Criterion: Ethics Management System

Version 2.0.0 | Status: Deprecated
Supersedes: 1.0.0
UN conformity topic code:

Requirements for establishing and maintaining an ethics management system

Full Description

D.M. Ethics Management Systems

Code 7.0 Management Systems Preamble

Participants shall adopt or establish a management system with a scope that is related to the content of this Code. The management system shall be designed to ensure: (a) compliance with applicable laws, regulations and customer requirements related to the participant's operations and products; (b) conformance with this Code; and (c) identification and mitigation of operational risks related to this Code. It shall also facilitate continual improvement.


D.M.1 Risk Assessment – Ethics

Elements to Demonstrate Compliance to RBA Code

D.M.1.1 An adequate and effective ethics compliance process is established to monitor, identify, understand, and ensure compliance with applicable laws, regulations, and customer requirements.

1. Policy, Practices, Controls:

Establish a quarterly process to update and maintain a current understanding of and compliance to all applicable legal and customer requirements. The process should include:

  • a. Identification of requirements which apply to the facility; be sure to look for emerging and new requirements. This can be done via a legal department with an understanding of the RBA Code, subscriptions to 3rd party reports on regulations, sales & marketing who agree to customer terms, etc.
  • b. A means to track these requirements, staying current as:
    • i. The requirements may change (including the RBA Code of Conduct).
    • ii. Facility operations may change and bring the facility in scope of requirements or create a gap.
  • c. Assess facility operations against these requirements to identify gaps.
  • d. Develop updated policy, procedure, training, communication, recording and reporting to close the gaps.
  • e. Implement the changes and test them for compliance.

2. Records are maintained including:

  • a. A compliance calendar with owner, reminders, calendar appointments via e-mail.
  • b. Summaries of applicable laws and regulations and requirements and how they apply to facility operations.
  • c. Review of the key customer requirements that apply to or impact facility operations.
  • d. Analysis of the recent RBA Code of Conduct changes.
  • e. Minutes from meetings or other records that demonstrate the process is conducted quarterly.

D.M.1.2 An adequate and effective management process to identify and assess ethics risks.

1. Policy, Practices, Controls:

  • a. An adequate and effective risk assessment process is in place to identify the most significant risks (including applicable legal requirements and applicable customer requirements).
  • b. Risk assessment considers business circumstances (country/region of operations, stakeholders, etc.) and covers at minimum honesty, integrity, intellectual property protection, bribery, corruption, fraud/embezzlement, extortion, legal, ethical, fair business/marketing practices, reporting violations, whistleblower protection, kickbacks, bribes, privacy, unlawful payments, etc.
  • c. Risk assessment minimum elements:
    • i. Upholding the highest standards of integrity in all business interactions
    • ii. Obtaining undue or improper advantage being promised, offered, authorized, given, or accepted.
    • iii. Intellectual Property Protection
    • iv. Fair business, advertising, and competition
    • v. Non-retaliation or protection of identity
    • vi. Unauthorized disclosure of personal information
  • d. Scope of risk assessment:
    • i. Every task
    • ii. Every site operation/process
    • iii. Every physical location
    • iv. Young workers are a separate category
    • v. Foreign and internal migrant workers are a separate category
  • e. The risk assessment is current and updated when there is a Significant Change

2. Records are maintained including:

  • a. Risk assessment reports.

D.M.2 Control Processes – Ethics

Elements to Demonstrate Compliance to RBA Code

D.M.2.1 Ethics responsibilities and authorities are adequately and effectively defined and assigned for all employee levels (senior managers to workers) for the implementation of management systems, and for compliance with laws, regulations, and codes.

1. Policy, Practices, Controls:

  1. Have a senior representative assigned responsibility for implementing social responsibility programs in the facility and supply chain. Their scope should include:

    • a. Understanding and assessing facility compliance with laws and regulations, customer requirements and the RBA Code of Conduct.
    • b. Developing and implementing (likely with other subject matter experts) necessary changes to policies, programs, processes, training, reporting and disclosure as needed to be in legal and customer compliance and RBA Code of Conduct conformance.
  2. Responsibilities and authority of each organizational level are recorded in position plans, job descriptions and/or the facility's management system documentation.

    • a. For normal situations.
    • b. For emergency situations which would include where serious adverse impact has been identified.

D.M.2.2 Adequate and effective ethics policies and control processes are established.

