Supply Chain Act: How best to prepare now
As early as next year, companies will be expected to start the test runs for the required reporting and supplier monitoring
Global supply chains deliver major efficiencies and growth opportunities to many regions of the world, with German-based companies also benefiting. However, minimum social standards are not always met. Around 25 million people worldwide are currently subjected to forced labor, for example, and 75 million children are toiling under exploitative working conditions.
Germany's "Act on Corporate Due Diligence in Supply Chains" aims to put an end to this abuse by criminalizing human rights violations such as forced labor and child labor, slavery, unhealthy and unsafe working conditions, and discrimination through wage dumping or unequal treatment.
If everything goes to plan, the regulations, known as the Supply Chain Act for short, will be passed by the German Bundestag later this year and come into force in January 2023. Companies would be well advised to use the time to prepare for the new legal situation.
Due diligence for the supply chain
Implementing the provisions of the Supply Chain Act poses major challenges for the 600 or so companies that will initially be affected. These are firms that have their headquarters in Germany and employ more than 3,000 people. They have a good 20 months to get to grips with the extensive requirements and put in place the right conditions for a legally compliant supply chain. From 2024, companies with more than 1,000 employees will also be subject to this law. They too will then have to guarantee social responsibility along their entire supply chain – from raw material to finished product.
Key aspects of what the law requires:
- Companies must adopt a policy statement on respect for human rights and make it publicly available. The statement must describe the procedures the company will apply to ensure implementation of the Supply Chain Act. In addition, the specific human rights and environmental risks involved must be described according to certain specifications.
- Furthermore, companies must establish a comprehensive risk management system. It must be updated annually and integrated into the respective business processes, such as supplier selection. A risk analysis must be conducted to identify possible adverse effects on human rights and specify countermeasures to be taken.
- Companies will also be obligated to set up a complaints mechanism and to appoint a responsible person based in Germany.
- The extensive documentation requirements include an annual, publicly accessible report in which each company describes identified risks in their supply chain, countermeasures and implications for future activities.
- In the event of a violation within a company's own business unit, corrective measures must be taken immediately and these must bring the violation to an end. Further preventive measures must also be initiated. If the violation by a direct supplier cannot be ended in the foreseeable future, a specific minimization and prevention plan must be drawn up.
Large fines for violations
Compliance with the law will be monitored by the Federal Office of Economics and Export Control (BAFA). It will review the company reports and investigate complaints. In the event of omissions or violations, it can impose fines or exclude companies from public procurement contracts. Businesses with annual revenues in excess of EUR 400 million will be fined up to 2 percent of revenues for non-compliance, while fines for smaller companies will range between EUR 100,000 and EUR 800,000.
Victims of human rights violations will have the right to bring legal action before the German courts, and they can also file a complaint with the BAFA. In addition, non-governmental organizations (NGOs) and trade unions based in Germany may file lawsuits and complaints on behalf of foreign victims.
Companies should be aware that the focus of the Supply Chain Act lies on direct human rights violations. Environmental considerations play only an indirect role, namely when there is a risk to human health or safety. This means that things like air, water and soil pollution or a high level of water consumption that endangers food production or the security of the local drinking water supply may also be a cause of legal action.
Tier 1, Tier 2: Which suppliers are affected?
The requirements companies have to meet are graded according to the different links in the supply chain (own business unit, direct supplier, indirect supplier) as well as in accordance with the type and scope of business activity, the company's ability to influence the direct perpetrator of the violation, and the typically anticipated severity of the violation itself.
What does that mean?
In the company's own business unit and in the case of a direct supplier (Tier 1), respect for human rights must be contractually guaranteed. The corresponding control mechanisms must also be defined in the contract. Companies must offer training and development programs and conduct a risk analysis at least once a year.
Indirect suppliers (Tier 2 and below) are only monitored passively. In other words, there must be institutionalized complaints procedures in place for internal and external stakeholders such as whistleblowers, affected employees and NGOs.
Time is of the essence: What companies should do now
Even though the law leaves a lot of room for interpretation with its many rather vague formulations and not all companies are affected to the same extent, businesses should use the rest of this year to prepare. Then there will be sufficient time to do test runs in 2022 before the regulations take full effect in January 2023.
A check-up of the entire supply chain that leaves no stone unturned will provide the best basis for the necessary risk management. All suppliers should be checked to identify what risk potential they entail: Which countries do they operate in? How high is the proportion of manual work in the value chain? Who does this work? Could it involve child labor? What about environmental risks that may violate human rights?
Once potential risks have been identified, a list of critical and non-critical suppliers can be drawn up. With suppliers assessed as critical, a strategy for further action should be jointly agreed upon and implemented. The above questions will also need to be asked in any future supplier selection and risk management process.
In addition to this, companies should put in place the necessary organizational structures and internal processes for the legally required reporting and supplier monitoring that they will have to do. We recommend testing the internal and external communications for this in 2022 if not before.
There is a very long list of other tasks to be done. These range from appointing a responsible person based in Germany and organizing regular management meetings to informing employees and supporting them during the implementation phase.
What the list shows is that the Supply Chain Act will mean a lot of work for businesses. Companies should start doing their homework now to have a good chance of keeping the implementation effort as low as possible.
This publication has been prepared for general guidance only. It does not constitute individual advice, and in particular it does not constitute legal or tax advice, nor can it replace such individual advice.
Readers should not act on the information contained in this publication without first seeking individual advice.
The respective company of the Roland Berger group ("Roland Berger") assumes no liability for the accuracy and completeness of the content provided in this publication and shall not be liable for any damages arising from the use of the information contained in the publication.