0003506
GRI 3: Material Topics 2021
Global Reporting Initiative
International or National Standard
With Membership
GRI 3: Material Topics 2021
GRI 3: Material Topics
2023-01-01
The document as a whole was last reviewed and released on 2022-07-28T00:00:00-0700.
0003506
With Membership
Global Reporting Initiative
International or National Standard
GRI 3: Material Topics 2021
GRI 3: Material Topics
2023-01-01
The document as a whole was last reviewed and released on 2022-07-28T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within GRI 3: Material Topics 2021 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for GRI 3: Material Topics 2021 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
| Audit in scope audit items and compliance documents. CC ID 06730 [The organization should seek external assurance to assess the quality and credibility of its process of determining material topics. See section 5.2 in GRI 1 for more information on seeking external assurance. § 1. Step 4. Testing the material topics ¶ 3] | Audits and Risk Management | Preventive | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Actionable Reports or Measurements | Preventive | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
| Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and Risk Management | Preventive | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
| Audit information systems, as necessary. CC ID 13010 | Investigate | Detective | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
| Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
| Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
| Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Testing | Detective | |
| Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Testing | Preventive | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
| Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
| Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
| Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
| Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
| Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
| Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
| Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
| Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
| Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and Risk Management | Preventive | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
| Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and Risk Management | Preventive | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The severity of an actual or potential negative impact is determined by the following characteristics: Scope: how widespread the impact is, for example, the number of individuals affected or the extent of environmental damage. § 1. Step 3. Severity ¶ 1 Bullet 2 {difficulty}The severity of an actual or potential negative impact is determined by the following characteristics: Irremediable character: how hard it is to counteract or make good the resulting harm. § 1. Step 3. Severity ¶ 1 Bullet 3 The significance of an actual positive impact is determined by the scale and scope of the impact. The significance of a potential positive impact is determined by the scale and scope as well as the likelihood of the impact. § 1. Step 3. Assessing the significance of positive impacts ¶ 1 The significance of an actual positive impact is determined by the scale and scope of the impact. The significance of a potential positive impact is determined by the scale and scope as well as the likelihood of the impact. § 1. Step 3. Assessing the significance of positive impacts ¶ 1 The severity of an actual or potential negative impact is determined by the following characteristics: Scale: how grave the impact is. § 1. Step 3. Severity ¶ 1 Bullet 1] | Audits and Risk Management | Preventive | |
| Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 [In this step, the organization identifies its actual and potential impacts on the economy, environment, and people, including impacts on their human rights, across the organization's activities and business relationships. Actual impacts are those that have already occurred, and potential impacts are those that could occur but have not yet occurred. These impacts include negative and positive impacts, short-term and long-term impacts, intended and unintended impacts, and reversible and irreversible impacts. § 1. Step 2. ¶ 1 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 The organization should consider any negative impacts that could result from activities that aim for a positive contribution to sustainable development. Negative impacts cannot be offset by positive impacts. For example, a renewable energy installation may reduce a region's dependence on fossil fuels and bring energy to underserved communities. However, if it displaces local indigenous communities from their lands or territories without their consent, this negative impact should be addressed and remediated, and it cannot be compensated by the positive impacts. § 1. Step 2. Identifying positive impacts ¶ 3 The severity – and therefore the significance – of an impact are not absolute concepts. The severity of an impact should be assessed in relation to the other impacts of the organization. For example, an organization should compare the severity of the impacts of its GHG emissions against the severity of its other impacts. The organization should not assess the significance of its GHG emissions in relation to global GHG emissions, as that comparison could lead to the misleading conclusion that the organization's emissions are not significant. § 1. Step 3. Severity ¶ 5 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The organization may identify many actual and potential impacts. In this step, the organization assesses the significance of its identified impacts to prioritize them. Prioritization enables the organization to take action to address the impacts and also to determine its material topics for reporting. Prioritizing impacts for action is relevant where it is not feasible to address all impacts at once. § 1. Step 3. ¶ 1] | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 In this step, the organization needs to consider the impacts described in the applicable GRI Sector Standards and determine whether these impacts apply to it. § 1. Step 2. ¶ 5 Impacts may change over time as the organization's activities, business relationships, and context evolve. New activities, new business relationships, and major changes in operations or the operating context (e.g., new market entry, product launch, policy change, wider changes to the organization) could lead to changes in the organization's impacts. For this reason, the organization should assess its context and identify its impacts on an ongoing basis. § 1. Step 2. ¶ 6 In cases where the organization has limited resources available for identifying its impacts, it should first identify its negative impacts, before identifying positive impacts, to ensure it complies with applicable laws, regulations, and authoritative intergovernmental instruments. § 1. Step 2. ¶ 7 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3] | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 [In this step, the organization identifies its actual and potential impacts on the economy, environment, and people, including impacts on their human rights, across the organization's activities and business relationships. Actual impacts are those that have already occurred, and potential impacts are those that could occur but have not yet occurred. These impacts include negative and positive impacts, short-term and long-term impacts, intended and unintended impacts, and reversible and irreversible impacts. § 1. Step 2. ¶ 1 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3] | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and Risk Management | Preventive | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3] | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 | Establish/Maintain Documentation | Preventive | |
| Include how material topics are managed in the disclosure report. CC ID 15657 [For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: § 2. Disclosure 3-3 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Establish/Maintain Documentation | Preventive | |
| Include the content removal policy in the disclosure report. CC ID 15650 | Establish/Maintain Documentation | Preventive | |
| Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 | Establish/Maintain Documentation | Preventive | |
| Include requirements for content removal requests in the disclosure report. CC ID 15652 | Establish/Maintain Documentation | Preventive | |
| Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 | Establish/Maintain Documentation | Preventive | |
| Include the scope of content removal requests in the disclosure report. CC ID 15648 | Establish/Maintain Documentation | Preventive | |
| Include a description of data subjects in the disclosure report. CC ID 16791 | Establish/Maintain Documentation | Preventive | |
| Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Establish/Maintain Documentation | Preventive | |
| Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Establish/Maintain Documentation | Preventive | |
| Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Establish/Maintain Documentation | Preventive | |
| Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Establish/Maintain Documentation | Preventive | |
| Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 | Establish/Maintain Documentation | Preventive | |
| Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Establish/Maintain Documentation | Preventive | |
| Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 | Establish/Maintain Documentation | Preventive | |
| Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Establish/Maintain Documentation | Preventive | |
| Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Establish/Maintain Documentation | Preventive | |
| Include significant risks related to corruption in the disclosure report. CC ID 16065 | Establish/Maintain Documentation | Preventive | |
| Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Establish/Maintain Documentation | Preventive | |
| Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Establish/Maintain Documentation | Preventive | |
| Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Establish/Maintain Documentation | Preventive | |
| Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Establish/Maintain Documentation | Preventive | |
| Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Establish/Maintain Documentation | Preventive | |
| Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Establish/Maintain Documentation | Preventive | |
| Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Establish/Maintain Documentation | Preventive | |
| Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Establish/Maintain Documentation | Preventive | |
| Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Establish/Maintain Documentation | Preventive | |
| Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Establish/Maintain Documentation | Preventive | |
| Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Establish/Maintain Documentation | Preventive | |
| Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Establish/Maintain Documentation | Preventive | |
| Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Establish/Maintain Documentation | Preventive | |
| Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Establish/Maintain Documentation | Preventive | |
| Include the tax jurisdictions in the disclosure report. CC ID 16047 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Establish/Maintain Documentation | Preventive | |
| Include the tax strategy in the disclosure report. CC ID 16029 | Establish/Maintain Documentation | Preventive | |
| Include the tax governance and control framework in the disclosure report. CC ID 16028 | Establish/Maintain Documentation | Preventive | |
| Include the management of tax risks in the disclosure report. CC ID 16026 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Establish/Maintain Documentation | Preventive | |
| Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Establish/Maintain Documentation | Preventive | |
| Include the local minimum wage in the disclosure report. CC ID 15992 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Establish/Maintain Documentation | Preventive | |
| Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Establish/Maintain Documentation | Preventive | |
| Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Establish/Maintain Documentation | Preventive | |
| Include the emissions management plan in the disclosure report. CC ID 16177 | Establish/Maintain Documentation | Preventive | |
| Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Establish/Maintain Documentation | Preventive | |
| Include emission reduction targets in the disclosure report. CC ID 16148 | Establish/Maintain Documentation | Preventive | |
| Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Establish/Maintain Documentation | Preventive | |
| Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Establish/Maintain Documentation | Preventive | |
| Include a description of carbon offsets in the disclosure report. CC ID 15988 | Establish/Maintain Documentation | Preventive | |
| Include the design and development of data centers in the disclosure report. CC ID 15620 | Establish/Maintain Documentation | Preventive | |
| Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 | Establish/Maintain Documentation | Preventive | |
| Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 | Establish/Maintain Documentation | Preventive | |
| Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 | Establish/Maintain Documentation | Preventive | |
| Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 | Establish/Maintain Documentation | Preventive | |
| Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 | Establish/Maintain Documentation | Preventive | |
| Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 | Establish/Maintain Documentation | Preventive | |
| Include the nature of complaints received in the disclosure report. CC ID 15844 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Establish/Maintain Documentation | Preventive | |
| Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Establish/Maintain Documentation | Preventive | |
| Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Establish/Maintain Documentation | Preventive | |
| Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Establish/Maintain Documentation | Preventive | |
| Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Establish/Maintain Documentation | Preventive | |
| Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Establish/Maintain Documentation | Preventive | |
| Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Establish/Maintain Documentation | Preventive | |
| Include the employee representation program in the disclosure report. CC ID 15628 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Establish/Maintain Documentation | Preventive | |
| Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Establish/Maintain Documentation | Preventive | |
| Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Establish/Maintain Documentation | Preventive | |
| Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Establish/Maintain Documentation | Preventive | |
| Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Establish/Maintain Documentation | Preventive | |
| Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Establish/Maintain Documentation | Preventive | |
| Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Establish/Maintain Documentation | Preventive | |
| Include work-related hazards in the disclosure report. CC ID 15911 | Establish/Maintain Documentation | Preventive | |
| Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Establish/Maintain Documentation | Preventive | |
| Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Establish/Maintain Documentation | Preventive | |
| Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Establish/Maintain Documentation | Preventive | |
| Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Establish/Maintain Documentation | Preventive | |
| Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Establish/Maintain Documentation | Preventive | |
| Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Establish/Maintain Documentation | Preventive | |
| Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Establish/Maintain Documentation | Preventive | |
| Include the main types of work-related injury in the disclosure report. CC ID 15959 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Establish/Maintain Documentation | Preventive | |
| Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Establish/Maintain Documentation | Preventive | |
| Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Establish/Maintain Documentation | Preventive | |
| Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Establish/Maintain Documentation | Preventive | |
| Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Establish/Maintain Documentation | Preventive | |
| Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Establish/Maintain Documentation | Preventive | |
| Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 | Establish/Maintain Documentation | Preventive | |
| Include the process for reporting near misses in the disclosure report. CC ID 16211 | Establish/Maintain Documentation | Preventive | |
| Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Establish/Maintain Documentation | Preventive | |
| Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Establish/Maintain Documentation | Preventive | |
| Include the Code of Conduct in the disclosure report. CC ID 16205 | Establish/Maintain Documentation | Preventive | |
| Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Establish/Maintain Documentation | Preventive | |
| Include the scope of work stoppages in the disclosure report. CC ID 16215 | Establish/Maintain Documentation | Preventive | |
| Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Establish/Maintain Documentation | Preventive | |
| Include the impact of work stoppages in the disclosure report. CC ID 16212 | Establish/Maintain Documentation | Preventive | |
| Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Establish/Maintain Documentation | Preventive | |
| Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 | Establish/Maintain Documentation | Preventive | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Establish/Maintain Documentation | Preventive | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Establish/Maintain Documentation | Preventive | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Establish/Maintain Documentation | Preventive | |
| Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Establish/Maintain Documentation | Preventive | |
| Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Establish/Maintain Documentation | Preventive | |
| Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Establish/Maintain Documentation | Preventive | |
| Include the material of spills in the disclosure report. CC ID 15968 | Establish/Maintain Documentation | Preventive | |
| Include the location of spills in the disclosure report. CC ID 15964 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Establish/Maintain Documentation | Preventive | |
| Include products that contain declarable substances in the disclosure report. CC ID 16161 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Establish/Maintain Documentation | Preventive | |
| Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Establish/Maintain Documentation | Preventive | |
| Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Establish/Maintain Documentation | Preventive | |
| Include the scope of renewable energy in the disclosure report. CC ID 15509 | Establish/Maintain Documentation | Preventive | |
| Include the scope of energy consumption in the disclosure report. CC ID 15508 | Establish/Maintain Documentation | Preventive | |
| Include the types of energy used in the disclosure report. CC ID 15748 | Establish/Maintain Documentation | Preventive | |
| Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Process or Activity | Preventive | |
| Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Establish/Maintain Documentation | Preventive | |
| Include the scope of recovered material in the disclosure report. CC ID 16204 | Establish/Maintain Documentation | Preventive | |
| Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Establish/Maintain Documentation | Preventive | |
| Include the risks represented by materials in the disclosure report. CC ID 16171 | Establish/Maintain Documentation | Preventive | |
| Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Establish/Maintain Documentation | Preventive | |
| Include management of the availability of materials in the disclosure report. CC ID 16167 | Establish/Maintain Documentation | Preventive | |
| Include management of the price of materials in the disclosure report. CC ID 16165 | Establish/Maintain Documentation | Preventive | |
| Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Establish/Maintain Documentation | Preventive | |
| Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Establish/Maintain Documentation | Preventive | |
| Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Establish/Maintain Documentation | Preventive | |
| Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Establish/Maintain Documentation | Preventive | |
| Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Establish/Maintain Documentation | Preventive | |
| Include the results of impact assessments in the disclosure report. CC ID 15820 | Establish/Maintain Documentation | Preventive | |
| Include a description of community development programs in the disclosure report. CC ID 15818 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact assessments in the disclosure report. CC ID 15817 | Establish/Maintain Documentation | Preventive | |
| Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Establish/Maintain Documentation | Preventive | |
| Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Establish/Maintain Documentation | Preventive | |
| Include trends in the frequency of incidents in the disclosure report. CC ID 15511 | Establish/Maintain Documentation | Preventive | |
| Include trends in the origination of incidents in the disclosure report. CC ID 15512 | Establish/Maintain Documentation | Preventive | |
| Include trends in incident type in the disclosure report. CC ID 15510 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Establish/Maintain Documentation | Preventive | |
| Include a description of water consumption in the disclosure report. CC ID 15754 | Establish/Maintain Documentation | Preventive | |
| Include changes in water storage in the disclosure report. CC ID 15762 | Establish/Maintain Documentation | Preventive | |
| Include a description of water discharge in the disclosure report. CC ID 15755 | Establish/Maintain Documentation | Preventive | |
| Include a description of water withdrawal in the disclosure report. CC ID 15753 | Establish/Maintain Documentation | Preventive | |
| Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Establish/Maintain Documentation | Preventive | |
| Include the effluent discharge standards in the disclosure report. CC ID 15757 | Establish/Maintain Documentation | Preventive | |
| Include water quality standards in the disclosure report. CC ID 15756 | Establish/Maintain Documentation | Preventive | |
| Include business continuity risks in the disclosure report. CC ID 15608 | Establish/Maintain Documentation | Preventive | |
| Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 | Establish/Maintain Documentation | Preventive | |
| Include recycling in the disclosure report. CC ID 15579 | Establish/Maintain Documentation | Preventive | |
| Include the scope of recycled material in the disclosure report. CC ID 16153 | Establish/Maintain Documentation | Preventive | |
| Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Establish/Maintain Documentation | Preventive | |
| Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Establish/Maintain Documentation | Preventive | |
| Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Establish/Maintain Documentation | Preventive | |
| Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Establish/Maintain Documentation | Preventive | |
| Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Establish/Maintain Documentation | Preventive | |
| Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Establish/Maintain Documentation | Preventive | |
| Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 | Establish/Maintain Documentation | Preventive | |
| Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 | Establish/Maintain Documentation | Preventive | |
| Include the corrective action plan in the disclosure report. CC ID 15900 | Establish/Maintain Documentation | Preventive | |
| Include the costs of corrective actions in the disclosure report. CC ID 16098 | Establish/Maintain Documentation | Preventive | |
| Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Establish/Maintain Documentation | Preventive | |
| Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Establish/Maintain Documentation | Preventive | |
| Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 | Establish/Maintain Documentation | Preventive | |
| Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 | Establish/Maintain Documentation | Preventive | |
| Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 | Establish/Maintain Documentation | Preventive | |
| Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Establish/Maintain Documentation | Preventive | |
| Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Establish/Maintain Documentation | Preventive | |
| Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Establish/Maintain Documentation | Preventive | |
| Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 | Establish/Maintain Documentation | Preventive | |
| Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Establish/Maintain Documentation | Preventive | |
| Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 | Establish/Maintain Documentation | Preventive | |
| Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Establish/Maintain Documentation | Preventive | |
| Include non-monetary sanctions in the disclosure report. CC ID 15872 | Establish/Maintain Documentation | Preventive | |
| Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 [For each material topic reported under Disclosure 3-2, the organization shall: report whether the organization is involved with the negative impacts through its activities or as a result of its business relationships, and describe the activities or business relationships; § 2. Disclosure 3-3 ¶ 1(b) For each material topic reported under Disclosure 3-2, the organization shall: report whether the organization is involved with the negative impacts through its activities or as a result of its business relationships, and describe the activities or business relationships; § 2. Disclosure 3-3 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
| Include the organization's name in the disclosure report. CC ID 15668 | Establish/Maintain Documentation | Preventive | |
| Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Establish/Maintain Documentation | Preventive | |
| Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: goals, targets, and indicators used to evaluate progress; § 2. Disclosure 3-3 ¶ 1(e)(ii)] | Establish/Maintain Documentation | Preventive | |
| Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: processes used to track the effectiveness of the actions; § 2. Disclosure 3-3 ¶ 1(e)(i) For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: the effectiveness of the actions, including progress toward the goals and targets; § 2. Disclosure 3-3 ¶ 1(e)(iii) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to prevent or mitigate potential negative impacts; § 2. Disclosure 3-3 ¶ 1(d)(i) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to manage actual and potential positive impacts; § 2. Disclosure 3-3 ¶ 1(d)(iii) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to address actual negative impacts, including actions to provide for or cooperate in their remediation; § 2. Disclosure 3-3 ¶ 1(d)(ii)] | Establish/Maintain Documentation | Preventive | |
| Include a list of material topics in the disclosure report. CC ID 15656 [{be material} While most, if not all, of the impacts that have been identified through this process will eventually become financially material, sustainability reporting is also highly relevant in its own right as a public interest activity and is independent of the consideration of financial implications. It is therefore important for the organization to report on all the material topics that it has determined using the GRI Standards. These material topics cannot be deprioritized on the basis of not being considered financially material by the organization. § 1. Box 1. ¶ 2 The organization shall: list its material topics; § 2. Disclosure 3-2 ¶ 1(a) This testing process results in a list of the organization's material topics. § 1. Step 4. Testing the material topics ¶ 4] | Establish/Maintain Documentation | Preventive | |
| Include changes to the list of material topics in the disclosure report. CC ID 15681 [The organization shall: report changes to the list of material topics compared to the previous reporting period. § 2. Disclosure 3-2 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
| Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Establish/Maintain Documentation | Preventive | |
| Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 [For each material topic reported under Disclosure 3-2, the organization shall: describe its policies or commitments regarding the material topic; § 2. Disclosure 3-3 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
| Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Establish/Maintain Documentation | Preventive | |
| Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Establish/Maintain Documentation | Preventive | |
| Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 [For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: § 2. Disclosure 3-3 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
| Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 [The organization shall: specify the stakeholders and experts whose views have informed the process of determining its material topics. § 2. Disclosure 3-1 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
| Include the impacts related to each material topic in the disclosure report. CC ID 15682 [{negative impact}For each material topic reported under Disclosure 3-2, the organization shall: describe the actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights; § 2. Disclosure 3-3 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
| Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Establish/Maintain Documentation | Preventive | |
| Include the impact duration in the disclosure report. CC ID 16036 | Establish/Maintain Documentation | Preventive | |
| Include the extent of impacts in the disclosure report. CC ID 16016 | Establish/Maintain Documentation | Preventive | |
| Include the process for determining material topics in the disclosure report. CC ID 15655 [The organization should document its process of determining material topics. This includes documenting the approach taken, decisions, assumptions, and subjective judgments made, sources analyzed, and evidence gathered. Accurate records help the organization explain its chosen approach and report the disclosures in section 2 of this Standard. The records facilitate analysis and assurance. See the Verifiability principle in GRI 1 for more information. § 1. ¶ 5 The organization shall: describe the process it has followed to determine its material topics, including: § 2. Disclosure 3-1 ¶ 1(a) {negative impact}The organization shall: describe the process it has followed to determine its material topics, including: how it has identified actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights, across its activities and business relationships; § 2. Disclosure 3-1 ¶ 1(a)(i) {negative impact}The organization shall: describe the process it has followed to determine its material topics, including: how it has identified actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights, across its activities and business relationships; § 2. Disclosure 3-1 ¶ 1(a)(i) The organization shall: describe the process it has followed to determine its material topics, including: how it has prioritized the impacts for reporting based on their significance; § 2. Disclosure 3-1 ¶ 1(a)(ii)] | Establish/Maintain Documentation | Preventive | |
| Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Establish/Maintain Documentation | Preventive | |
| Include the progress towards goals and targets in the disclosure report. CC ID 15688 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: the effectiveness of the actions, including progress toward the goals and targets; § 2. Disclosure 3-3 ¶ 1(e)(iii)] | Establish/Maintain Documentation | Preventive | |
| Include the lessons learned in the disclosure report. CC ID 15689 [{manner}For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: lessons learned and how these have been incorporated into the organization's operational policies and procedures; § 2. Disclosure 3-3 ¶ 1(e)(iv)] | Establish/Maintain Documentation | Preventive | |
| Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 [{manner}For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: lessons learned and how these have been incorporated into the organization's operational policies and procedures; § 2. Disclosure 3-3 ¶ 1(e)(iv)] | Establish/Maintain Documentation | Preventive | |
| Include stakeholder engagement activities in the disclosure report. CC ID 15691 [For each material topic reported under Disclosure 3-2, the organization shall: describe how engagement with stakeholders has informed the actions taken (3-3-d) and how it has informed whether the actions have been effective (3-3-e). § 2. Disclosure 3-3 ¶ 1(f)] | Establish/Maintain Documentation | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should review and approve the list of material topics. If such a body does not exist, the list should be approved by a senior executive or group of senior executives in the organization. § 1. Step 4. Approval of the material topics ¶ 1 The organization's highest governance body should review and approve the list of material topics. If such a body does not exist, the list should be approved by a senior executive or group of senior executives in the organization. § 1. Step 4. Approval of the material topics ¶ 1] | Establish Roles | Preventive | |
| Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
| Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources Management | Preventive | |
| Establish and maintain an annual report on compensation. CC ID 14801 | Establish/Maintain Documentation | Preventive | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Communicate | Preventive | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Establish/Maintain Documentation | Preventive | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Establish/Maintain Documentation | Preventive | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources Management | Preventive | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources Management | Preventive | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Behavior | Preventive | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources Management | Preventive | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources Management | Preventive | |
| Establish, implement, and maintain job applications. CC ID 16180 | Establish/Maintain Documentation | Preventive | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources Management | Preventive | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources Management | Preventive | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources Management | Preventive | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources Management | Preventive | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources Management | Preventive | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources Management | Preventive | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources Management | Preventive | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources Management | Preventive | |
| Approve the wording of job applications. CC ID 16182 | Human Resources Management | Preventive | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources Management | Preventive | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources Management | Preventive | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources Management | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{be replicable}{be consistent} The approach for each step will vary according to the specific circumstances of the organization, such as its business model; sectors; geographic, cultural, and legal operating context; ownership structure; and the nature of its impacts. Given these specific circumstances, the steps should be systematic, documented, replicable, and used consistently in each reporting period. The organization should document any changes in its approach together with the rationale for those changes and their implications. § 1. ¶ 6 The organization should document its process of determining material topics. This includes documenting the approach taken, decisions, assumptions, and subjective judgments made, sources analyzed, and evidence gathered. Accurate records help the organization explain its chosen approach and report the disclosures in section 2 of this Standard. The records facilitate analysis and assurance. See the Verifiability principle in GRI 1 for more information. § 1. ¶ 5 The significance of an impact is the sole criterion to determine whether a topic is material for reporting. The organization cannot use difficulty in reporting on a topic or the fact that it does not yet manage the topic as criteria to determine whether or not to report on the topic. In cases where the organization does not manage a material topic, it can report the reasons for not doing so or any plans to manage the topic to comply with the requirements in Disclosure 3-3 Management of material topics in this Standard. § 1. Step 4. Setting a threshold to determine which topics are material ¶ 3] | Business Processes | Preventive | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Establish/Maintain Documentation | Preventive | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Establish/Maintain Documentation | Preventive | |
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 The organization should identify who its stakeholders are across its activities and business relationships and engage with them to help identify its impacts. § 1. Step 1. Stakeholders ¶ 1 In addition, the organization should seek to understand the concerns of its stakeholders (see Box 2 in this Standard) and consult internal and external experts, such as civil society organizations or academics. § 1. Step 2. ¶ 4 Assessing the significance of the impacts involves quantitative and qualitative analysis. How significant an impact is will be specific to the organization and will be influenced by the sectors in which it operates, and its business relationships, among other factors. In some instances, this may need a subjective decision. The organization should consult with relevant stakeholders (see Box 2 in this Standard) and business relationships to assess the significance of its impacts. The organization should also consult relevant internal or external experts. § 1. Step 3. ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 [The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Process or Activity | Preventive | |
| Identify barriers to stakeholder engagement. CC ID 15676 [The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Process or Activity | Preventive | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 [{stakeholder} Where direct consultation is not possible, the organization should consider reasonable alternatives, such as consulting credible independent experts, such as national human rights institutions, human rights and environmental defenders, trade unions, and other members of civil society. § 1. Box 2. ¶ 7] | Communicate | Preventive | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
| Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
| Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
| Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
| Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
| Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Business Processes | Preventive | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Business Processes | Preventive | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Communicate | Preventive | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Establish/Maintain Documentation | Preventive | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Communicate | Preventive | |
| Identify the material topics required to be reported on. CC ID 15654 [An organization reporting in accordance with the GRI Standards is required to determine its material topics. When doing this, the organization is also required to use the applicable GRI Sector Standards (see Requirement 3 in GRI 1: Foundation 2021 and Box 5 in this Standard). § 1. ¶ 1 The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 In each reporting period, the organization should review its material topics from the previous reporting period to account for changes in the impacts. Changes in impacts can result from changes in the organization's activities and business relationships. This review helps ensure the material topics represent the organization's most significant impacts in each new reporting period. § 1. ¶ 4 {be material} While most, if not all, of the impacts that have been identified through this process will eventually become financially material, sustainability reporting is also highly relevant in its own right as a public interest activity and is independent of the consideration of financial implications. It is therefore important for the organization to report on all the material topics that it has determined using the GRI Standards. These material topics cannot be deprioritized on the basis of not being considered financially material by the organization. § 1. Box 1. ¶ 2 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The organization is required to use the applicable Sector Standards when determining its material topics (see Requirement 3-b in GRI 1: Foundation 2021). Using the Sector Standards is not a substitute for the process of determining material topics, but an aid. The organization still needs to consider its own specific circumstances when determining its material topics. § 1. Box 5. ¶ 2 The organization is required to review each topic described in the applicable Sector Standards and determine whether it is a material topic for the organization. § 1. Box 5. ¶ 3 {information} Once the organization has determined its material topics, it needs to determine what to report for each material topic. See Requirement 4 and Requirement 5 in GRI 1 for information about how to report on material topics. § 1. Step 4. Determining what to report for each material topic ¶ 1] | Business Processes | Preventive | |
| Check the list of material topics for completeness. CC ID 15692 [The organization should test its selection of material topics against the topics in the applicable GRI Sector Standards. This helps the organization ensure that it has not overlooked any topics that are likely to be material for its sectors. § 1. Step 4. Testing the material topics ¶ 1 The organization should also test its selection of material topics with potential information users and experts who understand the organization or its sectors and have insight into one or more of the material topics. This can help the organization validate the threshold it has set to determine which topics are material to report. Examples of experts the organization can consult are academics, consultants, investors, lawyers, national institutions, and non-governmental organizations. § 1. Step 4. Testing the material topics ¶ 2] | Investigate | Preventive | |
| Prioritize material topics used in reporting. CC ID 15678 [In this step, to determine its material topics for reporting, the organization prioritizes its impacts based on their significance. § 1. Step 4. ¶ 1] | Communicate | Preventive | |
| Review and approve the material topics, as necessary. CC ID 15670 [The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7] | Process or Activity | Preventive | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 [The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Include time requirements in the external reporting program. CC ID 16566 | Communicate | Preventive | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Establish/Maintain Documentation | Preventive | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Communicate | Preventive | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
| Analyze the business environment in which the organization operates. CC ID 12798 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1 The organization should consider the following in relation to its activities: The types of activities it carries out (e.g., sales, marketing, manufacturing, distribution) and the geographic locations of these activities. § 1. Step 1. Activities ¶ 1 Bullet 2 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Business Processes | Preventive | |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 [The organization should consider the following in relation to its activities: The types of activities it carries out (e.g., sales, marketing, manufacturing, distribution) and the geographic locations of these activities. § 1. Step 1. Activities ¶ 1 Bullet 2 The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2] | Process or Activity | Preventive | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
| Include resources in the analysis of the internal business environment. CC ID 12942 [The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Process or Activity | Preventive | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 [{full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5] | Process or Activity | Preventive | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1] | Process or Activity | Preventive | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
| Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Monitor and Evaluate Occurrences | Preventive | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Monitor and Evaluate Occurrences | Preventive | |
| Analyze the external environment in which the organization operates. CC ID 12799 [The organization should consider the following in relation to its activities: The sectors in which the organization is active and their characteristics (e.g., whether they involve informal work, whether they are labor or resource intensive). § 1. Step 1. Activities ¶ 1 Bullet 4] | Business Processes | Preventive | |
| Identify the external forces that may affect organizational objectives. CC ID 12960 | Process or Activity | Preventive | |
| Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Monitor and Evaluate Occurrences | Preventive | |
| Include environmental requirements in the analysis of the external environment. CC ID 12965 [The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Business Processes | Preventive | |
| Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Monitor and Evaluate Occurrences | Preventive | |
| Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Business Processes | Preventive | |
| Include society in the analysis of the external environment. CC ID 12963 [{economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Business Processes | Preventive | |
| Include opportunities in the analysis of the external environment. CC ID 12954 | Business Processes | Preventive | |
| Include third party relationships in the analysis of the external environment. CC ID 12952 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The types of business relationships it has (e.g., joint ventures, suppliers, franchisees). § 1. Step 1. Business Relationships ¶ 1 Bullet 1 The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The nature of the business relationships (e.g., whether they are based on a long-term or short-term contract, whether they are based on a specific project or event). § 1. Step 1. Business Relationships ¶ 1 Bullet 3 The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2] | Business Processes | Preventive | |
| Include industry forces in the analysis of the external environment. CC ID 12904 | Business Processes | Preventive | |