1. Policies, Practices, Controls:

Policies: Aligned with law, the RBA Code of Conduct and facility policy statements are in place including:

  • a. Uphold the highest standards of integrity in all business interactions with zero tolerance for all forms of bribery, corruption, extortion, and embezzlement.
  • b. Gifts to or from suppliers and customers are not excessive in cost and frequency.
  • c. Bribes or other methods of obtaining undue or improper advantage are not being promised, offered, authorized, given, or accepted.
  • d. No conflicts of interest.
  • e. Ensure compliance with anti-corruption laws.
  • f. Appropriate sanctions when a violation is confirmed/proven and a preventive action plan.
  • g. Ensure that all business dealings are transparently performed and accurately reflected in the reviewee's business books and records.
  • h. No misrepresentation by workers, managers, and their agents.
  • i. Information received from suppliers and customers as part of the contracting process is protected.
  • j. IP ownership and IP are protected.
  • k. Ensuring fair business, advertising, and competition standards are upheld.
  • l. No collusion with other companies on product pricing or other factors that could reduce competition.
  • m. Protection of identity and non-retaliation.
  • n. Protection of whistleblowers and/or users of the grievance mechanism(s) (internal and external).
  • o. Preventing unauthorized disclosure of personal information.

NOTE: If labor agents are used, then this process also needs to be implemented at the labor agent level.

2. Policies & Procedures in place such that:

  • a. Formal program to ensure public Auditee statements are not false or misleading.
  • b. Adequate and effective process for every policy element.
  • c. IT measures and guidelines about the distribution/dissemination of information to protect information from suppliers and customers and IP.

3. Controls & Monitoring should include:

  • a. Appropriate investigation process when there is an alleged violation, including misrepresentation by workers, managers, and their agents.
  • b. Appropriate sanctions when a violation is confirmed/proven and a preventive action plan.

2. Records are maintained including:

  • a. Current and past policies and procedures, specifications.
  • b. Results and reports from review and control steps.
  • c. Corrective action plans, plans for improvement.

1. Policy, Practice, Controls:

  1. Process: An adequate and effective training program for workers/managers:
    • a. New employee orientation plan
    • b. Training needs analysis
    • c. Training plan with frequency
    • d. Training material
    • e. Training records with effectiveness evaluation or verification

NOTE: Ensure these minimum training topics are covered: risk, policy, process, controls, responsibilities, grievance.

  2. Minimum Training Topics should include:

    • a. Upholding the highest standards of integrity in all business interactions.
    • b. Obtaining undue or improper advantage being promised, offered, authorized, given, or accepted.
    • c. Intellectual Property Protection.
    • d. Fair Business, Advertising and Competition.
    • e. Non-retaliation or protection of identity.
    • f. Unauthorized disclosure of personal information.
  3. Training is provided to all workers before the beginning of work and regularly thereafter as per the training program.

2. Records are maintained including:

  • a. Training records include a verification of training effectiveness.
  • b. Educational materials.

3. Serious conditions that will result in a severe finding:

  • More than 5% of the workers are not trained within 30 days of the hire date.

D.M.3 Communications – Ethics

Elements to Demonstrate Compliance to RBA Code

D.M.3.1 An adequate and effective worker/manager (including to solicit and encourage worker participation, input and feedback for improvement), Supplier and customer communication/reporting process for ethics is established.

1. Policy, Practices, Controls:

An adequate and effective worker/manager, Supplier and customer communication/reporting process to Suppliers is in place:

  1. Suppliers:

    • a. Correspondence to Supplier management.
    • b. Contract terms and conditions requiring Suppliers to conform to the RBA code.
  2. Customers:

    • a. Ethics practices and performance.

NOTE: Submitting SAQ to customers does not qualify as disclosure/communication to customers.

  3. Workers / Managers:
    • a. Adequate and effective process to obtain worker input and feedback.
    • b. The minimum communication topics (each policy, process and management systems element such as responsibilities, risk, grievance, etc.) are covered.

NOTE: Examples of worker participation mechanisms: worker surveys, suggestions boxes, worker focus groups, joint worker-management committees, worker/union representatives, process improvement teams.

Feedback channels are clearly communicated and visible (suggestion box, etc.).

2. Records are maintained including:

  • a. Communications records include a verification of communication effectiveness.
  • b. Input/feedback records.
  • c. Written information to workers on how to provide input/feedback for improvement.
  • d. Communications/presentations to Suppliers.
  • e. Communications/presentations to customers.

D.M.3.2 An adequate and effective process is established to anonymously report grievances confidentially without fear of reprisal or intimidation.

