LkSG Risk Analysis: Methodology, Structure and BAFA-Compliant Documentation
The risk analysis is the methodological foundation of LkSG compliance. § 5 LkSG prescribes an annual and event-triggered risk assessment — for the company's own business area, direct suppliers and, where there is justified cause, indirect suppliers. Gaps here risk BAFA enquiries and evidentiary shortfalls.
§ 5 of the Supply Chain Due Diligence Act (LkSG) obliges affected companies to conduct a risk analysis on a regular basis. This serves to identify human rights and environmental risks in the company's own business area and at direct suppliers. Where there is justified cause, the risk analysis must be extended to indirect suppliers. The analysis must be conducted once annually and on an event-triggered basis upon material changes (§ 5(4) LkSG).
In practice, the risk analysis is the area that most frequently gives rise to BAFA enquiries during reviews. The reasons: missing weighting of identified risks, unclear delineation of supplier tiers, no version history, and missing evidence of the analytical basis. This article describes how a BAFA-compliant LkSG risk analysis must be structured and documented from a methodological standpoint.
Key Takeaways
- The LkSG risk analysis must distinguish between the company's own business area, direct suppliers and — where there is justified cause — indirect suppliers; an undifferentiated supplier list without tier distinction does not suffice.
- Identified risks must be prioritised by severity and probability of occurrence; a mere listing without assessment and weighting does not satisfy the requirements of § 5(1) LkSG.
- The risk analysis must be repeated and versioned annually, with the prior-year version retained in a traceable manner; absent versioning makes it impossible to evidence which risks were assessed at which point in time.
Legal Basis: What § 5 LkSG Specifically Requires
§ 5 LkSG defines the risk analysis as an instrument for the adequate identification, weighting and prioritisation of human rights and environmental risks. The Act distinguishes between three areas of investigation: the company's own business area (§ 5(1) sentence 1 LkSG), direct suppliers (§ 5(1) sentence 2 LkSG) and indirect suppliers (§ 5(2) LkSG) — the latter only where there is justified cause.
The company's own business area encompasses, pursuant to § 2(6) LkSG, all domestic and foreign subsidiaries over which the obligated company exercises a determining influence. The inclusion of the company's own subsidiaries is initially underestimated by many organisations — it significantly extends the scope of the risk analysis.
Direct suppliers are, pursuant to § 2(7) LkSG, contractual partners from whom goods or services are required for the production of the company's own product. Indirect suppliers (§ 2(8) LkSG) are further back in the chain but may not be entirely disregarded if there is actual evidence of human rights or environmental violations. The external LkSG officer at CIVAC supports the methodological delineation of these three tiers.
Risk Categories: Human Rights and Environment under Annex 1 LkSG
The LkSG defines in § 2(1) and (2) and in the annexes of the Act the specific human rights and environmental risks towards which the analysis is to be directed. Human rights risks include in particular:
- Prohibition of forced labour and debt bondage (§ 2(2) No. 1 LkSG, ILO core conventions)
- Prohibition of child labour (§ 2(2) No. 2 LkSG, ILO Conventions Nos 138 and 182)
- Prohibition of violations of freedom of association (§ 2(2) No. 7 LkSG)
- Prohibition of unequal treatment (§ 2(2) No. 8 LkSG)
- Prohibition of withholding adequate remuneration (§ 2(2) No. 9 LkSG)
Environmental risks relate in particular to actions prohibited under the Minamata Convention (mercury), the Stockholm Convention (persistent organic pollutants) or the Basel Convention (hazardous waste) (§ 2(3) LkSG). They also encompass risks associated with violations of environmental due diligence obligations under a Paris Agreement-aligned approach.
A structured risk analysis must assess each of these categories for each relevant supplier and document a risk score per category.
