International Supply Chain Compliance: Increased Liability Risk for Decision Makers


published on 25 October 2023 | reading time approx. 7 minutes

As the legislative requirements for companies' due diligence along their supply chains grow, so do the demands on the respective decision-makers. In addition to the expectation of profitable corporate management, there is also the requirement to protect the company and its shareholders from economic damage as a result of supply chain violations and the associated sanctions.

Instruments of international supply chain compliance

With the entry into force of the German Supply Chain Act (Lieferkettensorgfaltspflichtengesetz - LkSG) on January 1, 2023, the due diligence standard for German companies in the field of supply chain compliance has become significantly stricter. But it is not only the German legislator that is increasing the obligations along the supply chain. The EU is driving forward the implementation of its Green Deal, continuing the trend toward greater transparency in the supply chains of European companies and a significantly tightened legal framework in the field of supply chain compliance. The European Corporate Sustainability Due Diligence Directive (CSDDD) is in the starting blocks, and there are already effective instruments in place to require companies to comply with certain duty of care standards in supply chains, such as the Conflict Minerals Regulation, the Corporate Sustainability Reporting Directive (CSRD), and the recently added Regulation on deforestation-free products.

Risk of sanctioning for the company

All these regulations have one thing in common: a much stricter sanctions regime. From interim measures such as the seizure of products to exclusion from the public procurement process to financial penalties – the catalog of sanctions is long and has the potential to put the affected companies in a position that could threaten their existence.

In order to avoid such sanctions, decision-makers need to act decisively. But the challenge of fulfilling the legal requirements is great. The jungle of international regulations is difficult to navigate and, in certain cases, can lead to paralysis rather than action. The question of how much of this is actually still within the company's sphere, and to what extent the company can and wants to get involved in monitoring its supply chain, often hinges on investments, costs and the use of personnel capacities.

In particular for midsize companies, implementing the legal regulations often means establishing completely new processes for documentation, control and reporting; in other words, an immense effort (and/or costs). But what happens if these processes are not implemented fast enough, not sufficiently or not at all? What if such strategic decisions are blocked within the group of shareholders or there is disagreement within the executing bodies about the necessary measures? To what extent is the management body allowed to make its own decisions, and at what point does a decision become the responsibility of the shareholders?

Monitoring the supply chain as a management task

The monitoring of the supply chain and the fulfillment of duties of care under the LkSG is primarily the responsibility of the company's management. They must ensure that the company always acts legally and fully complies with its obligations in business transactions.

Within the scope of this so-called duty of legality (Legalitätspflicht), the management also has no discretion. Whether the duties of care under the LkSG are complied with is not at issue. However, the "how" is often a question of detail, which is part of the general organizational duties of the management. In this area, economic discretion arises, which must be properly exercised within the framework of the business judgment rule.

Involvement of the shareholders

In the case of a limited liability company (GmbH), the discretion of the management ends where the shareholders' meeting has defined the limits. On the one hand, this concerns the classic reservations of consent, by which the shareholders' meeting reserves the right to have a say in essential matters of the company. Depending on the individual case, this can be, for example, investments (above certain monetary thresholds) or the creation of appropriate personnel capacities through the hiring of employees, or, on the other hand, it can manifest itself indirectly through the authorization of budget planning. If the management disregards those reservations of consent, it may be liable to the company.

Since the shareholders' meeting of the GmbH is the highest body of the company, it is also free to intervene in management decisions by issuing instructions. Such instructions are binding on the management, provided they are within the scope of discretion and do not exceed the duty of legality. However, the right to issue instructions is not available to the shareholders individually, but can only be exercised by shareholders' resolution. If there is disagreement among the shareholders about the strategic direction of the company, the mechanisms for conflict resolution set out in the articles of association come into play.

When it comes to monitoring the fulfillment of duty of care standards by the management and their organization, the shareholders' meeting is not legally obligated to monitor whether the management is doing enough, but it can always request information through its information rights and take decisions if it wants to. An instructing resolution of the shareholders can have a liability-releasing effect for the management, at least as far as the internal liability towards the company is concerned.

In the case of a stock corporation (AG), the management board acts independently. At most, it must observe reservations of consent in favor of the supervisory board. It is not possible for shareholders to exert direct influence on management decisions via the Annual General Meeting. A conflict between the common good and shareholder value interests has an even stronger effect here. Shareholders depend on the supervisory board to fulfill its monitoring duties as to whether the management board is fulfilling its duty of care obligations in the field of supply chains. To ensure effective monitoring, suitable authorization catalogs should be defined and periodical reporting to the supervisory board ensured. In the event of a serious incident, the management board can only be dismissed if it persistently violates its duty of care obligations.

