Since the Supply Chain Due Diligence Act came into force at the start of the year, implementing its requirements has become a fixed part of daily business for many companies. In this article, we point out the aspects that have turned into recurring issues and that have to be considered in order to implement the Act properly.

The Supply Chain Due Diligence Act has been in force since 1 January 2023 and has to be implemented by businesses with more than 3,000 employees working in Germany. From the start of 2024, the duty to implement it also applies to businesses with more than 1,000 employees. Apart from the obligation to implement the rules of the Act, strict implementation of the measures is of particular concern to retailers. In retail, there are numerous and wide-ranging supply chains – product ranges include goods from a wide variety of traders from the most varied sources, and adherence to human rights and environmental standards often varies enormously between different countries. Ethical business practices are increasingly important to customers, so businesses should also pay close attention to this in their own interest.

Practical experience in implementing the Supply Chain Due Diligence Act

Our experience so far shows that the following questions in implementing the Act are relevant to almost every business:

How can existing structures be used to implement the Supply Chain Due Diligence Act?

Unlike with the introduction of the GDPR in 2018, for example, most businesses today have corporate governance structures in place and so possess the requisite awareness. This makes implementation much easier because the mechanisms of the existing systems can be drawn on. For example, it helps to have a defined methodology for compliance risk assessment in evaluating risks consistently in the company’s business. A risk survey can be carried out on direct suppliers, linked to aspects of the risk management system. Established internal control system structures also allow steps to be taken to implement duties of care within the organisation and especially subsidiaries, e.g. by adding to the minimum control set. Finally, existing reporting structures can be built on and management informed in an integrated way.

Who is responsible for risk management related to the Supply Chain Due Diligence Act?

A condition for the effectiveness of the risk management related to the Supply Chain Due Diligence Act is that a human rights commissioner is appointed, although this person does not need to bear this designation. But where should this role be located within the organisation? Projects for implementing such rules are often initiated from purchasing but that area is typically not viewed as being responsible for the company’s business. Furthermore, it is not closely related to the whistleblower system which is employed in the complaints procedure. The best solution has proven to be locating systemic responsibility on the second line of the Three Lines Model, which is most frequently the compliance department. This ensures the necessary independence and proximity to management.

Is it absolutely necessary for the company to have its own IT tool?

Many companies face particular challenges when analysing the risks posed by direct suppliers. What information can or must be gathered? Which suppliers have to be included? How often does the risk analysis have to be repeated? Software applications can be a big help here, particularly when they are able to access the data on suppliers in the ERP system by means of an interface. At the same time, these applications often come with high costs. The value that an IT-supported solution adds should therefore be weighed up carefully and ideally only after carrying out an initial risk survey. It can then be estimated much more accurately how many suppliers have to be monitored so closely that it is no longer possible without support from software. In the retail sector, the large number of suppliers involved tends to speak in favour of using IT. At the same time, sourcing suppliers mostly locally may indicate a lower risk appetite and therefore require a lower level of complexity in the risk survey.