| Include threats in the analysis of the external environment. CC ID 12898 | Business Processes | Preventive | |
| Include geopolitics in the analysis of the external environment. CC ID 12897 | Business Processes | Preventive | |
| Include legal requirements in the analysis of the external environment. CC ID 12896 [The organization should consider the following to understand the sustainability context of its activities and business relationships: The organization's responsibility regarding the authoritative intergovernmental instruments with which it is expected to comply. § 1. Step 1. Sustainability context ¶ 1 Bullet 2 The organization should consider the following to understand the sustainability context of its activities and business relationships: The organization's responsibility regarding the laws and regulations with which it is expected to comply. § 1. Step 1. Sustainability context ¶ 1 Bullet 3] | Business Processes | Preventive | |
| Include technology in the analysis of the external environment. CC ID 12837 | Business Processes | Preventive | |
| Include analyzing the market in the analysis of the external environment. CC ID 12836 [{economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1 The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Business Processes | Preventive | |
| Conduct a context analysis to define objectives and strategies. CC ID 12864 [Impacts may change over time as the organization's activities, business relationships, and context evolve. New activities, new business relationships, and major changes in operations or the operating context (e.g., new market entry, product launch, policy change, wider changes to the organization) could lead to changes in the organization's impacts. For this reason, the organization should assess its context and identify its impacts on an ongoing basis. § 1. Step 2. ¶ 6] | Business Processes | Preventive | |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
| Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
| Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
| Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Establish/Maintain Documentation | Preventive | |
| Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
| Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
| Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
| Identify all interested personnel and affected parties. CC ID 12845 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1 The organization should identify who its stakeholders are across its activities and business relationships and engage with them to help identify its impacts. § 1. Step 1. Stakeholders ¶ 1 When identifying its stakeholders, the organization should ensure it identifies any individuals or groups it does not have a direct relationship with (e.g., workers in the supply chain or local communities that live at a distance from the organization's operations) and those who are unable to articulate their views (e.g., future generations) but whose interests are affected or could be affected by the organization's activities. § 1. Step 1. Stakeholders ¶ 3 When identifying its stakeholders, the organization should ensure it identifies any individuals or groups it does not have a direct relationship with (e.g., workers in the supply chain or local communities that live at a distance from the organization's operations) and those who are unable to articulate their views (e.g., future generations) but whose interests are affected or could be affected by the organization's activities. § 1. Step 1. Stakeholders ¶ 3 {full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5 The organization should draw a full list of individuals and groups whose interests are affected or could be affected by the organization's activities. Common categories of stakeholders for organizations are business partners, civil society organizations, consumers, customers, employees and other workers, governments, local communities, nongovernmental organizations, shareholders and other investors, suppliers, trade unions, and vulnerable groups. The organization can further distinguish between individuals and groups whose human rights are affected or could be affected, and individuals and groups with other interests. § 1. Step 1. Stakeholders ¶ 2] | Process or Activity | Detective | |
| Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2 In addition, the organization should seek to understand the concerns of its stakeholders (see Box 2 in this Standard) and consult internal and external experts, such as civil society organizations or academics. § 1. Step 2. ¶ 4 The degree of impact on stakeholders may inform the degree of engagement. The organization should prioritize the most severely affected or potentially affected stakeholders for engagement. § 1. Box 2. ¶ 6 The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Business Processes | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
| Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
| Align the Authority Document list with external requirements. CC ID 06288 [An organization reporting in accordance with the GRI Standards is required to determine its material topics. When doing this, the organization is also required to use the applicable GRI Sector Standards (see Requirement 3 in GRI 1: Foundation 2021 and Box 5 in this Standard). § 1. ¶ 1 The organization is required to use the applicable Sector Standards when determining its material topics (see Requirement 3-b in GRI 1: Foundation 2021). Using the Sector Standards is not a substitute for the process of determining material topics, but an aid. The organization still needs to consider its own specific circumstances when determining its material topics. § 1. Box 5. ¶ 2 The organization is required to review each topic described in the applicable Sector Standards and determine whether it is a material topic for the organization. § 1. Box 5. ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a content index. CC ID 15660 | Establish/Maintain Documentation | Preventive | |
| Include an explanation of why disclosures or requirements do not apply in the content index. CC ID 15662 [If any of the topics that are included in the applicable Sector Standards have been determined by the organization as not material, the organization is required to list them in the GRI content index and explain why they are not material (see Requirement 3-b-ii in GRI 1). This explanation helps information users understand why the organization has determined that topics that are likely to be material for the organization's sectors are not material in its specific circumstances. § 1. Box 5. ¶ 6 A brief explanation in the GRI content index of why the topic is not material is sufficient to comply with Requirement 3-b-ii in GRI 1. In the previous example, the organization could explain that land and resource rights is not a material topic because its existing oil and gas projects are located in uninhabited areas, and there are no plans to start projects in new areas. § 1. Box 5. ¶ 7 If any of the topics that are included in the applicable Sector Standards have been determined by the organization as not material, the organization is required to list them in the GRI content index and explain why they are not material (see Requirement 3-b-ii in GRI 1). This explanation helps information users understand why the organization has determined that topics that are likely to be material for the organization's sectors are not material in its specific circumstances. § 1. Box 5. ¶ 6] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 | Establish/Maintain Documentation | Preventive | |
| Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [Assessing the significance of the impacts involves quantitative and qualitative analysis. How significant an impact is will be specific to the organization and will be influenced by the sectors in which it operates, and its business relationships, among other factors. In some instances, this may need a subjective decision. The organization should consult with relevant stakeholders (see Box 2 in this Standard) and business relationships to assess the significance of its impacts. The organization should also consult relevant internal or external experts. § 1. Step 3. ¶ 2] | Behavior | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Document the organization's business processes. CC ID 13035 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Establish/Maintain Documentation | Detective | |
| Correlate business processes and applications. CC ID 16300 | Business Processes | Preventive | |
| Disseminate and communicate the business process documentation to interested personnel and affected parties. CC ID 13038 | Communicate | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Business Processes | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Business Processes | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Business Processes | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 [{full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5] | Business Processes | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
| Implement changes according to the change control program. CC ID 11776 | Business Processes | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 [{be replicable}{be consistent} The approach for each step will vary according to the specific circumstances of the organization, such as its business model; sectors; geographic, cultural, and legal operating context; ownership structure; and the nature of its impacts. Given these specific circumstances, the steps should be systematic, documented, replicable, and used consistently in each reporting period. The organization should document any changes in its approach together with the rationale for those changes and their implications. § 1. ¶ 6] | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a service catalog. CC ID 13634 [The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
| Include a service description in the service catalog. CC ID 13917 | Establish/Maintain Documentation | Preventive | |
| Assign unique reference numbers to all services in the service catalog. CC ID 14424 | Establish/Maintain Documentation | Preventive | |
| Include service deliverables for each service description in the service catalog. CC ID 13918 | Establish/Maintain Documentation | Preventive | |
| Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 | Establish/Maintain Documentation | Preventive | |
| Include Service Level Agreements in the service catalog, as necessary. CC ID 13636 | Establish/Maintain Documentation | Preventive | |
| Include Information Technology services in the service catalog, as necessary. CC ID 13635 | Establish/Maintain Documentation | Preventive | |
| Base definitions of Information Technology services on their service characteristics. CC ID 13655 | Establish/Maintain Documentation | Preventive | |
| Categorize services in the service catalog. CC ID 14419 | Establish/Maintain Documentation | Preventive | |
| Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 | Establish/Maintain Documentation | Preventive | |
| Communicate the service catalog to interested personnel and affected parties. CC ID 13910 | Communicate | Preventive | |
| Establish, implement, and maintain an environmental management system. CC ID 14945 | Business Processes | Preventive | |
| Analyze the environmental impact of organizational changes. CC ID 14979 | Process or Activity | Detective | |
| Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980 [To identify its actual and potential positive impacts, the organization should assess the manner in which it contributes or could contribute to sustainable development through its activities, for example, through its products, services, investments, procurement practices, employment practices, or tax payments. This also includes assessing how the organization can shape its purpose, business model, and strategies to deliver positive impacts that contribute to the goal of sustainable development. § 1. Step 2. Identifying positive impacts ¶ 1] | Process or Activity | Detective | |
| Include the scope in the environmental management system. CC ID 14950 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Include emergency situations in the scope of the environmental management system. CC ID 14995 | Establish/Maintain Documentation | Preventive | |
| Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184 [To identify its actual and potential positive impacts, the organization should assess the manner in which it contributes or could contribute to sustainable development through its activities, for example, through its products, services, investments, procurement practices, employment practices, or tax payments. This also includes assessing how the organization can shape its purpose, business model, and strategies to deliver positive impacts that contribute to the goal of sustainable development. § 1. Step 2. Identifying positive impacts ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183 | Business Processes | Detective | |
| Include activities, products, and services in the scope of the environmental management system. CC ID 15182 | Establish/Maintain Documentation | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 [The organization should respect the human rights of all stakeholders and other individuals with whom it engages (e.g., their rights to privacy, freedom of expression, and peaceful assembly and protest) and it should protect them against reprisals (i.e., non-retaliation for raising complaints or concerns). § 1. Box 2. ¶ 3] | Data and Information Management | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Document and maintain supply chain processes. CC ID 08816 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The types of activities undertaken by those with which it has business relationships (e.g., manufacturing the organization's products, providing security services to the organization). § 1. Step 1. Business Relationships ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Document supply chain dependencies in the supply chain management program. CC ID 08900 | Establish/Maintain Documentation | Detective | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 | Establish/Maintain Documentation | Preventive | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Establish/Maintain Documentation | Preventive | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Establish/Maintain Documentation | Preventive | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The geographic locations where the activities of the business relationships take place. § 1. Step 1. Business Relationships ¶ 1 Bullet 4 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
| Document supply chain transactions in the supply chain management program. CC ID 08857 | Business Processes | Preventive | |
| Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
| Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Physical and Environmental Protection | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Preventive | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Preventive | |
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Audit in scope audit items and compliance documents. CC ID 06730 [The organization should seek external assurance to assess the quality and credibility of its process of determining material topics. See section 5.2 in GRI 1 for more information on seeking external assurance. § 1. Step 4. Testing the material topics ¶ 3] | Audits and risk management | Preventive | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Preventive | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Preventive | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Preventive | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and risk management | Preventive | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The severity of an actual or potential negative impact is determined by the following characteristics: Scope: how widespread the impact is, for example, the number of individuals affected or the extent of environmental damage. § 1. Step 3. Severity ¶ 1 Bullet 2 {difficulty}The severity of an actual or potential negative impact is determined by the following characteristics: Irremediable character: how hard it is to counteract or make good the resulting harm. § 1. Step 3. Severity ¶ 1 Bullet 3 The significance of an actual positive impact is determined by the scale and scope of the impact. The significance of a potential positive impact is determined by the scale and scope as well as the likelihood of the impact. § 1. Step 3. Assessing the significance of positive impacts ¶ 1 The significance of an actual positive impact is determined by the scale and scope of the impact. The significance of a potential positive impact is determined by the scale and scope as well as the likelihood of the impact. § 1. Step 3. Assessing the significance of positive impacts ¶ 1 The severity of an actual or potential negative impact is determined by the following characteristics: Scale: how grave the impact is. § 1. Step 3. Severity ¶ 1 Bullet 1] | Audits and risk management | Preventive | |
| Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 [In this step, the organization identifies its actual and potential impacts on the economy, environment, and people, including impacts on their human rights, across the organization's activities and business relationships. Actual impacts are those that have already occurred, and potential impacts are those that could occur but have not yet occurred. These impacts include negative and positive impacts, short-term and long-term impacts, intended and unintended impacts, and reversible and irreversible impacts. § 1. Step 2. ¶ 1 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 The organization should consider any negative impacts that could result from activities that aim for a positive contribution to sustainable development. Negative impacts cannot be offset by positive impacts. For example, a renewable energy installation may reduce a region's dependence on fossil fuels and bring energy to underserved communities. However, if it displaces local indigenous communities from their lands or territories without their consent, this negative impact should be addressed and remediated, and it cannot be compensated by the positive impacts. § 1. Step 2. Identifying positive impacts ¶ 3 The severity – and therefore the significance – of an impact are not absolute concepts. The severity of an impact should be assessed in relation to the other impacts of the organization. For example, an organization should compare the severity of the impacts of its GHG emissions against the severity of its other impacts. The organization should not assess the significance of its GHG emissions in relation to global GHG emissions, as that comparison could lead to the misleading conclusion that the organization's emissions are not significant. § 1. Step 3. Severity ¶ 5 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The organization may identify many actual and potential impacts. In this step, the organization assesses the significance of its identified impacts to prioritize them. Prioritization enables the organization to take action to address the impacts and also to determine its material topics for reporting. Prioritizing impacts for action is relevant where it is not feasible to address all impacts at once. § 1. Step 3. ¶ 1] | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 In this step, the organization needs to consider the impacts described in the applicable GRI Sector Standards and determine whether these impacts apply to it. § 1. Step 2. ¶ 5 Impacts may change over time as the organization's activities, business relationships, and context evolve. New activities, new business relationships, and major changes in operations or the operating context (e.g., new market entry, product launch, policy change, wider changes to the organization) could lead to changes in the organization's impacts. For this reason, the organization should assess its context and identify its impacts on an ongoing basis. § 1. Step 2. ¶ 6 In cases where the organization has limited resources available for identifying its impacts, it should first identify its negative impacts, before identifying positive impacts, to ensure it complies with applicable laws, regulations, and authoritative intergovernmental instruments. § 1. Step 2. ¶ 7 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3] | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 [In this step, the organization identifies its actual and potential impacts on the economy, environment, and people, including impacts on their human rights, across the organization's activities and business relationships. Actual impacts are those that have already occurred, and potential impacts are those that could occur but have not yet occurred. These impacts include negative and positive impacts, short-term and long-term impacts, intended and unintended impacts, and reversible and irreversible impacts. § 1. Step 2. ¶ 1 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3] | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Preventive | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3] | Audits and risk management | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [Assessing the significance of the impacts involves quantitative and qualitative analysis. How significant an impact is will be specific to the organization and will be influenced by the sectors in which it operates, and its business relationships, among other factors. In some instances, this may need a subjective decision. The organization should consult with relevant stakeholders (see Box 2 in this Standard) and business relationships to assess the significance of its impacts. The organization should also consult relevant internal or external experts. § 1. Step 3. ¶ 2] | Leadership and high level objectives | Preventive | |
| Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Human Resources management | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{be replicable}{be consistent} The approach for each step will vary according to the specific circumstances of the organization, such as its business model; sectors; geographic, cultural, and legal operating context; ownership structure; and the nature of its impacts. Given these specific circumstances, the steps should be systematic, documented, replicable, and used consistently in each reporting period. The organization should document any changes in its approach together with the rationale for those changes and their implications. § 1. ¶ 6 The organization should document its process of determining material topics. This includes documenting the approach taken, decisions, assumptions, and subjective judgments made, sources analyzed, and evidence gathered. Accurate records help the organization explain its chosen approach and report the disclosures in section 2 of this Standard. The records facilitate analysis and assurance. See the Verifiability principle in GRI 1 for more information. § 1. ¶ 5 The significance of an impact is the sole criterion to determine whether a topic is material for reporting. The organization cannot use difficulty in reporting on a topic or the fact that it does not yet manage the topic as criteria to determine whether or not to report on the topic. In cases where the organization does not manage a material topic, it can report the reasons for not doing so or any plans to manage the topic to comply with the requirements in Disclosure 3-3 Management of material topics in this Standard. § 1. Step 4. Setting a threshold to determine which topics are material ¶ 3] | Leadership and high level objectives | Preventive | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Leadership and high level objectives | Preventive | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Preventive | |
| Identify the material topics required to be reported on. CC ID 15654 [An organization reporting in accordance with the GRI Standards is required to determine its material topics. When doing this, the organization is also required to use the applicable GRI Sector Standards (see Requirement 3 in GRI 1: Foundation 2021 and Box 5 in this Standard). § 1. ¶ 1 The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 In each reporting period, the organization should review its material topics from the previous reporting period to account for changes in the impacts. Changes in impacts can result from changes in the organization's activities and business relationships. This review helps ensure the material topics represent the organization's most significant impacts in each new reporting period. § 1. ¶ 4 {be material} While most, if not all, of the impacts that have been identified through this process will eventually become financially material, sustainability reporting is also highly relevant in its own right as a public interest activity and is independent of the consideration of financial implications. It is therefore important for the organization to report on all the material topics that it has determined using the GRI Standards. These material topics cannot be deprioritized on the basis of not being considered financially material by the organization. § 1. Box 1. ¶ 2 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The organization is required to use the applicable Sector Standards when determining its material topics (see Requirement 3-b in GRI 1: Foundation 2021). Using the Sector Standards is not a substitute for the process of determining material topics, but an aid. The organization still needs to consider its own specific circumstances when determining its material topics. § 1. Box 5. ¶ 2 The organization is required to review each topic described in the applicable Sector Standards and determine whether it is a material topic for the organization. § 1. Box 5. ¶ 3 {information} Once the organization has determined its material topics, it needs to determine what to report for each material topic. See Requirement 4 and Requirement 5 in GRI 1 for information about how to report on material topics. § 1. Step 4. Determining what to report for each material topic ¶ 1] | Leadership and high level objectives | Preventive | |
| Analyze the business environment in which the organization operates. CC ID 12798 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1 The organization should consider the following in relation to its activities: The types of activities it carries out (e.g., sales, marketing, manufacturing, distribution) and the geographic locations of these activities. § 1. Step 1. Activities ¶ 1 Bullet 2 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Leadership and high level objectives | Preventive | |
| Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Preventive | |
| Analyze the external environment in which the organization operates. CC ID 12799 [The organization should consider the following in relation to its activities: The sectors in which the organization is active and their characteristics (e.g., whether they involve informal work, whether they are labor or resource intensive). § 1. Step 1. Activities ¶ 1 Bullet 4] | Leadership and high level objectives | Preventive | |
| Include environmental requirements in the analysis of the external environment. CC ID 12965 [The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Leadership and high level objectives | Preventive | |
| Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Preventive | |
| Include society in the analysis of the external environment. CC ID 12963 [{economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Leadership and high level objectives | Preventive | |
| Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Preventive | |
| Include third party relationships in the analysis of the external environment. CC ID 12952 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The types of business relationships it has (e.g., joint ventures, suppliers, franchisees). § 1. Step 1. Business Relationships ¶ 1 Bullet 1 The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The nature of the business relationships (e.g., whether they are based on a long-term or short-term contract, whether they are based on a specific project or event). § 1. Step 1. Business Relationships ¶ 1 Bullet 3 The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2] | Leadership and high level objectives | Preventive | |
| Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Preventive | |
| Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Preventive | |
| Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Preventive | |
| Include legal requirements in the analysis of the external environment. CC ID 12896 [The organization should consider the following to understand the sustainability context of its activities and business relationships: The organization's responsibility regarding the authoritative intergovernmental instruments with which it is expected to comply. § 1. Step 1. Sustainability context ¶ 1 Bullet 2 The organization should consider the following to understand the sustainability context of its activities and business relationships: The organization's responsibility regarding the laws and regulations with which it is expected to comply. § 1. Step 1. Sustainability context ¶ 1 Bullet 3] | Leadership and high level objectives | Preventive | |
| Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Preventive | |
| Include analyzing the market in the analysis of the external environment. CC ID 12836 [{economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1 The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Leadership and high level objectives | Preventive | |
| Conduct a context analysis to define objectives and strategies. CC ID 12864 [Impacts may change over time as the organization's activities, business relationships, and context evolve. New activities, new business relationships, and major changes in operations or the operating context (e.g., new market entry, product launch, policy change, wider changes to the organization) could lead to changes in the organization's impacts. For this reason, the organization should assess its context and identify its impacts on an ongoing basis. § 1. Step 2. ¶ 6] | Leadership and high level objectives | Preventive | |
| Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2 In addition, the organization should seek to understand the concerns of its stakeholders (see Box 2 in this Standard) and consult internal and external experts, such as civil society organizations or academics. § 1. Step 2. ¶ 4 The degree of impact on stakeholders may inform the degree of engagement. The organization should prioritize the most severely affected or potentially affected stakeholders for engagement. § 1. Box 2. ¶ 6 The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Leadership and high level objectives | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
| Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
| Correlate business processes and applications. CC ID 16300 | Operational management | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Operational management | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Operational management | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Operational management | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 [{full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5] | Operational management | Preventive | |
| Implement changes according to the change control program. CC ID 11776 | Operational management | Preventive | |
| Establish, implement, and maintain an environmental management system. CC ID 14945 | Operational management | Preventive | |
| Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183 | Operational management | Detective | |
| Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 [{stakeholder} Where direct consultation is not possible, the organization should consider reasonable alternatives, such as consulting credible independent experts, such as national human rights institutions, human rights and environmental defenders, trade unions, and other members of civil society. § 1. Box 2. ¶ 7] | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Preventive | |
| Prioritize material topics used in reporting. CC ID 15678 [In this step, to determine its material topics for reporting, the organization prioritizes its impacts based on their significance. § 1. Step 4. ¶ 1] | Leadership and high level objectives | Preventive | |
| Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Preventive | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Preventive | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Preventive | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Preventive | |
| Disseminate and communicate the business process documentation to interested personnel and affected parties. CC ID 13038 | Operational management | Preventive | |
| Communicate the service catalog to interested personnel and affected parties. CC ID 13910 | Operational management | Preventive | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 [The organization should respect the human rights of all stakeholders and other individuals with whom it engages (e.g., their rights to privacy, freedom of expression, and peaceful assembly and protest) and it should protect them against reprisals (i.e., non-retaliation for raising complaints or concerns). § 1. Box 2. ¶ 3] | Privacy protection for information and data | Preventive | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should review and approve the list of material topics. If such a body does not exist, the list should be approved by a senior executive or group of senior executives in the organization. § 1. Step 4. Approval of the material topics ¶ 1 The organization's highest governance body should review and approve the list of material topics. If such a body does not exist, the list should be approved by a senior executive or group of senior executives in the organization. § 1. Step 4. Approval of the material topics ¶ 1] | Human Resources management | Preventive | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Preventive | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Preventive | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 The organization should identify who its stakeholders are across its activities and business relationships and engage with them to help identify its impacts. § 1. Step 1. Stakeholders ¶ 1 In addition, the organization should seek to understand the concerns of its stakeholders (see Box 2 in this Standard) and consult internal and external experts, such as civil society organizations or academics. § 1. Step 2. ¶ 4 Assessing the significance of the impacts involves quantitative and qualitative analysis. How significant an impact is will be specific to the organization and will be influenced by the sectors in which it operates, and its business relationships, among other factors. In some instances, this may need a subjective decision. The organization should consult with relevant stakeholders (see Box 2 in this Standard) and business relationships to assess the significance of its impacts. The organization should also consult relevant internal or external experts. § 1. Step 3. ¶ 2] | Leadership and high level objectives | Preventive | |
| Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Preventive | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Preventive | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 [The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1] | Leadership and high level objectives | Preventive | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Preventive | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Preventive | |
| Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1] | Leadership and high level objectives | Preventive | |
| Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Preventive | |
| Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Preventive | |
| Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Preventive | |
| Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Preventive | |
| Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Preventive | |
| Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Preventive | |
| Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
| Align the Authority Document list with external requirements. CC ID 06288 [An organization reporting in accordance with the GRI Standards is required to determine its material topics. When doing this, the organization is also required to use the applicable GRI Sector Standards (see Requirement 3 in GRI 1: Foundation 2021 and Box 5 in this Standard). § 1. ¶ 1 The organization is required to use the applicable Sector Standards when determining its material topics (see Requirement 3-b in GRI 1: Foundation 2021). Using the Sector Standards is not a substitute for the process of determining material topics, but an aid. The organization still needs to consider its own specific circumstances when determining its material topics. § 1. Box 5. ¶ 2 The organization is required to review each topic described in the applicable Sector Standards and determine whether it is a material topic for the organization. § 1. Box 5. ¶ 3] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a content index. CC ID 15660 | Leadership and high level objectives | Preventive | |
| Include an explanation of why disclosures or requirements do not apply in the content index. CC ID 15662 [If any of the topics that are included in the applicable Sector Standards have been determined by the organization as not material, the organization is required to list them in the GRI content index and explain why they are not material (see Requirement 3-b-ii in GRI 1). This explanation helps information users understand why the organization has determined that topics that are likely to be material for the organization's sectors are not material in its specific circumstances. § 1. Box 5. ¶ 6 A brief explanation in the GRI content index of why the topic is not material is sufficient to comply with Requirement 3-b-ii in GRI 1. In the previous example, the organization could explain that land and resource rights is not a material topic because its existing oil and gas projects are located in uninhabited areas, and there are no plans to start projects in new areas. § 1. Box 5. ¶ 7 If any of the topics that are included in the applicable Sector Standards have been determined by the organization as not material, the organization is required to list them in the GRI content index and explain why they are not material (see Requirement 3-b-ii in GRI 1). This explanation helps information users understand why the organization has determined that topics that are likely to be material for the organization's sectors are not material in its specific circumstances. § 1. Box 5. ¶ 6] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Preventive | |
| Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
| Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
| Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
| Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1] | Audits and risk management | Preventive | |
| Document organizational risk criteria. CC ID 12277 | Audits and risk management | Preventive | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 | Audits and risk management | Preventive | |
| Include how material topics are managed in the disclosure report. CC ID 15657 [For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: § 2. Disclosure 3-3 ¶ 1(d)] | Audits and risk management | Preventive | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Audits and risk management | Preventive | |
| Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Audits and risk management | Preventive | |
| Include the content removal policy in the disclosure report. CC ID 15650 | Audits and risk management | Preventive | |
| Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 | Audits and risk management | Preventive | |
| Include requirements for content removal requests in the disclosure report. CC ID 15652 | Audits and risk management | Preventive | |
| Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 | Audits and risk management | Preventive | |
| Include the scope of content removal requests in the disclosure report. CC ID 15648 | Audits and risk management | Preventive | |
| Include a description of data subjects in the disclosure report. CC ID 16791 | Audits and risk management | Preventive | |
| Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Audits and risk management | Preventive | |
| Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Audits and risk management | Preventive | |
| Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Audits and risk management | Preventive | |
| Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Audits and risk management | Preventive | |
| Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 | Audits and risk management | Preventive | |
| Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Audits and risk management | Preventive | |
| Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 | Audits and risk management | Preventive | |
| Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 | Audits and risk management | Preventive | |
| Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 | Audits and risk management | Preventive | |
| Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Audits and risk management | Preventive | |
| Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Audits and risk management | Preventive | |
| Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Audits and risk management | Preventive | |
| Include significant risks related to corruption in the disclosure report. CC ID 16065 | Audits and risk management | Preventive | |
| Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Audits and risk management | Preventive | |
| Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Audits and risk management | Preventive | |
| Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Audits and risk management | Preventive | |
| Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Audits and risk management | Preventive | |
| Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Audits and risk management | Preventive | |
| Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Audits and risk management | Preventive | |
| Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Audits and risk management | Preventive | |
| Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Audits and risk management | Preventive | |
| Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Audits and risk management | Preventive | |
| Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Audits and risk management | Preventive | |
| Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Audits and risk management | Preventive | |
| Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Audits and risk management | Preventive | |
| Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Audits and risk management | Preventive | |
| Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Audits and risk management | Preventive | |
| Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Audits and risk management | Preventive | |
| Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Audits and risk management | Preventive | |
| Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Audits and risk management | Preventive | |
| Include the tax jurisdictions in the disclosure report. CC ID 16047 | Audits and risk management | Preventive | |
| Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Audits and risk management | Preventive | |
| Include the tax strategy in the disclosure report. CC ID 16029 | Audits and risk management | Preventive | |
| Include the tax governance and control framework in the disclosure report. CC ID 16028 | Audits and risk management | Preventive | |
| Include the management of tax risks in the disclosure report. CC ID 16026 | Audits and risk management | Preventive | |
| Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Audits and risk management | Preventive | |
| Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Audits and risk management | Preventive | |
| Include the local minimum wage in the disclosure report. CC ID 15992 | Audits and risk management | Preventive | |
| Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Audits and risk management | Preventive | |
| Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Audits and risk management | Preventive | |
| Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Audits and risk management | Preventive | |
| Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Audits and risk management | Preventive | |
| Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Audits and risk management | Preventive | |
| Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Audits and risk management | Preventive | |
| Include the emissions management plan in the disclosure report. CC ID 16177 | Audits and risk management | Preventive | |
| Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Audits and risk management | Preventive | |
| Include emission reduction targets in the disclosure report. CC ID 16148 | Audits and risk management | Preventive | |
| Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Audits and risk management | Preventive | |
| Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Audits and risk management | Preventive | |
| Include a description of carbon offsets in the disclosure report. CC ID 15988 | Audits and risk management | Preventive | |
| Include the design and development of data centers in the disclosure report. CC ID 15620 | Audits and risk management | Preventive | |
| Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 | Audits and risk management | Preventive | |
| Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 | Audits and risk management | Preventive | |
| Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 | Audits and risk management | Preventive | |
| Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 | Audits and risk management | Preventive | |
| Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 | Audits and risk management | Preventive | |
| Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 | Audits and risk management | Preventive | |
| Include the nature of complaints received in the disclosure report. CC ID 15844 | Audits and risk management | Preventive | |
| Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Audits and risk management | Preventive | |
| Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Audits and risk management | Preventive | |
| Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Audits and risk management | Preventive | |
| Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Audits and risk management | Preventive | |
| Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Audits and risk management | Preventive | |
| Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Audits and risk management | Preventive | |
| Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Audits and risk management | Preventive | |
| Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Audits and risk management | Preventive | |
| Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Audits and risk management | Preventive | |
| Include the employee representation program in the disclosure report. CC ID 15628 | Audits and risk management | Preventive | |
| Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Audits and risk management | Preventive | |
| Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Audits and risk management | Preventive | |
| Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Audits and risk management | Preventive | |
| Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Audits and risk management | Preventive | |
| Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Audits and risk management | Preventive | |
| Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Audits and risk management | Preventive | |
| Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Audits and risk management | Preventive | |
| Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Audits and risk management | Preventive | |
| Include work-related hazards in the disclosure report. CC ID 15911 | Audits and risk management | Preventive | |
| Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Audits and risk management | Preventive | |
| Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Audits and risk management | Preventive | |
| Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Audits and risk management | Preventive | |
| Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Audits and risk management | Preventive | |
| Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Audits and risk management | Preventive | |
| Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Audits and risk management | Preventive | |
| Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Audits and risk management | Preventive | |
| Include the main types of work-related injury in the disclosure report. CC ID 15959 | Audits and risk management | Preventive | |
| Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Audits and risk management | Preventive | |
| Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Audits and risk management | Preventive | |
| Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Audits and risk management | Preventive | |
| Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Audits and risk management | Preventive | |
| Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Audits and risk management | Preventive | |
| Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Audits and risk management | Preventive | |
| Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Audits and risk management | Preventive | |
| Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 | Audits and risk management | Preventive | |
| Include the process for reporting near misses in the disclosure report. CC ID 16211 | Audits and risk management | Preventive | |
| Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Audits and risk management | Preventive | |
| Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Audits and risk management | Preventive | |
| Include the Code of Conduct in the disclosure report. CC ID 16205 | Audits and risk management | Preventive | |
| Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Audits and risk management | Preventive | |
| Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Audits and risk management | Preventive | |
| Include the scope of work stoppages in the disclosure report. CC ID 16215 | Audits and risk management | Preventive | |
| Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Audits and risk management | Preventive | |
| Include the impact of work stoppages in the disclosure report. CC ID 16212 | Audits and risk management | Preventive | |
| Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Audits and risk management | Preventive | |
| Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Audits and risk management | Preventive | |
| Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Audits and risk management | Preventive | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 | Audits and risk management | Preventive | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Audits and risk management | Preventive | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Audits and risk management | Preventive | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Audits and risk management | Preventive | |
| Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Audits and risk management | Preventive | |
| Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Audits and risk management | Preventive | |
| Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Audits and risk management | Preventive | |
| Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Audits and risk management | Preventive | |
| Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Audits and risk management | Preventive | |
| Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Audits and risk management | Preventive | |
| Include the material of spills in the disclosure report. CC ID 15968 | Audits and risk management | Preventive | |
| Include the location of spills in the disclosure report. CC ID 15964 | Audits and risk management | Preventive | |
| Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Audits and risk management | Preventive | |
| Include products that contain declarable substances in the disclosure report. CC ID 16161 | Audits and risk management | Preventive | |
| Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Audits and risk management | Preventive | |
| Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Audits and risk management | Preventive | |
| Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Audits and risk management | Preventive | |
| Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Audits and risk management | Preventive | |
| Include the scope of renewable energy in the disclosure report. CC ID 15509 | Audits and risk management | Preventive | |
| Include the scope of energy consumption in the disclosure report. CC ID 15508 | Audits and risk management | Preventive | |
| Include the types of energy used in the disclosure report. CC ID 15748 | Audits and risk management | Preventive | |
| Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Audits and risk management | Preventive | |
| Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Audits and risk management | Preventive | |
| Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Audits and risk management | Preventive | |
| Include the scope of recovered material in the disclosure report. CC ID 16204 | Audits and risk management | Preventive | |
| Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Audits and risk management | Preventive | |
| Include the risks represented by materials in the disclosure report. CC ID 16171 | Audits and risk management | Preventive | |
| Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Audits and risk management | Preventive | |
| Include management of the availability of materials in the disclosure report. CC ID 16167 | Audits and risk management | Preventive | |
| Include management of the price of materials in the disclosure report. CC ID 16165 | Audits and risk management | Preventive | |
| Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Audits and risk management | Preventive | |
| Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Audits and risk management | Preventive | |
| Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Audits and risk management | Preventive | |
| Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Audits and risk management | Preventive | |
| Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Audits and risk management | Preventive | |
| Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Audits and risk management | Preventive | |
| Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Audits and risk management | Preventive | |
| Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Audits and risk management | Preventive | |
| Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Audits and risk management | Preventive | |
| Include the results of impact assessments in the disclosure report. CC ID 15820 | Audits and risk management | Preventive | |
| Include a description of community development programs in the disclosure report. CC ID 15818 | Audits and risk management | Preventive | |
| Include a description of the impact assessments in the disclosure report. CC ID 15817 | Audits and risk management | Preventive | |
| Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Audits and risk management | Preventive | |
| Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Audits and risk management | Preventive | |
| Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Audits and risk management | Preventive | |
| Include trends in the frequency of incidents in the disclosure report. CC ID 15511 | Audits and risk management | Preventive | |
| Include trends in the origination of incidents in the disclosure report. CC ID 15512 | Audits and risk management | Preventive | |
| Include trends in incident type in the disclosure report. CC ID 15510 | Audits and risk management | Preventive | |
| Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Audits and risk management | Preventive | |
| Include a description of water consumption in the disclosure report. CC ID 15754 | Audits and risk management | Preventive | |
| Include changes in water storage in the disclosure report. CC ID 15762 | Audits and risk management | Preventive | |
| Include a description of water discharge in the disclosure report. CC ID 15755 | Audits and risk management | Preventive | |
| Include a description of water withdrawal in the disclosure report. CC ID 15753 | Audits and risk management | Preventive | |
| Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Audits and risk management | Preventive | |
| Include the effluent discharge standards in the disclosure report. CC ID 15757 | Audits and risk management | Preventive | |
| Include water quality standards in the disclosure report. CC ID 15756 | Audits and risk management | Preventive | |
| Include business continuity risks in the disclosure report. CC ID 15608 | Audits and risk management | Preventive | |
| Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 | Audits and risk management | Preventive | |
| Include recycling in the disclosure report. CC ID 15579 | Audits and risk management | Preventive | |
| Include the scope of recycled material in the disclosure report. CC ID 16153 | Audits and risk management | Preventive | |
| Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Audits and risk management | Preventive | |
| Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Audits and risk management | Preventive | |
| Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Audits and risk management | Preventive | |
| Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Audits and risk management | Preventive | |
| Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Audits and risk management | Preventive | |
| Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Audits and risk management | Preventive | |
| Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 | Audits and risk management | Preventive | |
| Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 | Audits and risk management | Preventive | |
| Include the corrective action plan in the disclosure report. CC ID 15900 | Audits and risk management | Preventive | |
| Include the costs of corrective actions in the disclosure report. CC ID 16098 | Audits and risk management | Preventive | |
| Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Audits and risk management | Preventive | |
| Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Audits and risk management | Preventive | |
| Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 | Audits and risk management | Preventive | |
| Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 | Audits and risk management | Preventive | |
| Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 | Audits and risk management | Preventive | |
| Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Audits and risk management | Preventive | |
| Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Audits and risk management | Preventive | |
| Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Audits and risk management | Preventive | |
| Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 | Audits and risk management | Preventive | |
| Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Audits and risk management | Preventive | |
| Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 | Audits and risk management | Preventive | |
| Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Audits and risk management | Preventive | |
| Include non-monetary sanctions in the disclosure report. CC ID 15872 | Audits and risk management | Preventive | |
| Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 [For each material topic reported under Disclosure 3-2, the organization shall: report whether the organization is involved with the negative impacts through its activities or as a result of its business relationships, and describe the activities or business relationships; § 2. Disclosure 3-3 ¶ 1(b) For each material topic reported under Disclosure 3-2, the organization shall: report whether the organization is involved with the negative impacts through its activities or as a result of its business relationships, and describe the activities or business relationships; § 2. Disclosure 3-3 ¶ 1(b)] | Audits and risk management | Preventive | |
| Include the organization's name in the disclosure report. CC ID 15668 | Audits and risk management | Preventive | |
| Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Audits and risk management | Preventive | |
| Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: goals, targets, and indicators used to evaluate progress; § 2. Disclosure 3-3 ¶ 1(e)(ii)] | Audits and risk management | Preventive | |
| Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: processes used to track the effectiveness of the actions; § 2. Disclosure 3-3 ¶ 1(e)(i) For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: the effectiveness of the actions, including progress toward the goals and targets; § 2. Disclosure 3-3 ¶ 1(e)(iii) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to prevent or mitigate potential negative impacts; § 2. Disclosure 3-3 ¶ 1(d)(i) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to manage actual and potential positive impacts; § 2. Disclosure 3-3 ¶ 1(d)(iii) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to address actual negative impacts, including actions to provide for or cooperate in their remediation; § 2. Disclosure 3-3 ¶ 1(d)(ii)] | Audits and risk management | Preventive | |
| Include a list of material topics in the disclosure report. CC ID 15656 [{be material} While most, if not all, of the impacts that have been identified through this process will eventually become financially material, sustainability reporting is also highly relevant in its own right as a public interest activity and is independent of the consideration of financial implications. It is therefore important for the organization to report on all the material topics that it has determined using the GRI Standards. These material topics cannot be deprioritized on the basis of not being considered financially material by the organization. § 1. Box 1. ¶ 2 The organization shall: list its material topics; § 2. Disclosure 3-2 ¶ 1(a) This testing process results in a list of the organization's material topics. § 1. Step 4. Testing the material topics ¶ 4] | Audits and risk management | Preventive | |
| Include changes to the list of material topics in the disclosure report. CC ID 15681 [The organization shall: report changes to the list of material topics compared to the previous reporting period. § 2. Disclosure 3-2 ¶ 1(b)] | Audits and risk management | Preventive | |
| Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Audits and risk management | Preventive | |
| Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 [For each material topic reported under Disclosure 3-2, the organization shall: describe its policies or commitments regarding the material topic; § 2. Disclosure 3-3 ¶ 1(c)] | Audits and risk management | Preventive | |
| Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Audits and risk management | Preventive | |
| Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Audits and risk management | Preventive | |
| Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 [For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: § 2. Disclosure 3-3 ¶ 1(d)] | Audits and risk management | Preventive | |
| Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 [The organization shall: specify the stakeholders and experts whose views have informed the process of determining its material topics. § 2. Disclosure 3-1 ¶ 1(b)] | Audits and risk management | Preventive | |
| Include the impacts related to each material topic in the disclosure report. CC ID 15682 [{negative impact}For each material topic reported under Disclosure 3-2, the organization shall: describe the actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights; § 2. Disclosure 3-3 ¶ 1(a)] | Audits and risk management | Preventive | |
| Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Audits and risk management | Preventive | |
| Include the impact duration in the disclosure report. CC ID 16036 | Audits and risk management | Preventive | |
| Include the extent of impacts in the disclosure report. CC ID 16016 | Audits and risk management | Preventive | |
| Include the process for determining material topics in the disclosure report. CC ID 15655 [The organization should document its process of determining material topics. This includes documenting the approach taken, decisions, assumptions, and subjective judgments made, sources analyzed, and evidence gathered. Accurate records help the organization explain its chosen approach and report the disclosures in section 2 of this Standard. The records facilitate analysis and assurance. See the Verifiability principle in GRI 1 for more information. § 1. ¶ 5 The organization shall: describe the process it has followed to determine its material topics, including: § 2. Disclosure 3-1 ¶ 1(a) {negative impact}The organization shall: describe the process it has followed to determine its material topics, including: how it has identified actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights, across its activities and business relationships; § 2. Disclosure 3-1 ¶ 1(a)(i) {negative impact}The organization shall: describe the process it has followed to determine its material topics, including: how it has identified actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights, across its activities and business relationships; § 2. Disclosure 3-1 ¶ 1(a)(i) The organization shall: describe the process it has followed to determine its material topics, including: how it has prioritized the impacts for reporting based on their significance; § 2. Disclosure 3-1 ¶ 1(a)(ii)] | Audits and risk management | Preventive | |
| Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Audits and risk management | Preventive | |
| Include the progress towards goals and targets in the disclosure report. CC ID 15688 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: the effectiveness of the actions, including progress toward the goals and targets; § 2. Disclosure 3-3 ¶ 1(e)(iii)] | Audits and risk management | Preventive | |
| Include the lessons learned in the disclosure report. CC ID 15689 [{manner}For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: lessons learned and how these have been incorporated into the organization's operational policies and procedures; § 2. Disclosure 3-3 ¶ 1(e)(iv)] | Audits and risk management | Preventive | |
| Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 [{manner}For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: lessons learned and how these have been incorporated into the organization's operational policies and procedures; § 2. Disclosure 3-3 ¶ 1(e)(iv)] | Audits and risk management | Preventive | |
| Include stakeholder engagement activities in the disclosure report. CC ID 15691 [For each material topic reported under Disclosure 3-2, the organization shall: describe how engagement with stakeholders has informed the actions taken (3-3-d) and how it has informed whether the actions have been effective (3-3-e). § 2. Disclosure 3-3 ¶ 1(f)] | Audits and risk management | Preventive | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Human Resources management | Preventive | |
| Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Preventive | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Preventive | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Preventive | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Preventive | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Preventive | |
| Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Preventive | |
| Document the organization's business processes. CC ID 13035 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Operational management | Detective | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 [{be replicable}{be consistent} The approach for each step will vary according to the specific circumstances of the organization, such as its business model; sectors; geographic, cultural, and legal operating context; ownership structure; and the nature of its impacts. Given these specific circumstances, the steps should be systematic, documented, replicable, and used consistently in each reporting period. The organization should document any changes in its approach together with the rationale for those changes and their implications. § 1. ¶ 6] | Operational management | Preventive | |
| Establish and maintain a service catalog. CC ID 13634 [The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Operational management | Preventive | |
| Include a service description in the service catalog. CC ID 13917 | Operational management | Preventive | |
| Assign unique reference numbers to all services in the service catalog. CC ID 14424 | Operational management | Preventive | |
| Include service deliverables for each service description in the service catalog. CC ID 13918 | Operational management | Preventive | |
| Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 | Operational management | Preventive | |
| Include Service Level Agreements in the service catalog, as necessary. CC ID 13636 | Operational management | Preventive | |
| Include Information Technology services in the service catalog, as necessary. CC ID 13635 | Operational management | Preventive | |
| Base definitions of Information Technology services on their service characteristics. CC ID 13655 | Operational management | Preventive | |
| Categorize services in the service catalog. CC ID 14419 | Operational management | Preventive | |
| Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 | Operational management | Preventive | |
| Include the scope in the environmental management system. CC ID 14950 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Operational management | Preventive | |
| Include emergency situations in the scope of the environmental management system. CC ID 14995 | Operational management | Preventive | |
| Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184 [To identify its actual and potential positive impacts, the organization should assess the manner in which it contributes or could contribute to sustainable development through its activities, for example, through its products, services, investments, procurement practices, employment practices, or tax payments. This also includes assessing how the organization can shape its purpose, business model, and strategies to deliver positive impacts that contribute to the goal of sustainable development. § 1. Step 2. Identifying positive impacts ¶ 1] | Operational management | Preventive | |
| Include activities, products, and services in the scope of the environmental management system. CC ID 15182 | Operational management | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Document and maintain supply chain processes. CC ID 08816 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The types of activities undertaken by those with which it has business relationships (e.g., manufacturing the organization's products, providing security services to the organization). § 1. Step 1. Business Relationships ¶ 1 Bullet 2] | Third Party and supply chain oversight | Preventive | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Third Party and supply chain oversight | Preventive | |
| Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Detective | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Preventive | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Preventive | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Preventive | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Preventive | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Preventive | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The geographic locations where the activities of the business relationships take place. § 1. Step 1. Business Relationships ¶ 1 Bullet 4 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Third Party and supply chain oversight | Preventive | |
| Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Preventive | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
| Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Preventive | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Preventive | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
| Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources management | Preventive | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources management | Preventive | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Preventive | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources management | Preventive | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources management | Preventive | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Preventive | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Preventive | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Preventive | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Preventive | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Preventive | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Preventive | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Preventive | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Preventive | |
| Approve the wording of job applications. CC ID 16182 | Human Resources management | Preventive | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Preventive | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Preventive | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Check the list of material topics for completeness. CC ID 15692 [The organization should test its selection of material topics against the topics in the applicable GRI Sector Standards. This helps the organization ensure that it has not overlooked any topics that are likely to be material for its sectors. § 1. Step 4. Testing the material topics ¶ 1 The organization should also test its selection of material topics with potential information users and experts who understand the organization or its sectors and have insight into one or more of the material topics. This can help the organization validate the threshold it has set to determine which topics are material to report. Examples of experts the organization can consult are academics, consultants, investors, lawyers, national institutions, and non-governmental organizations. § 1. Step 4. Testing the material topics ¶ 2] | Leadership and high level objectives | Preventive | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
| Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Detective | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Preventive | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive | |
Physical and Environmental Protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 [The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Leadership and high level objectives | Preventive | |
| Identify barriers to stakeholder engagement. CC ID 15676 [The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Leadership and high level objectives | Preventive | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
| Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
| Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
| Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
| Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
| Review and approve the material topics, as necessary. CC ID 15670 [The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7] | Leadership and high level objectives | Preventive | |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Preventive | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 [The organization should consider the following in relation to its activities: The types of activities it carries out (e.g., sales, marketing, manufacturing, distribution) and the geographic locations of these activities. § 1. Step 1. Activities ¶ 1 Bullet 2 The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2] | Leadership and high level objectives | Preventive | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Preventive | |
| Include resources in the analysis of the internal business environment. CC ID 12942 [The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Leadership and high level objectives | Preventive | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Preventive | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Preventive | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 [{full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5] | Leadership and high level objectives | Preventive | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1] | Leadership and high level objectives | Preventive | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Preventive | |
| Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Preventive | |
| Identify all interested personnel and affected parties. CC ID 12845 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1 The organization should identify who its stakeholders are across its activities and business relationships and engage with them to help identify its impacts. § 1. Step 1. Stakeholders ¶ 1 When identifying its stakeholders, the organization should ensure it identifies any individuals or groups it does not have a direct relationship with (e.g., workers in the supply chain or local communities that live at a distance from the organization's operations) and those who are unable to articulate their views (e.g., future generations) but whose interests are affected or could be affected by the organization's activities. § 1. Step 1. Stakeholders ¶ 3 When identifying its stakeholders, the organization should ensure it identifies any individuals or groups it does not have a direct relationship with (e.g., workers in the supply chain or local communities that live at a distance from the organization's operations) and those who are unable to articulate their views (e.g., future generations) but whose interests are affected or could be affected by the organization's activities. § 1. Step 1. Stakeholders ¶ 3 {full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5 The organization should draw a full list of individuals and groups whose interests are affected or could be affected by the organization's activities. Common categories of stakeholders for organizations are business partners, civil society organizations, consumers, customers, employees and other workers, governments, local communities, nongovernmental organizations, shareholders and other investors, suppliers, trade unions, and vulnerable groups. The organization can further distinguish between individuals and groups whose human rights are affected or could be affected, and individuals and groups with other interests. § 1. Step 1. Stakeholders ¶ 2] | Leadership and high level objectives | Detective | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
| Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
| Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
| Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
| Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
| Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
| Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Audits and risk management | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
| Analyze the environmental impact of organizational changes. CC ID 14979 | Operational management | Detective | |
| Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980 [To identify its actual and potential positive impacts, the organization should assess the manner in which it contributes or could contribute to sustainable development through its activities, for example, through its products, services, investments, procurement practices, employment practices, or tax payments. This also includes assessing how the organization can shape its purpose, business model, and strategies to deliver positive impacts that contribute to the goal of sustainable development. § 1. Step 2. Identifying positive impacts ¶ 1] | Operational management | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
| Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
| Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Detective | |
| Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Preventive | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
| Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
| Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
| Identify all interested personnel and affected parties. CC ID 12845 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1 The organization should identify who its stakeholders are across its activities and business relationships and engage with them to help identify its impacts. § 1. Step 1. Stakeholders ¶ 1 When identifying its stakeholders, the organization should ensure it identifies any individuals or groups it does not have a direct relationship with (e.g., workers in the supply chain or local communities that live at a distance from the organization's operations) and those who are unable to articulate their views (e.g., future generations) but whose interests are affected or could be affected by the organization's activities. § 1. Step 1. Stakeholders ¶ 3 When identifying its stakeholders, the organization should ensure it identifies any individuals or groups it does not have a direct relationship with (e.g., workers in the supply chain or local communities that live at a distance from the organization's operations) and those who are unable to articulate their views (e.g., future generations) but whose interests are affected or could be affected by the organization's activities. § 1. Step 1. Stakeholders ¶ 3 {full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5 The organization should draw a full list of individuals and groups whose interests are affected or could be affected by the organization's activities. Common categories of stakeholders for organizations are business partners, civil society organizations, consumers, customers, employees and other workers, governments, local communities, nongovernmental organizations, shareholders and other investors, suppliers, trade unions, and vulnerable groups. The organization can further distinguish between individuals and groups whose human rights are affected or could be affected, and individuals and groups with other interests. § 1. Step 1. Stakeholders ¶ 2] | Leadership and high level objectives | Process or Activity | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
| Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Investigate | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
| Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
| Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Testing | |
| Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
| Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
| Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
| Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 [In this step, the organization identifies its actual and potential impacts on the economy, environment, and people, including impacts on their human rights, across the organization's activities and business relationships. Actual impacts are those that have already occurred, and potential impacts are those that could occur but have not yet occurred. These impacts include negative and positive impacts, short-term and long-term impacts, intended and unintended impacts, and reversible and irreversible impacts. § 1. Step 2. ¶ 1 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 The organization should consider any negative impacts that could result from activities that aim for a positive contribution to sustainable development. Negative impacts cannot be offset by positive impacts. For example, a renewable energy installation may reduce a region's dependence on fossil fuels and bring energy to underserved communities. However, if it displaces local indigenous communities from their lands or territories without their consent, this negative impact should be addressed and remediated, and it cannot be compensated by the positive impacts. § 1. Step 2. Identifying positive impacts ¶ 3 The severity – and therefore the significance – of an impact are not absolute concepts. The severity of an impact should be assessed in relation to the other impacts of the organization. For example, an organization should compare the severity of the impacts of its GHG emissions against the severity of its other impacts. The organization should not assess the significance of its GHG emissions in relation to global GHG emissions, as that comparison could lead to the misleading conclusion that the organization's emissions are not significant. § 1. Step 3. Severity ¶ 5 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The organization may identify many actual and potential impacts. In this step, the organization assesses the significance of its identified impacts to prioritize them. Prioritization enables the organization to take action to address the impacts and also to determine its material topics for reporting. Prioritizing impacts for action is relevant where it is not feasible to address all impacts at once. § 1. Step 3. ¶ 1] | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 In this step, the organization needs to consider the impacts described in the applicable GRI Sector Standards and determine whether these impacts apply to it. § 1. Step 2. ¶ 5 Impacts may change over time as the organization's activities, business relationships, and context evolve. New activities, new business relationships, and major changes in operations or the operating context (e.g., new market entry, product launch, policy change, wider changes to the organization) could lead to changes in the organization's impacts. For this reason, the organization should assess its context and identify its impacts on an ongoing basis. § 1. Step 2. ¶ 6 In cases where the organization has limited resources available for identifying its impacts, it should first identify its negative impacts, before identifying positive impacts, to ensure it complies with applicable laws, regulations, and authoritative intergovernmental instruments. § 1. Step 2. ¶ 7 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3] | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 [In this step, the organization identifies its actual and potential impacts on the economy, environment, and people, including impacts on their human rights, across the organization's activities and business relationships. Actual impacts are those that have already occurred, and potential impacts are those that could occur but have not yet occurred. These impacts include negative and positive impacts, short-term and long-term impacts, intended and unintended impacts, and reversible and irreversible impacts. § 1. Step 2. ¶ 1 Identifying actual and potential negative impacts with which the organization is involved or could be involved is the first step of due diligence. The organization should consider actual and potential impacts that it causes or contributes to through its activities, as well as actual and potential impacts that are directly linked to its operations, products, or services by its business relationships(see Box 3 in this Standard). § 1. Step 2. Identifying negative impacts ¶ 1 As part of the initial assessment or scoping exercise, the organization should consider impacts commonly associated with its sectors, its products, geographic locations, or with specific organizations (i.e., impacts associated with a specific entity of the organization, or with an entity it has a business relationship with, such as a poor history of conduct in relation to respecting human rights). It should also consider impacts it has been involved with or knows it is likely to be involved with. In addition to the GRI Sector Standards, the organization can use the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct [2] and the OECD sectoral guidance on due diligence [13] for information on impacts commonly associated with sectors, products, geographic locations, and specific organizations. It can also use reports from governments, environmental agencies, international organizations, civil society organizations, workers' representatives and trade unions, national human rights institutions, media, or other experts. § 1. Step 2. Identifying negative impacts ¶ 3] | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
| Document the organization's business processes. CC ID 13035 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Operational management | Establish/Maintain Documentation | |
| Analyze the environmental impact of organizational changes. CC ID 14979 | Operational management | Process or Activity | |
| Analyze the environmental impact of changes in developments, activities, products, and services. CC ID 14980 [To identify its actual and potential positive impacts, the organization should assess the manner in which it contributes or could contribute to sustainable development through its activities, for example, through its products, services, investments, procurement practices, employment practices, or tax payments. This also includes assessing how the organization can shape its purpose, business model, and strategies to deliver positive impacts that contribute to the goal of sustainable development. § 1. Step 2. Identifying positive impacts ¶ 1] | Operational management | Process or Activity | |
| Analyze activities, products, and services within the scope of the environmental management system to determine the environmental aspects. CC ID 15183 | Operational management | Business Processes | |
| Document supply chain dependencies in the supply chain management program. CC ID 08900 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{be replicable}{be consistent} The approach for each step will vary according to the specific circumstances of the organization, such as its business model; sectors; geographic, cultural, and legal operating context; ownership structure; and the nature of its impacts. Given these specific circumstances, the steps should be systematic, documented, replicable, and used consistently in each reporting period. The organization should document any changes in its approach together with the rationale for those changes and their implications. § 1. ¶ 6 The organization should document its process of determining material topics. This includes documenting the approach taken, decisions, assumptions, and subjective judgments made, sources analyzed, and evidence gathered. Accurate records help the organization explain its chosen approach and report the disclosures in section 2 of this Standard. The records facilitate analysis and assurance. See the Verifiability principle in GRI 1 for more information. § 1. ¶ 5 The significance of an impact is the sole criterion to determine whether a topic is material for reporting. The organization cannot use difficulty in reporting on a topic or the fact that it does not yet manage the topic as criteria to determine whether or not to report on the topic. In cases where the organization does not manage a material topic, it can report the reasons for not doing so or any plans to manage the topic to comply with the requirements in Disclosure 3-3 Management of material topics in this Standard. § 1. Step 4. Setting a threshold to determine which topics are material ¶ 3] | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 The organization should identify who its stakeholders are across its activities and business relationships and engage with them to help identify its impacts. § 1. Step 1. Stakeholders ¶ 1 In addition, the organization should seek to understand the concerns of its stakeholders (see Box 2 in this Standard) and consult internal and external experts, such as civil society organizations or academics. § 1. Step 2. ¶ 4 Assessing the significance of the impacts involves quantitative and qualitative analysis. How significant an impact is will be specific to the organization and will be influenced by the sectors in which it operates, and its business relationships, among other factors. In some instances, this may need a subjective decision. The organization should consult with relevant stakeholders (see Box 2 in this Standard) and business relationships to assess the significance of its impacts. The organization should also consult relevant internal or external experts. § 1. Step 3. ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 [The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Leadership and high level objectives | Process or Activity | |
| Identify barriers to stakeholder engagement. CC ID 15676 [The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Leadership and high level objectives | Process or Activity | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 [{stakeholder} Where direct consultation is not possible, the organization should consider reasonable alternatives, such as consulting credible independent experts, such as national human rights institutions, human rights and environmental defenders, trade unions, and other members of civil society. § 1. Box 2. ¶ 7] | Leadership and high level objectives | Communicate | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
| Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
| Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
| Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Actionable Reports or Measurements | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
| Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
| Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Leadership and high level objectives | Business Processes | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Business Processes | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Communicate | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Communicate | |
| Identify the material topics required to be reported on. CC ID 15654 [An organization reporting in accordance with the GRI Standards is required to determine its material topics. When doing this, the organization is also required to use the applicable GRI Sector Standards (see Requirement 3 in GRI 1: Foundation 2021 and Box 5 in this Standard). § 1. ¶ 1 The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3 In each reporting period, the organization should review its material topics from the previous reporting period to account for changes in the impacts. Changes in impacts can result from changes in the organization's activities and business relationships. This review helps ensure the material topics represent the organization's most significant impacts in each new reporting period. § 1. ¶ 4 {be material} While most, if not all, of the impacts that have been identified through this process will eventually become financially material, sustainability reporting is also highly relevant in its own right as a public interest activity and is independent of the consideration of financial implications. It is therefore important for the organization to report on all the material topics that it has determined using the GRI Standards. These material topics cannot be deprioritized on the basis of not being considered financially material by the organization. § 1. Box 1. ¶ 2 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The organization is required to use the applicable Sector Standards when determining its material topics (see Requirement 3-b in GRI 1: Foundation 2021). Using the Sector Standards is not a substitute for the process of determining material topics, but an aid. The organization still needs to consider its own specific circumstances when determining its material topics. § 1. Box 5. ¶ 2 The organization is required to review each topic described in the applicable Sector Standards and determine whether it is a material topic for the organization. § 1. Box 5. ¶ 3 {information} Once the organization has determined its material topics, it needs to determine what to report for each material topic. See Requirement 4 and Requirement 5 in GRI 1 for information about how to report on material topics. § 1. Step 4. Determining what to report for each material topic ¶ 1] | Leadership and high level objectives | Business Processes | |
| Check the list of material topics for completeness. CC ID 15692 [The organization should test its selection of material topics against the topics in the applicable GRI Sector Standards. This helps the organization ensure that it has not overlooked any topics that are likely to be material for its sectors. § 1. Step 4. Testing the material topics ¶ 1 The organization should also test its selection of material topics with potential information users and experts who understand the organization or its sectors and have insight into one or more of the material topics. This can help the organization validate the threshold it has set to determine which topics are material to report. Examples of experts the organization can consult are academics, consultants, investors, lawyers, national institutions, and non-governmental organizations. § 1. Step 4. Testing the material topics ¶ 2] | Leadership and high level objectives | Investigate | |
| Prioritize material topics used in reporting. CC ID 15678 [In this step, to determine its material topics for reporting, the organization prioritizes its impacts based on their significance. § 1. Step 4. ¶ 1] | Leadership and high level objectives | Communicate | |
| Review and approve the material topics, as necessary. CC ID 15670 [The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7] | Leadership and high level objectives | Process or Activity | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 [The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1 The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Communicate | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Communicate | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Analyze the business environment in which the organization operates. CC ID 12798 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1 The organization should consider the following in relation to its activities: The types of activities it carries out (e.g., sales, marketing, manufacturing, distribution) and the geographic locations of these activities. § 1. Step 1. Activities ¶ 1 Bullet 2 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Leadership and high level objectives | Business Processes | |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Process or Activity | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 [The organization should consider the following in relation to its activities: The types of activities it carries out (e.g., sales, marketing, manufacturing, distribution) and the geographic locations of these activities. § 1. Step 1. Activities ¶ 1 Bullet 2 The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2] | Leadership and high level objectives | Process or Activity | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity | |
| Include resources in the analysis of the internal business environment. CC ID 12942 [The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Leadership and high level objectives | Process or Activity | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 [{full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5] | Leadership and high level objectives | Process or Activity | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1] | Leadership and high level objectives | Process or Activity | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Process or Activity | |
| Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes | |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Communicate | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Analyze the external environment in which the organization operates. CC ID 12799 [The organization should consider the following in relation to its activities: The sectors in which the organization is active and their characteristics (e.g., whether they involve informal work, whether they are labor or resource intensive). § 1. Step 1. Activities ¶ 1 Bullet 4] | Leadership and high level objectives | Business Processes | |
| Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Process or Activity | |
| Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include environmental requirements in the analysis of the external environment. CC ID 12965 [The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Leadership and high level objectives | Business Processes | |
| Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Business Processes | |
| Include society in the analysis of the external environment. CC ID 12963 [{economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Leadership and high level objectives | Business Processes | |
| Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Business Processes | |
| Include third party relationships in the analysis of the external environment. CC ID 12952 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The types of business relationships it has (e.g., joint ventures, suppliers, franchisees). § 1. Step 1. Business Relationships ¶ 1 Bullet 1 The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The nature of the business relationships (e.g., whether they are based on a long-term or short-term contract, whether they are based on a specific project or event). § 1. Step 1. Business Relationships ¶ 1 Bullet 3 The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2] | Leadership and high level objectives | Business Processes | |
| Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Business Processes | |
| Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Business Processes | |
| Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Business Processes | |
| Include legal requirements in the analysis of the external environment. CC ID 12896 [The organization should consider the following to understand the sustainability context of its activities and business relationships: The organization's responsibility regarding the authoritative intergovernmental instruments with which it is expected to comply. § 1. Step 1. Sustainability context ¶ 1 Bullet 2 The organization should consider the following to understand the sustainability context of its activities and business relationships: The organization's responsibility regarding the laws and regulations with which it is expected to comply. § 1. Step 1. Sustainability context ¶ 1 Bullet 3] | Leadership and high level objectives | Business Processes | |
| Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Business Processes | |
| Include analyzing the market in the analysis of the external environment. CC ID 12836 [{economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1 The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Leadership and high level objectives | Business Processes | |
| Conduct a context analysis to define objectives and strategies. CC ID 12864 [Impacts may change over time as the organization's activities, business relationships, and context evolve. New activities, new business relationships, and major changes in operations or the operating context (e.g., new market entry, product launch, policy change, wider changes to the organization) could lead to changes in the organization's impacts. For this reason, the organization should assess its context and identify its impacts on an ongoing basis. § 1. Step 2. ¶ 6] | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 [The organization should consider the following in relation to its activities: The organization's purpose, value or mission statements, business model, and strategies. § 1. Step 1. Activities ¶ 1 Bullet 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate | |
| Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. § 1. Step 1. ¶ 2 In addition, the organization should seek to understand the concerns of its stakeholders (see Box 2 in this Standard) and consult internal and external experts, such as civil society organizations or academics. § 1. Step 2. ¶ 4 The degree of impact on stakeholders may inform the degree of engagement. The organization should prioritize the most severely affected or potentially affected stakeholders for engagement. § 1. Box 2. ¶ 6 The organization should seek to understand the concerns of its stakeholders by consulting them directly in a way that takes into account language and other potential barriers (e.g., cultural differences, gender and power imbalances, divisions within the community). Identifying and removing potential barriers is necessary to ensure that stakeholder engagement is effective. § 1. Box 2. ¶ 1] | Leadership and high level objectives | Business Processes | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align the Authority Document list with external requirements. CC ID 06288 [An organization reporting in accordance with the GRI Standards is required to determine its material topics. When doing this, the organization is also required to use the applicable GRI Sector Standards (see Requirement 3 in GRI 1: Foundation 2021 and Box 5 in this Standard). § 1. ¶ 1 The organization is required to use the applicable Sector Standards when determining its material topics (see Requirement 3-b in GRI 1: Foundation 2021). Using the Sector Standards is not a substitute for the process of determining material topics, but an aid. The organization still needs to consider its own specific circumstances when determining its material topics. § 1. Box 5. ¶ 2 The organization is required to review each topic described in the applicable Sector Standards and determine whether it is a material topic for the organization. § 1. Box 5. ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a content index. CC ID 15660 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an explanation of why disclosures or requirements do not apply in the content index. CC ID 15662 [If any of the topics that are included in the applicable Sector Standards have been determined by the organization as not material, the organization is required to list them in the GRI content index and explain why they are not material (see Requirement 3-b-ii in GRI 1). This explanation helps information users understand why the organization has determined that topics that are likely to be material for the organization's sectors are not material in its specific circumstances. § 1. Box 5. ¶ 6 A brief explanation in the GRI content index of why the topic is not material is sufficient to comply with Requirement 3-b-ii in GRI 1. In the previous example, the organization could explain that land and resource rights is not a material topic because its existing oil and gas projects are located in uninhabited areas, and there are no plans to start projects in new areas. § 1. Box 5. ¶ 7 If any of the topics that are included in the applicable Sector Standards have been determined by the organization as not material, the organization is required to list them in the GRI content index and explain why they are not material (see Requirement 3-b-ii in GRI 1). This explanation helps information users understand why the organization has determined that topics that are likely to be material for the organization's sectors are not material in its specific circumstances. § 1. Box 5. ¶ 6] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [Assessing the significance of the impacts involves quantitative and qualitative analysis. How significant an impact is will be specific to the organization and will be influenced by the sectors in which it operates, and its business relationships, among other factors. In some instances, this may need a subjective decision. The organization should consult with relevant stakeholders (see Box 2 in this Standard) and business relationships to assess the significance of its impacts. The organization should also consult relevant internal or external experts. § 1. Step 3. ¶ 2] | Leadership and high level objectives | Behavior | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
| Audit in scope audit items and compliance documents. CC ID 06730 [The organization should seek external assurance to assess the quality and credibility of its process of determining material topics. See section 5.2 in GRI 1 for more information on seeking external assurance. § 1. Step 4. Testing the material topics ¶ 3] | Audits and risk management | Audits and Risk Management | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Actionable Reports or Measurements | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Establish/Maintain Documentation | |
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
| Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Audits and Risk Management | |
| Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Testing | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
| Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
| Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
| Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
| Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
| Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
| Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The significance of an impact is assessed in relation to the other impacts the organization has identified. The organization should arrange its impacts from most to least significant and define a cut-off point or threshold to determine which of the impacts it will focus its reporting on. The organization should document this threshold. To facilitate prioritization, the organization should group the impacts into topics (see Box 4 in this Standard). § 1. Step 4. Setting a threshold to determine which topics are material ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
| Document organizational risk criteria. CC ID 12277 | Audits and risk management | Establish/Maintain Documentation | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Technical Security | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Audits and Risk Management | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Audits and Risk Management | |
| Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and risk management | Audits and Risk Management | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The severity of an actual or potential negative impact is determined by the following characteristics: Scope: how widespread the impact is, for example, the number of individuals affected or the extent of environmental damage. § 1. Step 3. Severity ¶ 1 Bullet 2 {difficulty}The severity of an actual or potential negative impact is determined by the following characteristics: Irremediable character: how hard it is to counteract or make good the resulting harm. § 1. Step 3. Severity ¶ 1 Bullet 3 The significance of an actual positive impact is determined by the scale and scope of the impact. The significance of a potential positive impact is determined by the scale and scope as well as the likelihood of the impact. § 1. Step 3. Assessing the significance of positive impacts ¶ 1 The significance of an actual positive impact is determined by the scale and scope of the impact. The significance of a potential positive impact is determined by the scale and scope as well as the likelihood of the impact. § 1. Step 3. Assessing the significance of positive impacts ¶ 1 The severity of an actual or potential negative impact is determined by the following characteristics: Scale: how grave the impact is. § 1. Step 3. Severity ¶ 1 Bullet 1] | Audits and risk management | Audits and Risk Management | |
| Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Audits and Risk Management | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Audits and Risk Management | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 [The first three steps in the process to determine material topics relate to the organization's ongoing identification and assessment of impacts. During these steps, the organization identifies and assesses its impacts regularly, as part of its day-to-day activities, and while engaging with relevant stakeholders and experts. These ongoing steps allow the organization to actively identify and manage its impacts as they evolve and as new ones arise. The first three steps are conducted independently of the sustainability reporting process, but they inform the last step. In Step 4, the organization prioritizes its most significant impacts for reporting and, in this way, determines its material topics. § 1. ¶ 3] | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 | Audits and risk management | Establish/Maintain Documentation | |
| Include how material topics are managed in the disclosure report. CC ID 15657 [For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: § 2. Disclosure 3-3 ¶ 1(d)] | Audits and risk management | Establish/Maintain Documentation | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Audits and risk management | Establish/Maintain Documentation | |
| Include the content removal policy in the disclosure report. CC ID 15650 | Audits and risk management | Establish/Maintain Documentation | |
| Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 | Audits and risk management | Establish/Maintain Documentation | |
| Include requirements for content removal requests in the disclosure report. CC ID 15652 | Audits and risk management | Establish/Maintain Documentation | |
| Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of content removal requests in the disclosure report. CC ID 15648 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of data subjects in the disclosure report. CC ID 16791 | Audits and risk management | Establish/Maintain Documentation | |
| Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Audits and risk management | Establish/Maintain Documentation | |
| Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Audits and risk management | Establish/Maintain Documentation | |
| Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Audits and risk management | Establish/Maintain Documentation | |
| Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 | Audits and risk management | Establish/Maintain Documentation | |
| Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Audits and risk management | Establish/Maintain Documentation | |
| Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 | Audits and risk management | Establish/Maintain Documentation | |
| Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 | Audits and risk management | Establish/Maintain Documentation | |
| Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Audits and risk management | Establish/Maintain Documentation | |
| Include significant risks related to corruption in the disclosure report. CC ID 16065 | Audits and risk management | Establish/Maintain Documentation | |
| Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Audits and risk management | Establish/Maintain Documentation | |
| Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Audits and risk management | Establish/Maintain Documentation | |
| Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Audits and risk management | Establish/Maintain Documentation | |
| Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Audits and risk management | Establish/Maintain Documentation | |
| Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Audits and risk management | Establish/Maintain Documentation | |
| Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Audits and risk management | Establish/Maintain Documentation | |
| Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Audits and risk management | Establish/Maintain Documentation | |
| Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Audits and risk management | Establish/Maintain Documentation | |
| Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Audits and risk management | Establish/Maintain Documentation | |
| Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Audits and risk management | Establish/Maintain Documentation | |
| Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Audits and risk management | Establish/Maintain Documentation | |
| Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Audits and risk management | Establish/Maintain Documentation | |
| Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Audits and risk management | Establish/Maintain Documentation | |
| Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tax jurisdictions in the disclosure report. CC ID 16047 | Audits and risk management | Establish/Maintain Documentation | |
| Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tax strategy in the disclosure report. CC ID 16029 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tax governance and control framework in the disclosure report. CC ID 16028 | Audits and risk management | Establish/Maintain Documentation | |
| Include the management of tax risks in the disclosure report. CC ID 16026 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Audits and risk management | Establish/Maintain Documentation | |
| Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Audits and risk management | Establish/Maintain Documentation | |
| Include the local minimum wage in the disclosure report. CC ID 15992 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Audits and risk management | Establish/Maintain Documentation | |
| Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Audits and risk management | Establish/Maintain Documentation | |
| Include the emissions management plan in the disclosure report. CC ID 16177 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Audits and risk management | Establish/Maintain Documentation | |
| Include emission reduction targets in the disclosure report. CC ID 16148 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of carbon offsets in the disclosure report. CC ID 15988 | Audits and risk management | Establish/Maintain Documentation | |
| Include the design and development of data centers in the disclosure report. CC ID 15620 | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 | Audits and risk management | Establish/Maintain Documentation | |
| Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 | Audits and risk management | Establish/Maintain Documentation | |
| Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 | Audits and risk management | Establish/Maintain Documentation | |
| Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of complaints received in the disclosure report. CC ID 15844 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Audits and risk management | Establish/Maintain Documentation | |
| Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Audits and risk management | Establish/Maintain Documentation | |
| Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Audits and risk management | Establish/Maintain Documentation | |
| Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Audits and risk management | Establish/Maintain Documentation | |
| Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Audits and risk management | Establish/Maintain Documentation | |
| Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Audits and risk management | Establish/Maintain Documentation | |
| Include the employee representation program in the disclosure report. CC ID 15628 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Audits and risk management | Establish/Maintain Documentation | |
| Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Audits and risk management | Establish/Maintain Documentation | |
| Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Audits and risk management | Establish/Maintain Documentation | |
| Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Audits and risk management | Establish/Maintain Documentation | |
| Include work-related hazards in the disclosure report. CC ID 15911 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Audits and risk management | Establish/Maintain Documentation | |
| Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Audits and risk management | Establish/Maintain Documentation | |
| Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Audits and risk management | Establish/Maintain Documentation | |
| Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Audits and risk management | Establish/Maintain Documentation | |
| Include the main types of work-related injury in the disclosure report. CC ID 15959 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Audits and risk management | Establish/Maintain Documentation | |
| Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Audits and risk management | Establish/Maintain Documentation | |
| Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Audits and risk management | Establish/Maintain Documentation | |
| Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Audits and risk management | Establish/Maintain Documentation | |
| Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process for reporting near misses in the disclosure report. CC ID 16211 | Audits and risk management | Establish/Maintain Documentation | |
| Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Audits and risk management | Establish/Maintain Documentation | |
| Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Audits and risk management | Establish/Maintain Documentation | |
| Include the Code of Conduct in the disclosure report. CC ID 16205 | Audits and risk management | Establish/Maintain Documentation | |
| Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of work stoppages in the disclosure report. CC ID 16215 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Audits and risk management | Establish/Maintain Documentation | |
| Include the impact of work stoppages in the disclosure report. CC ID 16212 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Audits and risk management | Establish/Maintain Documentation | |
| Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Audits and risk management | Establish/Maintain Documentation | |
| Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Audits and risk management | Establish/Maintain Documentation | |
| Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Audits and risk management | Establish/Maintain Documentation | |
| Include the material of spills in the disclosure report. CC ID 15968 | Audits and risk management | Establish/Maintain Documentation | |
| Include the location of spills in the disclosure report. CC ID 15964 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Audits and risk management | Establish/Maintain Documentation | |
| Include products that contain declarable substances in the disclosure report. CC ID 16161 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Audits and risk management | Establish/Maintain Documentation | |
| Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of renewable energy in the disclosure report. CC ID 15509 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of energy consumption in the disclosure report. CC ID 15508 | Audits and risk management | Establish/Maintain Documentation | |
| Include the types of energy used in the disclosure report. CC ID 15748 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Audits and risk management | Process or Activity | |
| Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of recovered material in the disclosure report. CC ID 16204 | Audits and risk management | Establish/Maintain Documentation | |
| Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks represented by materials in the disclosure report. CC ID 16171 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Audits and risk management | Establish/Maintain Documentation | |
| Include management of the availability of materials in the disclosure report. CC ID 16167 | Audits and risk management | Establish/Maintain Documentation | |
| Include management of the price of materials in the disclosure report. CC ID 16165 | Audits and risk management | Establish/Maintain Documentation | |
| Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Audits and risk management | Establish/Maintain Documentation | |
| Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Audits and risk management | Establish/Maintain Documentation | |
| Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Audits and risk management | Establish/Maintain Documentation | |
| Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Audits and risk management | Establish/Maintain Documentation | |
| Include the results of impact assessments in the disclosure report. CC ID 15820 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of community development programs in the disclosure report. CC ID 15818 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the impact assessments in the disclosure report. CC ID 15817 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Audits and risk management | Establish/Maintain Documentation | |
| Include trends in the frequency of incidents in the disclosure report. CC ID 15511 | Audits and risk management | Establish/Maintain Documentation | |
| Include trends in the origination of incidents in the disclosure report. CC ID 15512 | Audits and risk management | Establish/Maintain Documentation | |
| Include trends in incident type in the disclosure report. CC ID 15510 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of water consumption in the disclosure report. CC ID 15754 | Audits and risk management | Establish/Maintain Documentation | |
| Include changes in water storage in the disclosure report. CC ID 15762 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of water discharge in the disclosure report. CC ID 15755 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of water withdrawal in the disclosure report. CC ID 15753 | Audits and risk management | Establish/Maintain Documentation | |
| Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Audits and risk management | Establish/Maintain Documentation | |
| Include the effluent discharge standards in the disclosure report. CC ID 15757 | Audits and risk management | Establish/Maintain Documentation | |
| Include water quality standards in the disclosure report. CC ID 15756 | Audits and risk management | Establish/Maintain Documentation | |
| Include business continuity risks in the disclosure report. CC ID 15608 | Audits and risk management | Establish/Maintain Documentation | |
| Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 | Audits and risk management | Establish/Maintain Documentation | |
| Include recycling in the disclosure report. CC ID 15579 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of recycled material in the disclosure report. CC ID 16153 | Audits and risk management | Establish/Maintain Documentation | |
| Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Audits and risk management | Establish/Maintain Documentation | |
| Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Audits and risk management | Establish/Maintain Documentation | |
| Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Audits and risk management | Establish/Maintain Documentation | |
| Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Audits and risk management | Establish/Maintain Documentation | |
| Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Audits and risk management | Establish/Maintain Documentation | |
| Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 | Audits and risk management | Establish/Maintain Documentation | |
| Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 | Audits and risk management | Establish/Maintain Documentation | |
| Include the corrective action plan in the disclosure report. CC ID 15900 | Audits and risk management | Establish/Maintain Documentation | |
| Include the costs of corrective actions in the disclosure report. CC ID 16098 | Audits and risk management | Establish/Maintain Documentation | |
| Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Audits and risk management | Establish/Maintain Documentation | |
| Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Audits and risk management | Establish/Maintain Documentation | |
| Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 | Audits and risk management | Establish/Maintain Documentation | |
| Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 | Audits and risk management | Establish/Maintain Documentation | |
| Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 | Audits and risk management | Establish/Maintain Documentation | |
| Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Audits and risk management | Establish/Maintain Documentation | |
| Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Audits and risk management | Establish/Maintain Documentation | |
| Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Audits and risk management | Establish/Maintain Documentation | |
| Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 | Audits and risk management | Establish/Maintain Documentation | |
| Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Audits and risk management | Establish/Maintain Documentation | |
| Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Audits and risk management | Establish/Maintain Documentation | |
| Include non-monetary sanctions in the disclosure report. CC ID 15872 | Audits and risk management | Establish/Maintain Documentation | |
| Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 [For each material topic reported under Disclosure 3-2, the organization shall: report whether the organization is involved with the negative impacts through its activities or as a result of its business relationships, and describe the activities or business relationships; § 2. Disclosure 3-3 ¶ 1(b) For each material topic reported under Disclosure 3-2, the organization shall: report whether the organization is involved with the negative impacts through its activities or as a result of its business relationships, and describe the activities or business relationships; § 2. Disclosure 3-3 ¶ 1(b)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's name in the disclosure report. CC ID 15668 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Audits and risk management | Establish/Maintain Documentation | |
| Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: goals, targets, and indicators used to evaluate progress; § 2. Disclosure 3-3 ¶ 1(e)(ii)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: processes used to track the effectiveness of the actions; § 2. Disclosure 3-3 ¶ 1(e)(i) For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: the effectiveness of the actions, including progress toward the goals and targets; § 2. Disclosure 3-3 ¶ 1(e)(iii) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to prevent or mitigate potential negative impacts; § 2. Disclosure 3-3 ¶ 1(d)(i) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to manage actual and potential positive impacts; § 2. Disclosure 3-3 ¶ 1(d)(iii) For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: actions to address actual negative impacts, including actions to provide for or cooperate in their remediation; § 2. Disclosure 3-3 ¶ 1(d)(ii)] | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of material topics in the disclosure report. CC ID 15656 [{be material} While most, if not all, of the impacts that have been identified through this process will eventually become financially material, sustainability reporting is also highly relevant in its own right as a public interest activity and is independent of the consideration of financial implications. It is therefore important for the organization to report on all the material topics that it has determined using the GRI Standards. These material topics cannot be deprioritized on the basis of not being considered financially material by the organization. § 1. Box 1. ¶ 2 The organization shall: list its material topics; § 2. Disclosure 3-2 ¶ 1(a) This testing process results in a list of the organization's material topics. § 1. Step 4. Testing the material topics ¶ 4] | Audits and risk management | Establish/Maintain Documentation | |
| Include changes to the list of material topics in the disclosure report. CC ID 15681 [The organization shall: report changes to the list of material topics compared to the previous reporting period. § 2. Disclosure 3-2 ¶ 1(b)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Audits and risk management | Establish/Maintain Documentation | |
| Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 [For each material topic reported under Disclosure 3-2, the organization shall: describe its policies or commitments regarding the material topic; § 2. Disclosure 3-3 ¶ 1(c)] | Audits and risk management | Establish/Maintain Documentation | |
| Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Audits and risk management | Establish/Maintain Documentation | |
| Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 [For each material topic reported under Disclosure 3-2, the organization shall: describe actions taken to manage the topic and related impacts, including: § 2. Disclosure 3-3 ¶ 1(d)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 [The organization shall: specify the stakeholders and experts whose views have informed the process of determining its material topics. § 2. Disclosure 3-1 ¶ 1(b)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the impacts related to each material topic in the disclosure report. CC ID 15682 [{negative impact}For each material topic reported under Disclosure 3-2, the organization shall: describe the actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights; § 2. Disclosure 3-3 ¶ 1(a)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Audits and risk management | Establish/Maintain Documentation | |
| Include the impact duration in the disclosure report. CC ID 16036 | Audits and risk management | Establish/Maintain Documentation | |
| Include the extent of impacts in the disclosure report. CC ID 16016 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process for determining material topics in the disclosure report. CC ID 15655 [The organization should document its process of determining material topics. This includes documenting the approach taken, decisions, assumptions, and subjective judgments made, sources analyzed, and evidence gathered. Accurate records help the organization explain its chosen approach and report the disclosures in section 2 of this Standard. The records facilitate analysis and assurance. See the Verifiability principle in GRI 1 for more information. § 1. ¶ 5 The organization shall: describe the process it has followed to determine its material topics, including: § 2. Disclosure 3-1 ¶ 1(a) {negative impact}The organization shall: describe the process it has followed to determine its material topics, including: how it has identified actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights, across its activities and business relationships; § 2. Disclosure 3-1 ¶ 1(a)(i) {negative impact}The organization shall: describe the process it has followed to determine its material topics, including: how it has identified actual and potential, negative and positive impacts on the economy, environment, and people, including impacts on their human rights, across its activities and business relationships; § 2. Disclosure 3-1 ¶ 1(a)(i) The organization shall: describe the process it has followed to determine its material topics, including: how it has prioritized the impacts for reporting based on their significance; § 2. Disclosure 3-1 ¶ 1(a)(ii)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Audits and risk management | Establish/Maintain Documentation | |
| Include the progress towards goals and targets in the disclosure report. CC ID 15688 [For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: the effectiveness of the actions, including progress toward the goals and targets; § 2. Disclosure 3-3 ¶ 1(e)(iii)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the lessons learned in the disclosure report. CC ID 15689 [{manner}For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: lessons learned and how these have been incorporated into the organization's operational policies and procedures; § 2. Disclosure 3-3 ¶ 1(e)(iv)] | Audits and risk management | Establish/Maintain Documentation | |
| Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 [{manner}For each material topic reported under Disclosure 3-2, the organization shall: report the following information about tracking the effectiveness of the actions taken: lessons learned and how these have been incorporated into the organization's operational policies and procedures; § 2. Disclosure 3-3 ¶ 1(e)(iv)] | Audits and risk management | Establish/Maintain Documentation | |
| Include stakeholder engagement activities in the disclosure report. CC ID 15691 [For each material topic reported under Disclosure 3-2, the organization shall: describe how engagement with stakeholders has informed the actions taken (3-3-d) and how it has informed whether the actions have been effective (3-3-e). § 2. Disclosure 3-3 ¶ 1(f)] | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. § 1. ¶ 7 The organization's highest governance body should review and approve the list of material topics. If such a body does not exist, the list should be approved by a senior executive or group of senior executives in the organization. § 1. Step 4. Approval of the material topics ¶ 1 The organization's highest governance body should review and approve the list of material topics. If such a body does not exist, the list should be approved by a senior executive or group of senior executives in the organization. § 1. Step 4. Approval of the material topics ¶ 1] | Human Resources management | Establish Roles | |
| Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Human Resources Management | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 | Human Resources management | Human Resources Management | |
| Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Establish/Maintain Documentation | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Communicate | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Establish/Maintain Documentation | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Establish/Maintain Documentation | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources management | Human Resources Management | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Human Resources Management | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Human Resources management | Behavior | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 | Human Resources management | Human Resources Management | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Establish/Maintain Documentation | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Human Resources Management | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Human Resources Management | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Human Resources Management | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Human Resources Management | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Human Resources Management | |
| Approve the wording of job applications. CC ID 16182 | Human Resources management | Human Resources Management | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Human Resources Management | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Human Resources Management | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Human Resources Management | |
| Correlate business processes and applications. CC ID 16300 | Operational management | Business Processes | |
| Disseminate and communicate the business process documentation to interested personnel and affected parties. CC ID 13038 | Operational management | Communicate | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Operational management | Business Processes | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Operational management | Business Processes | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 [The organization should consider the following in relation to its activities: The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these workers directly or indirectly through a third party), and the work they perform. § 1. Step 1. Activities ¶ 1 Bullet 6] | Operational management | Business Processes | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 [{full-time employee}{part-time employee}{non-guaranteed hours employee}{permanent employee}{temporary employee}The organization should consider the following in relation to its activities: The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). § 1. Step 1. Activities ¶ 1 Bullet 5] | Operational management | Business Processes | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
| Implement changes according to the change control program. CC ID 11776 | Operational management | Business Processes | |
| Provide audit trails for all approved changes. CC ID 13120 [{be replicable}{be consistent} The approach for each step will vary according to the specific circumstances of the organization, such as its business model; sectors; geographic, cultural, and legal operating context; ownership structure; and the nature of its impacts. Given these specific circumstances, the steps should be systematic, documented, replicable, and used consistently in each reporting period. The organization should document any changes in its approach together with the rationale for those changes and their implications. § 1. ¶ 6] | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a service catalog. CC ID 13634 [The organization should consider the following in relation to its activities: The types of products and services it offers and the markets it serves (i.e., the types of customers and beneficiaries targeted, and the geographic locations where products and services are offered). § 1. Step 1. Activities ¶ 1 Bullet 3] | Operational management | Establish/Maintain Documentation | |
| Include a service description in the service catalog. CC ID 13917 | Operational management | Establish/Maintain Documentation | |
| Assign unique reference numbers to all services in the service catalog. CC ID 14424 | Operational management | Establish/Maintain Documentation | |
| Include service deliverables for each service description in the service catalog. CC ID 13918 | Operational management | Establish/Maintain Documentation | |
| Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 | Operational management | Establish/Maintain Documentation | |
| Include Service Level Agreements in the service catalog, as necessary. CC ID 13636 | Operational management | Establish/Maintain Documentation | |
| Include Information Technology services in the service catalog, as necessary. CC ID 13635 | Operational management | Establish/Maintain Documentation | |
| Base definitions of Information Technology services on their service characteristics. CC ID 13655 | Operational management | Establish/Maintain Documentation | |
| Categorize services in the service catalog. CC ID 14419 | Operational management | Establish/Maintain Documentation | |
| Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 | Operational management | Establish/Maintain Documentation | |
| Communicate the service catalog to interested personnel and affected parties. CC ID 13910 | Operational management | Communicate | |
| Establish, implement, and maintain an environmental management system. CC ID 14945 | Operational management | Business Processes | |
| Include the scope in the environmental management system. CC ID 14950 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Operational management | Establish/Maintain Documentation | |
| Include emergency situations in the scope of the environmental management system. CC ID 14995 | Operational management | Establish/Maintain Documentation | |
| Include the environmental impact of activities, products, and services in the scope of the environmental management system. CC ID 15184 [To identify its actual and potential positive impacts, the organization should assess the manner in which it contributes or could contribute to sustainable development through its activities, for example, through its products, services, investments, procurement practices, employment practices, or tax payments. This also includes assessing how the organization can shape its purpose, business model, and strategies to deliver positive impacts that contribute to the goal of sustainable development. § 1. Step 2. Identifying positive impacts ¶ 1] | Operational management | Establish/Maintain Documentation | |
| Include activities, products, and services in the scope of the environmental management system. CC ID 15182 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
| Preserve each individual's right to human dignity. CC ID 00082 [The organization should respect the human rights of all stakeholders and other individuals with whom it engages (e.g., their rights to privacy, freedom of expression, and peaceful assembly and protest) and it should protect them against reprisals (i.e., non-retaliation for raising complaints or concerns). § 1. Box 2. ¶ 3] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document and maintain supply chain processes. CC ID 08816 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The types of activities undertaken by those with which it has business relationships (e.g., manufacturing the organization's products, providing security services to the organization). § 1. Step 1. Business Relationships ¶ 1 Bullet 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 [In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. this provides the organization with critical information for identifying its actual and potential impacts. § 1. Step 1. ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [The organization's business relationships include relationships with business partners, entities in its value chain (including entities beyond the first tier), and any other entities directly linked to its operations, products, or services. The organization should consider the following in relation to its business relationships: The geographic locations where the activities of the business relationships take place. § 1. Step 1. Business Relationships ¶ 1 Bullet 4 {economic challenge}{environmental challenge}{human rights challenge}The organization should consider the following to understand the sustainability context of its activities and business relationships: Economic, environmental, human rights, and other societal challenges at local, regional, and global levels related to the organization's sectors and the geographic location of its activities and business relationships (e.g., climate change, lack of law enforcement, poverty, political conflict, water stress). § 1. Step 1. Sustainability context ¶ 1 Bullet 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Business Processes | |
| Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Physical and Environmental Protection | |