Lieferkettengesetz compliance – when is enough, enough?

When working with clients to support their compliance with the new German Lieferkettengesetz supply chain legislation, we are frequently asked how far they need to go to satisfy the regulators. This is becoming increasingly common as the threshold for reporting is now widening from organisations with more than 3000 employees in Germany to those with 1000 employees from January 2024. Put simply, the people responsible for Lieferkettengesetz reporting want (and need) to know – when is enough, enough?

The honest reply to this question, which may not, at first, sound all that helpful, is that there is no right answer. It genuinely depends on a wide range of factors. To understand what is enough for your organisation, we need to look at the actual legislation.

Lieferkettengesetz (and similar legislation emerging across Europe and the rest of the world) sets out very clearly its expectations for compliance. First, Lieferkettengesetz sets out the requirement for organisations to take a risk-based approach to due diligence within the supply chain. Secondly, it states that the effort undertaken to do that must be commensurate with the organisation’s business and the complexity of the supply chain.

In particular, the guidance for the BAFA submission that constitutes the disclosure element of the Lieferkettengesetz legislation explicitly refers to the “adequacy of risk assessment”, saying that risk assessment should not present an undue burden; however, organisations should ensure that the effort undertaken is appropriate to their business activities and the risks associated with those activities.

Of course, when you think about it, this makes complete sense. ESG supply chain risk management can never be done in a one-size-fits-all kind of way. A privately-owned chain of sandwich shops employing 1000 people across Germany will have very different risks to a multinational manufacturing organisation sourcing raw materials from multiple continents, and the legislation, quite rightly, recognises that. That’s not to say that the sandwich shops will have no risk, but the basic risk profile will be relatively much lower and so, as you would expect, the expectations placed on it by Lieferkettensorgfaltspflichtengesetz, in terms of supply chain risk assessment, are proportionately lower.

So how do you identify what is appropriate for your business? To do this, the OECD Due Diligence Guidance for Responsible Business Conduct recommends carrying out a “broad scoping exercise” to create a high-level picture of end-to-end supply chain risk. This broad, multi-disciplined approach is integral to successful supply chain due diligence and key for organisations that need to be able to demonstrate to regulatory authorities in Germany and beyond that they do understand their risks and that they have “done enough” to mitigate them.

But doing enough is becoming increasingly challenging. The structure and sheer scale of today’s supply chains mean that ESG issues and their causes can be extremely hard to identify, understand and eradicate. Intensive and sustained effort is required to monitor and report at the required frequencies. The data needed to comply goes beyond regular operational boundaries and, without due care, data sources with questionable provenance, accuracy or interpretation can often become primary sources of information which undermine the basis for the risk assessment, management, and subsequent disclosures – presenting a substantial threat to a business’s reputation and its regulatory compliance.

For this reason, at Achilles, when we work with organisations to support their ESG and Lieferkettengesetz compliance, we never rely on data from just one source, and we don’t rely on information that is solely gathered from web crawling. Instead, we always start by collecting and assessing data from a wide range of sources including (but not limited to) documentation from organisations in your supply chain, publicly accessible and historical information from the internet and investigation reports from NGOs and charities. Uniquely, we also bring in information captured from our extensive, global, in-person audit programme, and the voices of workers gathered over many years of interviews in similar industries and regions to paint a complete picture of your supply chain risk.

It’s that level of detailed analysis and insight that facilitates a comprehensive Lieferkettengesetz disclosure and gives you the confidence that you have “done enough”. Only when an accurate picture has been created is it really possible to move on to the next step in your journey to “doing enough” – incorporating quality management principles into a risk-based human rights due diligence approach. For more information on the legislation, view our dedicated Lieferkettengesetz page here.

