Conversation with CS3D Advisor Greta Koch

Ulf Venne: 

Hello everyone and welcome to today’s webinar from Everstream Analytics, a conversation with CS3D negotiator, Greta Koch. I’m Ulf Venne and I’m your host today. We’re going to have a fun time talking about the EU corporate due diligence directive and how it has been made and so on and so forth. And we were going to do this as already our title says with Greta Koch, who is a policy advisor. She’s an expert in AI, working on sustainability for a long time. I just want to welcome you, Greta, and thank you for being here. 

Greta Koch: 

Thank you very much also for having me. 

Ulf Venne: 

So for everybody on the call, we are not going to do an in-depth and detailed introduction into Greta’s life and experience because we have done that before in a podcast together, Greta and myself. It’s called Supply Chain Pioneers. It’s a hobby podcast, but sponsored by Everstream Analytics so I’m happy to share that here. So if you want to know more about Greta and where she’s coming from and her views on the Supply Chain Law in-depth, please check that out. And otherwise, I would now hand over the floor first to Greta to give us a little bit of insights into what is the CS3D, and maybe some of the things that happened while the negotiation was taking place. Before I will then talk about how Everstream Analytics helps solve the CS3D. And then we’ll have a conversation about some of the topics going on right now around CS3D. So Greta over to you. 

Greta Koch: 

Yes, thank you. So due diligence, in general, is of course the obligation for companies to trace their supply chains and to see whether companies cause or contribute any risks in their supply chain when it comes to human rights or the environment. And this whole conversation was actually sparked by international developments that let economies realize that sustainability in supply chains actually is quite necessary. Also is a topic that would save lives because in the end, it was also inspired by Rana Plaza, for instance, where thousands of people died because it was not diligently checked where things were produced. 

And so this whole discussion around international standards of due diligence led to a discussion on the European level, how to improve the performance of companies because there is a wonderful share of companies in the EU that already has due diligence in place and that fulfills the due diligence standards on the international level. But this share was not big enough. And so this is why the commission planned, since 2019 already, to put out the European framework for due diligence directive to have mandatory due diligence for large companies to really check and then also be held liable for things that they themselves cause. 

And so first, in 2020, we started discussing this topic in the Parliament. At the same time, also the German law was in development, but this was a much faster process. So in the end, the German law came much earlier than we did, and we have been developing this law for the past four years. In the end, it was also very politicized topic, so there were a lot of stakeholders that had great concerns with what we had put out, which then translated into the European Council. So the member states, some of them having concerns about the law as such and therefore blocking it. And then in a last-minute push, it actually made it through. 

And this law was then actually published last Friday. So it will enter into force in, I think now it’s 15 days to go. It’s always 20 days after the publication in the Official Journal of the European Union. And then in three years, the first companies will have to actually do due diligence in a mandatory way. And so as you can see here, the scope of this law is really focusing around the largest companies. So we’re talking about companies with more than 1,000 employees and a worldwide net turnover of more than 450 million. And we have a cascading system for the transposition. So in three years’ time, as I said, which will be then 2027, we will have those companies with more than 5,000 employees, then a year later we go down to 3,000 employees, and in five years we’re talking about the full scope, so those companies with 1,000 employees and more than 450 million in turnover. 

This whole discussion around the scope was a huge one. When we were still negotiating in the Parliament, we were talking about much more companies that would be involved. Now in the end, I think it’s 0.001% of companies in the EU that are directly affected. Of course, this law also has indirect effects for anyone that’s connected to the supply chain. But overall, we’re talking about 5,000, I think 5,382 companies of the European Union that are in scope. Of course, the largest share of those are German companies, but that’s the discussion we had. 

As I said, the enforcement scheme also has liability connected to it, but there’s also the penalties on the other side, which will be I think the enforcement mechanism that will be more used than the actual liability. So we have a kind of weird way to formulate this penalty, but in the end, the highest possible sanction that a company can receive for the worst thing that you can imagine under the due diligence regime should not be less than 5% of the company’s worldwide turnover. This is a very open definition because in the end, member states can decide to go higher than 5% for the worst kind of sanction, but also not every sanction will be the worst kind so you can also easily go below 5%, which is why it’s more a guideline than anything else. 

