2. Phase 1: Preparation and regular risk analysis

If your organisation is implementing Prewave for the first time as part of the software-supported implementation of the LkSG, note that an initial setup takes place in addition to the regular, annually recurring LkSG project process. This includes, for example, certain IT-relevant setups such as the API or SSO (Single Sign-On) connection, but also user invitations and the initial transmission of supplier data. The regular, annually recurring LkSG project process includes all steps necessary to fulfil the due diligence obligations, from the risk analysis to the BAFA report, and is the subject of this guideline document.


Exemplary Implementation Workflow 

 

Exemplary workflow within a business year

🧠 Good to know:

The deadlines shown in the image may change depending on the legal situation. You can find the exact specifications directly on the Website of BAFA.

2.1 Step 1: Preparation


At the start of the project, Prewave must be provided with the necessary data to make the system operational and to enable the fulfilment of all other due diligence obligations.


2.1.1 Upload of own business sites and immediate Tier-1 suppliers

Legislation requires companies to obtain an overview of their own procurement structures. Companies often already have a good breakdown of their own locations and their direct suppliers, e.g. from their ERP or SRM systems. To transmit and clarify the minimum requirements for your supplier data, your Account Executive will provide you with a template, the so-called 📎 Discovery-List (📎 +Explanation). This describes the minimum information that must be present so that Prewave can either match your data or upload it to the system. Make sure you know the exact requirements of the discovery list at your kick-off meeting, where Prewave's Account Executive introduces you to your Customer Success Manager and the project process is coordinated. Customers without a Customer Success Manager can consult the knowledge base. The duration of the discovery process may vary depending on the size of the list and the workload; such questions should be clarified after the discovery list has been handed over.

As soon as all data on your own business area and direct suppliers has been provided to Prewave, the implementation phase begins and the project is handed over to your dedicated Customer Success Manager¹. This person, together with the project manager in your organisation, is responsible for the full implementation of your LkSG-compliant risk management. In addition to the implementation stream, the Customer Success Manager is also involved in supporting the realisation of the LkSG stream by explaining the use of Prewave to you in regular meetings and dealing with your questions and suggestions.

What does all necessary supplier data include?

According to the LkSG, you are obliged to subject all your suppliers to a risk analysis. You decide what your supplier scope looks like with Prewave. With Prewave, you have the advantage of being able to determine a supplier risk with just a few data points; as a rule, information regarding the name, country and city in which your supplier/own location is active is sufficient. The provision of a unique identifier, such as DUNS, is preferred and speeds up the matching process, but is not mandatory.

Definition of internal company responsibility

A further step is the definition of internal company responsibility. This can initially be communicated to Prewave at supplier and product group level so that it can be mapped programmatically in Prewave. This is done with the help of collections. Collections can be understood as folders in which suppliers/own locations can be collected and assigned to responsible persons.

🤓 Example: A collection can be assigned to a colleague who is responsible for purchasing plastic components. The collection is then appropriately named "plastic components", filled with the respective suppliers/own locations and the purchaser is assigned as the manager responsible for the collection.

🧠 Good to know: The collection-supplier relationship can already be defined via the discovery list. The assignment of users to the collections takes place as soon as all suppliers and therefore also collections have been successfully set up in the system.

In addition to responsibilities, the responsible persons (= users) must also be transferred to Prewave so that they can be set up in the system. You can find a 📎 user list here, which must be filled with all responsible persons and their permissions in the system (role overview 📎 here).

According to the LkSG, a risk analysis of your own supply chain is required once a year and must be reported (see 📎 Reporting).

The preparatory steps for a risk analysis are described below.

¹ A Customer Success Manager is available if a Customer Success Manager package has been contracted. Customers who have not contracted this service can access all documents in the Knowledge Hub as well as tutorial videos on YouTube.

2.1.2 Supplier discovery


Initially, all suppliers submitted to Prewave must be set up in the system. In this first phase of the ongoing project, all suppliers automatically receive an abstract risk analysis using our Peer Scoring method. This method determines risks from the country risk of the supplier location and from the industry activity. Country risks are defined by global indices (see chapter 11.1.5. Indices in the 📎 Prewave Click Guide), and risks by industry activity are assigned by Prewave (explanation see 📎 here). The duration of this analysis varies between 4 and 12 weeks depending on capacity utilisation and data quality.

