This article describes how companies subject to the German Supply Chain Due Diligence Act can use the VERSO Supply Chain Hub to conduct a regular risk analysis of their direct suppliers and define and track preventive measures.
TABLE OF CONTENTS
- I. Conducting a risk analysis by inviting suppliers and via the Risk Check
- II. Defining preventive measures to address supply chain risks ("Präventionsmaßnahmen")
The German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz - LkSG) requires companies to conduct a risk analysis of human rights and environmental risks in their own business area as well as in their supply chain and to take appropriate preventive and remedial measures.
I. Conducting a risk analysis by inviting suppliers and via the Risk Check
The aim of the risk analysis according to the requirements of the LkSG is the identification, weighting, and prioritization of human rights and environmental risks following a systematic and consistent approach.
a. Sending a connection request to all relevant direct suppliers and affiliated companies:
The connection request can fulfill the following purposes:
- documentation of the "Bemühenspflicht" (obligation to make a reasonable effort) required by the LkSG for all suppliers
- automated risk analysis via Due Diligence list view for those who respond to the connection request
- optional: automated follow-up requests such as the Code of Conduct request
Before you send the connection requests, you should evaluate the following topics. You can discuss this with your VERSO Supply Chain Hub Customer Success Manager during the kick-off meeting:
- The scope of suppliers a connection request should be sent to (e.g., by setting a small PO Spend threshold or by using risk information already known)
- Whether to invite subsidiaries to complement the analysis of your own business area (eigener Geschäftsbereich) - use the predefined Tag "subsidiary" / "Tochtergesellschaft"
- Whether to directly require suppliers to complete assessment topics (if you upload a high number of suppliers with an unknown abstract risk profile, we highly recommend sending the connection request without ticking any assessment topics)
Click here for a description of how to send a connection request: How do I send a connection request?
Do you also want to use the Supply Chain Hub to analyze your own business processes (eigener Geschäftsbereich)? Please take a look here: Can I also analyze my own business processes (eigener Geschäftsbereich) with the Supply Chain Hub according to LkSG?
The requirements regarding the own business area are stricter than those regarding the suppliers (Erfüllungspflicht vs. Bemühenspflicht). The information assessed in the platform provides a basis for this analysis, but further steps are needed (check with your compliance department / consulting lawyer).
b. Conducting a risk check for non-connected suppliers
The risk-check process is described in this article: How to perform a risk check for not-registered suppliers
II. Defining preventive measures to address supply chain risks ("Präventionsmaßnahmen")
a. Analyzing the Due Diligence list view to prioritize risk categories and define relevant preventive measures:
The Due Diligence list view provides a decision basis in the form of standardized results. Using these results, you can make an informed decision about which risks to prioritize and for which suppliers additional preventive measures are necessary.
The results of the whole risk assessment for the direct suppliers connected to your company via the VERSO Supply Chain Hub are summarized in the Due Diligence list view: "Insights" >> "Due Diligence"
For a generic "How to use" for the Due Diligence list view, click here.
In the list view, you find a summary of the risk results, according to the 13 LkSG reporting categories:
1. Of your suppliers
2. The result by supplier
The risk level of a given LkSG risk category (M1-M10 and U1-U3) is calculated for each supplier as a weighted arithmetic average of the abstract (country + sector risk) and concrete (Maturity Assessment) risk. The overall risk of a supplier across all LkSG risk categories is calculated as the mean of the risk levels in these risk categories.
3. The calculation methodology and the data sources used are described in more detail on the page "Learn how risks are calculated", which is accessible from the list view.
Follow these steps to use the due diligence list view for your LkSG analysis:
1. Validate the automatic analysis to check whether you want to exclude risk categories from the risk identification process. This may be especially relevant where there is no data available to quantify country or sector risks (e.g., if there is no data for either sector or country risks, see "Learn how risks are calculated" for what we recommend in this case).
2. Prioritize risk categories according to the "Angemessenheitskriterien".
To see how these criteria are reflected in the platform, read this article: "Appropriateness" according to the LkSG in the platform
You only need to define actions for prioritized risk categories. However, every exclusion needs to be well explained and documented. Focus on the risk category results, not the overall risk. When prioritizing risks, please consider that the results for U country risks have a lower significance than those for M country risks because they only state the ratification status in the given country. When the sector risk is high, you should take actions to mitigate the risks, e.g., require the assessment topic "Environmental Protection".
You can find further guidance on risk identification, prioritization and further topics around the LkSG in the BAFA guides (many also available in English): https://www.bafa.de/DE/Lieferketten/Ueberblick/ueberblick_node.html
The results of the risk analysis should be reflected in your human rights policy (Grundsatzerklärung).
Following steps 1 and 2, can I "overwrite" the list view's automatic results?
There are two ways to document results that differ from the automatic results, e.g., following an expert evaluation or actions taken to gather further risk information outside the platform:
- Use tags to categorize suppliers according to your own risk assessment, e.g., using the predefined "low/high risk" tags. You can also define your own tags. Afterward, you can easily filter suppliers for your risk assessment.
See here on how to apply tags: What are tags for and how do I use them?
- Document your own assessment as a preventive action. An action category that is often applicable is "Additional risk information".
See this article on how to use actions: What are actions and how do I use them?
Use the filter function of "Recommended Maturity Assessments":
- You can filter for 4 different Maturity Assessment topics and use the "And"/"Or" function to get a list of suppliers that the system has identified and to which it recommends sending the chosen topics.
- If a supplier is recommended for the filtered topic but also for another one, e.g., "Environmental Protection", this will also be shown directly for every supplier in the list view.
To learn how the logic behind the feature "Recommended Maturity Assessment" works and how the system identifies the right suppliers to send specific assessments to, please read the following article: Recommended Maturity Assessments
b. Implement and document preventive measures to react to prioritized risks:
There are generally two types of preventive measures that can be documented via the platform:
Measure type 1: Standardized measures applicable to a bulk of suppliers
⇒ Use platform requests to require suppliers to implement the measures.
You can directly send requests via the due diligence list view by:
1. Selecting the relevant suppliers
2. Clicking on "Send Request".
There are eight request types that can be used.
The following article shows how to send requests to suppliers and contains links to all articles on how to fill in and send a specific request type: How do I send requests to my suppliers
Measure type 2: Individual measures defined on a case-by-case basis
⇒ Document measures as actions in the platform
c. Prioritize risks and implement and document preventive measures for non-registered suppliers:
You can use the risk check to prioritize suppliers for follow-up actions according to the risk profiles.
Use the resulting Excel download as a working file:
- You can manually adapt the results, complementing them with findings from your own analyses or any additional information you gathered (e.g., a check of material that suppliers might send you outside the platform)
- You can document any results of your analyses in the following forms:
  - Apply tags to the suppliers in the sent-request list view (e.g., low risk). Also see: What are tags for and how do I use them?
  - Document an action for your own company describing your analysis or any upcoming task resulting from it.
  - Use columns M-R in the Risk Check export file
- Based on your analysis of the risk check, you can reinforce your activities to persuade prioritized suppliers to register on the platform to get additional risk information (personal follow-up, integration into annual supplier meetings)
To learn how you can use the information for reporting under the law, please see this article: Preparing the BAFA report