1. LkSG Introduction

The aim of the LkSG Guide document is to enable readers to use Prewave's software to fully comply with the due diligence requirements of the LkSG (= German Supply Chain Act) for their organisation and to explain all the necessary concepts. Readers should understand which features and functions are used for which purpose. This document is accompanied by an LkSG Click Guide document, which explains the processes and concepts described here in detail and explains step by step which actions you need to perform in Prewave to be able to carry out your LkSG project from start to finish. You can always jump to the Click Guide via links in the text of this document so that, in addition to the explanations of the concepts and processes, you can always find the relevant instructions that you need to carry out your tasks in Prewave.

1.1. Overview of topics

As an introduction to the structure of the LkSG guidelines, it should be mentioned that the chapters essentially follow the chronological sequence of the process steps required to fulfil the due diligence obligations of the LkSG.

The first chapter provides an introduction to the document structure as well as an overview of the services you can expect from Prewave in the context of fulfilling the LkSG due diligence obligations.

The second chapter explains the practical implementation of the risk analysis requirements using Prewave.

The third chapter explains how to deal with reported incidents and identify breaches. It also explains how to plan and implement remedial measures in Prewave based on this.

Chapter 4 is dedicated to the function of the complaints mechanism within Prewave.

Chapter 5 contains detailed information on creating a report for reporting to BAFA.

Finally, Chapter 6 summarises all the appendices that were presented in the previous chapters to improve understanding.

1.2. Learning aids

Learning aids are constantly used in the guideline document to help the reader to relate content, to delineate knowledge that is not related to the topic but is useful, or simply to repeat knowledge that has already been taught.

👩‍⚕️ Expert tip: Some knowledge goes beyond the scope of individual chapters. For those of you readers who are interested in comprehensive contexts or niche knowledge and want to see yourselves as experts, such expert tips are a must.

🧠 Good to know: At the end of a paragraph or chapter, the most important components of complex concepts and processes are summarised in order to reduce complexity.

🤓 Examples: In order to translate theory into practice in an understandable way, this document provides application examples to make processes tangible and comprehensible.

📝 Reminder: Contexts that have already been described are repeated from time to time in the document. This serves to refresh the memory and explicitly emphasise necessary content in its various contexts.

1.3. Fulfilment of due diligence obligations

#1 Establishment of risk management and internal responsibility (§4)

The law requires companies to introduce and effectively implement appropriate risk management. Here's what you should do:

  • Set up a "Supply Chain Act Roundtable" to allocate and permanently define responsibilities. At a minimum, the management, compliance department, legal department, purchasing department and (if available) CSR department should take part. Tip: Other departments may also be able to contribute valuable information, e.g. Product Development, Quality Management. The "Supply Chain Act Roundtable" should meet at regular intervals.
  • Record the responsibilities/monitoring measures in writing (in your compliance management system). Tip: If you already have a company-wide CSR/sustainability strategy, it makes sense to integrate your measures as part of the implementation of the Supply Chain Act into this strategy (e.g. link to point 6.6.6 ISO 26000).
  • As management, define the financial and human resources for appropriate monitoring of the supply chain (= own business unit and direct suppliers, and indirect suppliers if there is substantiated evidence). A study by the EU Commission estimates additional costs of 0.005% of turnover for monitoring the entire supply chain.
  • The law recommends the establishment of the position of a human rights officer who reports directly to the management. Note: When creating a new position, care should be taken to ensure that the person is sufficiently informed and involved in good time to fulfil their duties. They should be in regular contact with other departments involved in order to avoid system errors and minimise the "human" risk.
  • Management must be informed of the current status of the work at least once a year and on an ad hoc basis.
 
