to comply, organizations should integrate the risks addressed by the law within their risk management system. The Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM) framework[14], updated in 2017, constitutes a good reference for companies in setting objectives, identifying and evaluating risks, and addressing them. It provides guidance in integrating risk management throughout the entity to accelerate growth and performance. Organizations can consider how the LkSG requirements interact with each ERM element already in place. In doing so, companies need to identify how the law affects their governance structure and their current strategy, and how the requirements may impede or reinforce their performance. Companies should start by embedding human rights and respect for the environment within their core values and in what they genuinely want to achieve. For instance, the organization would need to adjust its whistleblower policy, or create a new one, and determine how it will oversee its implementation. Also, the company should designate its HRO and determine his/her level in the organization. Many of today’s corporations already have designated board members or established committees to oversee Environmental, Social, and Governance (ESG) topics. In this case, it is relevant that the HRO reports to the board member or committee responsible for ESG.

Perhaps the entity has already embedded sustainability objectives in its strategy in line with its mission and vision and designed policies and procedures that reflect those objectives. In identifying and addressing any material compliance risks, it is important to start building a culture of compliance and commitment to the corporate sustainability values. Management should select a strategy that supports these core values and stakeholders' expectations. The LkSG mandates the implementation of a human rights strategy. To be effective, such a strategy should reflect the corporate culture and be strongly stressed to vendors across the value chain.

Under the oversight of the Board of Directors, management can align its objectives with those of the legislator. This includes setting clear human rights and environmental strategic and business objectives and identifying potential deviations at different levels, inside or outside the organization but within its circle of decisive influence. The response to these deviations should be tied to the Risk Appetite and Risk Tolerance levels. As the COSO ERM highlights, risk influences and aligns strategy and performance across the organization. For instance, considering its sector of activity and geographical presence, a company may define a low risk tolerance and consequently choose to adjust its Suppliers' Code of Conduct (SCoC) and only work with those that comply with the LkSG requirements. Companies may also choose to require regular compliance representation letters from their subcontractors or to audit them for compliance regularly within a given timeframe. The risk appetite might be embedded within a “Risk Statement” shared with internal and external partners.

Further, the strategy must be transposed into relevant policies, procedures, targets, and metrics. The company should be able to collect useful and meaningful data on each of the law requirements. This will depend on the adequacy of the company's information systems and reporting processes as well as its vendors' information systems and reporting processes within the supply chain.


7. Considering the COSO Internal Control Integrated Framework

Organizations must build controls to ensure the accuracy, completeness, and timeliness of the information obtained to properly manage their compliance risk. They can choose to use COSO’s Internal Control Integrated Framework, or ICIF. The ICIF complements the ERM Framework but is narrower, as it focuses on the means for carrying out objectives throughout the organization. An effective Internal Control System (ICS) allows management to deploy activities to reach objectives and mitigate risks to human rights and environmental impacts in the company’s operations, subsidiaries, and value chains. It will also allow management to issue reliable and useful reports for investors, government, and other stakeholders, including the public. It is important that companies view the different elements, activities, and steps in the ICS as integrated processes mutually interacting and reinforcing each other.

The COSO ICIF was updated in 2013[15]. The updated framework brought more clarity to the principles for an effective ICS. The update emphasizes the broader coverage of the “Cube” to include non-financial reporting, such as Sustainability Reporting (ICSR), for both internal and external purposes.


Robust controls around each of the LkSG requirements must be designed, implemented, and operated effectively. To ensure compliance with the law, entities should dive deep into the ICIF and consider all 17 COSO principles affecting the objectives set as per the law’s due diligence requirements. Companies should build a coherent ICS covering human rights and environmental protection risks by reflecting the principles within each IC element in their structure and processes.

When considering these principles, organizations would have to determine the scope and the boundaries of their objectives and risks on their control design and implementation. For instance, entities should include their suppliers when considering their structure (Principle 3[16]). To achieve their objectives in line with the law, organizations need to wisely cascade their goals to their suppliers of goods and services (Principle 6[17]). Similarly, they should include in their risk assessments, the risks due to vendors’ violations, whether it is due to lack of controls (Principle 10[18]), insufficient reported information (Principle 13[19] and Principle 15[20]), or due to Fraud (Principle 8[21]). Moreover, companies should consider proper Segregation of Duties (SoD) across their processes (principle 10) as well as IT General Controls (ITGC) around the relevant systems (Principle 11)[22]. Furthermore, organizations should not disregard the risks of management override of controls and potential conflicts of interest.


