Conducting a risk analysis according to LkSG and defining measures

Created by Christoph Wiesen, Modified on Wed, 3 Jul at 4:01 PM by Anna Kurth


The German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichten­gesetz - LkSG) requires companies to conduct a risk analysis of human rights and environmental risks in their own business area as well as in their supply chain and to take appropriate preventive and remedial measures.


This article describes how companies subject to this law can use the sustainabill platform to conduct a regular risk analysis of their direct suppliers (Step I) and to define and track preventive measures (Step II).



I. Conducting a risk analysis via inviting suppliers and the Risk Check


The aim of the risk analysis according to the requirements of the LkSG is the identification, weighting, and prioritization of human rights and environmental risks following a systematic and consistent approach.


a. Sending a connection request to all relevant direct suppliers and affiliated companies:


The connection request can fulfill the following purposes: 

  • documentation of the "Bemühenspflicht" (obligation to make a reasonable effort) required by the LkSG for all suppliers
  • automated risk analysis via LkSG Dashboard for those who respond to the connection request
  • optional: automated follow-up requests such as the Code of Conduct request


Before you send the connection requests, you should evaluate the following topics. You can discuss this with your sustainabill onboarding manager during the kick-off meeting: 

  • The scope of suppliers a connection request should be sent to (for example, a minimum PO spend threshold can be set, or risk information that is already known can be used)
  • Whether to invite subsidiaries to complement the analysis of your own business area (eigener Geschäftsbereich) - use the predefined tag "subsidiary" / "Tochtergesellschaft"
  • Whether to directly require suppliers to complete assessment topics (if you upload a high number of suppliers with an unknown abstract risk profile, we highly recommend sending the connection request without ticking any assessment topics)


Click here for a description of how to send a connection request: How do I send a connection request?


Do you also want to use sustainabill to analyze your own business processes (eigener Geschäftsbereich)? Please take a look here: Can I also analyze my own business processes (eigener Geschäftsbereich) with sustainabill according to LkSG?


Please note that the requirements regarding the own business area are stricter than those regarding the suppliers (Erfüllungspflicht vs. Bemühenspflicht). The information assessed in the platform provides a basis for this analysis, but further steps are needed (check with your compliance department / consulting lawyer).


b. Conducting a risk check for non-connected suppliers:


The risk check process is described in this article: How to perform a Risk Check of not registered-suppliers on the sustainabill platform.



II. Defining preventive measures to address supply chain risks ("Präventionsmaßnahmen")


a. Analyzing the Due Diligence Dashboard to prioritize risk categories and define relevant preventive measures:


The Due Diligence Dashboard provides standardized results as a decision basis. Using these standardized results, you can make an informed decision about which risks you prioritize and for which suppliers additional preventive measures are necessary.


The results of the whole risk assessment for the direct suppliers connected to your company via the sustainabill platform are summarized in the Due Diligence Dashboard: Insights >> Dashboards >> Due Diligence


For a generic "How to use" guide for the Due Diligence Dashboard, click here.


In the dashboard, you find a summary of the risk results, according to the 13 LkSG reporting categories:


1. The result across your suppliers


2. The result by supplier


The risk level of a given LkSG risk category (M1-M10 and U1-U3) is calculated for each supplier as a weighted arithmetic average of the abstract (country + sector risk) and concrete (Maturity Assessment) risk. The overall risk of a supplier across all LkSG risk categories is calculated as the mean of the risk levels in these risk categories.


3. The calculation methodology and the data sources used are described in more detail on the page "Learn how risks are calculated", which is accessible from the dashboard.


Follow these steps to use the due diligence dashboard for your LkSG analysis: 


1. Validate the automatic analysis to check whether you want to exclude risk categories from the risk identification process. This may be especially relevant where no data is available to quantify country or sector risks (e.g., if data is missing for both the sector and the country risk; see "Learn how risks are calculated" for what we recommend in this case).


2. Prioritize risk categories according to the "Angemessenheitskriterien" (see the article "Appropriateness" according to the LkSG in the platform for how these criteria are reflected in the platform). You only need to define actions for prioritized risk categories. However, every exclusion needs to be well explained and documented. Focus on the risk category results, not the overall risk. When prioritizing risks, please consider that the results for U country risks have a lower significance than M country risks, because they only state the ratification status in the given country. When the sector risk is high, you should take actions to mitigate the risks, e.g. require the assessment topic "Environmental Protection".


You can find further guidance on risk identification, prioritization and further topics around the LkSG in the BAFA guides (many also available in English): https://www.bafa.de/DE/Lieferketten/Ueberblick/ueberblick_node.html 

The results of the risk analysis should be reflected in your human rights policy (Grundsatzerklärung).



Following steps 1 and 2, can I "overwrite" the dashboard's automatic results? 


There are two ways to document results that differ from the automatic results, e.g. following an expert evaluation or actions taken to gather further risk information outside the platform:

  • Use tags to categorize suppliers according to your own risk assessment, e.g. using the predefined "low/high risk" tags. You can also define your own tags. Afterward, you can easily filter suppliers for your risk assessment. See here on how to apply tags: What are tags for and how do I use them?
  • Document your own assessment as a preventative action. An action category often applicable is "Additional risk information". See this article on how to use actions: What are actions and how do I use them?



Use the filter function of "Recommended Maturity Assessments": 


  • You can filter for 4 different Maturity Assessment topics to get a list of suppliers that the system identifies as recommended recipients for the chosen topics.


  • If you filter for the suppliers to send, e.g., the topic "Human rights and labor" to, the list will show all suppliers that are recommended for this topic.


  • If a supplier is recommended for the filtered topic but also for another one, e.g. "Environmental Protection", this is also shown directly for every supplier in the list view.


To learn how the logic behind the feature "Recommended Maturity Assessment" works and how the system identifies the right suppliers to send specific assessments to, please read the following article: Recommended Maturity Assessments



b. Implement and document preventive measures to react to prioritized risks: 


There are generally two types of preventive measures that can be documented via the platform: 


Measure type 1: Standardized measures applicable to a large number of suppliers: use platform requests to require suppliers to implement the measures.


You can directly send requests via the due diligence dashboard by:


1. Selecting the relevant suppliers


2. Clicking on "Send Request".


There are eight request types that can be used. The following article shows how to send requests to suppliers and contains links to all articles on how to fill in and send a specific request type: How do I send requests to my suppliers?



Measure type 2: Individual measures defined on a case-by-case basis --> document measures as actions in the platform (See: What are actions and how do I use them? and Action Types)



c. Prioritize risks and implement and document preventive measures for non-registered suppliers: 


You can use the risk check (see: How to perform a Risk Check of not registered-suppliers on the sustainabill platform) to prioritize suppliers for follow-up actions according to their risk profiles. Use the resulting Excel download as a working file:

  • You can manually adapt the results based on your own analyses or any additional information you gathered (e.g. a check of material that suppliers might send you outside the platform)
  • You can document any results of your analyses in the following forms
  • Based on your analysis of the risk check, you can reinforce your activities to persuade prioritized suppliers to register on the platform in order to get additional risk information (personal follow-up, integration into annual supplier meetings)



To know how you can use the information for reporting under the law, please see this article: Preparing the BAFA report

