Process requirement 1
Excerpt from the contract clause
Supplier shall integrate the commitments in the Supplier Code of Conduct into policies and allocate responsibility for policies and due diligence, by
a) ensuring that relevant policies, established at the highest management level, are adopted or revised to align with the commitments in the Supplier Code of Conduct,
b) making the policies publicly available and communicating them to rights-holders affected by its own operations,
c) ensuring that the board of directors considers the policies when making decisions,
d) appointing one or more persons in management positions as responsible for the due diligence process and
e) assigning responsibility for the implementation of the policies to employees whose decisions are most likely to increase or decrease the risks of adverse impacts.
Policies
You shall ensure that relevant policies, established at the highest management level, are adopted or revised to align with the commitments in the Supplier Code of Conduct.
Policies are high-level public statements that outline your commitments. They differ from operational guidelines and processes, which are internal tools used to implement policies in practice.
-
All relevant policies with the CEO's signature and date of signing or a statement indicating the board of director's adoption date.
-
If you use a multi-stakeholder initiative's code of conduct, you shall be able to present a comparison of the code against the commitments and a description of how you are working to have the initiative revise its code if necessary.
Guidance for auditor
Fulfils requirement
Policies that are aligned with the commitments (see expandable text above) are in place for both the company's own operations and its supply chain.
All policies have been established at the highest management level, which can be demonstrated, for example, through the CEO’s signature or a decision by the board of directors.
Date is not required.
Does not fulfil requirement
Policies are entirely missing or incomplete:
-
The policies cover only the company's own operations or supply chain.
-
The policies are not aligned with the commitments (see expandable text above).
-
The policies have not been established at the highest management level, or there is no evidence of this, such as a CEO signature or a decision by the board of directors.
-
Only internal guidelines exist, not public statements of commitment.
-
The company relies on a multi-stakeholder initiative’s code of conduct but has not compared the code with the commitments and/or cannot explain how they are working to ensure that the initiative updates the code, if necessary.
Making the policies publicly available
You shall make the policies publicly available and communicate them to rights-holders affected by your own operations.
By rights-holders affected by your own operations, we primarily mean employees. Policies can be shared with them via the intranet, in your premises, during onboarding and training sessions, and regularly as needed. In addition, policies shall be publicly available to other affected stakeholders. For example, policies aimed at suppliers or local communities shall be published on your website.
Regardless of where the policies are made publicly available, they shall always be provided in local languages if you, for instance, operate in other countries or have received permission to post your supplier code of conduct in the factories you source from.
At the same time, rights-holders shall be informed about complaints procedures linked to the policies. These procedures may include both formal mechanisms and guidelines for contact with management, HR, and other responsible parties. A common mechanism is whistleblower channels.
-
Links to websites.
-
Photos of policies publicly available in your premises.
-
Screenshots or printouts of intranet pages or onboarding systems.
-
PowerPoint presentations from employee introductions or training sessions.
Guidance for auditor
Fulfils requirement
The policies are public and accessible to relevant stakeholders:
-
Policies that affect employees are communicated via, for example, the intranet, on the premises, during onboarding and/or training sessions.
-
Policies that affect external stakeholders, such as suppliers and local communities, are available on the website.
-
The policies are translated into local languages where operations are conducted. If the code of conduct has been posted at supplier sites, also this has been translated into local languages.
Does not fulfil requirement
If policies are entirely missing, only cover the company’s own operations or the supply chain, or are not aligned with the commitments, this shall also affect the assessment of public availability and communication.
The policies are not public or are difficult for relevant stakeholders to access.
-
Policies are not communicated to employees via, for example, the intranet, on the premises, during onboarding and/or training sessions.
-
Policies that concern external stakeholders, such as suppliers and local communities, are not available on the website.
-
The policies are not translated into local languages where operations are conducted. A code of conduct posted at supplier sites has not been translated into local languages.
The board of directors
You shall ensure that the board of directors considers the policies when making decisions.
The board typically approves policies and sustainability reports and makes strategic decisions that impact people, the environment, and society. Therefore, having board members with sustainability expertise and responsibility can be valuable.
To ensure that the board considers policies in its decision-making, a checklist can be used. We have developed such a checklist, which can be found below under Templates process requirement 1. If the board follows this checklist, the requirement is considered fulfilled, but using the checklist is not mandatory. You can meet the requirement in other ways, such as through clear instructions.
-
Instructions describing how the board of directors considers the policies when making decisions, both for your own operations and the supply chain.
-
Checklists for decisions.
-
Meeting minutes where considerations have been recorded.
Guidance for auditor
Fulfils requirement
The board takes the policies into account when making decisions that affect people, the environment, and society, and this is evident through, for example, instructions or checklists. It is therefore sufficient that the company can demonstrate that procedures exist for taking the policies into account — proof that this has actually occurred is not required.
However, evidence that the policies have been taken into account can strengthen the company’s claim that such procedures exist. Examples of such evidence include materials for board meetings where the policies are referenced in risk assessments or recommendations ahead of corporate acquisitions, strategic partnerships, or sourcing from high-risk suppliers; meeting minutes/board decisions; and annual or sustainability reports showing that the board has linked business decisions to the policies.
Does not fulfil requirement
There are no instructions or checklists showing that the board takes the policies into account when making decisions that affect people, the environment, and society.
There is also no evidence that the policies have been taken into account, which could otherwise strengthen the company’s claim that procedures exist.
Responsible persons in management positions
You shall appoint one or more persons in management positions as responsible for the due diligence process.
Management functions are responsible for implementing policies in practice. This typically includes the CEO, CFO, HR Director, General Counsel, Procurement Director, and Sustainability Director. However, the most relevant roles depend on your company's operations and the risks you face.
-
Instructions
-
Organisational charts
-
Job descriptions for management positions
Guidance for auditor
Fulfils requirement
One or more individuals in management positions have been appointed as responsible for due diligence in the company’s own operations and supply chain.
Relevant roles have been identified based on the company’s activities and risk profile — for example, the CEO, Head of HR, General Counsel, Head of Sustainability, and Head of Procurement.
The division of responsibilities is documented — for example, through instructions, organisational charts or job descriptions — and there is a clear link between the designated functions and the due diligence process.
Does not fulfil requirement
If policies are entirely missing, only cover the company’s own operations or the supply chain, or are not aligned with the commitments, this shall also affect the assessment of responsible persons in management positions.
There are no individuals in management positions with responsibility for due diligence in the company’s own operations and supply chain.
Management positions with responsibility for due diligence exist, but not all relevant roles have been identified based on the company’s operations and risks.
There is no documentation — such as instructions, organisational charts, or job descriptions — clearly showing the connection between management functions and due diligence.
Employees who increase or decrease the risks
You shall assign the responsibility for the implementation of the policies to employees whose decisions are most likely to increase or decrease the risks of adverse impacts. Below is a list of departments and functions, along with examples of the commitments they are often responsible for.
Departments and functions
Examples of commitments
Sustainability, responsible purchasing | Potentially all commitments |
Environmental and/or social experts | Human rights, workers' rights including health and safety, the environment |
Personnel/HR | Workers' rights including recruitment, industrial relations and health and safety |
Operations, production | Human rights, workers' rights including health and safety, the environment |
Legal, compliance, ethics/integrity | Human rights, workers' rights including employment and industrial relations, business ethics, supplier agreements |
Purchasing, supply chain management, business relations | All commitments, including risk assessments, supplier assessments, contracts and follow-up (through audits and other methods) |
Community development | Human rights, the environment, community health and safety, stakeholder engagement, disclosure |
Risk management | Potentially all commitments |
A clear division of responsibilities requires effective internal communication about policies, guidelines, and processes. However, since responsibilities often span multiple departments, cross-functional groups or committees may also be needed to facilitate information sharing and decision-making. It is additionally important that relevant employees have the necessary skills, training, and influence within the organisation.
Resources for policy implementation should also be adapted to your risk profile. In smaller companies with limited risks, existing employees may be able to manage the risks as part of their roles. For companies with greater risks, dedicated personnel and budget are often required.
-
Instructions
-
Organisational charts
-
Job descriptions for management positions
-
PowerPoint presentations from training sessions
Guidance for auditor
Fulfils requirement
There is a clear division of responsibilities for the implementation of the policies in the company’s own operations and supply chain, adapted to the risks.
This division of responsibilities is documented — for example, through instructions, organisational charts or job descriptions — and there is a clear link between the responsible functions and the work to mitigate risks.
Other types of material can also strengthen the picture of a well-functioning allocation of responsibilities, such as PowerPoint presentations or screenshots from training sessions, and documentation of cross-functional groups or committees that facilitate coordination and information sharing.
Does not fulfil requirement
If policies are entirely missing, only cover the company’s own operations or the supply chain, or are not aligned with the commitments, this shall also affect the assessment of allocation of responsibility for implementation.
There is no clear allocation of responsibility for the implementation of the policies in the company’s own operations and supply chain.
An allocation of responsibility for the implementation of the policies in the company’s own operations and supply chain exists, but it is not adapted to the risks.
There is no documentation showing how responsibilities are assigned — such as instructions, organisational charts or job descriptions. The connection between responsible functions and the work to mitigate risks is unclear.
There is also no other material that would strengthen the picture of a functioning allocation of responsibilities, such as documented training or cross-functional groups for coordination and information sharing.