In terms of liability, what we have is a scheme that is very close to what is already happening on member state level. The EU doesn’t actually have the competence to change really the civil liability regime of a member state, but what we do say is that a company caused an actual damage, so a damage to an actual person then can be held civilly liable. 

And what we also say is that a company should not be held liable for anything that was caused by someone else. So you really have to be directly responsible. It’s really direct causality for any kind of liability that you might face as a company. And here also the definition of this damage and whether you caused it or not, is still member state law. So we’re not really changing the status quo, we’re just stating the fact that companies should be as liable as they already are under national law. 

I think with that, you can go to the next slide, which is really the due diligence process. So what do companies actually need to do? They first need to assess their supply chain. The law actually talks about the chain of activities. We were talking about value chain, supply chain. It was a whole fight around what you should actually call it, but in the end it’s really about what is the definition, and here we went for chain of activities. In reality, we’re really talking about the upstream supply chain, which might include transport, storage, and distribution on the downstream side, but also only when it’s directly done by a company. So you don’t have to trace your consumer relations or who you sell to or who uses your product. It’s really about the supply chain from the raw material to your stage of the product, and then maybe who transports it for you, but this is the maximum already. 

Then companies have to assess their risks in their supply chain. Here we take a very clear risk-based approach, so companies should trace those risks that are most severe and most likely, nothing else. So it’s really about assessing where the most severe and most likely risks lie. And you do that based on OECD criteria. So the OECD process really has a list of risk factors that you can use in order to assess where your risks might lie. And this is the most obvious ones, of course, are the geographic locations and the sector. So based on your geographic location and sector, you can already assess, “Okay, I am selling tomatoes that I have grown in Germany. Tomatoes in Germany is not a high-risk sector in a high-risk location. So here I don’t really have to check, but instead I might have other risks in my supply chain that I actually should look at.” 

And other than sector and geographic location, we’re talking about product-based and also company-based risk factors. So your company structure will in the end also very much determine how far you need to go. And so once you’ve done that, the company can still prioritize. So it’s really a very clear risk-based approach from start to finish. 

Then of course we have a contractual approach to due diligence. So you should change your contracts and really implement due diligence in all levels of your company, and you should also check your information level. This is something that we’ve also very clearly stated in the law is that if you don’t have any information because you can’t access it, that is of course also understandable because different from a German law where you are mostly focusing on your Tier-1, here we are really taking a holistic approach to the supply chain, and so it’ll get more difficult the further down you go in your supply chain to get information. So you can declare if you can’t get any information, this will be also something that will mostly, for instance, happen on the Chinese market where it’s impossible to sometimes even receive answers. This is all something that we’re taking into account. 

The next layer of this risk-based approach is your relationship with the impact. So we are very clearly instead of, as I said, trying to differentiate between is it Tier-1, is it Tier-2, is it Tier-3? It’s much more about what did you contribute to this risk. So if you yourself caused it, then there’s also an obligation of result. If you caused a risk, then you really have to take concrete measures in order to make sure that this risk is mitigated. If you only contributed partially to a risk, then you should cease your contribution. So you can try to take measures in order to really cease those parts of the risk that you contributed to to really try to make an improvement there. 

And another layer is that if this is happening in your supply chain, but you actually did not cause or contribute to it at all, then I’m sorry, I’m disturbed by a massive raid right now outside, sorry so my sound was disrupted, but I hope you can still hear me. So if you did not cause or contribute to it, but it was done somewhere in your supply chain that then you don’t have any obligation of result, it’s really an obligation of means. So you should try to use your influence in order to mitigate that risk. But if you don’t have any influence, then there’s nothing that’s completely expected from you. You can also not be sanctioned and you cannot, as I said, not be held liable for anything that happens there. 

