On 17 August 2022, the Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle, “BAFA”) issued its first handout to provide guidance to companies currently implementing a risk management system to comply with the German Supply Chain Due Diligence Act (“SCDDA”). The document is aptly titled “Identifying, Weighing, and Prioritizing Risks” – as this is essentially what the risk analysis needs to do. Overall, the handout includes what has already been stated in the SCDDA, summarizes the essential requirements for a risk analysis, and gives a little more background on the requirements and a few practical examples with respect to the implementation.
Why Risk Analysis?
The goal of the risk analysis required by the SCDDA is to obtain knowledge about any human rights-related and environmental-related risks in a company’s own business area and along its supply chain. Based on this, the company is required to weigh and prioritize the risks identified and to implement measures to prevent or remedy any prioritized risks or violations. All this has to be done in an “appropriate” manner.
What is “Appropriate”?
This is not really news to companies that have read the SCDDA and have already been thinking about how to introduce or adapt their risk management systems accordingly. The law pivots around the term “appropriate”, using it 19 times and highlighting that only “appropriate actions” must be taken. Many companies hoped that this handout would provide more details on what the term “appropriate” means. The handout does not really meet this expectation and mainly quotes the SCDDA by explaining that (i) the nature and scope, (ii) the company’s ability to influence the source of the risks, (iii) the severity and probability of occurrence of a violation, as well as (iv) the company’s causal contribution to the risk or violation, are the relevant criteria for determining whether a measure is “appropriate”. However, the BAFA is working on a separate handout on “appropriateness”, which is to be published soon.
Regular vs. ad hoc Risk Analysis
The handout emphasizes that there are two types of risk analysis that a company has to undertake: (i) the regular (annual) risk analysis, as well as (ii) an ad hoc risk analysis. The handout clarifies that the ad hoc risk analysis is triggered by two events:
- Substantiated knowledge: Where a company has factual indications with respect to the possibility of a human rights-related or environmental-related risk or violation at one or more indirect suppliers, it must undertake a risk analysis with respect to these suppliers. Substantiated knowledge can, inter alia, be obtained through complaints, media or NGO reports, as well as general discussions within existing industry initiatives.
- Changes in the company’s internal or external risk exposure: Further, a risk analysis can be triggered where the risk landscape of a company changes, e.g. by launching a new product for which input materials are sourced from new suppliers in countries that are new to the company. In addition, external events can also trigger the need for an ad hoc risk analysis, e.g. the outbreak of a conflict in a certain country or a natural disaster in a country of operation.
In the handout, BAFA advises taking a proactive approach: companies that consider the risks in the deeper supply chain from the outset in the regular risk analysis can save time and effort that would otherwise have to be invested later in an ad hoc analysis.
The handout explains that the implementation of an appropriate risk analysis creates transparency within a company’s own business area as well as along its supply chain. This transparency makes it possible to determine which areas must be covered by the risk analysis. The handout provides a list of basic information that a company should gather to create such transparency as a basis for the risk analysis:
- Company structure: name and industry of all group companies over which the company has significant influence; and for all of these group companies: (i) a contact person, (ii) operating sites/locations, (iii) product types/types of services, (iv) sales volume, and (v) number of employees.
- Procurement structure: (i) procurement categories, (ii) types of products or services within these categories, (iii) procurement countries, (iv) number of direct suppliers per procurement category and country, and (v) order volume per procurement category in the last financial year.
- Type and scope of business activity: (i) list of most important products and services, (ii) visualisation of the supply chain and key business relationships, and (iii) an overview of the current activity in the countries in which the company is active or where the company is sourcing.
Where a company has already identified “high-risk” suppliers, additionally, the following information should be obtained for such suppliers (direct or indirect): (i) name, (ii) contact person, (iii) parent company, (iv) order volume in the last financial year, (v) sites and locations, (vi) number of employees, and (vii) presence of employee representation.
In addition to this list of required information, the handout provides more detailed guidance on the regular risk analysis explaining that the regular risk analysis comprises two steps:
- the abstract analysis, and
- the concrete analysis.
The abstract analysis will give an overview of the information available to the company (as described above). Ideally, a company will then know which human rights-related and environmental-related risks are relevant for the countries the company is active in or sources from (country-specific risks), as well as the risks related to the industry the company is active in (industry-specific risks). The concrete analysis will then help determine, weigh, and prioritize any concrete risks, e.g. by creating a “heat map”.
Materials to Work with
In its Annex II, the handout provides a helpful and pretty comprehensive list of documents and public sources that can support companies in implementing a proper supplier due diligence risk analysis.
The BAFA handout does not provide entirely new information. Companies that are already well into the implementation process and have come across numerous detailed questions will likely not find much help here. That said, it is a helpful summary of the SCDDA’s essential requirements for a risk analysis, in particular for companies that are only now starting to familiarize themselves with the SCDDA. For these companies, the handout also includes a list of sources of information in Annex II, which may be a good starting point for assessing risks and knowing what to look out for when doing so. However, it does not include any new information or extensive guidance for companies that are already familiar with the SCDDA and with risk management systems in general.
In the near future, we expect further handouts by BAFA and understand that the BAFA is already working on handouts with respect to the term “appropriateness” and complaint procedures. It remains to be seen whether these will provide more detailed guidance to companies or will again mostly summarize the SCDDA.