Methodology: How a BAFA-Compliant Risk Assessment is Structured
A robust risk analysis is based on a three-stage assessment model:
- Identification: Which risks are potentially present in which part of the supply chain? This phase draws on secondary sources (country indices, sector risk profiles, databases such as the Corruption Perceptions Index of Transparency International or the CSR Risk Check of the Federal Ministry of Labour and Social Affairs (BMAS)) as well as primary supplier questionnaires.
- Assessment: How severe is a possible violation, and how probable is its occurrence? Severity is assessed on the basis of the factors of irreversibility, number of persons affected, and nature of the violation (§ 3(2) LkSG).
- Prioritisation: Which risks require immediate preventive measures, which are placed under observation? The result of the prioritisation feeds directly into the action plan under § 6 LkSG.
The critical requirement is that all three steps are documented with date, data basis and responsible person. The traceability of the methodology — not merely the result — is what a BAFA review examines.
Event-Triggered Risk Analysis: When an Update is Required
§ 5(4) sentence 2 LkSG requires an event-triggered update of the risk analysis upon material changes. Material changes include:
- Addition of new suppliers or markets
- Taking on new product categories or production processes
- Violations at existing suppliers becoming known
- Material changes in the political or socioeconomic situation in supplier countries
- New regulatory requirements (e.g. implementation of the EU CSDDD)
In practice, the risk exists that event-triggered updates are not systematically triggered and documented. An LkSG management system must therefore not only schedule the annual analysis but also provide a trigger mechanism that automatically initiates and records event-triggered analyses.
When investigating suspected violations, BAFA first examines whether event-triggered updates have taken place. Companies that have not documented event-triggered analyses despite the existence of indications expose themselves to the allegation of insufficient diligence. The deadline runs from the date of knowledge — this principle also applies to the obligation to conduct an event-triggered risk analysis.
Supplier Questionnaires: Instruments and Common Errors
Supplier questionnaires are a central instrument of the risk analysis, but not an end in themselves. The objective is not the completion of a questionnaire but the acquisition of reliable information about risks in the supply chain. Common errors in supplier questionnaire practice:
- Absent verification: A completed questionnaire is not proof of risk minimisation. Responses must be plausibility-checked — in particular for high-risk categories.
- Missing documentation of response rates: BAFA expects information on what proportion of suppliers were surveyed and what response rate was achieved.
- English-language questionnaires without translation: Suppliers in non-EU countries may be unable to correctly answer complex questions in English. Misinterpretations produce incorrect risk scores.
- Uniform questionnaire without risk gradation: High-risk suppliers require more in-depth questionnaires than low-risk partners.
LkSG software should support supplier questionnaires in multiple languages and with different levels of depth. Responses are directly assigned to the risk score of the respective supplier and stored in a versioned manner.
Documentation and Versioning: The Evidence before BAFA
The risk analysis is only BAFA-compliant if its development history is traceable without gaps. This means:
- The current version of the risk analysis is clearly identified as such
- All prior versions are archived with date and reason for change
- The responsible person and the date of approval are documented
- The sources and data bases used are linked in a traceable manner
Without versioning it cannot be evidenced which risks were known at which point in time and which measures were subsequently taken. For event-triggered risk analyses in particular, this timestamp is decisive: BAFA examines whether the company responded promptly to new information.
The LkSG officer function in the CIVAC workspace maps these requirements with an integrated versioning system. Each risk analysis is filed with a timestamp, predecessor version and responsible person. The audit log records all changes automatically.
Risk Analysis and Action Planning: The Transition to § 6 LkSG
The risk analysis is not an end in itself — it is the direct input for the action plan under § 6 LkSG. The result of the prioritisation determines which preventive measures must be taken for which suppliers and risk areas. The transition from the risk analysis to action planning must be traceable within the system.
In concrete terms: for each risk finding classified as material, a preventive measure with a responsible person, deadline and effectiveness criterion must be recorded. Companies that can present a complete risk analysis but have not derived documented measures from it do not satisfy the requirements of § 6 LkSG and expose themselves to the allegation of lack of consequence.