So this is very, very important to understand the risk-based approach. It’s much less about where your risk lies and rather how much you’re responsible for it. And this is also important for companies to understand how far they need to go because depending on your business model, you might not even need to check your Tier-1 because there are no risks or because you’re not responsible for them. But in other cases, you might need to go much further than your Tier-1 because this is directly, like a severe risk that was directly caused by you. And so this is very important to understand the logic of due diligence. 

So once you have assessed your risks, you should really take appropriate measures to really remedy the situation, and you should also document the measures that you have taken. So of course, due diligence is never a tick box exercise. You should really continuously assess, and also you will have to have a due diligence strategy that is continuously a process rather than just something that you do once a year. But you also have to document this. 

Different from the German law, we have already a reporting mechanism in place, so we have the CSRD which companies already have to fulfill. And so the reporting is actually already happening under the CSRD, which already defines the value chain. So this is already done. We are not doing any extra reporting under the due diligence directive. 

And so yeah, the measures that you have to take in order to mitigate a risk really completely depend on your context. In the law, we set out a list of things that you can do, but you can choose the mechanism or the appropriate measure that is actually most relevant to your own context because in the end, of course, a lawmaker cannot decide for you what is actually necessary for you to mitigate a risk. It really depends on the stakeholders and what they think about it, what kind of measures you have at hand. And so this is more like an orientational list of measures that you should choose from and that should be most appropriate for you to take. I think this is, yeah, this is the risk-based approach. I hope it was understandable. I do see some questions already, but I have to read them first before I can answer them. But yeah, maybe Ulf you can go ahead in the meantime. 

Ulf Venne: 

Yeah, we’ll do that later. I’ll actually read them aloud as well for everyone’s sake. 

Greta Koch: 

All right. Perfect. 

Ulf Venne: 

Real quick, only because we have a ton of questions already in the chat, which is great, and I also have some leftover from my side as well. So we want to move quickly, but I still have to quickly introduce how Everstream really helps because obviously there is the CS3D, there’s the German Supply Chain Law, there’s UFLPA, there are many others, but they all operate in a very similar capacity and our system is positioned in a way to help you solve all of these at the same time. So from mapping your supply chain, obviously as we just heard, sometimes it’s only Tier-1 you have to map. Sometimes you don’t even have to map Tier-1, but more your own locations and sometimes you have to go down to the sub-tiers and going down to the sub-tiers can be very hard. And we are using a mix of AI, human expert validation and then also customer input in order to generate the best and most likely sub-tier supply chain you can have and that then can go down several tiers. 

And that is a very strong and proven technique that we’re using now for several years and have seen great success with that. So this is, I think, a great foundation to start with once you identify that you have to work on building out your sub-tier supply chain. Then obviously we have to do the risk-based approach. So you have to strategically look at where is it most likely that something is going to happen to me? We talked about tomatoes in Germany not being a big issue. That is something that our risk exposure scores will help you with. 

So we will take a lot of different factors from child labor to forced labor to environmental damages to corruption and so on and so forth, put all of these to each and every location you have. Most of them are region or point-based, some of them are country-based, in order for you to understand the risk. Then you can survey to understand even more. We can add your own risk scores to it. For example, do you have a code of conduct already signed with them or not, which minimizes your risk. So you eventually find the subset of suppliers that is really most likely to be a problem. 

And then you start monitoring and taking action, which we pride ourselves with having very holistic coverage on alerts. In fact, I think we have the highest density of alerts per year that you can find by at the same time providing very high relevance. And we do that by having an AI and human approach at the same time. So we have people that are researching every day trying to find the best intelligence out there for you and leveraging AI to make that process as efficient as possible. 

But for some things, like for example with human rights violations, sometimes there is not good internet source and you have to rely on other sources or paid sources and that’s, or partnerships, and that’s what we do and then our experts come into place and help provide the transparency that you really need and want. So with all of that put together, you can screen new suppliers, you can look at your existing network, you can map your sub-tier supply chain and really be ready to fulfill the reporting at the end of the year. But do it with minimal impact to your workers and your employees because they just naturally get handed the most important information at the end and then only take action when they need to. And that then you put in your report and you’re done. It’s a much easier process like this. 

