In the wake of a year that rocked the world, national governments in the journey towards sustainable business practices are taking a stand to ensure that corporations, and suppliers alike, are held accountable for their impact on the world around them. Leading the charge, Germany has embedded this focus into new legislation that applies to all businesses operating within the country’s borders. While this new legislation comes from one country, it still bears global impact. The companies who are directly affected must undertake significant due diligence on their entire supply chains, regardless of where vendors are located. Furthermore, other European countries have indicated interest in enacting similar national regulations. As globalized efforts to protect vulnerable communities and the environment heighten, more countries are likely to follow suit.
What is the German Supply Chain Act?
Germany’s new Supply Chain Act, Lieferkettensorgfaltspflichtengesetz, often shortened to “Lieferkettengesetz,” mandates companies to fulfill their due diligence obligations by monitoring their supply chains for human rights violations and compliance with certain environmental standards. The legislation comes into effect on January 1, 2023 and it will initially apply to companies with a registered office or branch in Germany and 3,000 or more employees. By 2024, the law will extend to companies that have more than 1,000 employees. Should the applicable corporations violate their due diligence and reporting obligations, they will face fines of up to EUR 8 million depending on the nature and gravity of the violation. Companies with an average annual turnover of more than EUR 400 million may be fined up to 2% of their average turnover for breaches of the law. In addition to harsh monetary fines and negative publicity, companies who breach the act also face exclusion from entering into contracts with German public entities.
What is required of companies in order to comply?
Corporations must align with their suppliers, and third-/fourth-/fifth-party companies across their multi-tier supply chain, to ensure that the appropriate steps are taken to monitor, aggregate, and report the relevant documentation to verify compliance. In addition, companies must publish their internal policies detailing their due diligence practices and annually report the measures taken, and any breaches, to the German Federal Office for Economic Affairs and Export Control. The below chart shows the difference in the requirements for direct suppliers versus indirect suppliers.
Companies may face challenges in meeting these requirements
With this comprehensive law going into effect in just a year’s time, the clock is ticking for companies who may not even know where to begin as they prepare to meet these compliance measures. One thing is for certain — it will require time, effort, and commitment to collaborate across the supply chain.
Business leaders are likely to encounter challenges that could range from establishing effective external reporting systems, to proper training and development of personnel. There is also the need to define and act upon appropriate preventative measures in a manner that can stretch across increasingly globalized supply and value chains. This will require companies to overcome the intentional obscurity of n-tier suppliers by improving third-party risk management. Germany’s Supply Chain Act requires that corporations have the necessary complaint processing procedures to facilitate the identification and reporting of supply chain risks and compliance breaches.
Some suppliers may be unable to comply with Lieferkettengesetz in time, and may face removal from several supply chains. In order to avoid such disruption, supply chain planners need improved visibility into risk and compliance data to quickly assess where action is needed so that they can respond in a timely manner. Ultimately, companies will need to seek comprehensive tools to assist in both short-term and long-term compliance efforts.
4 best practices businesses can employ to overcome challenges with the German Supply Chain Act before time is up!
- Get support from all levels of leadership and centralize control of risk management initiatives. Top performing companies make sure their senior leaders and directors fully understand the importance of a strong risk management program. Having centralized control allows businesses to save on costs and avoid duplicating efforts for activities like vendor approval and vetting.
- Vet providers early in the sourcing and selection process and include performance in risk criteria. Third-party risk management should be incorporated into vetting and sourcing criteria when awarding new business. Vendors should be required to vet their own suppliers and third parties for security, compliance, and ethical concerns. Once awards are made, contracts should include the proper clauses to address risk. Qualitative information gathered from employees — preferably immediately after a service is rendered — adds to quantitative data on partner performance.
- Provide buyers and supply chain planners with visibility into amplified risk and conduct periodic in-depth audits. Properly assessing third-party risk is of limited value if employees buy from unvetted or risky suppliers. Visibility matters because risk can be compounded by a fourth party appearing multiple times, or where products flow across multi-tier supply chains. In-depth audits can identify problems missed by an automated process, as well as changes in the external environment that require process changes.
- Digitize third-party risk management processes in order to continually monitor third-party behavior. Annual or periodic assessments help companies detect risks, but continuous monitoring can help them detect problems and adapt to changes in technology and personnel. Moving from spreadsheets or legacy systems to a modern platform for third-party risk and supply chain planning allows real-time data collection and threat detection, improving risk-management outcomes and reducing costs.
Successful companies integrate third-party risk management with a business spend management (BSM) solution. Third-party risk management should be part of the company’s mindset and operational processes or systems, not a last-minute endeavor. As you take the time to improve your business processes, remember your power as a stakeholder in protecting the earth’s most vital resources and vulnerable communities.