3. Phase 2: Alerting, Incident management, remedial actions & reporting

"If the company determines that a violation of a human rights-related or environmental obligation has occurred or is imminent in its own business or at a direct supplier, it shall take immediate and appropriate remedial action to prevent, remedy or minimise the extent of the violation."

§Section 7 para. 1

3.1 Alerting

The process of identifying a breach can start in Prewave via various channels. 

One possible way to learn about a possible infringement in the area of responsibility is through Prewave's media monitoring. Every day, Prewave's AI screens websites from all over the world in more than 50 languages for keywords related to the legal position of the LkSG and the names of companies in the Prewave network. A syntactic analysis of the keywords in the sentence structure of the media sources found is then used to determine whether a connection can be established. If this is found, a so-called alert is created in Prewave. However, this in itself does NOT constitute a detected violation (more on this in the next chapter Incident Management).

Another channel is the so-called complaint mechanism, which can vary from company to company. On the one hand, these can be covered via Prewave, which means that anyone with an internet connection and an internet-enabled device can log into Prewave and submit a complaint via your company's profile. On the other hand, complaints can also find you via other common third-party solutions. You can also learn how this information can be processed in Prewave in the chapter "Incident Management")

Finally, it is also possible to be informed about possible violations through other findings. Whether this information comes to your attention during a supplier visit or through the statement of a whistleblower, colleague or customer, it is already sufficient to require an investigation. The next chapter describes what this process of identifying a breach at Prewave might look like.

Screenshot 2023-11-23 at 13.36.03

3.2. Incident Management

Incident management in Prewave follows the same principles as risk analysis in that incidents are first identified, prioritised, mitigated and finally monitored and reported. The only difference between incident management and risk analysis is the procedure. In contrast to risk analysis, risk scores are not used for processing, but rather specific information from possible incidents. These are then qualitatively evaluated according to severity and relevance.  Prewave has incorporated the guidelines of the legislator and offers you a structured decision-making process that guides you through all the steps and allows you to document each individual step.

Good to know: Prewave allows you to create your own incidents, so you don't have to rely solely on Prewave's media monitoring. Incidents that are outside the media world can be created and documented yourself using the "Add private Alert" function and processed through the remedial action process. These incidents are only visible within your company.

Screenshot 2023-11-23 at 13.42.13

 

3.2.1 Identifying incidents

Screenshot 2023-11-23 at 13.47.17

🚩 Red flag alert?

The first step in incident management is to create an alert to document the potential breach in your own supply chain and business area. This happens automatically with Prewaves Media Monitoring. If the other channels described are known, the process can be started by creating a customised alert (see LkSG Click Guide).

Prewave's LkSG perspective (link to explanation of perspective) is programmed in such a way that alerts to be tracked in accordance with the LkSG are identified via the alert priority "Critical". So-called red flag alerts represent the minimum requirements for requiring follow-up1. Alerts with lower priorities do not provide a binding recommendation for follow-up, but the user is nevertheless free to check them further, especially if the user realises that, despite the low priority, it could be a relevant case in the opinion of the LkSG. It is important to understand in this context that Prewave provides assistance in decision-making and does not replace the decision-making competences of the user.

🔔 Relevant alert?

This is particularly emphasised in the next process step. If a red flag alert has been created, it is now up to the user to decide whether it is relevant for his/her company or not. This relevance can only be determined through a qualitative analysis and means that the user must make sense of the case through their own research2. Prewave helps with the first step of the analysis by linking to the media report from which the alert was produced and thus enabling the user to jump to the web. 

🔕 New incident?

As some media reports can describe the same case from different angles, several alerts with different risk descriptions may be generated. To prevent you from processing an incident that is already being processed in an incident, Prewave detects similarities between alerts that are already being processed and unprocessed alerts. If you notice that your alert is similar to an alert that has already been processed, Prewave helps you to avoid redundant work and adds another alert to the incident management that has already been triggered using the merge function.

If it is a new incident, it is now created and in the next paragraph we describe how the prioritisation of the incident can now be determined with Prewave.

1 Depending on the risk culture in your organisation, the programmed recommendation can be adjusted by your Customer Success Manager and downgraded to High, Mid... Priority Alerts.

2 Why doesn't Prewave's AI already do this automatically? Even if the Prewave AI can deduce correlations through certain sentence structures, it is not capable of interpreting correlations in terms of scope and relevance. For example, the reported suspicion of child labour at a supplier location is reason enough for the AI to create an alert from this information, but the situation on site is often more complicated and always requires human verification.

3.2.2 Prioritising incidents

Screenshot 2023-11-23 at 13.53.06Once a breach has been identified and you have created an incident review, you now need to find out to what extent and how intensively your company needs to take action to remedy the situation. In this context, the legislator once again emphasises the principle of appropriateness, which was already described in detail at the beginning of chapter 2.3 in the context of carrying out the risk analysis.