Depending on the form and structure of the company, the ability of shareholders to influence such fundamental strategic decisions and the monitoring of supply chain standards therefore varies greatly. The creation of appropriate and functioning internal governance structures is therefore also an essential factor at shareholder level. After all, the common goal is always to protect the company from economic damage and to safeguard its reputation.

General liability of corporate bodies

The executive bodies are obliged to act in the best interests of the company. If they fail to do so, they are internally liable to the company. Such internal liability of the executive bodies towards the company is firmly anchored in both the German Limited Liability Companies Act (GmbHG) and the German Stock Corporation Act (AktG), § 93 (2) Sentence 1 AktG and § 43 (2) GmbHG respectively.

The standard of fault is the diligence of a reasonable and conscientious (“ordentlicher und gewissenhafter”) manager, § 93 (1) Sentence 1 AktG and § 43 (1) GmbHG. The decision-maker bears the burden of proof for compliance with this standard of diligence, § 93 (2) Sentence 2 AktG. Under certain circumstances, the decision-maker may even be liable for breaches of duty committed through simple negligence.

This raises the question of the precise definition of this standard of diligence. In principle, every company management is subject to the duty of legality, i.e. the legal provisions that affect the company in its external relationship. This also includes duties of care under public law, such as those under the LkSG. However, § 93 (1) Sentence 2 AktG contains the business judgment rule. According to this rule, there is no breach of duty of care if the decision-maker assumed and could reasonably assume that he was acting in the interest (“zum Wohle”) of the company. This legislative definition shows that the existence of a breach of duty of care depends, to a large extent, on the individual case. The problem here lies in the distinction between a mistaken decision, which is still covered by the discretion of the company manager, and the actual breach of a duty of care. The company management often has a wide discretionary scope in the execution of its rights and duties. Over the years, this scope of discretion has been further specified by case law for the various areas of responsibility of the executive bodies.

Liability of executive bodies for breaches of supply chain obligations

In the area of duty of care obligations under supply chain law, there has been a lack of landmark decisions in case law so far. It remains to be seen whether and to what extent decision-makers will have to be held liable for a company's failure to comply with its supply chain obligations. The individual regulations already contain high and, in some cases, specifically defined duty of care requirements that are likely to considerably restrict the discretion of decision-makers. According to § 6 (2) Sentence 2 LkSG, for example, when a risk is identified, the company management must issue a policy statement on the company's human rights strategy in order to avoid acting in breach of § 24 LkSG.

In addition, parallels can be drawn with similar duties of care from other areas of responsibility. One example is a breach of duty due to an inadequate risk management system. The establishment of a functioning risk monitoring system is part of the general organizational duties of the executive bodies. The duty to monitor developments that pose a threat to the company's existence is enshrined in § 91 (2) AktG. Even though there is no comparable provision in the GmbHG, it is also mandatory for a GmbH managing director to set up a functioning risk monitoring system. The legally required risk monitoring also includes, among other things, the mandatory audit of the annual financial statements, §§ 316 et seq. HGB. This suggests that breaches of other reporting obligations, such as those under the LkSG, could also be understood as breaches of duty of care leading to liability.

Possibilities to reduce liability

Therefore, the question of possibilities to reduce the liability risk of decision-makers arises. It can already be said that there is no panacea for liability risks associated with supply chain law.

Affected decision-makers are well advised to take appropriate precautions as soon as possible. In particular, if not already in place, a compliance management system should be implemented as soon as possible. Synergies should be utilized and obligations (e.g., documentation and reporting obligations under CSRD and EUDR) should be bundled.

One possibility could also be the delegation of certain obligations. Although this does not lead to a release of liability for the decision-maker, it does help to ensure an effective allocation of tasks and thus reduce the liability risk. Delegation is generally permissible provided that no original personal duties of the decision-maker are affected. Here too, however, the standard of § 93 (1) Sentence 1 AktG must always be observed. This covers the selection of the person to whom the delegation is made and the supervision of that person. As compliance is basically an original management task, the possibility of delegation is very limited. However, such delegation is conceivable in the case of the establishment and monitoring of the above-mentioned compliance management system. In view of the high complexity of such a system and the quantity of duties, delegation may not only be useful but even necessary. However, in this case, too, a balance must be found between the essence of original management tasks and necessary delegation.


The requirements in the field of international supply chain compliance are increasing and with them the risk of sanctions for breaches of duties of care. Since the decisions or inaction that lead to such violations are usually directly attributable to the management, this also increases the risk of internal liability of the decision-makers towards the company.

This risk must not be shifted or even ignored, but specifically addressed. Especially by creating appropriate compliance structures, liability risks can be identified and then eliminated. In doing so, a holistic approach should be adopted. From the introduction of new processes to their documentation and reporting, a comprehensive strategy should be developed at management level and, where necessary, (legal) advice should be sought.