And we have done so with many different companies. Here is one of our global automotive Tier-1’s that have worked with us on this. And they were really already working with us on just mitigating risks, which is our core business is mitigating operational risks, stopping production halts and so on. And they were really happy they could use the same software for mitigating their sustainability issues because now they have the same fundamentals to start with, the same data stream. At the same time, they have operational cost savings through mitigating their incidents, their disruption risks, and because now it’s just another data feed, they’re having a much more sustainable sustainability initiative because they get the ROI from one side and then that is just an add-on essentially. And that it makes it just very compelling. Also for your CFO because it’s not only the tick in the box, but you can really make a difference while at the same time saving a lot of money by mitigating operational risks. 

So they are very happy with what they do and feel very much equipped for CS3D. We actually finalized the whole reporting for LKSG as well, but then got stopped last minute and that was a little bit disappointing, I have to say for everybody involved. I was working very hard on that as well. But maybe we can talk about this in our conversations. If you have any more questions around them, please put them in chat. But I just want to ask first, so I do know that the forced labor regulation and CS3D were essentially issued at the same time, do you have any opinion what’s the big difference? Because both are kind of tackling the same topic, but then I think it’s a different breed of regulation, I guess. 

Greta Koch: 

Yeah, that’s true. So the reason why those things were separately presented is really because forced labor was supposed to be a completely different mechanism than due diligence. Due diligence is really about company law and companies assessing their risks while forced labor was meant as a trading instrument. So really to block any kind of trade that was produced using forced labor. And of course, as part of due diligence, the main part of due diligence is really to make sure you don’t have any forced labor or child labor in your supply chain. I think that’s the biggest issue you should look for first. But for the forced labor regulation was originally meant as a complete trading exercise and trading mechanism, and therefore also regulation, it’s not company law at all. 

And so I think that it’s partly the problem of how the EU actually deals with these kinds of issues in the system of the EU, that you have completely different people working on those issues and they’re not looking left and that these topics were not streamlined more correctly. 

I think the same can also be said, for instance, for the CSRD, which already asks reporting on the supply chain without defining it because due diligence was supposed to deliver that definition and these kinds of things. And of course you also, an argument is often that if one of the laws failed, you at least still have the other one. So due diligence could have easily failed. In the podcast, if you listen to it, I actually say it will fail so just for you to know the timeline of this podcast and then you would’ve at least had the forced labor regulation, but now you have both at the same time and they’re not streamlined correctly. And that’s part of the trouble. 

And often the feedback that I get from companies on due diligence can be quite negative, but it’s actually now turning a corner, I would say. I feel like some feedback that we get is also positive, but now the forced labor regulation and also deforestation regulation are really taking the hits. So yeah, it’s interesting how this conversation evolves. 

Ulf Venne: 

Yeah. And that actually leads me to my next questions before we go to the questions we got from everybody else, because imitation is the best form of flattery, and now we see that the German Supply Chain Law might get transformed very quickly to already go into the direction of the risk-based approach coming from the CS3D, maybe also because it has a better reputation. What is your view on that and does it make you happy in any which way or is it just good news? 

Greta Koch: 

I mean, in the end, they have to transpose the European law because they have to. It’s a European directive, so Germany has to transpose it into law, and that means they have to change the German law. I’m not sure they would’ve done that any otherwise, but I think that it’s very important to understand the differences in the risk-based approach because it’s often argued that essentially they’re the same, but the structure is different. And we really tried to learn from the lessons learned of the German law and the problems that came with the approach that was taken because the fact that it was a clear Tier-1 approach, but which also meant that you immediately have to change your contracts and you immediately have to trace all the risks, or at least that was how it’s interpreted, led to companies really losing faith in the exercise of due diligence because it felt like it’s a huge bureaucratic exercise that felt entirely unnecessary on a lot of parts of the supply chain. And they also felt like it wouldn’t have any effect anyways. 