Extract from TW guidelines on the Supply Chain Due Diligence Act

#2 Adoption of a declaration of principles (§6 (2))

The law requires companies to adopt a policy statement and sets out the minimum content. Here is what you should do:

  • As management, adopt a policy statement that must include: (i) a description of the process by which the company fulfils its due diligence obligations, (ii) the risks identified in the risk analysis with reference to the relevant international agreements, (iii) human rights and environmental expectations that the company has of its employees and suppliers.
  • Note: Policy statements are usually brief and only roughly state that the company is committed to protecting human rights, which risks the company has recognised in particular and what it does and expects to do about them (human rights strategy). There are numerous templates on the Internet that you can use as a basis. The declaration of principles serves as the basis for your own Code of Conduct and the Supplier Code of Conduct. Tip: Check (also in future) whether your existing policy statement is specific enough, as the law requires the company to at least name its key measures in the context of risk analysis, prevention, remediation, reporting obligations and grievance mechanisms. The human rights-related expectations are likely to be centered in the mitigation and defence of human rights risks.
  • Communicate the (new) policy statement to employees, the works council, suppliers in the supply chain and the public.

Extract from TW guidelines on the Supply Chain Due Diligence Act

Info box "Prewave support":

The fulfilment of this duty of care is not supported by Prewave. However, existing policy statements have been published by other companies which you can use as a guide. We therefore recommend that you search the web using the search terms "policy statement" AND "LkSG"; you will quickly find what you are looking for.

Preparatory measures!

1. Draft policy statement (When? In any case immediately after risk analysis)

2. "Further relevant documents": probably an indication that the policy statement can also be spread over several documents

3. Contents of policy statement to be presented in detail via questionnaire (due diligence obligations of the LkSG)


#3 Carrying out regular risk analyses (§5)

The law requires companies to carry out an appropriate risk analysis as part of their risk management. You should do the following here:

- At least once a year and on an ad hoc basis: Determine whether there is a risk that your own business activities or the business activities of your direct (or indirect if there are indications) suppliers violate human rights. A risk analysis is "incident-related" if the company must expect a significantly changed or significantly expanded risk situation in the supply chain, for example due to the introduction of new products, projects or a new business area. Tip: Embed the principle of regular risk identification in your compliance management system.

- To do this, take stock of all your company's business activities and business relationships → Where could human rights be affected? These result from internationally recognised agreements, in particular the ILO core labour standards, which are conclusively referred to in the law. Please note: The risks for those potentially affected must be determined, not the risks for the company itself.

- What is the best way to take stock? According to the law, the method of obtaining information is at the discretion of the company. Tip: Start by utilising internal knowledge and existing mechanisms. As described above under risk management, a "Supply Chain Act Roundtable" makes sense here. You can also access external knowledge, such as the "Human Rights Due Diligence Information Portal" of the German UN Global Compact or CSR Risk Checks online (e.g. https://www.mvorisicochecker.nl/en). Other approaches may be useful or even necessary, e.g. conduct supplier surveys (especially if the supplier may have superior knowledge or the risk originates from their sphere), conduct on-site inspections, seek dialogue with (potentially affected) stakeholders, such as employees, trade unions, local residents. Also take into account findings from the processing of information in the complaints procedure. Compliance tip: Possible content for surveys/inspections as well as the associated responsibilities, processes and control mechanisms should be collected and recorded in advance.

- Prioritise the identified risks (according to "appropriateness criteria" = (i) type and scope of business activity, (ii) company's ability to influence the direct causer, (iii) expected severity of the breach, (iv) reversibility of the breach, (v) likelihood of the breach occurring, (vi) type of contribution to the cause), especially if you cannot address everything at the same time. Note: Prioritisation is also not about the interests of the company, but the interests of the (potentially) affected parties. Tip: The explanatory memorandum to the law mentions the "ordered procurement quantity" as an example under the criterion of influence. You should take this into account in contractual provisions.

- Communicate the results of the risk analysis to the relevant decision-makers in the company, in particular management, legal department, compliance, purchasing, CSR department, human rights officer(s).

Extract from TW guidelines on the Supply Chain Due Diligence Act

Info box "Prewave support"

With the help of Prewave, you can fulfil the requirements for a regular risk analysis in just a few steps. In Prewave, human rights and environmental risks are identified and can then be weighted and prioritised in our risk tool according to the criteria from section 3 paragraph 2 (more information on this under 2.2.). 

The obligation to communicate results to decision-makers can be easily realised with the help of our numerous export functions. It is also possible to invite your colleagues to the Prewave platform to give them an insight into the processes.

Prewave allows you to differentiate between regular (annual) and ad hoc risk analyses. This enables you to keep track of your risk analyses and provide adequate reporting.

