Process requirement 1

We explain the requirements for policies and how responsibilities shall be allocated between the board, managers, and employees.
Excerpt from the contract clause
Supplier shall integrate the commitments in the Supplier Code of Conduct into policies and allocate responsibility for policies and due diligence, by
a) ensuring that relevant policies, established at the highest management level, are adopted or revised to align with the commitments in the Supplier Code of Conduct,
b) making the policies publicly available and communicating them to rights-holders affected by its own operations,
c) ensuring that the board of directors considers the policies when making decisions,
d) appointing one or more persons in management positions as responsible for the due diligence process and
e) assigning responsibility for the implementation of the policies to employees whose decisions are most likely to increase or decrease the risks of adverse impacts.
Policies
You shall ensure that relevant policies, established at the highest management level, are adopted or revised to align with the commitments in the Supplier Code of Conduct.
Policies are high-level public statements that outline your commitments. They differ from operational guidelines and processes, which are internal tools used to implement policies in practice.
One or more policies
Your commitments may be divided into one or more policies. For example, you should have a human rights policy, an environmental policy, and a business ethics policy for your own operations and a supplier code of conduct.
You may also have policies for specific issues in your own operations, which in some cases are required by law. Examples of such policies include:
- Collective agreements
- Work environment policy
- Health and safety policy
- Discrimination policy
- Anti-harassment and retaliation policies
- Mineral policy
- Climate action plan
- Tax policy
The most important thing is that your policies cover the commitments for your own operations and supply chain.
Established at the highest management level
All relevant policies shall be established at the highest management level, which includes the board of directors and CEO. The easiest way to demonstrate this is through the CEO’s signature and date on the policy. Alternatively, companies can provide the board’s date of adoption or use other methods to demonstrate compliance.
Adopted or revised
Most public sector suppliers already have a policy framework in place, meaning that commitments can often be integrated through revision rather than new policies. If you do not have a supply chain policy, you can easily adopt the Supplier Code of Conduct as your own. However, it is important to ensure that the policies you have in place cover both your own operations and your supply chain.
In light of this, we have developed a human rights policy template, an environmental policy template, and a business ethics policy template, which can be found below under Templates process requirement 1. Using our templates is not a requirement; they are intended as support.
Aligned with the commitments
By aligned with the commitments, we mean the following:
There must be a commitment to respect all internationally recognised human rights as expressed in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights (together, the International Bill of Human Rights). This commitment shall be reflected in policies for both your own operations and supply chains.
All areas of responsibility under workers’ rights need to be covered—but the same wording as in the Supplier Code of Conduct is not required.
- Freedom of association and collective bargaining
- Forced labour
- Child labour
- Discrimination and inhumane treatment
- Health and safety
- Wages
- Working hours
- Regular employment
When it comes to climate and environmental impact, the risks differ depending on sector. Therefore, not all commitments need to be covered, but during monitoring you shall be able to account for your considerations and decisions.
As for environmental rights, these do not need to be specifically mentioned as they are part of the overall commitment to respect all internationally recognised human rights.
All areas of responsibility under business ethics need to be covered—but the same wording as in the Supplier Code of Conduct is not required.
- Corruption
- Anti-competitive behaviour
- Taxation
Responsibility for ensuring compliance
As a supplier, you are responsible for comparing your policy framework with the commitments. If a contracting organisation or auditor detects a difference when monitoring the contract clause, it is considered a deviation. They will not conduct a detailed review of your policies and the commitments – this is your responsibility. The comparison therefore needs to be part of your action plan.
Multi-stakeholder initiatives' codes of conduct
Some suppliers are members of multi-stakeholder initiatives with joint supplier codes of conduct, such as amfori BSCI, the Ethical Trading Initiative or the Responsible Business Alliance. If you are part of such an initiative, it may be difficult to revise the code to align it with the commitments. In such cases, you need to compare the code with the commitments and work to ensure that the initiative updates it.