And that is kind of true because most of the risks, of course, not all of the risks, but most of the risks are not happening in your Tier-1. If you look at child labor, I would be surprised if anyone had forced labor or child labor with a direct supplier. And so in order to make it more effective but also more efficient, we really worked very hard to try to focus it more, rather than following the German approach, we really tried to say, “Okay, we already have the international standards by the OECD. These have been working well for companies for 10 years. Mind you, they were of course not mandatory and there was no liability connected, but the standards themselves have worked very well.” And so we try to mirror that logic to really say, “Okay, from the get go, you only look at the most severe risks. We have a clear list of risk factors, so this will be very clearly defined by the commission.” And from there you have to really look at your relationship with the impact. 

And if you are causing it because it’s in your own company or because you set the pricing strategy or because you have contracts that lead to a specific situation, then you should also do something about it. And everything else has to remain an obligation of means because it’s impossible to ask companies to go any further than that. And this is really a logic you have to understand, and this makes the bureaucratic exercise of really checking every single thing. I know this has improved, but still there are companies that are even checking the toilet paper that is being used in the company rather than their actual risky suppliers and the product that they are themselves producing. So it’s really about the focus, focus on your most severe issues and the ones that you are actually responsible for and then you have a proper due diligence in place. And this is something that deviates from the German approach, which also says you can prioritize, but it never said actually this supplier you don’t even need to look at because it’s irrelevant. This is really something that should help in practice. 

Ulf Venne: 

Okay. Going into some of the questions we got, I directly take up the last portion of your answer. Could you clarify the scope for downstream chain of activities? Does it include direct and indirect business partners or only direct? And direct means essentially directly involved in your production versus toilet paper or the laptop would be indirect. 

Greta Koch: 

So we do hope that our definition is very clear that for instance, your toilet paper is only, it’s completely irrelevant to your due diligence process. It’s really about the product that you are selling. But when it comes to downstream, we’re not talking about any customer relations or the sale of the product or the use of the product. So it’s really only you have your upstream supply chain and then downstream it’s only talking about distribution, transport and storage of the product. And that also only, if it is done directly on behalf of your company. So only direct relationships, but not even the one that you’re selling to, only the ones that are transporting or storing the product for you and everything else is not part of the definition. So this is not part of the law. 

Ulf Venne: 

Good. And as you already highlighted, the podcast we did together was done while they were still arguing about the law, if it comes into force or not. What were some of the main changes that we have seen since then that were partaking in the compromise? So eventually it got approved, so what were the fine tunings? 

Greta Koch: 

Yeah, so in the last stretch, I mean in general, everything changed a lot. But in the last stretch, the scope changed. So we had originally foreseen a scope of companies with more than 500 employees and that was now doubled up to 1,000. Something that also changed was that the financial institutions are no longer in scope and they’re mentioned, but they actually don’t have to do due diligence because downstream, the downstream supply chain is deleted and there’s no relevant upstream for the financial sector, at least in terms of due diligence. And so really deleting the financial sector in essence was a huge change. 

Then we had a huge discussion around climate change. So originally the commission had proposed that we have these transition plans on climate change that really outline how your climate risks also in your supply chain. And this transition plan is now still mentioned, but it’s completely in line with the CSRD. So with the already existing reporting structure and also you set targets for your climate risks in your supply chain, but it’s not relevant whether you actually fulfill those targets because there will be no enforcement around it. You cannot be sanctioned or held liable for anything relating to your climate risks. And so this was watered down to a sense where it could be easily deleted as well because you already have to do a transition plan reporting under the CSRD, and this was one change that was big. 

And then also the downstream definition. So originally we had foreseen to also include, way back we also wanted to include the sale of the product, but also for instance, the disposal. I think that actually the disposal, in my opinion, was always an important part of due diligence when it comes to environmental impacts. But now the disposal was actually deleted in the last minute by a request from Italy. So every change that was made was by a request from a member state that then in the end could say yes. So those were the major changes. 