#4 Preventive measures in own business area and with direct suppliers (§ 6 para. 4)

Own business area

The law requires that companies must immediately implement appropriate preventive measures in their own business area if a risk is identified. Here is what you should do:

- Develop/update your own company codes of conduct based on the policy statement. Carry out regular updates.

- Integrate sustainability into your purchasing practices. Procurement plays a decisive role in avoiding and minimising human rights risks. Tip: ISO 20400 "Sustainable Procurement" provides guidance on what sustainable procurement can look like - it contains information on the corresponding strategy, organisation and processes.

Please note: Interestingly, the explanatory memorandum to the law specifically mentions contract design elements that have a significant influence on the human rights risk, such as purchase prices, delivery times, cost specifications and time pressure. Therefore, especially when concluding contracts in high-risk areas, make sure that the overall design of the contract does not increase the risk of human rights violations. In addition to the relevant contractual elements specified in the law, other elements such as payment terms (not too long) should be considered. It is also a good idea to offer the supplier incentives such as bonus structures or an extension of the business relationship/contract renewal option if certain sustainability goals are achieved or participation in sustainability investments. On the subject of "sustainable contract design", please also read our publication "Sustainable Supply Chains".

- Procurement guideline: for individual procurement steps (e.g. product development, order placement, purchasing, production lead times), define the precautions to be taken to minimise or prevent the identified risks.

- Carry out employee training/education on the relevant codes of conduct and guidelines (especially in purchasing), e.g. when onboarding new employees. Tip: Regular training leads to a corresponding sensitisation of employees and to a reduction in resistance (trade-off thinking). This increases the chances that the implementation measures of the Supply Chain Act will not ultimately fail due to a lack of change management. Compliance tip: If possible, expand your existing training programmes to include the topic of "Supply Chain Act".

- Check on a risk basis whether the defined measures are actually being adhered to and implemented in the individual business areas of the company.

- The effectiveness of the specified preventive measures must be reviewed once a year and if necessary on an ad hoc basis. Findings from the processing of information from the complaints procedure must be taken into account. The measures must be updated immediately if necessary. Tip: In order to be able to measure whether individual measures are effective, it makes sense to set specific targets, e.g. with regard to the number of training sessions.

Extract from TW guidelines on the Supply Chain Due Diligence Act

Within your supplier base

The law requires that companies must immediately implement appropriate preventive measures against a supplier if a risk is identified. Here is what you should do:

- Make a careful supplier selection and supplier assessment. Note: Certifications such as SMETA (SEDEX), SA8000, BSCI or industry-specific seals are only a first point of reference, as their content varies. In certain supply chains, it is possible that no supplier possesses any certificates. In such cases it is all the more important that careful supplier selection also requires your own surveys and checks of your own human rights-related expectations. Compliance tip: Link human rights and environmental issues to existing processes in the area of business partner screening.

- Develop/update your code of conduct for suppliers based on the declaration of principles. Make regular updates. Considerations regarding supplier development (e.g. long-term cooperation) can also be useful, particularly in recognised problem areas. Participation in industry initiatives can also be useful and have a risk-minimising effect; in addition, influence can be increased and synergy effects achieved.

- Drafting of contracts: Obligate your contractual partner appropriately. In addition to the general codes of conduct, this also requires specific details in individual contracts, depending on the results of the risk analysis. Contractual regulations consist of an interplay between obligations (behavioural obligations, reporting obligations, auditing obligations) and sanctions such as contractual penalties and termination options. The explanatory memorandum to the law also mentions other examples, such as that the contractual partner must only purchase products from selected (previously audited) suppliers or must provide proof that certain products come from certified regions or raw materials from certified smelters (Chain of Custody certification). Interestingly, the law also specifically mentions the use of "pass-on clauses" in relation to upstream suppliers. In other words, the supplier is to be obliged to enforce the Supplier Code of Conduct vis-à-vis its suppliers by means of suitable contractual provisions. Please note: To date, such "pass-on clauses" have been viewed critically under German general terms and conditions law, as they can restrict the supplier's freedom of disposition, meaning that "endeavour clauses" were previously considered more permissible. This could change as a result of the LkSG and lead to a need to edit corresponding provisions in the Supplier Code of Conduct. On the subject of "sustainable contract design", please also read our publication "Sustainable Supply Chains".

