D.M. Ethics Management System

Code 8.0 Management Systems Preamble

Participants shall adopt or establish a management system with a scope that is related to the content of this Code. The management system shall be designed to ensure: (a) compliance with applicable laws, regulations and customer requirements related to the participant's operations and products; (b) conformance with this Code; and (c) identification and mitigation of operational risks related to this Code. It shall also facilitate continual improvement.

D.M.1 Risk Assessment – Ethics

Elements to Demonstrate Compliance to RBA Code

D.M.1.1 An adequate and effective ethics compliance process is established to monitor, identify, understand, and ensure compliance with applicable laws, regulations, and customer requirements.

1. Policy, Practices, Controls:

Establish a quarterly process to update and maintain a current understanding of and compliance to all applicable legal and customer requirements. The process should include:

• a. Identification of requirements which apply to the facility; be sure to look for emerging and new requirements. This can be done via a legal department with an understanding of the RBA Code, subscriptions to 3rd party reports on regulations, sales & marketing who agree to customer terms, etc.
• b. A means to track these requirements, staying current as:
  • i. The requirements may change (including the RBA Code of Conduct).
  • ii. Facility operations may change and bring the facility in scope of requirements or create a gap.
• c. Assess facility operations against these requirements to identify gaps.
• d. Develop updated policy, procedure, training, communication, recording and reporting to close the gaps.
• e. Implement the changes and test them for compliance.

2. Records are maintained including:

• a. A compliance calendar with owner, reminders, calendar appointments via e-mail.
• b. Summaries of applicable laws and regulations and requirements and how they apply to facility operations.
• c. Review of the key customer requirements that apply to or impact facility operations.
• d. Analysis of the recent RBA Code of Conduct changes.
• e. Minutes from meetings or other that demonstrate the process is conducted quarterly.

D.M.1.2 An adequate and effective due diligence process is established to identify and assess the most significant actual and potential ethics risks where the facility caused or contributed to adverse impacts (including applicable requirements).

1. Policy, Practices, Controls:

• a. A due diligence process focused on health and safety. It should be designed to identify and assess the most significant actual and potential ethical risks where the facility could cause or contribute to adverse ethical impacts of internal and external rights holders.
• b. It must include specific risks of relevant demographics, such as gender and age, where the facility may experience, cause, or contribute to adverse ethics impacts for internal and external stakeholders (including compliance with applicable requirements)
• c. Risk assessment considers business circumstances (country/region of operations) and covers at a minimum:
  • i. Upholding the highest standards of integrity in all business interactions
  • ii. Obtaining undue or improper advantage being promised, offered, authorized, given, or accepted.
  • iii. Intellectual Property Protection
  • iv. Fair business, advertising, and competition
  • v. Non-retaliation or protection of identity
  • vi. Unauthorized disclosure of personal information
• d. Ensure the stakeholder scope is broad including:
  • i. Direct and indirect workers
  • ii. Young workers, Learners
  • iii. Foreign and internal migrant workers
  • iv. Worker representatives
  • v. Staff functions
  • vi. On-site service providers, Suppliers
  • vii. Customers
  • viii. Stakeholders in the community next to or near the facility which may be impacted.
• e. The risk assessment is updated when there is a Significant Change

2. Records are maintained including:

• a. Stakeholder identification reports.
• b. Risk assessment reports.
• c. Mitigation plans.

D.M.2 Control Processes – Ethics

Elements to Demonstrate Compliance to RBA Code

D.M.2.1 Ethics responsibilities and authorities are adequately and effectively defined and assigned for all employee levels (senior managers to workers) for the implementation of management systems, and for compliance with laws, regulations, and codes.

1. Policy, Practices, Controls:

1. Have a senior representative assigned responsibility for implementing social responsibility programs in the facility and supply chain. Their scope should include:

   • a. Understanding and assessing facility compliance with laws and regulations, customer requirements and the RBA Code of Conduct.
   • b. Developing and implementing (likely with other subject matter experts) necessary changes to policies, programs, processes, training, reporting and disclosure as needed to be in legal and customer compliance and RBA Code of Conduct conformance.

2. Responsibilities and authority of each organizational level are recorded in position plans, job descriptions and/or the facility's management system documentation.

   • a. For normal situations.
   • b. For emergency situations which would include where serious adverse impact has been identified.

D.M.2.2 Adequate and effective ethics policies and control processes are established.

1. Policies, Practices, Controls:

Policies: Aligned with law, the RBA Code of Conduct and facility policy statements are in place including:

• a. Uphold the highest standards of integrity in all business interactions with zero tolerance for all forms of bribery, corruption, extortion, and embezzlement.
• b. Gifts to or from suppliers and customers are not excessive in cost and frequency.
• c. Bribes or other methods of obtaining undue or improper advantage are not being promised, offered, authorized, given, or accepted.
• d. No conflicts of interest.
• e. Ensure compliance with anti-corruption laws.
• f. Appropriate sanctions when a violation is confirmed/proven and a preventive action plan.
• g. Ensure that all business dealings are transparently performed and accurately reflected in the reviewee's business books and records.
• h. No misrepresentation by workers, managers, and their agents.
• i. Information received from suppliers and customers as part of the contracting process is protected.
• j. IP ownership and IP are protected.
• k. Ensuring fair business, advertising, and competition standards are upheld.
• l. No collusion with other companies on product pricing or other factors that could reduce competition.
• m. Protection of identity and non-retaliation.
• n. Protection of whistleblowers and/or users of the grievance mechanism(s) (internal and external).
• o. Preventing unauthorized disclosure of personal information.

