Risk Analysis Guidance on the Supply Chain Act

According to BAFA, companies are required to establish effective and appropriate risk management. The aim is to identify, prevent, minimise or eliminate human or environmental risks or violations in their supply chain. In doing so, companies should adopt a risk-based approach. Through a well thought-out and comprehensive risk analysis, companies can make informed decisions and focus their efforts on critical areas to ensure compliance with human rights and environmental standards. To comply with the LkSG, companies must implement the following six elements of risk management:

1. Establishing an effective risk management system
2. Risk analysis
3. Preventive measures
4. Remedial measures
5. Complaint procedures
6. Documentation and reporting

Risk analysis is an important component of the overall risk management system and, according to BAFA, forms the basis for appropriate and effective risk management.

In order to understand the LkSG in its entirety and the related due diligence obligations for your company, a distinction is made between these three "parts" of the supply chain, according to the Federal Ministry of Labour and Social Affairs (BMAS) Unit "CSR" - Corporate Social Responsibility:

1. Own business area
2. Direct suppliers = Suppliers with direct contractual reference
3. Indirect suppliers = Suppliers with an indirect relationship (i.e. the suppliers of the suppliers)

On the other hand, the distinction exists in the temporal classification of risk analysis, which are associated with the above-mentioned areas:

• The regular risk analysis, which is carried out once a year.
• The event-related risk analysis, which is triggered by knowledge about a violation (e.g. via complaint procedures) or due to a change in business activity.

This means concretely for your company:

• The regular risk analysis applies to your own business area and your indirect suppliers.
• The ad hoc risk analysis based on substantial knowledge applies to your direct suppliers.
• And last but not least, the event-driven risk analysis due to a change in business activity applies to all three fields.

The results of the risk analysis form the basis for the implementation of further measures to comply with the legislative proposals. The following aspects are to be taken into account:

• Clear guidelines should be established and responsible parties named in order to take adequate steps in case of particularly high risks.
• Certain information is specified by BAFA which should be strictly adhered to, such as a risk analysis should contain concrete questions on the company and procurement structure.
• Direct measures in the case of imminent risks are necessary to prevent or minimise potential damage.
• Risk management strategies should be continuously reviewed and improved to minimise potential risks and reinforce preventive measures.
• Regular reporting based on the findings on progress and actions taken, as well as orderly documentation are essential to demonstrate compliance with the law.

As you can see, the use and implementation of risk analysis is only the beginning.

This risk analysis template contains the questions on the corporate structure and procurement structure of the companies concerned specified by the Federal Office for Economic Affairs and Export Control. In addition, the country selection is based on the country list recommended by BAFA from United Nations Statistics Division. The logics are based on the number of group-dependent companies on which a certain influence is exerted and the procurement categories products, raw materials and services.

After you have opened the template, you can adapt it to your needs and your corporate design. For example, you can change the design completely in the settings bar and add your own logo there. Also customise your company details in the template, such as company name and contact information. Of course, you can also customise entire question fields and pages. Small tip: If you add questions or whole pages to this specific template, then we recommend that you deactivate the logic first. In the last step after you have made all changes, you can again activate the logics for the respective questions.

Reach all relevant people and suppliers where you most want to be found. You can use Netigate to choose several suitable shipping methods for your process: a. Email: Send the survey via Netigate's email system. This way you can inform your suppliers about your risk analysis and send a reminder email at regular intervals. b. General link: Generate a survey link that you can use anywhere or convert it into a QR code for offline activities. c. Website embedding: Place your risk analysis on landing pages, e-shops, blogs or other online platforms. d. (Two way) SMS: Communicate even more flexibly and quickly using text messages. e. Login lists: Create logins for your recipients with user name and password.

Customise the contact email in the settings so that the responsible person directly receives a notification email with the collected data each time a risk analysis is submitted. Set Live Alerts to respond quickly to critical, imminent risks. You can track progress at any time on live dashboards. We also have a step-by-step guide on how to set triggers and logics in no time.

An essential part of the Supply Chain Act (LkSG) is documentation and reporting. Netigate has a comprehensive reporting function. Features include report exportto Excel or PDF, which allows you to quickly and easily transfer your data to an Excel or PDF format. The Quick Analysis gives you a quick overview of the most important results, so you can immediately identify the relevant information. With the help of filters you can better segment the collected data and gain specific insights. In addition, Netigate offers KI-driven text analysis, which automatically captures your answers and groups them into predefined topics. This saves you valuable time in manually sorting the answers and quickly gives you a clear overview of the most important information.

After you have found, adapted, sent and evaluated the template, you now have to make some decisions on the respective risks in this step. BAFA provides a very detailed guide on how to identify, weight and prioritise risks. In brief, the procedure for both the own business unit and the direct suppliers is divided into:

1. Abstract consideration of industry and country-specific risks for the purpose of identifying companies/branches/locations with increased risk disposition.
2. Concrete identification of risks and their weighting and prioritisation according to:
   • type and scope of business activity
   • Probability of occurrence
   • Severity of the violation
   • Possibility of influence
   • Causation contribution of the company to individual risks
3. For the company's own business area: Successive expansion of the concrete risk assessment (see above) to all companies, branches or locations.

Netigate Consulting offers individual expert support and tailored solutions for your supply chain law projects in the implementation of due diligence. In our team, we combine professional expertise from the fields of social sciences, economics and statistics with practice-oriented know-how. The project process with Netigate Consulting is divided into the following phases: 1. Setup: In a kick-off workshop we jointly define the study design and develop the specific questionnaire. 2. Implementation: Our team takes over the questionnaire programming and takes care of the address handling as well as the background variables. 3. Conducting: We support you in sending out the survey and monitor the field process. 4. Analysis: After completion of the data collection, we process the data and conduct a comprehensive data analysis, which serves as the basis for reporting. 5. Communication: We present the results to you in a meaningful results presentation and, if you wish, we can also offer a train-the-trainer workshop. 6. Action: Together we develop measures based on the findings of the survey in an action-planning workshop. Our team accompanies you in the implementation of these measures and advises you on further survey concepts. We give you the choice between a full-service approach or a do-it-yourself option. Our team of experts at Netigate Consulting is there to support you at every stage of your LkSG project - from the design of the questionnaire to the communication of the results.

The regular and ad hoc risk analyses must be introduced depending on when companies fall within the scope of the law: Companies with more than 3,000 employees and thus covered by the law from 1 January 2023 must introduce their risk analyses from that date. For companies with more than 1,000 employees, the obligation applies from 1 January 2024.