1. Policies and responsibilities
Contract clause
Supplier shall integrate the commitments in the Supplier Code of Conduct into policies and assign responsibility for policies and due diligence, by
a) ensuring that relevant policies, established at the highest management level, are adopted or revised to align with the commitments in the Supplier Code of Conduct,
b) making the policies publicly available and communicating them to rights-holders affected by its own operations,
c) ensuring that the board of directors considers the policies when making decisions,
d) appointing one or more persons in management positions as responsible for the due diligence process and
e) assigning responsibility for the implementation of the policies to employees whose decisions are most likely to increase or decrease the risks of adverse impacts.
a) Policies
You shall ensure that relevant policies, established at the highest management level, are adopted or revised to align with the commitments in the Supplier Code of Conduct.
Policies are high-level public statements that outline your commitments. They differ from operational guidelines and processes, which are internal tools used to implement policies in practice.
One or more policies
Your commitments may be divided into one or more policies. For example, you should have a human rights policy, an environmental policy, and a business ethics policy for your own operations and a supplier code of conduct.
You may also have policies for specific issues in your own operations, which in some cases are required by law. Examples of such policies are:
- Collective agreements
- Work environment policy
- Health and safety policy
- Discrimination policy
- Anti-harassment and retaliation policies
- Mineral policy
- Climate policy
- Tax policy
The most important thing is that your policies cover the commitments for your own operations and supply chain.
Established at the highest management level
All relevant policies shall be established at the highest management level, which includes the board of directors and CEO. The easiest way to demonstrate this is through the CEO’s signature and date on the policy. Alternatively, companies can provide the board’s date of adoption or use other methods to demonstrate compliance.
Adopted or revised
Most suppliers to the public sector already have a policy framework in place, which means the commitments can often be integrated through revisions rather than by adopting new policies.
If you are missing any policy, you can use our templates for:
- Human Rights Policy
- Environmental Policy
- Business Ethics Policy
- Supplier Code of Conduct
These are available under Templates process requirement 1.
Aligned with the commitments
By aligned with the commitments, we mean the following:
There must be a commitment to respect all internationally recognised human rights as expressed in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights. Collectively, these are the International Bill of Human Rights. This commitment shall be reflected in policies for both your own operations and supply chains.
All areas of responsibility under workers’ rights need to be covered – but the same wording as in the Supplier Code of Conduct is not required.
- Freedom of association and collective bargaining
- Forced labour
- Child labour
- Discrimination and inhumane treatment
- Health and safety
- Wages
- Working hours
- Regular employment
When it comes to climate and environmental impact, the risks differ depending on sector. Therefore, not all commitments need to be covered, but during monitoring you shall be able to account for your considerations and decisions.
As for environmental rights, these do not need to be specifically mentioned as they are part of the overall commitment to respect all internationally recognised human rights.
All areas of responsibility under business ethics need to be covered – but the same wording as in the Supplier Code of Conduct is not required.
- Corruption
- Anti-competitive behaviour
- Taxation
Multi-stakeholder initiatives' codes of conduct
If you participate in a multi-stakeholder initiative with a shared supplier code of conduct, such as amfori BSCI and Responsible Business Alliance, it may be difficult to revise the code of conduct. In such cases, you need to compare the code with the commitments and work to ensure that the initiative updates it.

Suggested verifications
- All relevant policies with the CEO’s signature and date of signing or a statement indicating the board of directors’ adoption date.
- If you use a multi-stakeholder initiative’s code of conduct, you shall be able to present a comparison of the code against the commitments and a description of how you are working to have the initiative revise its code if necessary.
Guidance for auditor
Fulfils requirement
The company has policies for its own operations that are consistent with the commitments (see expandable text above for what is sufficient).
The company has policies for its supply chain that are consistent with the commitments (see expandable text above for what is sufficient).
All policies are established at the highest management level, which is evidenced by the CEO’s signature or a board decision and date of adoption.
Does not fulfil requirement
The company has no policies at all, or they are incomplete:
- The policies only cover the company’s own operations or supply chain.
- The policies are not consistent with the commitments (see expandable text above for what is sufficient).
- The policies are not established at the highest management level or there is not sufficient evidence of this, such as the CEO’s signature or a board decision and date of adoption.
- There are only internal guidelines, no public statements.
- The company uses a multi-stakeholder initiative’s Code of Conduct but has not compared it with the commitments and/or cannot explain how it is working towards the revision of the Code, if necessary.
b) Make policies publicly available
You shall make the policies publicly available and communicate them to rights-holders affected by your own operations.
By rights-holders affected by your own operations, we primarily mean employees. With them, policies can be shared:
- via the intranet
- in your premises
- during onboarding and training sessions, and
- regularly as needed.
In addition, policies shall be publicly available to other affected stakeholders. For example, policies aimed at suppliers or local communities shall be published on your website.
Regardless of where the policies are made publicly available, they shall always be provided in local languages if you, for instance, operate in other countries or have received permission to post your supplier code of conduct in the factories you source from.

