Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library GRI GRI 2 GRI 2-23
GRI 2: General Disclosures
Disclosure GRI 2-23

Policy commitments

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to explain the policy commitments that guide how it manages its material impacts, risks and opportunities. In practice, that means setting out the key policies it relies on, what they are intended to achieve, and how they connect to the organisation’s sustainability approach rather than just listing documents by name.

The practical focus is on whether those commitments are real and usable across the organisation. Reporters should make clear where the policies apply, whether they cover the whole organisation or only certain parts of it, and how they are communicated and embedded in day-to-day decision-making. If coverage is uneven, that should be clear too.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Responsible business policy basis Summarise the organisation’s commitments on responsible business conduct and name the intergovernmental instruments those commitments draw on. Approved policy text, policy register, or governance paper showing the referenced instruments. Sustainability / Legal / Policy
Due diligence commitment State whether the responsible business policy says the organisation will carry out due diligence. Policy wording, board-approved policy summary, or internal policy matrix. Sustainability / Legal / Risk
Precautionary approach State whether the responsible business policy says the organisation will use a precautionary approach when making decisions. Policy document, board paper, or compliance review noting the relevant clause. Sustainability / Legal / Risk
Human rights commitment State whether the responsible business policy explicitly includes respect for human rights. Policy text and any approved summary used for reporting. Sustainability / Legal / HR
Human rights scope List the human rights standards or rights areas the organisation says its human rights commitment covers. Human rights policy, supplier code, or policy annex that names the covered rights. Sustainability / Legal / Human Rights
Priority stakeholder groups Capture which stakeholder groups the organisation says it pays special attention to, including any at-risk or vulnerable groups. Human rights policy, stakeholder policy, or impact assessment that names the groups. Sustainability / Human Rights / DEI
Public policy links Record the web links to the policy commitments where they are publicly available. Published policy webpage, PDF URL, or intranet-to-public publication record. Communications / Sustainability / Web
No public access reason Explain why the policy commitments are not publicly available if no public link can be provided. Internal approval note, confidentiality rationale, or legal restriction record. Legal / Sustainability / Communications
Approval level State which internal level approved each policy commitment and whether that was the highest decision-making level. Board minutes, committee minutes, approval memo, or delegated authority record. Governance / Company Secretariat / Legal
Policy reach Describe how far each policy commitment applies across the organisation’s own activities and its external business relationships. Policy scope statement, supplier standards, and any group-wide applicability note. Sustainability / Procurement / Legal
Policy communication Describe how the organisation shares the policy commitments with workers, business partners, and other relevant parties. Induction materials, supplier communications, intranet posts, training records, or policy distribution logs. HR / Procurement / Communications
+ Show GRI 2-23 sub-elements (LRA working checklist)

How to prepare it

1Set the reporting boundary first: decide which policy statements you will include, and make sure you cover every required topic — the business conduct commitments, the human-rights commitment, the named international references, due diligence, precautionary thinking, and the human-rights coverage details.
2Define what each item means in your own filing: separate the general conduct commitments from the specific human-rights promise, then map the human-rights promise to the rights it covers and the groups it is meant to protect, including any people who need extra attention because they may be at greater risk.
3Gather the source material that proves the content: use the approved policy text, board or committee papers, policy registers, intranet or public web pages, and any internal guidance that shows whether the commitments mention the required instruments, due diligence, precautionary approach, and respect for rights.
4Assemble the disclosure in the order the data points need: state the commitments, note whether the human-rights promise is specific and what it covers, add the public link where available or the reason it is not public, identify who approved each commitment and how senior that approval was, explain how far the commitments reach across your own operations and wider business ties, and describe how you share them with staff, partners, and other relevant groups.
5Record any gaps, exceptions, or changes clearly: if a commitment is not public, explain why; if wording, coverage, approval level, or communication method has changed since the last report, note what changed and when; keep the explanation tied to the actual policy evidence you hold.
6Check the final draft against the source documents line by line: confirm that every required point is answered, the wording matches the underlying policy position, the links work, the approval level is accurate, and the scope, coverage, and communication statements are consistent with the official records.
Request the data

Request the policy pack and approval trail

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

What policy statements do we have on responsible business conduct, who approved them, how far do they apply, and how are they shared internally and externally?