NOTE: If labor agents are used, then this process also needs to be implemented at the labor agent level.

2. Policies & Procedures in place such that:

• a. There is a mitigation process for all significant actual and potential ethics risks identified, tracking implementation, and resulting adverse impact.
• b. Formal program to ensure company public statements are not false or misleading.
• c. Adequate and effective process for every policy element.
• d. IT measures and guidelines are in place regarding the distribution and dissemination of information to protect information from suppliers and customers and IP.
• e. There is appropriate retention (on and off site) and appropriate levels of access to ensure privacy conforming to legal and customer requirements.

3. Controls & Monitoring should include:

• a. Appropriate investigation process when there is an alleged violation, including misrepresentation by workers, managers, and their agents.
• b. Appropriate sanctions when a violation is confirmed/proven and a preventive action plan.

2. Records are maintained including:

• a. Current and past policies and procedures, specifications.
• b. Results and reports from review and control steps.
• c. Corrective action plans, plans for improvement.

D.M.2.3 An adequate and effective training process is established for all managers/workers on all policy/process/job-related aspects and performance targets.

1. Policy, Practice, Controls:

1. Process: An adequate and effective training program for workers/managers:
   • a. New employee orientation plan
   • b. Training needs analysis
   • c. Training plan with frequency
   • d. Training material
   • e. Training records with effectiveness evaluation or verification

NOTE: Ensure these minimum training topics are included: risk, policy, process, controls, responsibilities, grievance are covered.

2. Minimum Training Topics should include:

   • a. Upholding the highest standards of integrity in all business interactions.
   • b. Obtaining undue or improper advantage being promised, offered, authorized, given, or accepted.
   • c. Intellectual Property Protection.
   • d. Fair Business, Advertising and Competition.
   • e. Non-retaliation or protection of identity.
   • f. Unauthorized disclosure of personal information.

3. Training is provided to all workers before the beginning of work and regularly thereafter as per the training program.

2. Records are maintained including:

• a. Training records include a verification of training effectiveness.
• b. Educational materials.

3. Serious conditions that will result in a severe finding:

• More than 5% of the workers are not trained within 30 days of the hire date.

D.M.3 Communications – Ethics

Elements to Demonstrate Compliance to RBA Code

D.M.3.1 An adequate and effective ongoing two-way communication process with workers, and internal and external stakeholders, where relevant or necessary, is established to obtain feedback on operational ethics practices and conditions and to foster continuous improvement.

1. Policy, Practices, Controls:

1. A healthy and effective, ongoing two-way communication process with workers, other internal and external stakeholders, where relevant or necessary, to obtain their feedback on operational ethical practices and conditions and to foster continuous improvement.
   • a. Examples of worker participation mechanisms: worker surveys, suggestions boxes, worker focus groups, joint worker-management committees, worker/union representatives, process improvement teams.
   • b. Examples of two-way communication: face-to-face meetings, town halls, worker focus groups, joint worker-management committees, process improvement team, message groups (WhatsApp, Line, WeChat, etc.), brown bag lunches
   • c. Examples of stakeholder engagement mechanisms: newsletters with request for feedback, message groups (WhatsApp, Line, WeChat, etc.), social media, neighborhood or community meetings, drop-in sessions, focus groups, feedback, and impact discussions (data/study driven)

NOTE: Ensure these minimum topics are included or asked about to promote comprehensive dialogue: risk, policy, process, controls, responsibilities, grievance are covered.

2. Minimum internal and external stakeholders:
   • a. Direct and indirect workers
   • b. Young workers, Learners
   • c. (Foreign and internal) migrant workers
   • d. Worker representatives
   • e. Staff functions
   • f. On-site service providers, Suppliers
   • g. Customers.

NOTE: Submitting SAQ to customers does not qualify as communication with customers

3. Feedback channels are clearly communicated and visible (suggestion box, emails)

2. Records are maintained including:

• a. Communications records include a verification of communication effectiveness.
• b. Input/feedback records.
• c. Written information to workers on how to provide input/feedback for improvement.
• d. Correspondence to supplier management.
• e. Communications/Presentations to internal and external stakeholders.

D.M.3.2 An adequate and effective process is established to anonymously report grievances confidentially without fear of reprisal or intimidation.

1. Policy, Practices, Controls:

1. Process:

   • a. Comprehensive functioning process to anonymously report grievances without fear of reprisal, which is internal (for workers and staff) and external (for workers of suppliers, local community, or interested actors and Whistleblowers).
   • b. Clear grievance channels so anyone is comfortable reporting grievances and so that reporting is encouraged.
   • c. Workers shall be encouraged to raise safety concerns, including early reporting of discomfort.