Suggested verifications
- Links to websites.
- Photos of policies publicly available in your premises.
- Screenshots or printouts of intranet pages or onboarding systems.
- PowerPoint presentations from employee introductions or training sessions.
Guidance for auditor
Fulfils requirement
The policies are public and available to relevant stakeholders:
- Policies that affect employees are communicated via the intranet, on the premises, at introductions and/or training.
- Policies that affect external stakeholders such as suppliers and nearby residents are available on the website.
- The policies are translated into local languages where business is conducted. If the code of conduct has been posted at a supplier, it has also been translated.
Does not fulfil requirement
The policies are not public or are difficult to find for affected stakeholders:
- Policies are not communicated to employees via the intranet, on the premises, at introductions and/or trainings.
- Policies that affect external stakeholders such as suppliers and nearby residents are not available on the website.
- The policies are not translated into local languages where operations are conducted. A code of conduct that has been posted at a supplier has not been translated.
- Policies that have been updated after an audit have not been made publicly available or communicated.
c) Board of directors’ responsibility
You shall ensure that the board of directors considers the policies when making decisions.
The board typically approves policies and sustainability reports and makes strategic decisions that impact people, the environment, and society. Therefore, having board members with sustainability expertise can be valuable.
To ensure that the board considers the policies in its decision-making, you can, for example, use a checklist or develop clear instructions. We have developed a checklist and included provisions on the board’s responsibilities in our due diligence instruction template. Both are available under Templates process requirement 1.
There is no requirement to use our templates.

Suggested verifications
- Instructions describing how the board of directors considers the policies when making decisions, both for your own operations and the supply chain.
- Checklists for decisions.
- Meeting minutes where considerations have been recorded.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documents/templates that describe how the board of directors takes the policies into account when making decisions.
There is evidence that shows that the board has taken the policies into account when making decisions, such as decision-making material for corporate acquisitions or strategic partnerships where the policies are referenced, meeting minutes where decisions that refer to the policies have been recorded, and annual or sustainability reports where decisions are linked to the policies.
Does not fulfil requirement
The company lacks instructions or equivalent documents/templates that describe how the board of directors takes the policies into account when making decisions.
There is no evidence showing that the board has taken the policies into account when making decisions, such as decision-making material for corporate acquisitions or strategic partnerships where the policies are referenced, meeting minutes where decisions that refer to the policies have been recorded, and annual or sustainability reports where decisions are linked to the policies.
d) Responsible persons in management positions
You shall appoint one or more persons in management positions as responsible for the due diligence process.
Management functions are responsible for implementing policies in practice. These typically include the roles of CEO, CFO, HR Director, General Counsel, Procurement Director, and Sustainability Director. However, the most relevant roles depend on your operations and risks.

Suggested verifications
- Instructions
- Organisational charts
- Job descriptions for management positions
Guidance for auditor
Fulfils requirement
The company has appointed one or more persons in management positions as responsible for due diligence in its own operations.
The company has appointed one or more persons in management positions as responsible for supply chain due diligence.
Relevant roles have been identified based on the company’s operations and risks, such as CEO, HR manager, general counsel, sustainability manager and procurement manager.
The division of responsibilities is documented — for example, through instructions, organisational charts or job descriptions.
Does not fulfil requirement
The company lacks people in management positions responsible for due diligence in its own operations.
The company lacks people in management positions responsible for supply chain due diligence.
Management positions exist, but not all relevant roles have been identified based on the company’s operations and risks.
There is no documentation — for example, instructions, organisational charts, or job descriptions.
e) Employees who increase or decrease risks
You shall assign the responsibility for the implementation of the policies to employees whose decisions are most likely to increase or decrease the risks of adverse impacts.
Example of assignment of responsibilities:
| Departments and functions | Examples of commitments |
|---|---|
| Sustainability | All commitments |
| Environmental and social experts | Human rights, workers’ rights (including health and safety), the environment |
| Personnel/HR | Workers’ rights (including recruitment, industrial relations, health and safety) |
| Operations, production | Human rights, workers’ rights (including health and safety), the environment |
| Legal/compliance | Human rights, workers’ rights (including industrial relations), business ethics, supplier agreements |
| Purchasing/supply chain management | All commitments (including risk assessments, supplier assessments, contracts and monitoring) |
| Community development/stakeholder engagement | Human rights, the environment, community health and safety, stakeholder engagement, disclosure |
| Risk management | All commitments |
A clear assignment of responsibilities requires effective internal communication regarding policies and processes. However, since responsibilities often span multiple departments, cross-functional groups may also be needed to facilitate coordination and decision-making. It is also important that relevant employees have the appropriate competence, training, and authority.
Resources should be adapted to the company’s risks and size. Smaller companies can often manage the work within existing roles, while companies facing greater risks may require dedicated staff and budget.

Suggested verifications
- Instructions
- Organisational charts
- Job descriptions for management positions
- PowerPoint presentations from training sessions
Guidance for auditor
Fulfils requirement
The company has a clear division of responsibilities for the implementation of the policies in its own operations, adapted to the risks.
The company has a clear division of responsibilities for the implementation of the policies in the supply chain, adapted to the risks.
The division of responsibilities is documented — for example, through instructions, organisational charts or job descriptions.
Other types of documentation can also strengthen the image of a functioning division of responsibilities, such as documented training or cross-functional groups for coordination and information sharing.
Does not fulfil requirement
The company lacks a clear division of responsibilities for the implementation of the policies in its own operations, or it is not risk-aligned.
The company lacks a clear division of responsibilities for the implementation of the policies in the supply chain, or it is not risk-aligned.
There is no documentation — for example, instructions, organisational charts, or job descriptions.
Nor is there any other documentation that strengthens the image of a functioning division of responsibilities, such as documented training or cross-functional groups for coordination and information sharing.