However, when it comes to prioritising an incident, we are no longer talking about the probability of an incident occurring, as this has already happened. We are therefore no longer talking about the risk of an incident occurring, but rather its severity. The considerations regarding the ability to influence the supplier remain unchanged and continue to refer to the impact (determined by spend vs. revenue or "forced" by own information) and the causal contribution.

Are the measures appropriate?

Let's first look at the typical approach to determining the impact of a breach:

Screenshot 2023-11-23 at 13.57.51The influence capacity is automatically determined by comparing the supplier's expenditure with the supplier's total turnover, as described in Chapter 2 on the topic Impact.

 

Screenshot 2023-11-23 at 13.57.51-1The causal contribution must be assessed by the user themselves. If research into the incident reveals that the incident was essentially provoked by the user's own actions, the impact should be increased by +1.

:brain: Good to know: The impact can be adjusted by the user at any time. This means that the user has the option of contradicting the results of the impact calculation and increasing or decreasing the impact. If such a change is made, it is recommended to document this change in the data tab in the supplier profile and to comment on the change accordingly. Risks and violations usually arise in the company's own business area due to internal causes. As the company itself is responsible for complying with human rights and environmental standards, the impact at its own sites must always be assessed as critical.

🤓 Examples: When does one speak of an existing causal contribution? 

  • The goods and services purchased from the supplier are specifically responsible for the breach
  • The infringement was provoked by the actions of the company's own employees

 

The severity can be assessed as follows:

Screenshot 2023-11-23 at 13.57.51-2

The severity is determined by various (additional) criteria. On the one hand, the severity of the damage (the intensity or depth of an incident) plays a role. In the case of certain violations, such as forced labor, involuntary labor or the most serious forms of child labor, a significant severity of harm must always be assumed. The number of people affected or the extent of the environmental impact is also important. Finally, the reversibility of the violation should be taken into account. It must first be examined whether it is at all possible to reverse the negative consequences. Irreversible effects are particularly serious. In the case of reversible violations, the effort (also in terms of time) and the resources required to correct the adverse consequences must also be taken into account.

 

Übersicht wie die Schwere selber bewertet werden kann

Severity Example
NO
  • A minor deviation from an internal procedure that has no impact on human rights or the environment and can be rectified quickly.
  • A minor error in the documentation that has no negative consequences for employees or the environment.

LOW

  • A minor violation that has no long-term effects but still violates certain regulations. For example, a short-term exceedance of emissions that does not pose an acute danger.
  • A minor violation of working time regulations that leads to overtime but does not have serious health effects.
MID
  • An incident that leads to short-term negative effects on the health of employees or the environment. For example, a workplace accident with minor injuries.
  • A breach of environmental regulations that leads to soil contamination and requires clean-up and restoration measures. 
HIGH
  • A serious incident that leads to long-term health effects on employees. For example, chronic exposure to toxic chemicals.
  • A major workplace accident resulting in serious injury or even death among employees.
CRITICAL
  • An extremely serious injury that leads to serious health consequences or death in a large number of people. For example, mass poisoning from contaminated food.
  • An environmental disaster that causes widespread and irreparable damage to an ecosystem, such as a large-scale oil leak.

 

Screenshot 2023-11-23 at 13.57.51-3

The contribution of the "type and scope of business activity" considerations to the determination of severity is best explained using an example:

Suppose a company produces electronic devices and has an international focus. The company is considering a measure to ensure that there is no child labor in the supply chain. To assess the appropriateness of this measure, the company would apply the first criterion:

  1. Risk-related aspects: The company would analyze how complex its supply chain is. If the supply chain includes several countries and different stages of production, this could increase the risk that child labor could occur unnoticed. In addition, the international orientation of the company could mean that different legislation and cultural conditions in the various countries have to be taken into account. These factors could increase the risk of violations of human rights standards.
  2. Resource-related aspects: The company would analyze the size of its organization and the resources available. If the company has a large production capacity and high sales, it may be better able to allocate adequate resources to monitor the supply chain and ensure compliance with standards. Similarly, financial resources may be available for training and audits.

Based on this analysis, the company could then assess how appropriate the planned measure to prevent child labor is. If the supply chain is complex and international and the company has sufficient resources, it may be necessary to implement comprehensive controls, audits and training to ensure compliance with the standards.

This example shows how the " type and scale of operations" criterion can be used to assess the appropriateness of a measure in relation to human rights and environmental standards by taking into account the complexity of the operations and the resources available. 

Screenshot 2023-11-28 at 13.30.26

Overview of how the type and scope of the business activity itself can be assessed

Severity

Example

NO

  • A company with exclusively local operations and a small number of employees. The business activity is simply structured and does not include many production stages.
  • A small restaurant that only uses local suppliers and has no international business relationships.