These are a few examples of the connections that an organization might have to consider when choosing to use the ICIF as a relevant source of guidance to manage the risk of non-compliance with the LkSG.


The law requires due diligence obligations to be continuously documented within the enterprise. BAFA indicated that companies should perform their diligence in a “transparent and traceable” way and recommended that they adopt a proactive approach when identifying and assessing their risks. Such an approach might involve internal audit, corporate security, compliance, other relevant departments, or external professional service providers.


Finally, the law obliges companies to prepare and publish an annual report on fulfilling their due diligence obligations not later than four months after the end of the financial year for a period of seven years. The report should include a description of the diligences performed, the identified violations, including those resulting from reported complaints, and the actions taken by the organization to address them.


8. Final Word


Due diligence laws such as the LkSG constitute an additional legislative piece in the sustainability area. They reflect an overall and global trend of governments’ growing commitment to regulate ESG areas and render corporations more responsible towards the environment in which they operate and the local communities they integrate. However, this growing commitment, reflected in a growing number of initiatives, might be counterproductive if not harmonized at the global level to allow interoperability and keep compliance costs within reasonable levels.

Within this continuously evolving landscape, companies could reduce their compliance costs by leveraging best practices, designing and implementing adequate processes, and integrating their Risk Management and ICS to remain better prepared and resilient in the face of new requirements.


At BAK Global Risk Management, we help our clients create value through a robust and resilient risk management system, mitigating risks and creating opportunities. We provide advisory, assurance, and fraud investigation services to organizations in the private, public, and non-profit sectors. We can help you comply with legal requirements affecting your Supply Chain in designing and implementing due diligence procedures, particularly in high-risk markets.


For more information about how we can help, give us a call at +49 152 51 04 19 81 or +1 (954) 496-0464 or visit our website and book your free consultation directly online at www.bak-grm.com

[1] As at the date of issuance of this article.
[2] Corporate Sustainability Due Diligence - CSDD
[3] Loi n° 2017-399 du 27 mars 2017 relative au devoir de vigilance des sociétés mères et des entreprises donneuses d'ordre.
[4] Act relating to enterprises' transparency and work on fundamental human rights and decent working conditions (Transparency Act).
[5] EUR-Lex - 32014L0095 - EN - EUR-Lex (europa.eu)
[6] The European Green Deal (europa.eu)
[7] EU Taxonomy Navigator (europa.eu)
[8] Taxonomy Regulation (europa.eu)
[9] Corporate Social Responsibility Directive - CSRD (EUR-Lex - 32022L2464 - EN - EUR-Lex (europa.eu)).
[10] Sustainable Finance Disclosure Regulation - SFDR (EUR-Lex - 32019R2088 - EN - EUR-Lex (europa.eu)).
[11] KPMG US, ESG 2023 Regulatory Agenda
[12] Gesetz über die unternehmerischen Sorgfaltspflichten zur Vermeidung von Menschenrechtsverletzungen in Lieferketten (Lieferkettensorgfaltspflichtengesetz – LkSG)
[13] Appropriateness: Handout on the principle of appropriateness according to the requirements of the Act on Corporate Due Diligence Obligations for the Prevention of Human Rights Violations, BAFA, 2022
[14] Enterprise Risk Management | COSO
[15] Internal Control | COSO
[16] Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
[17] The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives (Operations, Reporting, and Compliance).
[18] The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
[19] The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal controls.
[20] The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
[21] The organization considers the potential for fraud in assessing risks to the achievement of objectives.
[22] The organization selects and develops general control activities over technology to support the achievement of objectives.

Disclaimer:

This communication contains general information only and should not be considered or relied on as professional, legal, or financial advice or service. By using or viewing the attached document, you agree that BAK Global Risk Management, or any of its related individuals or entities, cannot be held liable for the use of this document made open and how it may circulate.

©2023 by BAK Global Risk Management LLC.