The BAFA annual report (§ 10 LkSG) expressly requires an assessment of the effectiveness of the measures taken. Companies must therefore not only demonstrate that measures were planned, but also whether and how they took effect. A compliance platform that manages risk analysis and action management as linked modules maps this requirement structurally and significantly reduces the effort of preparing the BAFA report.
External Support: When an LkSG Officer Carries the Risk Analysis
Conducting a methodologically robust LkSG risk analysis requires expertise that is not available internally in sufficient measure in many mid-sized companies. The competencies required include: knowledge of international human rights standards (ILO core conventions, UN Guiding Principles on Business and Human Rights), familiarity with BAFA's LkSG assessment framework, and practical experience in supplier risk assessment.
An external LkSG officer brings these competencies and takes on the methodological leadership of the risk analysis. This is particularly relevant for:
- Companies conducting a risk analysis for the first time and with no experience of the BAFA format
- Companies with complex, internationally branched supply chains
- Companies that must quickly and in an audit-proof manner supply event-triggered risk analyses following an incident
CIVAC offers through its partner network external LkSG officers with demonstrated practical experience in risk analysis methodology. The appointment is made with a written letter and documented reporting line structure.
Conclusion: Risk Analysis as the Foundation of LkSG Compliance
A BAFA-compliant LkSG risk analysis is more than a supplier list with traffic-light colours. It is a structured, methodologically traceable process that is repeated annually and on an event-triggered basis, fully documented and linked to an action plan. Organisations that work methodologically rigorously here lay the foundation for all further LkSG obligations — from the policy statement to the annual BAFA report.
CIVAC as a compliance platform and officer-as-a-service provider offers both: the structured workspace for the internal conduct of the risk analysis, and external LkSG officers who take responsibility for the methodology. Licence the workspace for your internal officers or appoint ours. 490 ready-to-use audit templates, integrated action management and automatic versioning create the conditions for the auditor to call — and the evidence to be ready.
If you wish to set up your risk analysis on a methodologically robust basis: turn reading into action. Write to info@civac.de or use the contact form at civac.de.
FAQ
How frequently must the LkSG risk analysis be conducted?
§ 5(4) LkSG requires an annual risk analysis. In addition, an event-triggered update is required when material changes occur in the supply chain, new suppliers are added, or there are substantiated indications of violations at indirect suppliers.
Must indirect suppliers always be included in the risk analysis?
No, indirect suppliers are only included where there is justified cause (§ 5(2) LkSG). Such cause exists when there is actual evidence of human rights or environmental violations at indirect suppliers, or when the company becomes aware from other sources of elevated risks in certain procurement regions.
Which sources are permissible for the LkSG risk analysis?
The LkSG prescribes no specific sources. Sources that are permissible and established in practice include: the CSR Risk Check of the BMAS, the Corruption Perceptions Index of Transparency International, ILO country reports and sector-specific risk profiles (e.g. from sector sustainability initiatives). The sources used must be documented.
How detailed must the risk assessment be for each supplier?
The LkSG requires an appropriate level of depth, determined by risk level and sphere of influence (§ 3(2) LkSG). High-risk suppliers require more in-depth analyses with source evidence and direct supplier questionnaires. For low-risk suppliers, a plausible categorisation with a reference to the data basis suffices.
Must the risk analysis be approved by management?
The LkSG does not prescribe explicit approval by management, but § 4(3) LkSG requires the LkSG officer to report to management. In BAFA practice, management approval is regarded as evidence of the institutional embedding of the risk analysis and should therefore be documented.
Can the risk analysis be conducted by an external consultant?
Yes, the LkSG does not require internal conduct. Responsibility remains with the obligated company, even if external officers or consultants lead the methodology. The decisive requirement is that the results are accepted within the company, take responsibility from the officer, and are documented in the internal system.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.