👩‍⚕️ Expert tip: During the first risk analysis step, project participants and users already undergo training on the use of Prewave as a risk management system to ensure that their organisation fully complies with the requirements of Section 4.

🧠 Good to know: Future risk analyses with suppliers already in the system can be carried out immediately and at any time.

As already described, the information required to carry out an abstract risk analysis is actively prepared during the system setup. Once all suppliers have been identified, they can be seamlessly transferred to the further analysis process. In the next step, we describe how insignificant suppliers can be excluded from further consideration.

2.2 Step 2: Abstract risk analysis: fulfilment of the requirement for a risk analysis in accordance with §5 


2.2.1 Classification of significant (high risk) suppliers

In the further course of the risk analysis, the findings from the peer scoring are used and interpreted for the abstract risk analysis in order to define which suppliers are to be considered significant in relation to their abstract risk. Now you become active in the system for the first time and use the risk analysis tool in Prewave. You can find a detailed description of how to create a risk analysis in the LkSG Click Guide 📎 on this page.

| Risk group | Risk assessment |
|---|---|
| No | Minor probability of an incident occurring |
| Low | Low probability of an incident occurring |
| Mid | Mid probability of an incident occurring |
| High | High probability of an incident occurring |
| Critical | Critical (very high) probability of an incident occurring |

The definition of what constitutes a significant supplier is generally left to the customer. An efficient and appropriate categorisation according to significance depends on the supplier portfolio, the type and scope of business activities and the customer's internal resources and structures. As a minimum, however, it is recommended (in accordance with the BAFA handout on risk analysis) to consider those suppliers as material that have a high risk (= score 55 or lower) either in the country risk or in the industry/product group risk.

🧠 Good to know: Country risks are derived from various indices used by Prewave (Link).
Industry and commodity risks are derived from the frequency of incidents related to industries and commodity groups, which are statistically determined by Prewave using media screening.

👩‍⚕️ Expert tip: Prewave recommends considering suppliers essential as soon as either the industry score or the country score is < 55, because the supplier then belongs to the high risk group and actual risks are very likely for most suppliers. Prewave relieves you of the work of assigning your high risk suppliers by allowing you to set the threshold values when creating your risk analysis and by displaying a selection of recommended suppliers in the next step of the analysis. You can find out how to make these settings in the Click Guide here.

2.3. Step 3: Detailed Risk Analysis 


2.3.1 Red Flag Screening

The set of significant suppliers identified is then subjected to a specific risk analysis using our red flag screening method in order to check the plausibility of the assumed risks (see the 📎 LkSG Click Guide for details of how this is done in Prewave).

The suppliers are scanned by the Prewave AI for incidents found in digital media and documented in the supplier profiles as so-called Prewave Alerts or just Alerts. 

It is important to understand that not all alerts detected are relevant for your risk analysis. Prewave uses over 140 risk event types to visualise risks in supply chains. Not all of these risk event types are relevant for a risk analysis in accordance with the LkSG. For example, financial risks at a supplier are irrelevant for the considerations of the LkSG, whereas risks relating to the use of child labour are very relevant. In order to be able to make distinctions in the risk assessment, Prewave has so-called perspectives in which a selection of risk event types are created in order to be able to assume a specific risk "perspective". It is therefore important that you ensure that you have selected the LkSG perspective for all your LkSG-specific analyses. 

What happens with the detected alerts?

Once you have ensured that the LkSG perspective has been selected, only those alerts that fall under LkSG-relevant risk event types are included in your analyses and thus also in the alert score. What is the alert score? The alert score is a further score component alongside the peer score and is therefore a quantified representation of the risks identified in the red flag screening. 

Together with the results from the peer scoring, this yields a collective risk score, which in the Prewave environment is called the Full Score (360° score) and describes concrete risks as well as abstract risks. The image on the left shows the summarised result of a red flag screening for an example company. The detected incidents are automatically weighted according to risk in the red flag screening and, depending on their relevance for the considerations of the LkSG legal positions, transferred to an LkSG risk scoring (see image below right).