- Carry out supplier monitoring, in particular with regular audits of suppliers. Compliance tip: Specify in particular which types of audits should take place (self-assessment, self-audit, third-party audit, audit with certification), which questions should be asked of the supplier, how often such checks should take place, how this process should be reviewed within the company and thus designed to be audit-proof.

- Carry out supplier training/education on your expectations and recognised risks.

- The effectiveness of the preventive measures must be reviewed once a year and on an ad hoc basis. Take into account findings from the processing of information from the complaints procedure. The measures must be updated immediately if necessary. Tip: In order to be able to measure whether individual measures are effective, it makes sense to set specific targets, e.g. with regard to the number of "sustainably" selected suppliers or the number of inspections.

 

Info box "Prewave support"

Prewave enables you to implement suitable procurement strategies and purchasing practices in your own business area, as required by law. You can use Prewave to check new suppliers before concluding a contract and introduce suitable preventive measures based on the risk exposure identified. In addition to consulting Prewave prior to supplier onboarding, it is also possible to integrate Prewave's risk data directly into your SRM and BSM systems.

#5 Taking remedial action (§7 para. 1-3)

The law requires companies to take immediate remedial action to prevent, stop or minimise imminent or actual breaches. Here's what you should do:

- In your own business area, you must take remedial action that leads to the cessation of the breach.

- In the event of (imminent) breaches in the business area of the direct (or, in the case of tip-offs, indirect) supplier, you must - if you are not in a position to end the breach yourself - immediately draw up a corrective action (time) plan together with the supplier to minimise and prevent the breach, which typically contains the following elements: (i) First, ask your supplier to correct the noncompliance by a specific date. Make your requirements clear and offer concrete support. Consider, for example, the involvement of affected persons, trade union representatives or civil society organisations. (ii) Join forces with other companies to increase the pressure on the supplier (e.g. via industry initiatives or other companies working with the supplier). (iii) If it is foreseeable that the supplier will not fulfil the requirements, you should enforce a contractual penalty, temporarily suspend the business relationship or remove the company from possible award lists until the supplier has ended the violation. Compliance tip: Regularly check whether your escalation levels are leading to success and define responsibilities, both in terms of who has which tasks internally and who is to be informed in which cases. Document your measures. Tip: Up to now, the legal requirements for an action plan have often not been included in the Code of Conduct in this form, so contractual adjustments should be considered.

- The law only provides for the termination of business relationships with a supplier as a last resort. Tip: Take a look at how the topic of "breaches" is covered in your current codes of conduct. Companies often stipulate here that the cooperation is terminated immediately if an infringement occurs. Corresponding regulations may need to be revised.

- The effectiveness of the preventive measures must be reviewed once a year and on an ad hoc basis. Findings from the processing of information from the complaints procedure must be taken into account. The measures must be updated immediately if necessary.

Extract from TW guidelines on the Supply Chain Due Diligence Act

 

Info box "Prewave support"

With the Incident and Action Manager, you have your remedial measures under control. Based on so-called "alerts" (incident reports), you can plan your remedial measures directly from the alerts and also carry them out in Prewave. All actions are documented in Prewave and can be used at various levels for reporting and effectiveness analyses (more on this in 3.1).

#6 Establishment of a complaints procedure (§8)

The law requires companies to set up an internal complaints procedure without delay. Here is what you should do:

- The purpose of the grievance procedure is to enable (i) (potentially) affected persons in your own business area and in and around the supply chain and (ii) persons who have knowledge of possible violations to draw attention to human rights and environmental risks and violations. Alternatively: Participation in an external grievance mechanism (e.g. an industry association) provided it fulfils the accessibility, transparency and integrity requirements set out in the law. Note: The complaints procedure must therefore be accessible beyond the immediate supplier to the named persons within the entire supply chain.

- Requirements for the complaints mechanism: The procedure must be defined in writing, in particular: Who are the target groups? What happens in the event of a complaint? What procedural steps follow? What is the timeline? Users do not suffer any disadvantages by utilising the complaints procedure! Confidentiality and data protection are guaranteed! The persons entrusted by the company with the implementation of the procedure must offer a guarantee of impartiality.

