In June of 2021, Germany’s legislature passed the Act on Corporate Due Diligence in Supply Chains (Supply Chain Due Diligence Act or SCDDA), which will go into force as of Jan. 1, 2023. The Act is far-reaching and impacts multiple facets of the supply chain, from human rights and sustainability to legal accountability throughout the third-party ecosystem.
Why was the Supply Chain Due Diligence Act created?
In 2011, Germany adopted a set of United Nations Guiding Principles (UNGPs) that outlined how and why companies should value human rights in the supply chain. However, according to a study commissioned by its own government, less than 17% of companies in Germany were in compliance with the UNGPs. As a result, Germany took it upon itself to create the SCDDA to enforce a swath of standards and regulations that would address these concerns.
Which companies does the Supply Chain Due Diligence Act impact?
The new standard applies to companies that have their central administration, principal place of business, administrative headquarters or simply a domestic branch in Germany and have a headcount of at least 3,000 employees in that country or abroad.
However, as of Jan. 1, 2024, that employee threshold drops dramatically, extending the Act to all aforementioned companies with 1,000 employees or more. Additionally, companies that keep temporary agency workers on the rolls for more than six months must count those workers toward the threshold.
Managing & analyzing supply chain risk within new standards
As defined in the Act, the supply chain refers to all products and services of an enterprise necessary to create the products and provide services, starting from the extraction of raw materials (where applicable) to the delivery of those goods to the end user. Quite simply, the Act is designed to touch every piece of the supply chain so all companies reliant on one another for goods and services are operating under the same compliance procedures.
If organizations haven’t done so already, the Act requires all companies within the defined parameters to:
- Establish a risk management system
- Identify and minimize human rights and environment-related risks
- Name a position or person responsible for monitoring risk management
- Conduct an annual risk analysis and communicate it internally
  - If an enterprise identifies a risk prior to the annual analysis, immediate preventative measures are required
- Issue a policy statement on its human rights strategy that is subsequently adopted by the enterprise
  - A statement for the company’s own internal use as well as for its direct suppliers is required
  - The policy’s effectiveness must be evaluated annually
- Implement due diligence with regard to risks at indirect suppliers
- Document and report on the fulfillment of due diligence obligations
Consequences for non-compliance
International laws without enforcement are nothing more than requests. Under the SCDDA, repercussions for non-compliance include both monetary and business-based penalties. Depending on the level of infraction, companies may be fined up to $8.96M US dollars. For companies with an annual global turnover of more than $448M US dollars, a fine of as much as 2% of that turnover can be levied for noncompliance.
Additionally, penalties can include an exclusion from the award of a supply, works or service contract for up to three years.
Far-reaching human rights implications
While the SCDDA aims to protect the human rights of workers in Germany, the overarching goal is to impact any business with any dealings in the country. Just how far-reaching will the implications of this legislation go?
In a recent study of 301 participants conducted by the CyberRisk Alliance in conjunction with OneTrust, 56% of companies with more than 1,000 employees said they currently work with more than 50 third parties in their supply chain.
While risk management is a central focus of the SCDDA, with the intention that it trickles down throughout the supply chain, the Act also pinpoints violations of internationally accepted human rights conventions. Within the Act, these are defined as:
- Child labor, slavery and forced labor
- Disregard of occupational safety and health obligations
- Withholding an adequate wage
- Disregard of the right to form trade unions or employee representation
- Denial of access to food and water
- Unlawful taking of land and livelihoods
Due diligence on a global scale
Less than a year after Germany’s government published the Act, the European Commission adopted a proposal for a directive on corporate sustainability due diligence in February of 2022, aiming to make companies of 500 or more employees operating in or with suppliers from the European Union (of which Germany is part) more accountable for environmental and human rights harm caused by their activities.
Similar to the SCDDA, that proposal — which may take a full year or more to finalize — will require corporations to implement risk management systems. Once fully implemented, the EU Directive would affect an estimated 12,800 organizations of varying sizes.
Third-party trust at the core of due diligence
Whether the driver is the continuing rise in cyber incidents or the widening scope of labor-related human rights issues across the supply chain, third-party risk ultimately ties back to the ownership of a single business. A company creating goods or services relies on a network of other companies to meet its objectives, and the SCDDA is framed to create a homogeneous chain from top to bottom.
Third-party risk management is quickly evolving into third-party trust management (TPTM), with the SCDDA creating a clear line in the sand for global organizations. TPTM is a critical consideration when standing up an enterprise trust strategy. Enterprise trust is a driver of business development that depends on cross-domain collaboration. The risk domains of trust are Ethics, ESG, Privacy, and Security, and when considered under the lens of trust, each domain must assess trust risk factors in a way that plans for overall business resiliency and continuity — just as the SCDDA requires.