Experience has shown that the initial suspicion based on the abstract risk analysis is plausible for 10% of all initially delivered suppliers, depending on their business area. The next step will show you how to find out for which of these suppliers you actually need to take action.

2.3.2 Maturity Assessments

As a new service and extension of the specific risk analysis, Prewave has also been offering maturity assessments since September 2023. Prewave identifies certifications, policies and audit reports made publicly available by the supplier on its website and incorporates these into the supplier's assessment score. This has two major advantages: (1) the specific risk analysis is based on another data source and is therefore more reliable, (2) suppliers who can already demonstrate a high level of maturity on the basis of the maturity assessment do not have to submit another assessment.

2.4. Step 4: Weighting and Prioritisation 


After the detailed risk analysis, Prewave is used to carry out a weighting and prioritisation in accordance with Section 5 (2) (described in Section 3 (2)). All risk suppliers are evaluated on the basis of the detected risks (risk score) and the impact. This means that two further 📎 appropriateness criteria, defined by the LkSG, are now included in the considerations in this step. The capacity to influence and the contribution to causation now make it possible to determine a third and ultimately action-orientated value, the so-called Action Priority. Put simply, this means that all high risk suppliers are now also checked to see whether the relationship with the supplier is extensive enough to consider taking action as meaningful. The action priority should therefore be regarded as a guiding value for the next steps in the risk analysis. Prewave recommends taking appropriate preventive measures in accordance with Section 6 of the LkSG for all suppliers with an Action Priority of HIGH or CRITICAL.


2.4.1 How are RISK and IMPACT actually assessed? 

RISK explained:
Many appropriateness criteria are already taken into account by the risk score. The following explains how the individual appropriateness criteria are respected in Prewave's risk analysis method.

Type and scope of business relationship

The type of business activity is assessed using country, industry and commodity risks, among other things. Depending on location, industry and product groups in which your supplier operates, these risks are mapped in the peer score using the aforementioned components. 

The scope of the business activity is taken into account in alerting and consequently in alert scoring. As their sites are also brought into relation with alerts from the entire company complex (company level), the size and complexity of the company is taken into account. This factor will also be highly relevant when it comes to determining the intensity of the prevention measures at the location, as high complexity requires high intensity in order to implement your own measures in the affected processes at the location.

Severity and likelihood of incidents

The severity of the risks identified for each supplier or own location is assessed using the rating scale of the LkSG perspective with regard to the intensity of the violation (see perspective matrix). The severity of the incident is categorised on the basis of the risk category as described in the LkSG, as well as on the basis of how close an incident is to the company's own procurement structure (Direct = supplier site affected, Company = one or more related sites at the supplier are affected, Tier 2+ = the deeper supply chain is affected).

The probability of occurrence is taken into account with the help of the country, industry and commodity risks in the form of the peer score. The frequency of reported incidents with a poor score is also reflected in the alert score. The questions in the self-assessments are also designed in such a way that their scoring logic reflects a certain probability of occurrence of events via the score. For example, a lack of certifications provides information on the extent to which a supplier has implemented measures that help to minimise risks. The lack of such certification then has a correspondingly negative impact on the risk score.

 

IMPACT explanation:

The impact is determined based on the considerations of the influencing capacity and the causal contribution. How these dimensions are operationalised in Prewave is explained below:

Influencing capacity
The influencing capacity over direct suppliers is determined by comparing spend (business volume) and revenue (total sales), or more precisely, by dividing spend by revenue. For example, a supplier with an annual spend of €1bn and a total annual turnover of €10bn has an influence of 10%. You are responsible for specifying the business volume for the supplier; it is typically already specified in the supplier upload, but can be submitted or updated at any time. Prewave determines the total turnover (based on publicly available data) as part of the detailed analysis of the main suppliers and provides this for the impact calculation.

| Spend / Revenue Ratio | Impact Category |
|---|---|
| 0-1% | No |
| 1-3% | Low |
| 3-7% | Mid |
| 7-20% | High |
| 20-100% | Critical |

Contribution to causation

In line with the BAFA's expectations, a numerical value is used for the contribution to causation, which you can define independently for each supplier. This is done in the supplier profile's data tab. The consequence of ticking this information is an increase of the impact value by +1, meaning that where the impact may originally have been Mid, it would now be High.