- Guarantee access to and use of the complaints mechanism. When making it accessible, a combination of different complaint channels (depending on the target group) is recommended. For example, consider setting up hotlines/e-mail addresses/websites, complaint forms, imprints on products, (internal/external) contact persons. Note: Where risks have been identified, particular attention should be paid to how barriers to the complaints procedure (e.g. language, fear of consequences) can be minimised.

- To ensure that the respective complaint channels are also recognised, you must provide public (website) and regular targeted information about the complaints procedure. The procedure must also be made transparent.

- The effectiveness of the complaints procedure must be reviewed at least once a year or on an ad hoc basis and updated immediately if necessary.

- Difference to the whistleblowing system under the Whistleblowing Directive/Whistleblower Protection Act: The complaints procedure under the Supply Chain Act is more far-reaching in that it must also be accessible to persons outside the company. The whistleblowing system under the Whistleblower Protection Act is broader in its scope of application (reporting violations of Union law) and sets out even more specific requirements as to how the whistleblowing system should be organised. It makes sense to combine measures that will be necessary under both drafts. We are happy to provide support, including with the implementation of technical solutions.

Info box "Prewave support"

Prewave provides all customers with the so-called Grievance Report functionality to ensure compliance with the requirement described in §8. With this functionality, Prewave provides a communication channel between the grievance source and the company. Once the customer profile has been successfully created on the Prewave platform, each person has the opportunity to register on the platform free of charge and to file an anonymous complaint in the customer profile. In the event that a complaint is received against our customers via the Prewave platform, it is forwarded via the feed to the dedicated "Grievance Manager" (extra role to guarantee clearly assigned and responsible processing of complaints in the system).

The processing of complaints is the responsibility of the customer. Prewave only provides the communication channel and relevant functionalities to simplify the process.

Good to know: If a grievance mechanism already exists, Prewave can redirect all complaints received through the platform to the existing procedure.

Extract from TW guidelines on the Supply Chain Due Diligence Act

#7 Implementation of due diligence obligations for indirect suppliers (§9)

Info box "Prewave support"

By using Prewave, you not only have access to an automatic whistleblowing system, but also to an automated weighting and prioritisation of the notifications produced (also known as alerts). With Prewave, you can easily fulfil the obligations described in Section 9 (5) (1-2). In the case of the due diligence obligation to implement event-related risk analyses described in Section 5 (3), you can use the Analysis Feature to analyse all your direct suppliers for risks at any time using the data from Supplier Risk Scoring.

The appropriate preventive measures described in Section 9 (2) can not only be documented with Prewave but also implemented. Prewave offers the necessary action tools that enable you to execute and document all your measures, from internal audits to on-site audits. In addition to achieving LkSG compliance, this enables you not only to improve your supply chain intelligence capabilities, but also to increase your real influence on suppliers.

The implementation of a concept for the prevention, termination or minimisation of incidents according to §9 para. 3 is already programmatically implemented in Prewave through a recommendation system.

#8 Documentation and reporting (§ 10 para 1-2)

The law requires companies to document the fulfilment of due diligence obligations and report on this once a year. You should do the following:

- Document your due diligence obligations fulfilled under 1. to 7. on an ongoing basis and keep the documentation for at least 7 years.

- Report once a year (no later than 4 months after the end of the financial year) on the previous year's fulfilment of your due diligence obligations, in particular on the risks identified and the measures taken. You should also assess the effectiveness of the measures and your conclusions for the future. If you have not identified any risks, no further explanations are necessary. Trade and business secrets do not have to be disclosed. Electronic access to the report format is provided by the Federal Office of Economics and Export Control.

- Make your report publicly accessible on your website free of charge for a period of 7 years.

Extract from TW guidelines on the Supply Chain Due Diligence Act

Info box "Prewave support"

Prewave stores all data relating to risks, complaints and preventive and corrective measures. A relevant selection of the data (incidents, supplier-specific and supply chain-specific risks and results from questionnaires) is available to the customer in the system and exportable at any time. Prewave also provides a report based directly on the requirements of the BAFA guidelines, which you can export at any time based on current and historical data. This can be customised via the Report Centre with just a few clicks and exported ready for reporting (with the exception of chapters A, D and E; for these, an answer matrix is provided which is filled in by the customer).