2. Investigation and actions:

   • a. Promptly investigate the validity of any grievance.
   • b. Ensure the investigation and remediation is impartial, non-discriminatory, and where applicable, consistent with previous actions.
   • c. Communicate back to those involved, where possible, the outcome of the investigation and next steps, while maintaining appropriate privacy for those involved.
   • d. Remind participants that there is to be no retribution for making the grievance.

2. Records are maintained including:

• a. Grievance records
• b. Investigation records
• c. Workers are provided with written information on how to report grievances.

3. Serious conditions to ensure do not occur include:

• Grievances not being investigated and addressed within 3 months of being received.
• Not putting in place and actioning a corrective action plan after confirming a grievance.

D.M.4 Performance Review and Continuous Improvement – Ethics

Elements to Demonstrate Compliance to RBA Code

D.M.4.1 An adequate and effective ethics management performance review and continuous improvement process is established.

1. Policy, Practices, Controls:

1. Process elements should include:

   • a. Annual or more frequent review of objectives and systems.
     • i. Management system review
     • ii. Performance review
   • b. Formal and communicated goals, indicators, objectives, and targets.
   • c. Goals shall clearly define the period considered; each goal shall include:
     • i. Time Period: (between base date and target date) shall be forward-looking.
     • ii. Base date: Date from which the goal is being measured.
     • iii. Target date: Date in the future when the goal is intended to be achieved.
     • iv. Baseline: the value of what is being measured at the start
     • v. Targeted improvement value: The quantitative value of the goal (numeric and greater than 0)
     • vi. Assignment of owners, implementation plans with completion dates.
   • d. Additional action plans if goal, indicator, objective, or target is off track.
   • e. Communication of the goals and progress to workers (as appropriate).

2. Evaluation:

   • a. Regularly not exceeding 2 years but earlier if there is a Significant Change.
   • b. Effectiveness of controls (including control processes).
   • c. Should include every related program whose scope include:
     • i. Consideration of risk assessment results.
     • ii. Legal and regulatory requirements.
     • iii. Company standards/requirements.
     • iv. Achieving continual improvement.
   • d. Evaluation reports should include:
     • i. Upholding the highest standards of integrity in all business interactions
     • ii. Obtaining undue or improper advantage being promised, offered, authorized, given, or accepted.
     • iii. Intellectual Property Protection
     • iv. Fair business, advertising, and competition
     • v. Non-retaliation or protection of identity
     • vi. Unauthorized disclosure of personal information

2. Records are maintained including:

• a. System review meetings.
• b. Management review meeting presentation materials/analysis/data. Be sure to include:
  • i. Date, agenda, attendees (including senior manager).
  • ii. Presentation material (references).
  • iii. Progress towards objectives.
  • iv. Results of assessments.
  • v. Completion of corrective/preventive actions.
  • vi. Risks/issues.
  • vii. Other information that was used to determine the effectiveness of the management system and identify improvement opportunities.
  • viii. Agreed preventive/corrective actions.
• c. Formal target, indicator, and objective tracking.
• d. Regular progress reporting.
• e. Evaluation reports for (at least):
  • i. Control effectiveness.
  • ii. Training and Communication.
  • iii. Grievances related to ethical concerns.

D.M.4.2 An adequate and effective ethics self-assessment process is established to assess conformance with the RBA Code and customer requirements periodically.

1. Policy, Practices, Controls:

1. An adequate and effective self-assessment process to periodically assess conformance with:

   • a. Applicable legal regulatory requirements.
   • b. Customer requirements.
   • c. RBA Code requirements.
   • d. Own policies, standards, management system, requirements to which the facility subscribes to.

2. The assessment scope should include:

   • a. All areas of the facility.
   • b. All policies, processes, physical conditions, and work practices.
   • c. Review of records.
   • d. Interviews with individuals responsible for compliance and conformance
     • i. Workers (direct and indirect)
     • ii. Staff and management
     • iii. Supplier management

3. Assessment findings should be reviewed by senior management.

2. Records are maintained including:

• a. Self-assessment Reports
• b. Results of management reviews
• c. Corrective action plans

D.M.4.3 An adequate and effective ethics corrective action process is established to rectify and close non-conformances.

1. Policy, Practices, Controls:

1. Ensure there is a Corrective action process (CAP) in place, which contains the following:
   • a. Core elements of root cause analysis, specific corrective actions, owners, due dates, tracking process.
   • b. Additional actions when a corrective action is off-track.
   • c. A link demonstrated between the CAP and the performance management objectives and targets.
   • d. Review action items by management representative after verification by the appropriate person.
   • e. Any issues/concerns noted in the insurance inspection report regarding people, fire, or facility have an agreed corrective action plan.

2. Records are maintained including:

• a. Original non-conformance.
• b. CAP for each non-conformance.
• c. Progress reports.
• d. Closure verification reports (with management confirmation)
• e. Copies of any regulatory citations/violation notices received in the past three years, including any communications with the agencies, and follow-up review or inspection.

1.0.0 (2024-01-01)

Initial release.