1. Policy, Practices, Controls:

  1. Process:

    • a. Comprehensive functioning process to anonymously report grievances without fear of reprisal, which is internal (for workers and staff) and external (for workers of suppliers, local community, or interested actors and Whistleblowers).
    • b. Clear grievance channels so anyone is comfortable reporting grievances and so that reporting is encouraged.
    • c. Workers shall be encouraged to raise safety concerns, including early reporting of discomfort.
  2. Investigation and actions:

    • a. Promptly investigate the validity of any grievance.
    • b. Ensure the investigation and remediation is impartial, non-discriminatory, and where applicable, consistent with previous actions.
    • c. Communicate back to those involved, where possible, the outcome of the investigation and next steps, while maintaining appropriate privacy for those involved.
    • d. Remind participants that there is to be no retribution for making the grievance.

2. Records are maintained including:

  • a. Grievance records
  • b. Investigation records
  • c. Workers are provided with written information on how to report grievances.

3. Serious conditions that must not occur include:

  • Grievances not being investigated and addressed within 3 months of being received.
  • Not putting in place and actioning a corrective action plan after confirming a grievance.

D.M.4 Performance Review and Continuous Improvement – Ethics

Elements to Demonstrate Compliance to RBA Code

D.M.4.1 An adequate and effective ethics management performance review and continuous improvement process is established.

1. Policy, Practices, Controls:

  1. Process elements should include:

    • a. Annual or more frequent review of objectives and systems.
      • i. Management system review
      • ii. Performance review
    • b. Formal and communicated goals, indicators, objectives, and targets.
    • c. Goals shall clearly define the period considered; each goal shall include:
      • i. Time Period: (between base date and target date) shall be forward-looking.
      • ii. Base date: Date from which the goal is being measured.
      • iii. Target date: Date in the future when the goal is intended to be achieved.
      • iv. Baseline: the value of what is being measured at the start
      • v. Targeted improvement value: The quantitative value of the goal (numeric and greater than 0)
      • vi. Assignment of owners, implementation plans with completion dates.
    • d. Additional action plans if goal, indicator, objective, or target is off track.
    • e. Communication of the goals and progress to workers (as appropriate).
  2. Evaluation:

    • a. Regularly, at intervals not exceeding 2 years, but earlier if there is a Significant Change.
    • b. Effectiveness of controls (including control processes).
    • c. Should include every related program whose scope includes:
      • i. Consideration of risk assessment results.
      • ii. Legal and regulatory requirements.
      • iii. Company standards/requirements.
      • iv. Achieving continual improvement.
    • d. Evaluation reports should include:
      • i. Upholding the highest standards of integrity in all business interactions
      • ii. Obtaining undue or improper advantage being promised, offered, authorized, given, or accepted.
      • iii. Intellectual Property Protection
      • iv. Fair business, advertising, and competition
      • v. Non-retaliation or protection of identity
      • vi. Unauthorized disclosure of personal information

2. Records are maintained including:

  • a. System review meetings.
  • b. Management review meeting presentation materials/analysis/data. Be sure to include:
    • i. Date, agenda, attendees (including senior manager).
    • ii. Presentation material (references).
    • iii. Progress towards objectives.
    • iv. Results of assessments.
    • v. Completion of corrective/preventive actions.
    • vi. Risks/issues.
    • vii. Other information that was used to determine the effectiveness of the management system and identify improvement opportunities.
    • viii. Agreed preventive/corrective actions.
  • c. Formal target, indicator, and objective tracking.
  • d. Regular progress reporting.
  • e. Evaluation reports for (at least):
    • i. Control effectiveness.
    • ii. Training and Communication.
    • iii. Grievances related to ethical concerns.

D.M.4.2 An adequate and effective ethics self-assessment process is established to assess conformance with the RBA Code and customer requirements periodically.

1. Policy, Practices, Controls:

  1. An adequate and effective self-assessment process to periodically assess conformance with:

    • a. Applicable legal regulatory requirements.
    • b. Customer requirements.
    • c. RBA Code requirements.
    • d. Own policies, standards, management system, and requirements to which the facility subscribes.
  2. The assessment scope should include:

    • a. All areas of the facility.
    • b. All policies, processes, physical conditions, and work practices.
    • c. Review of records.
    • d. Interviews with individuals responsible for compliance and conformance
      • i. Workers (direct and indirect)
      • ii. Staff and management
      • iii. Supplier management
  3. Assessment findings should be reviewed by senior management.

2. Records are maintained including:

  • a. Self-assessment Reports
  • b. Results of management reviews
  • c. Corrective action plans

D.M.4.3 An adequate and effective ethics corrective action process is established to rectify and close non-conformances.

1. Policy, Practices, Controls:

  1. Ensure there is a Corrective action process (CAP) in place, which contains the following:
    • a. Core elements of root cause analysis, specific corrective actions, owners, due dates, tracking process.
    • b. Additional actions when a corrective action is off-track.
    • c. A link demonstrated between the CAP and the performance management objectives and targets.
    • d. Review action items by management representative after verification by the appropriate person.
    • e. Any issues/concerns noted in the insurance inspection report regarding people, fire, or facility have an agreed corrective action plan.

2. Records are maintained including:

  • a. Original non-conformance.
  • b. CAP for each non-conformance.
  • c. Progress reports.
  • d. Closure verification reports (with management confirmation)
  • e. Copies of any regulatory citations/violation notices received in the past three years, including any communications with the agencies, and follow-up review or inspection.

Profiles using this criterion

RBA Assessment Program

Conformity Alignment

Priority

Pass: No
Definition: "Critical non-conformance requiring immediate action"
Remediation: 30 days

Major

Pass: No
Definition: "Significant non-conformance requiring corrective action"
Remediation: 90 days

Minor

Pass: Yes
Definition: "Non-conformance with limited impact"
Conditions: Corrective action plan required
Remediation: 180 days

Opportunity

Pass: Yes
Definition: "Opportunity for improvement identified"

Conformance

Pass: Yes
Definition: "Full conformance with criterion requirements"

Related Criterion

VAP: Business Integrity and No Improper Advantage

Relationship: Child
Business integrity criterion under ethics management

VAP: Disclosure of Information

Relationship: Child
Disclosure criterion under ethics management

VAP: Intellectual Property

Relationship: Child
IP protection criterion under ethics management

VAP: Fair Business, Advertising and Competition

Relationship: Child
Fair competition criterion under ethics management

VAP: Protection of Identity and Non-Retaliation

Relationship: Child
Whistleblower protection criterion under ethics management

VAP: Privacy

Relationship: Child
Privacy criterion under ethics management

VAP: Labor Management System

Relationship: Related
Labor management system alignment

VAP: Health and Safety Management System

Relationship: Related
Health and safety management system alignment

VAP: Environmental Management System

Relationship: Related
Environmental management system alignment

Change Log

2.0.0 (2022-06-01)

Changed

  • Split of the generic 7.0.0 management system into the ethics-specific D.M Ethics Management System (new at VAP 7.1.2): At VAP 7.0.0 there was a single generic Management System (Appendix Section E, E2-E11: Management Accountability, Legal & Customer Requirements, Risk Assessment & Risk Management, Improvement Objectives, Training, Communication, Worker Feedback/Participation/Grievance, Audits & Assessments, Corrective Action Process, Documentation & Records) assessed across all four components (Labor, Health & Safety, Environment, Ethics) under shared rated questions. At VAP 7.1.2 this single system was split into discipline-specific systems (AM/BM/CM/DM); the D.M Ethics Management System carries forward only the ethics-scoped requirements and rates them as a standalone criterion. It introduces ethics-specific rated triggers absent from the combined 7.0.0 rating: the D.M.2.3 training severe-finding ('>5% of workers not trained within 30 days of the hire date') and the D.M.3.2 grievance Priority triggers (a confirmed grievance without a corrective action plan, and grievances not investigated/addressed within 3 months). Because ethics conformance is now rated independently with new fail-triggering conditions, a facility that passed the combined 7.0.0 system could now fail D.M, hence major.

1.0.0 (2021-01-01)

Changed

  • Initial historical baseline — the 7.0.0 generic Management System (RBA Code of Conduct 7.0), scoped to ethics: Earliest imported version of the management-system lineage. At RBA Code of Conduct 7.0 there was one generic Management System (Appendix Section E): E2 Management Accountability and Responsibility (incl. annual management review and continuous improvement), E3 Legal and Customer Requirements (quarterly compliance process), E4 Risk Assessment and Risk Management, E5 Improvement Objectives (annual performance management), E6 Training, E7 Communication, E8 Worker Feedback, Participation and Grievance, E9 Audits and Assessments (self-audit), E10 Corrective Action Process, and E11 Documentation and Records. The single system was assessed across all four components (Labor, Health & Safety, Environment, Ethics); this version presents those requirements scoped to the Ethics component. At VAP 7.1.2 the generic system was split into discipline-specific systems and this is the shared 7.0.0 ancestor of the D.M Ethics Management System.