Suggested verifications
- All relevant policies with the CEO’s signature and date of signing or a statement indicating the board of directors’ adoption date.
- If you use a multi-stakeholder initiative’s code of conduct, you shall be able to present a comparison of the code against the commitments and a description of how you are working to have the initiative revise its code if necessary.
Guidance for auditor
Fulfils requirement
The company has policies for its own operations that are consistent with the commitments (see the guidance above for what is sufficient).
The company has policies for its supply chain that are consistent with the commitments (see the guidance above for what is sufficient).
All policies are established at the highest management level, which is evidenced by the CEO’s signature or a board decision and date of adoption.
Does not fulfil requirement
The company has no policies at all, or they are incomplete:
- The policies only cover the company’s own operations or supply chain.
- The policies are not consistent with the commitments (see the guidance above for what is sufficient).
- The policies are not established at the highest management level or there is not sufficient evidence of this, such as the CEO’s signature or a board decision and date of adoption.
- There are only internal guidelines, no public statements.
- The company uses a multi-stakeholder initiative’s Code of Conduct but has not compared it with the commitments and/or cannot explain how it is working towards the revision of the Code, if necessary.
Making the policies publicly available
You shall make the policies publicly available and communicate them to rights-holders affected by your own operations.
By rights-holders affected by your own operations, we primarily mean employees. Policies can be shared with them via the intranet, in your premises, during onboarding and training sessions, and regularly as needed. In addition, policies shall be publicly available to other affected stakeholders. For example, policies aimed at suppliers or local communities shall be published on your website.
Regardless of where the policies are made publicly available, they shall always be provided in local languages if you, for instance, operate in other countries or have received permission to post your supplier code of conduct in the factories you source from.
At the same time, rights-holders shall be informed about complaints procedures linked to the policies. These procedures may include both formal mechanisms and guidelines for contact with management, HR, and other responsible parties. A common mechanism is whistleblower channels.

Suggested verifications
- Links to websites.
- Photos of policies publicly available in your premises.
- Screenshots or printouts of intranet pages or onboarding systems.
- PowerPoint presentations from employee introductions or training sessions.
Guidance for auditor
Fulfils requirement
The policies are public and available to relevant stakeholders:
- Policies that affect employees are communicated via the intranet, on the premises, at introductions and/or training.
- Policies that affect external stakeholders such as suppliers and nearby residents are available on the website.
- The policies are translated into local languages where business is conducted. If the code of conduct has been posted at a supplier, it has also been translated.
Does not fulfil requirement
The policies are not public or are difficult for affected stakeholders to find:
- Policies are not communicated to employees via the intranet, on the premises, at introductions and/or training.
- Policies that affect external stakeholders such as suppliers and nearby residents are not available on the website.
- The policies are not translated into local languages where operations are conducted. A code of conduct that has been posted at a supplier has not been translated.
- Policies that have been updated after an audit have not been made publicly available or communicated.
The board of directors
You shall ensure that the board of directors considers the policies when making decisions.
The board typically approves policies and sustainability reports and makes strategic decisions that impact people, the environment, and society. Therefore, having board members with sustainability expertise and responsibility can be valuable.
To ensure that the board considers policies in its decision-making, a checklist can be used. We have developed such a checklist, which can be found below under Templates process requirement 1. If the board follows this checklist, the requirement is considered fulfilled, but using the checklist is not mandatory. You can meet the requirement in other ways, such as through clear instructions.

Suggested verifications
- Instructions describing how the board of directors considers the policies when making decisions, both for your own operations and the supply chain.
- Checklists for decisions.
- Meeting minutes where considerations have been recorded.
Guidance for auditor
Fulfils requirement
The company has instructions or equivalent documents/templates that describe how the board of directors takes the policies into account when making decisions.
There is evidence that shows that the board has taken the policies into account when making decisions, such as decision-making material for corporate acquisitions or strategic partnerships where the policies are referenced, meeting minutes where decisions that refer to the policies have been recorded, and annual or sustainability reports where decisions are linked to the policies.
Does not fulfil requirement
The company lacks instructions or equivalent documents/templates that describe how the board of directors takes the policies into account when making decisions.
There is no evidence showing that the board has taken the policies into account when making decisions, such as decision-making material for corporate acquisitions or strategic partnerships where the policies are referenced, meeting minutes where decisions that refer to the policies have been recorded, and annual or sustainability reports where decisions are linked to the policies.
Responsible persons in management positions
You shall appoint one or more persons in management positions as responsible for the due diligence process.
Management functions are responsible for implementing policies in practice. This typically includes the CEO, CFO, HR Director, General Counsel, Procurement Director, and Sustainability Director. However, the most relevant roles depend on your company’s operations and the risks you face.