One example where it would be appropriate to indicate a causal contribution across the board is if decision-makers from your own company are also in decision-making positions at the supplier. Many other reasons are conceivable, so it makes sense to agree internally on the necessary conditions that represent the existence of a causal contribution.

The impact, i.e. the ability to influence and the contribution to causation, is generally assessed as critical in the company's own business area. This is because in the case of risks and violations in the company's own business area, the company usually causes the risk or violation itself, as it is responsible for complying with human rights and environmental standards.

Synthesis


To reiterate: This two-dimensional view of your suppliers results in the action priority defined by Prewave. It provides an indication of which suppliers ultimately need to be addressed with preventive measures or perhaps even remedial measures.

As an example, you can see such an evaluation by action priority in the Prewave Risk Matrix in the image below. The correlation quickly becomes clear: the higher the risk, the faster action can be taken, even with a lower impact. Conversely, with a high level of influence, the system recommends action even at a lower risk.

2.4.2 Frequently Asked Questions

How often do I have to perform a risk analysis? 

Once a year with all own locations and direct suppliers on the self-selected reporting date within the relevant financial year.


When do I have to perform an ad-hoc risk analysis?

The obligation to analyse risks on an ad hoc basis applies to circumstances that have significantly changed or added risks, and it applies everywhere in the supply chain, for both direct and indirect suppliers. The risks to be analysed are those that are obviously new or have changed significantly (e.g. due to the introduction of new products, projects or a new business area).


2.5 Step 5: Fulfilment of requirements for prevention and remedial measures according to §6 & §7 LkSG


Definition of terms: 
Before describing the implementation of preventive and remedial measures, it is important to have a common understanding of the distinction between the two terms. This understanding will help you to make better decisions about when preventive or remedial measures are appropriate:


Preventive measures are interventions that are typically initiated when a certain risk has been identified at one or more suppliers, but no acute incident has occurred. The example on the left illustrates this distinction using the example of the risk of flooding in the Netherlands. Based on projections of weather and climate data, there are indications that flooding is likely to occur. In reality, however, this flooding has not yet occurred and the risk has not yet materialised. Due to the high probability of flooding, the Dutch government decides to introduce preventive measures, including the construction of dams. 

Risk management in Prewave is very similar. Based on the results of a risk analysis, Prewave maps the probability of negative incidents occurring at its suppliers and makes recommendations for action. Mid and high priority form the typical action priorities here, which, if identified at a supplier, should result in preventive measures at that supplier.


Remedial measures are actions that are initiated when a certain incident has acutely materialised and the negative influences are noticeable. In the example on the right, this is illustrated by a flooded house. Preventive measures such as sandbags or dams are of little help. The negative phenomena of flooding must be eliminated, i.e. the water must be pumped out of the cellar.

In Prewave, this process mainly takes place in the feed, where alerts describe possible incidents that have been picked up in the digital media world. It is now up to you to check whether "your house is affected by the reported flooding" in an initial remedial measure (= incident review). If it turns out to be affected, you can now use Prewave to initiate and document further remedial measures (more on this in 📎 Chapter 3).


2.5.1 Preventive measures according to §6

The procedure for implementing preventive measures can look as follows, for example:

In order to check the accuracy of the results from the abstract risk analysis, your company intends to conduct a survey of suppliers using questionnaires. However, it soon becomes clear that this method does not always fulfill the requirements of a comprehensive risk analysis. This means that the risks cannot be negated and further measures are necessary (lack of certifications, critical self-disclosures, etc.). Further risk assessment efforts may be necessary, particularly for suppliers from high-risk countries and sectors. The next step for the company is therefore to evaluate which suppliers require a physical on-site visit or a comprehensive audit in order to fulfil the requirements of a comprehensive risk analysis.

You can find out how you can implement and document specific prevention measures in Prewave in the Click Guide.

Overview of preventive measures

A detailed overview of all actions can be found 📎 here.

