The due diligence requirements of the Supply Chain Act in detail

The German Supply Chain Due Diligence Act or LkSG (from German Lieferkettensorgfaltspflichtengesetz) specifically lists 9 obligations. You can find out exactly what these mean in this brief overview.

1. Setting up risk management

Companies must establish appropriate and effective risk management to comply with their human rights and environmental due diligence obligations. This can be done through standardized auditing processes, guidelines and internal responsibilities. It is recommended that a human rights officer be appointed to be responsible for the effectiveness of risk management. The adequacy of risk management depends on the nature and scale of the business, the company’s ability to influence the risk, the severity of the violation, and the contribution to causing the risk. If, nevertheless, human rights or environmental standards are violated within the business activity or by suppliers, the company must be able to demonstrate reasonable efforts to avoid them.


2. Defining a responsible person or team

One person or team should be responsible for LkSG due diligence compliance, depending on the size and focus of the company. This person does not necessarily have to be a lawyer, but it is recommended that the responsibility be placed in related areas such as Compliance, Legal, Corporate Responsibility or Sustainability to ensure effective risk management.


3. Conducting a risk analysis

The LkSG prescribes a risk analysis in which companies must identify, assess and prioritize human rights and environmental risks in their business activities and with direct suppliers. A first step is to create transparency about the supply chains and get an overview of the structure and actors. Risks are captured and assessed from the perspective of potentially affected parties, not from the company’s perspective. Risk analysis is sometimes the most comprehensive part of due diligence. Use our LkSG module directly to carry out your risk analysis, or start with our How-To Guide and our free Excel tool.


4. Issuance of a policy statement

The LkSG requires companies to issue a policy statement on their human rights strategy. This must be signed by management and include information on risk management, identified high-priority human rights and environmental risks, and expectations for employees and suppliers. The policy statement must be publicly available and known to employees, direct and indirect suppliers, and the public. It may be part of a Group-wide code or consist of multiple documents, as long as all required elements are included and it is known to all relevant persons and communicated to the public.


5. Implementation of preventive measures

If risks are identified in the company’s own business area or at suppliers, appropriate preventive measures must be taken. The aforementioned policy statement represents a preventive measure, but the law also lists other specific measures, such as training, process adjustments, contractual agreements or, in general, the consideration of human rights or environmental impacts in the procurement process/the selection of suppliers.

Documentation and follow-up of the measures are important. Their effectiveness must also be reviewed annually or on an ad-hoc basis.


6. Implementation of remedial measures

If it is determined that a violation of a human rights or environmental due diligence obligation has already occurred or is imminent in the company’s own business area or at a supplier, remedial measures must be taken immediately to prevent or end the violation or at least minimize its extent. If the violation at a supplier cannot be ended in the foreseeable future, the company should work with the supplier to establish a specific timetable for remediation. Termination of the business relationship should only be used as a last resort. Again, it is important to document and track the remedial actions and verify their effectiveness.


7. Establishment of a complaints procedure

Companies must establish a complaints procedure so that possible violations of human rights or environmental obligations can be reported. This procedure is similar to the whistleblower systems that have already been implemented at many companies. Here, specific requirements are set: receipt of the report must be confirmed to the whistleblower, procedural rules must be published, processing must be carried out by impartial and independent persons, access to the reporting system must be easy, and the company must provide information about the reporting channel. Importantly, reporting should also be enabled along the entire supply chain; this may also require expanding the languages and reporting channels offered.


8. Response to risks in the extended supply chain (indirect suppliers)

The LkSG requires companies to also investigate possible violations of human rights or environmental obligations at indirect suppliers if they have “substantiated knowledge” of them. This knowledge can be obtained through reports submitted via the complaints procedure or through industry and media reports. In this case, the company must conduct a risk analysis, implement appropriate preventive measures and, if necessary, update the policy statement.


9. Documentation and reporting

The LkSG requires companies to comprehensively document the fulfillment of their due diligence obligations, including processes, risk analyses, preventive measures, breaches, remedial measures and incoming notices. This documentation must be retained for at least seven years. Companies must prepare an annual report on the fulfillment of their due diligence obligations in the past fiscal year, which is publicly available and must be submitted to the Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle, or BAFA). The report must contain the identification of risks or violations, the measures taken, the evaluation of the impact and effectiveness of the measures, and conclusions for the future. If no risks or violations are identified, the report must explain how the company reached this conclusion. You can find out more about specific reporting on the BAFA page.