Suggested verifications
- Instructions
- Organisational charts
- Job descriptions for management positions
Guidance for auditor
Fulfils requirement
The company has appointed one or more persons in management positions as responsible for due diligence in its own operations.
The company has appointed one or more persons in management positions as responsible for supply chain due diligence.
Relevant roles have been identified based on the company’s operations and risks, such as CEO, HR manager, general counsel, sustainability manager and procurement manager.
The division of responsibilities is documented — for example, through instructions, organisational charts or job descriptions.
Does not fulfil requirement
The company lacks people in management positions responsible for due diligence in its own operations.
The company lacks people in management positions responsible for supply chain due diligence.
Management positions exist, but not all relevant roles have been identified based on the company’s operations and risks.
There is no documentation — for example, instructions, organisational charts, or job descriptions.
Employees who increase or decrease the risks
You shall assign the responsibility for the implementation of the policies to employees whose decisions are most likely to increase or decrease the risks of adverse impacts.
Below is a list of departments and functions, along with examples of the commitments they are often responsible for.
| Departments and functions | Examples of commitments |
|---|---|
| Sustainability, responsible purchasing | Potentially all commitments |
| Environmental and/or social experts | Human rights, workers’ rights including health and safety, the environment |
| Personnel/HR | Workers’ rights including recruitment, industrial relations and health and safety |
| Operations, production | Human rights, workers’ rights including health and safety, the environment |
| Legal, compliance, ethics/integrity | Human rights, workers’ rights including employment and industrial relations, business ethics, supplier agreements |
| Purchasing, supply chain management, business relations | All commitments, including risk assessments, supplier assessments, contracts and follow-up (through audits and other methods) |
| Community development | Human rights, the environment, community health and safety, stakeholder engagement, disclosure |
| Risk management | Potentially all commitments |
A clear division of responsibilities requires effective internal communication about policies, guidelines, and processes. However, since responsibilities often span multiple departments, cross-functional groups or committees may also be needed to facilitate information sharing and decision-making. It is additionally important that relevant employees have the necessary skills, training, and influence within the organisation.
Resources for policy implementation should also be adapted to your risk profile. In smaller companies with limited risks, existing employees may be able to manage the risks as part of their roles. For companies with greater risks, dedicated personnel and budget are often required.

Suggested verifications
- Instructions
- Organisational charts
- Job descriptions for management positions
- PowerPoint presentations from training sessions
Guidance for auditor
Fulfils requirement
The company has a clear division of responsibilities for the implementation of the policies in its own operations, adapted to the risks.
The company has a clear division of responsibilities for the implementation of the policies in the supply chain, adapted to the risks.
The division of responsibilities is documented — for example, through instructions, organisational charts or job descriptions.
Other types of documentation can also strengthen the image of a functioning division of responsibilities, such as documented training or cross-functional groups for coordination and information sharing.
Does not fulfil requirement
The company lacks a clear division of responsibilities for the implementation of the policies in its own operations, or it is not risk-aligned.
The company lacks a clear division of responsibilities for the implementation of the policies in the supply chain, or it is not risk-aligned.
There is no documentation — for example, instructions, organisational charts, or job descriptions.
Nor is there any other documentation that strengthens the image of a functioning division of responsibilities, such as documented training or cross-functional groups for coordination and information sharing.

Templates process requirement 1
- Human rights policy template
- Environmental policy template
- Business ethics policy template
- Checklist for the board of directors
- Supplier code of conduct template
- Responsible sourcing instruction template (section 1) (currently under revision)