Prewave offers a portfolio of different prevention measures and differentiates between them in terms of intensity and whether the results of the measures can be included in the scoring. The necessary measures are recommended based on the action priority. If the action priority of a supplier is HIGH, Prewave recommends measures up to an intensity of HIGH.

| Measure | Description | Intensity | Scoring |
|---|---|---|---|
| Basic Self Assessment | Prewave offers four questionnaires, which are divided into the groups: Labour and human rights; Environmental law; Business ethics; Health and safety. These evaluate the risks in all LkSG legal positions. They should be used to further validate the identified risks. | LOW | Influence on the risk score via the SSA score (20% weighting) |
| Code of Conduct | Obtaining a code of conduct is considered a standard measure to clarify the expectations of the business relationship and to obtain assurances. | LOW | No influence on the risk score |
| Internal Review | Provides the opportunity to document internal efforts to review risks. | LOW | No influence on the risk score |
| Detailed Self-Assessment | You have the option of developing your own questionnaires in Prewave, which work in exactly the same way as the Basic Self Assessments. | MID | Influence on the risk score via the SSA score (20% weighting) |
| Awareness Training | You have the option of documenting the implementation of training courses at the supplier. With the Action Platform, you will soon also be able to conduct training courses via Prewave. | HIGH | |
| Desk Audit | You have the option of documenting the conduct of desk audits at the supplier. With the Action Platform, you will soon also be able to carry out desk audits via Prewave. | HIGH | |
| On-Site Audit | You have the option of documenting the conduct of on-site audits at the supplier. With the Action Platform, you will soon also be able to carry out on-site audits via Prewave. | CRITICAL | |
| Offboarding | You have the option of documenting the termination of the business relationship. | CRITICAL | |

2.5.2. Remedial Measures

The findings of the preventive measures may result in an extended information situation that requires remedial measures to be taken. For example, a desk audit may reveal specific violations of one or more legal positions.

Based on this in-depth assessment, the company can identify and develop specific remedial measures to address the existing gaps and risks in the supply chain.

These remediation measures could include training for suppliers to ensure that labour conditions comply with international standards. Increased certification or audit procedures could also be implemented to ensure compliance with the required regulations. These targeted measures serve to end the recognised violations. Remedial actions are implemented taking into account the urgency and impact of the identified problem areas.

You can find out how you can implement and document specific remedial measures in Prewave in the 📎 Click Guide.

Overview of preventive measures

A detailed overview of all actions can be found 📎 here.

Prewave offers a portfolio of different prevention measures and differentiates between them in terms of intensity and whether the results of the measures can be included in the scoring. Based on the action priority, the necessary measures are recommended accordingly. If the action priority of a supplier is HIGH, Prewave recommends measures up to an intensity of HIGH.

 

| Measure | Description | Intensity | Scoring |
|---|---|---|---|
| Basic Self-Assessment | Prewave offers four questionnaires, which are divided into the groups: Labour and human rights; Environmental law; Business ethics; Health and safety. These evaluate the risks in all LkSG legal positions. They should be used to further validate the identified risks. | LOW | Influence on the risk score via the SSA score (20% weighting) |
| Incident Review | Provides the opportunity to address incidents and possibly identify a breach. Within the Incident Review, you can implement a corrective action plan to document your actions in connection with a breach and ultimately evaluate their success. All measures can be attached here. | LOW | |
| Statement Request | Gives you the opportunity to request your suppliers to comment on an incident directly in Prewave. | MID | |
| Awareness Training | You have the option of documenting the implementation of training courses at the supplier. With the Action Platform, you will soon also be able to conduct training courses via Prewave. | HIGH | |
| On-Site Audit | You have the option of documenting the performance of on-site audits at the supplier. With the Action Platform, you will soon be able to carry out on-site audits via Prewave. | CRITICAL | |
| Offboarding | You have the option of documenting the termination of the business relationship. | CRITICAL | |

📝 Reminder: the termination of business relationships is only necessary if, firstly, the violation of a protected legal position or an environmental obligation is considered to be very serious, secondly, the implementation of the measures developed in the concept - together with the supplier - does not remedy the situation after the time specified in the concept has expired, thirdly, the company has no other less severe means at its disposal and, fourthly, an increase in influence does not appear to be promising.

 