Ulf Venne: 

Yeah. For everybody, I understand we are on time, but we have so many good questions that we would like to go over only two or three more minutes for a couple more questions. So if you want to stay, happy, if you want to check afterwards our recording, that’s also fine, but we’re going to continue just a couple of minutes more. So maybe that is something for a short answer. Now, will the EU provide overviews with high-risk countries, industries and sectors, or will we rely on some standards that are already out there? 

Greta Koch: 

Easy answer, yes, we will provide it. 

Ulf Venne: 

Good. That’s a very easy answer. Good. And then there were several questions around penalties. So we talk about penalties of 5%, but then I think it’s more a threshold where it can go lower and higher based on severity, I guess. 

Greta Koch: 

The severity, yeah. 

Ulf Venne: 

And then also different for each country, can you maybe confirm that just once again how that exactly works? 

Greta Koch: 

Yeah, so we have this number of 5%, but this is just for member states to basically align with this goal that the most severe mistake in the due diligence policy by a company in the member state should be sanctioned with at least 5%. But that means that member states have a list of sanctions basically, and then the highest possible one has to be above 5%. But that does not stop member states from setting any higher thresholds. Also, for instance, I don’t know, Germany could decide to say actually we want to have a sanction for the worst one that’s higher than 5%, we go up to 7%. So there will be a huge difference actually in terms of sanctioning among the member states because the EU doesn’t have any competence to harmonize this. But yeah, we will have member states that go above 5% and for anything that’s not the highest possible sanction, you can also go below 5%. So it’s in the end up to member states. I don’t know what these lists will look like and we will see that in two years. 

Ulf Venne: 

So essentially you’re trying to anchor them around a number in the law as good as possible, but in the end they have to decide? 

Greta Koch: 

Exactly. 

Ulf Venne: 

Yeah. Good. Then I think that’s a question that’s very deep into the text of the law already. So what’s the difference between own operations and subsidiaries? 

Greta Koch: 

That depends on the group structure. So what we do say is that parent companies also fall under the scope if the group together reaches the threshold. So if you’re a parent of a group that has more than 1,000 employees, you’re already covered. And the parent company then, if it’s covered, is already responsible for all their subsidiaries. So originally we would say own operations, it’s really what’s happening in a single company, not in every subsidiary except for the parent. The parent really has to do due diligence for all of their subsidiaries as soon as it’s covered. 

Ulf Venne: 

And then we have a last question. How can we, it’s not the last question, but the last we’re going to cover here actually. So how can we determine under CS3D company’s responsibilities and risk, whether entire or partial, given complexity and length of supply chain? 

Greta Koch: 

So that’s what we have the risk-based approach for, that you really look at your most, you first go by severity. So first you check what most severe risks are out there and then you check your involvement with the risk. And so it’s really about, I don’t think that you will have caused a risk from in the length of a supply chain where you don’t even know who the supplier is. I think that’s quite impossible. So causing really happens when companies are fully aware of what they’re doing usually. And so if you’re contributing to a risk, you might need to go a bit further, but that’s why we have these different levels of involvement. They don’t always translate also towards the length. 

So causing does not always happen in Tier-1. It can also happen in Tier-2, but I don’t think it happens at the end of the supply chain. And similarly, if you have a very long supply chain and you don’t have any information, nobody’s expecting you to receive the information with any unreasonable means, you can declare that you don’t get any information. And so that’s why we’re trying to, I know it’s difficult and complex process, but we’re trying to tailor everything towards the needs of the company to really take into account your context, your length, and also your market power. 

Ulf Venne: 

Yeah. So we have many more amazing questions. Just wanted to highlight again, if you need help in implementing the law, we’re obviously at your disposal. I also shared, on the last slide, our practical guide on how to implement it from a digital technology perspective and how to make it easier for you as a company. And with that, I want to say- 

Speaker 3: 

Sorry, I think we just lost Ulf. But thank you very much Greta for joining us today and we will be sending out the recording to everyone shortly after the broadcast ends. Thank you very much. Enjoy the rest of your day. 

Greta Koch: 

Thanks for having me, and thanks for participating. Bye. 

Speaker 3: 

Bye-bye.