Risk Analysis under the German Supply Chain Due Diligence Act (“Lieferkettengesetz”)

by Alice Homuth

A little over two months before the German Supply Chain Due Diligence Act – Supply Chain Act for short – is due to enter into force for the first group of companies (those with at least 3,000 employees) in 2023, the implementing agency BAFA (Federal Office for Economic Affairs and Export Control) has published its first implementation guidelines (“Handreichung”) on a crucial part of any risk management system: risk analysis.

Risk analysis lies at the heart of any management system that aims to prevent, end or minimise potential adverse impacts on rightsholders or the environment. Further steps, such as defining appropriate and effective preventative and remedial action, greatly depend on a solid understanding of any potential impact the business activities of a company might have on rightsholders. The better a company’s understanding of a risk, the more effective the countermeasures it can implement. Risk analysis is relevant when it comes to any potential impact a company’s own operations may have, any risks associated with direct business partners’ activities as well as the activities of indirect business partners further upstream along the supply chain.

Companies that fall within the scope of the new German Supply Chain Act are only legally required to act on risks in the deeper upstream supply chain if they have “substantiated knowledge” of concrete risks or violations occurring at indirect suppliers. However, due to the current vagueness of the term “substantiated knowledge,” we strongly advise our clients to proactively include upstream supply chain risks in their risk analyses even without “substantiated knowledge” of risks.

Based on our day-to-day experience implementing risk analyses for our clients, we greatly appreciate that BAFA has now further clarified some of the legal requirements. Below is a summary of the key insights provided in the BAFA implementation guidelines on human rights risk analysis:

  • A multi-step approach to risk identification: Before moving to a more concrete assessment of risk levels regarding specific locations, activities and rightsholder groups, companies could start with an abstract, rather general risk assessment based on publicly available information.
  • Foresight: The guidelines recommend that lower tiers already be included in regular risk analysis, in addition to analysing a company’s own operations and those of its direct suppliers. This way, widely known risks can be proactively addressed, preventing the need to deal with “substantiated knowledge” later on.
  • Scope of one’s own operations: The guidelines clearly state that a company’s own operations fall within the scope of the due diligence expectations, including, for example, last-mile delivery service providers.
  • Definition of “direct suppliers”: A supplier company’s controlled subsidiaries qualify as direct suppliers even if they are not strategic suppliers of the company’s central purchasing department.
  • Resource efficiency: The guidelines affirm the importance of incorporating existing knowledge and data points on risks (e.g. internal grievance mechanism data, H&S data, audit results) into companies’ regular risk analysis and into refining that analysis.
  • Openness in methodology: Companies can choose their own tools and methods for carrying out risk analyses. However, sources, weighting and prioritisation etc. must be documented adequately.
  • Risk prioritisation: A company’s prioritisation of risks for taking subsequent steps is based on severity and likelihood as well as other appropriateness criteria.

Over the next few weeks, we will be publishing further helpful information on the implementation of the Supply Chain Act as part of our Löning LkSG Insights series. To stay up-to-date with future articles on this topic, follow us on LinkedIn or subscribe to our monthly briefing.

For the full text of the BAFA implementation guidelines (in German):

If you need support for implementing risk analyses or for any other requirement under the Supply Chain Act, or if you have any other questions concerning human rights in your company, get in touch: