Process requirement 1
Excerpt from the contract clause
Supplier shall integrate the commitments in the Supplier Code of Conduct into policies and allocate responsibility for policies and due diligence, by
a) ensuring that relevant policies, established at the highest management level, are adopted or revised to align with the commitments in the Supplier Code of Conduct,
b) making the policies publicly available and communicating them to rights-holders affected by its own operations,
c) ensuring that the board of directors considers the policies when making decisions,
d) appointing one or more persons in management positions as responsible for the due diligence process and
e) assigning responsibility for the implementation of the policies to employees whose decisions are most likely to increase or decrease the risks of adverse impacts.
Policies
You shall ensure that relevant policies, established at the highest management level, are adopted or revised to align with the commitments in the Supplier Code of Conduct.
Policies are high-level public statements that outline your commitments. They differ from operational guidelines and processes, which are internal tools used to implement policies in practice.
-
All relevant policies with the CEO's signature and date of signing or a statement indicating the board of director's adoption date.
-
If you use a multi-stakeholder initiative's code of conduct, you shall be able to present a comparison of the code against the commitments and a description of how you are working to have the initiative revise its code if necessary.
Guidance for auditor
Fulfils requirement
The company has policies for its own operations that are consistent with the commitments (see expandable text above for what is sufficient).
The company has policies for its supply chain that are consistent with the commitments (see expandable text above for what is sufficient).
All policies are established at the highest management level, which is evidenced by the CEO's signature or a board decision and date of adoption.
Does not fulfil requirement
The company has no policies at all, or they are incomplete:
-
The policies only cover the company’s own operations or supply chain.
-
The policies are not consistent with the commitments (see expandable text above for what is sufficient).
-
The policies are not established at the highest management level or there is not sufficient evidence of this, such as the CEO's signature or a board decision and date of adoption.
-
There are only internal guidelines, no public statements.
-
The company uses a multi-stakeholder initiative's Code of Conduct but has not compared it with the commitments and/or cannot explain how it is working towards the revision of the Code, if necessary.
Making the policies publicly available
You shall make the policies publicly available and communicate them to rights-holders affected by your own operations.
By rights-holders affected by your own operations, we primarily mean employees. Policies can be shared with them via the intranet, in your premises, during onboarding and training sessions, and regularly as needed. In addition, policies shall be publicly available to other affected stakeholders. For example, policies aimed at suppliers or local communities shall be published on your website.
Regardless of where the policies are made publicly available, they shall always be provided in local languages if you, for instance, operate in other countries or have received permission to post your supplier code of conduct in the factories you source from.
At the same time, rights-holders shall be informed about complaints procedures linked to the policies. These procedures may include both formal mechanisms and guidelines for contact with management, HR, and other responsible parties. A common mechanism is whistleblower channels.
-
Links to websites.
-
Photos of policies publicly available in your premises.
-
Screenshots or printouts of intranet pages or onboarding systems.
-
PowerPoint presentations from employee introductions or training sessions.
Guidance for auditor
Fulfils requirement
The policies are public and available to relevant stakeholders:
-
Policies that affect employees are communicated via the intranet, on the premises, at introductions and/or training.
-
Policies that affect external stakeholders such as suppliers and nearby residents are available on the website.
-
The policies are translated into local languages where business is conducted. If the code of conduct has been posted at a supplier, it has also been translated.
Does not fulfil requirement
The policies are not public or difficult to find for affected stakeholders.
-
Policies are not communicated to employees via the intranet, on the premises, at introductions and/or trainings.
-
Policies that affect external stakeholders such as suppliers and nearby residents are not available on the website.
-
The policies are not translated into local languages where operations are conducted. A code of conduct that has been posted at a supplier has not been translated.
The board of directors
You shall ensure that the board of directors considers the policies when making decisions.
The board typically approves policies and sustainability reports and makes strategic decisions that impact people, the environment, and society. Therefore, having board members with sustainability expertise and responsibility can be valuable.
To ensure that the board considers policies in its decision-making, a checklist can be used. We have developed such a checklist, which can be found below under Templates process requirement 1. If the board follows this checklist, the requirement is considered fulfilled, but using the checklist is not mandatory. You can meet the requirement in other ways, such as through clear instructions.
-
Instructions describing how the board of directors considers the policies when making decisions, both for your own operations and the supply chain.
-
Checklists for decisions.
-
Meeting minutes where considerations have been recorded.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documents/templates that describe how the board of directors takes the policies into account when making decisions.
It is sufficient that the company can demonstrate that there are procedures in place to consider the policies—proof of actual application is not required. However, such documentation can strengthen the company's claim that procedures are in place. Examples can be documentation for company acquisitions, strategic partnerships or purchases from risk suppliers where the policies are referenced, recorded decisions that refer to the policies, and annual or sustainability reports where decisions are linked to the policies.
Does not fulfil requirement
The company lacks instructions or equivalent documents/templates that describe how the board of directors takes the policies into account when making decisions.
In addition, the company lacks proof of actual application, which could strengthen the company's claim that procedures are in place.
Responsible persons in management positions
You shall appoint one or more persons in management positions as responsible for the due diligence process.
Management functions are responsible for implementing policies in practice. This typically includes the CEO, CFO, HR Director, General Counsel, Procurement Director, and Sustainability Director. However, the most relevant roles depend on your company's operations and the risks you face.
-
Instructions
-
Organisational charts
-
Job descriptions for management positions
Guidance for auditor
Fulfils requirement
The company has appointed one or more persons in management positions as responsible for due diligence in its own operations.
The company has appointed one or more persons in management positions as responsible for supply chain due diligence.
Relevant roles have been identified based on the company's operations and risks, such as CEO, HR manager, general counsel, sustainability manager and procurement manager.
The division of responsibilities is documented — for example, through instructions, organisational charts or job descriptions.
Does not fulfil requirement
The company lacks people in management positions responsible for due diligence in its own operations.
The company lacks people in management positions responsible for supply chain due diligence.
Management positions exist, but not all relevant roles have been identified based on the company's operations and risks.
There is a lack of documentation — for example, instructions, organisational charts, or job descriptions.
Employees who increase or decrease the risks
You shall assign the responsibility for the implementation of the policies to employees whose decisions are most likely to increase or decrease the risks of adverse impacts. Below is a list of departments and functions, along with examples of the commitments they are often responsible for.
Departments and functions
Examples of commitments
Sustainability, responsible purchasing | Potentially all commitments |
Environmental and/or social experts | Human rights, workers' rights including health and safety, the environment |
Personnel/HR | Workers' rights including recruitment, industrial relations and health and safety |
Operations, production | Human rights, workers' rights including health and safety, the environment |
Legal, compliance, ethics/integrity | Human rights, workers' rights including employment and industrial relations, business ethics, supplier agreements |
Purchasing, supply chain management, business relations | All commitments, including risk assessments, supplier assessments, contracts and follow-up (through audits and other methods) |
Community development | Human rights, the environment, community health and safety, stakeholder engagement, disclosure |
Risk management | Potentially all commitments |
A clear division of responsibilities requires effective internal communication about policies, guidelines, and processes. However, since responsibilities often span multiple departments, cross-functional groups or committees may also be needed to facilitate information sharing and decision-making. It is additionally important that relevant employees have the necessary skills, training, and influence within the organisation.
Resources for policy implementation should also be adapted to your risk profile. In smaller companies with limited risks, existing employees may be able to manage the risks as part of their roles. For companies with greater risks, dedicated personnel and budget are often required.
-
Instructions
-
Organisational charts
-
Job descriptions for management positions
-
PowerPoint presentations from training sessions
Guidance for auditor
Fulfils requirement
The company has a clear division of responsibilities for the implementation of the policies in its own operations, adapted to the risks.
The company has a clear division of responsibilities for the implementation of the policies in the supply chain, adapted to the risks.
The division of responsibilities is documented — for example, through instructions, organisational charts or job descriptions.
Other types of documentation can also strengthen the image of a functioning division of responsibilities, such as documented training or cross-functional groups for coordination and information sharing.
Does not fulfil requirement
The company lacks a clear division of responsibilities for the implementation of the policies in its own operations, or it is not risk-aligned.
The company lacks a clear division of responsibilities for the implementation of the policies in the supply chain, or it is not risk-aligned.
There is a lack of documentation — for example, instructions, organisational charts, or job descriptions.
Nor is there any other documentation that strengthens the image of a functioning division of responsibilities, such as documented training or cross-functional groups for coordination and information sharing.
-
Supplier code of conduct template (coming soon)