The German Federal Office for Economic Affairs and Export Control (known as BAFA) has published a new FAQ on performing risk analyses and prioritizing risks under the German Act on Corporate Due Diligence in Supply Chains, more commonly known by its German acronym, the LkSG. Although the FAQ is specific to the LkSG, it provides a useful framework for thinking about human rights risk assessments more generally, including in connection with the pending EU Corporate Sustainability Due Diligence Directive. In this post, we discuss key aspects of the FAQ, including BAFA’s plans for monitoring and enforcement.
The LkSG requires subject companies to take steps to assess and address human rights and environmental risks and adverse impacts. As part of risk management, companies are required to annually conduct an appropriate risk analysis to identify risks in their own business area and at direct suppliers. The LkSG also requires companies to appropriately weight and prioritize identified risks. Many companies struggle with applying these concepts in practice.
According to the FAQ, the following general principles apply when conducting the risk assessment and prioritizing risks:
- Companies have significant flexibility and judgment when conducting risk analyses and implementing appropriate and effective measures.
- Companies do not need to check all suppliers; they may and should prioritize.
- Companies do not have to address all identified risks; they should focus on prioritized risks.
- Companies do not need to assess all suppliers equally; BAFA considers generic supplier inquiries and questionnaires to be inappropriate and generally ineffective, and as failing to meet the requirements of the LkSG. Companies should prioritize suppliers with severe and probable risks or unclear risk situations.
Four-step Risk Analysis
The FAQ contemplates a four-step risk analysis process:
Step 1: Develop an overview understanding
- As an initial step, a subject company should obtain an overview understanding of: (1) its procurement processes and supply chain business relationships; (2) internal responsibilities and existing information in the company’s possession; (3) the structure and actors among its direct suppliers; and (4) the key groups of people that may be affected by the company’s business activities.
- BAFA notes that this information generally can be obtained through desk-based research and existing purchasing and procurement knowledge. It is generally not necessary to query suppliers at this point in the process, unless no other sources of information are available.
Step 2: Conduct a general risk assessment
- This step involves seeking to identify potential general human rights and environmental risks in the company’s industry and countries of operation and procurement. In this step, the company determines typical and relevant risks while identifying areas with little or no risk.
- For this analysis, the FAQ indicates that the company should mainly rely on information, including from external sources, about its own industry, operating and sourcing countries and specific commodity supply chains. The information consulted could include media reports, studies, indices or information from industry initiatives and multi-stakeholder initiatives. Suppliers typically are not contacted at this stage.
Step 3: Conduct a specific risk assessment
- As the next step, the company should conduct a more in-depth analysis of the general risks identified in step 2, specific to the company and its suppliers. The purpose of this step is to confirm whether the identified general risks are actual risks in the company’s business and supply chains.
- Suppliers can be excluded from this step of the risk assessment if no general risks were identified, unless a specific risk is indicated, such as through findings from complaint procedures, actual evidence of potential violations at indirect suppliers or relevant insights from the implementation of corrective actions. Stated another way, the FAQ indicates priority should be given to suppliers with severe and/or probable risks or unclear risk situations.
- The company has discretion to determine an appropriate and effective method of information gathering, depending on the risk, industry and production region. Relevant information sources may include internal documents, public reports, supplier questionnaires, findings from complaints proceedings, survey results, consultations with stakeholders and audit reports. The FAQ indicates that the company should prioritize direct contact with relevant suppliers and avoid blanket inquiries. BAFA makes clear that the widespread practice of contacting all suppliers, without regard to the risk assessment, may be viewed by it as inappropriate and generally ineffective and does not comply with the requirements of the LkSG. According to the FAQ, even when using IT tools to send questionnaires and letters, the suppliers contacted must correspond to the risk assessment and prioritization.
Step 4: Prioritize risks
- Following the step 3 identification of specific risks, the company must assess and prioritize those risks for the implementation of preventive measures, applying the criteria for appropriateness contemplated by the LkSG. Companies have discretion when prioritizing risks, but they must be able to justify why a particular risk is addressed as a priority.
- The FAQ indicates that, as part of the prioritization assessment, the key risk factors to consider in the overall risk analysis include:
  - Company-level risk factors (e.g., the supplier’s LkSG obligations);
  - Operational risk factors;
  - Geographic and contextual risk factors (e.g., the level of law enforcement in relation to the nature of risks/violations);
  - Risk factors related to the particular products and services; and
  - Industry-specific risk factors.
Preventive Measures
According to the FAQ, preventive measures are required to be rooted in the results of the risk analysis. Indiscriminately assigning suppliers preventive measures such as training, contractual obligations or codes of conduct, regardless of the identified risks, may be deemed inappropriate and generally ineffective by BAFA. Further, companies should look at the supplier’s capacity to implement preventive measures. For example, measures that clearly overwhelm a supplier (e.g., because the supplier cannot afford implementation) are generally ineffective. Measures should take into account a supplier’s resources, size, industry, position in the supply and value chain and the specific local circumstances.
BAFA Monitoring and Enforcement
BAFA has indicated it will monitor and enforce implementation of the risk-based approach described in this post in inspections, which typically occur through broad-based reviews of controls, or when there is a specific trigger, such as a media report or tip received.
In the FAQ, BAFA indicates that companies that use approaches that are not risk-based or that try to pass on their due diligence obligations to other business partners in the supply chain are not acting appropriately or effectively and thus fail to fulfill their obligations under the LkSG. For example, companies cannot replace their risk analysis with contractual assurances or certificates of risk-free supply chains from suppliers. BAFA may consider this to be an indication of an inadequate risk analysis and, at its discretion, may reach out to the company for further clarification. Additionally, the mere assurance of a supplier's adherence to standards throughout the entire supply chain (e.g., signing on to a supplier code of conduct) will generally not be deemed to be effective and appropriate risk management.
In the FAQ, BAFA provides an email address for suppliers to contact BAFA if they believe they are being asked to provide information indiscriminately and not in a risk-based manner. Suppliers can make submissions to BAFA anonymously. Upon receipt of a supplier complaint, BAFA may initiate an investigation, starting with a written request for information from the subject company.
Rebecca Schulga, a Visiting Foreign Lawyer, contributed to the preparation of this post.
About our Practice
Ropes & Gray has a leading ESG, CSR and business and human rights compliance practice. We offer clients a comprehensive approach in these subject areas through a global team with members in the United States, Europe and Asia. Senior members of the practice have advised on these matters for more than 30 years, enabling us to provide a long-term perspective and depth and breadth of experience that few firms can match.