LOW

  • A company with a regional presence that offers a wider range of products or services. The supply chain may cover several countries.
  • A small garment manufacturer with suppliers from neighbouring countries but using mainly local materials.

MID

  • A multinational corporation with a complex supply chain that operates in several countries and manufactures a wide range of products. The company has international business relationships.
  • An electronics manufacturer that produces in several countries and sources various raw materials from different parts of the world.

HIGH

  • A company operating in a controversial sector, such as mining or chemical production. Business activities can have serious environmental impacts.
  • A global company with a complex supply chain and many suppliers, where the risk of human rights violations or environmental damage is high.

CRITICAL

  • A company with a direct impact on vital resources such as clean water or food. Any violation of standards could have catastrophic consequences.
  • A company that operates in a conflict zone and could exacerbate human rights violations through its business activities.

3.2.3 Initiating remedial measures

Screenshot 2023-11-28 at 16.51.15

Once the incident has been prioritised, remedial measures are suggested to you based on the action priority and the remedial measures already initiated in connection with the incident review. The suggestions are not binding and you are completely free to decide which remedial actions you want to take and in what order. Of course, it is also possible to initiate several remedial actions in parallel. This is done via the TAKE ACTION button. It is also possible to completely exclude certain remedial actions. This can be done using the SKIP ACTION button and the reasoning behind this decision can be documented in the ticket. As soon as you have planned the first remedial measures, the status of the incident review automatically changes to "Mitigation in progress", which is now also visible to your colleagues in the Alert and in the Action Dashboard and Planner. Finally, 3.2.4. explains how to finalise the corrective action plan once you have initiated your measures.

3.2.4 Reviewing remedial action plan

Screenshot 2023-11-28 at 16.54.04The last step in the process is to check the effectiveness of the corrective measures that have been introduced and the corrective measures. The following examples are intended to illustrate the various scenarios you may be confronted with in this process step and how Prewave can help you to map them.


Incident / violation can be successfully resolved

The fictitious company "EcoFashion" recognises signs of possible environmental pollution in its supply chain. As a remedial action, the company decides to organise training for its suppliers to promote more sustainable practices. Here is how EcoFashion could check the effectiveness of the measure:

  1. Training delivery: EcoFashion conducts training sessions for suppliers, teaching environmentally friendly practices and resource conservation.
  2. Monitoring: The company monitors suppliers in the months following the training to see if their practices change.
  3. Measurable changes: EcoFashion analyses environmental data such as water consumption, energy consumption and waste production before and after the training sessions to identify measurable changes.
  4. Feedback and communication: The company collects feedback from suppliers to see if they have been able to integrate the training content into their processes.
  5. Examples of sustainable practices: EcoFashion collects examples of more sustainable practices from suppliers who have successfully implemented changes.


If, during monitoring, suppliers are shown to be making measurable improvements by using fewer resources or reducing waste, this confirms the effectiveness of the training. In this case, EcoFashion could discontinue the training and other measures and mark the corrective action plan as "Mitigation finished" in the incident review. Of course, it is also imaginable that the success story could be continued and the action plan could be extended to other suppliers. 

Incident could not be successfully resolved

However, if no significant changes in suppliers' practices are identified after the training or if the feedback is negative, the company may consider finding alternative approaches to promote environmentally friendly practices and initiate further measures. The status of the incident review therefore remains in "Mitigation in progress" until the next impact review. 


All efforts to contain the incident prove futile

If, after several review cycles, it turns out that all measures prove to be futile, EcoFashion can weigh up the extent to which the efforts are in proportion to the business relationship and decide to discontinue the efforts. If this decision is made, this must be documented in Prewave by setting the status in the incident review to "Mitigation failed".

:pencil:Reminder: In the case of direct or indirect suppliers, there is no duty to succeed. At sites belonging to the company's own business division, cancellation of the measures is not accepted; here there is a duty to succeed.

Anticipated incident turns out to be irrelevant or unconfirmed

If the initial concerns about water use at the supplier have not been confirmed and adequate safety protocols are already in place, the training may be unnecessary. In this case, the cancellation of the training would be justified due to the identified effectiveness gap. In this case, document this in Prewave by setting the status to "Mitigation aborted" in the Incident Review.

However, the company could instead consider alternative measures that are better suited to the actual needs of the supplier, such as promoting other sustainable practices or extending monitoring to other areas, and document this separately in the Action Dashboard outside of the Incident Review.

FAQ Incident Management:


How can I recognise that an alert is already being worked on?

You can recognise this by the status label below the alert priority display. It shows the status of the Incidence Management and who is responsible for it. Under "See details" you can navigate to the ticket and view further details on the progress.


👉 Move on to the next chapter