Update Compliance 22 /2022

First BAFA Guidance on risk analysis under the Supply Chain Due Diligence Act

On January 1, 2023, the Supply Chain Due Diligence Act will enter into force for companies with more than 3,000 employees in Germany. The Federal Office for Economic Affairs and Export Control (BAFA) published its first Guidance on conducting a risk analysis as required by the German Supply Due Diligence Act on August 17, 2022, (still) well before the deadline. The guidance was drafted in an endeavor to aid companies in implementing the risk analysis.

The due diligence obligations under the Supply Chain Due Diligence Act

The Supply Chain Due Diligence Act requires a significant number of businesses to respect human rights and protect the environment beginning on January 1, 2023. Companies will then be required to ensure that violations of human rights and environmental hazards in their own supply chains are identified early on, avoided, or eliminated. To achieve this objective, Section 3 Supply Chain Due Diligence Act outlines a comprehensive list of various measures or procedural steps – known as corporate due diligence obligations – that must be implemented by the relevant companies. The risk analysis is at the core of the obligations associated with due diligence.

Risk analysis as a fundamental requirement of due diligence

Companies should identify, evaluate, and prioritize human rights and environmental risks for their own business area and the business area of their direct suppliers using risk analysis. The results of the risk analysis must be communicated internally to company decision-makers and appropriately incorporated into future business activities. The risk analysis is highly relevant due to the fact that its results provide the foundation for delineating effective preventive and corrective steps. For instance, the declaration of principles cannot be issued unless a risk assessment has been conducted beforehand. Nonetheless, the pertinent regulations of Section 5 Supply Chain Due Diligence Act and the Act’s explanatory memorandum contain only general requirements for conducting risk analyses.

Assistance from BAFA in conducting the risk analysis

As a supervisory authority (and fine authority), BAFA is responsible for monitoring the implementation of the Supply Chain Due Diligence Act’s business obligations. In addition, Section 20 Supply Chain Due Diligence Act mandates that BAFA publish “cross-industry or industry-specific information, assistance, and recommendations” regarding compliance with the Supply Chain Due Diligence Act in “Guidances.” The recently issued Guidance summarizes the key risk analysis requirements of the Supply Chain Due Diligence Act and outlines practical implementation options for the affected companies. Notably, BAFA emphasizes multiple times that the affected companies have discretion in the design and method selection of the risk analysis, and that the implementation of the risk analysis is also subject to reasonableness due to the companies’ finite resources.

In the Guidance, BAFA provides information regarding:

  • the cross-references between risk analysis and the other elements of due diligence obligations and processes;
  • the proportion of routine (annual) risk analyses to event-specific risk analyses;
  • the implementation steps of the risk analysis, from the preparation to its execution to the evaluation of the results, in each case related to the regular and the event-related risk analyses; based on a series of tables with example cases, BAFA always recommends moving from an abstract risk consideration to a specific risk consideration considering the circumstances of the particular company;
  • the necessity to prioritize identified risks based on the Supply Chain Due Diligence Act’s adequacy criteria;
  • the importance of the results of the risk analysis to the development of preventative measures.

The catalog of criteria for the adequacy test and the data collection with additional implementation aides are also helpful.

Assessment of the recommendations

BAFA’s Guidance once again demonstrates the prominent position and significance of risk analysis within the canon of due diligence obligations under the Supply Chain Due Diligence Act and offers helpful information on preparing and implementing regular and event-driven risk analyses. What is startling, however, is the presentation that indirect suppliers would also need to be included in an analysis of event-related risk due to a change in business activity. The Supply Chain Due Diligence Act and the Act’s explanatory memorandum do not make this clear. Rather, Section 5(1), (4) Supply Chain Due Diligence Act states that only a company’s own business area and direct suppliers are the subject of its regular or ad hoc risk analysis. With respect to indirect suppliers, on the other hand, a risk analysis is only to be carried out in the event of substantiated knowledge of a due diligence violation in accordance with Section 9(3)(1) Supply Chain Due Diligence Act. It remains to be seen whether BAFA will adhere to its view.

Practice Notes

It is true that the BAFA Guidance is merely legally non-binding guidance which primarily reflects the legal opinion of that authority. As BAFA is the competent supervisory authority under the Supply Chain Due Diligence Act, however, the guidance contained therein should be carefully evaluated by affected companies and – where relevant – at least considered when implementing their risk analyses. Should a change in business activity necessitate an event-related risk analysis in accordance with the law (but contrary to the current BAFA view), it should not be necessary to include the company’s indirect suppliers (except in the case of verified knowledge).

In contrast, larger companies are increasingly demanding contractual assurances from their contractual partners (especially suppliers) that they will observe certain human rights and environmental due diligence obligations. Even supposedly “smaller” companies are thus de facto obligated to implement the due diligence requirements of the Supply Chain Due Diligence Act. Therefore, companies outside the (direct) scope of the Supply Chain Due Diligence Act should also familiarize themselves with the new due diligence requirements and proactively consider (and, where appropriate, implement) them.

According to BAFA, additional Guidances will follow. A structured questionnaire to draw up the annual report was recently published. A Guidance on the complaints procedure is also to follow.

Download as PDF

Contact persons

You are currently using an outdated and no longer supported browser (Internet Explorer). To ensure the best user experience and save you from possible problems, we recommend that you use a more modern browser.