Use your organisation’s own policy names and governance terms first, then map them to the reporting disclosure. Avoid asking in framework language unless that is already how your team talks.

Weak request

Please provide the GRI 2-23 policy commitments disclosure, including all required elements and the approval hierarchy.

Why it fails: This uses framework wording that many internal owners will not recognise, and it does not tell them which documents, systems, or practical details to pull together. It also risks a partial answer because it does not separate policy content, approval, scope, publication status, and communication methods.

Better request

Please send the current policy statements that cover responsible business conduct, plus the approval trail and how they are shared. For each one, include the policy name, what it covers, whether it mentions due diligence, precautionary approach, and human rights, which human rights topics and stakeholder groups it focuses on, who approved it, whether that was the top decision-making level, whether it is public, the link if it is, and how it is communicated to staff and external partners. Use your own policy names and internal terms, and we will map them for reporting.

Formal email template
Subject: Request for policy documents and approval details for reporting

Hi [name/team],

We are preparing the sustainability report and need a short evidence pack on the organisation’s policy statements about responsible business conduct.

Please send, for each relevant policy or statement:
- the document name and current version
- the date it was approved and by whom
- whether it is published externally, and if so the link
- if it is not published, the reason it is kept internal
- the parts of the business and business relationships it covers
- how it is shared with workers, business partners, and other relevant groups
- any note on whether the approval sat with the most senior decision-making level

Please also confirm the wording used internally for these policies so we can map it correctly in the report.

A simple table is fine. Please include the source file or link for each item, and check the official source before sign-off.

Thanks,
[preparer name]
Short Teams / Slack version
Hi [name/team] — could you share the policy pack for the report? We need the current policy names, approval date/approver, whether each one is public or internal-only, what it covers, and how it’s shared with staff and external partners. A table with links/source files is fine. Please use your own policy names and terms, and we’ll map them for reporting. Thanks, [preparer name]
Industry examples
Manufacturing

Context. A group with factories, contractors, and a supplier code managed by Legal and Procurement.

Adapted request. Please share the current code of conduct, supplier standards, and human rights statement, plus the approval record for each. We need to know what each document covers, whether it mentions due diligence or a precautionary approach, which human rights topics and at-risk groups it focuses on, whether it applies to our sites and suppliers, whether it is public, and how it is communicated to employees, contractors, and suppliers.

Example response. Attached table lists three documents: Code of Conduct, Supplier Standards, and Human Rights Statement. The Code and Human Rights Statement were approved by the board; Supplier Standards were approved by the executive committee. All three are public except the supplier onboarding guide, which is internal only because it contains commercial terms. Communication includes induction, annual refresher training, supplier onboarding packs, and the policy portal.

Financial services

Context. A regulated firm with a conduct policy, supplier policy, and public website policy library managed by Legal / Compliance.

Adapted request. Please provide the current conduct and human rights-related policy statements, the approval route for each, and the public links. We also need confirmation of whether they apply to the firm only or also to suppliers and other third parties, and how they are communicated to colleagues and external partners.

Example response. The policy library includes a public Responsible Business Policy and an internal Third-Party Standards document. The Responsible Business Policy was approved by the board and is published on the website. The Third-Party Standards were approved by the risk committee and are internal only because they contain control details. Both are communicated through the intranet, onboarding, annual attestations, and supplier due diligence packs.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

This disclosure can be built by listing each policy commitment, noting the external principles it refers to, and recording whether it includes due diligence, a precautionary approach, and respect for human rights, together with the approval level, scope of application, communication methods, and any public link or reason for non-public status.

Context note

Taken together, the data show how the organisation frames responsible business conduct in policy, how formally those commitments are authorised, how widely they apply, and how the organisation makes them known to people inside and outside the business.

Fluctuation statement

If the picture changes from one period to the next, explain whether that is because policies were updated, approval moved to a different level, coverage was broadened or narrowed, links were added or removed, or communication practices changed.

Content index entry
GRI 2-23 Policy commitments — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for GRI 2-23 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
The information reported for this disclosure reconciles to the underlying source records.What is reported cannot be traced back to the systems or documents it was drawn from, or does not tie out to them.calculation_workbook reconciling the reported value to source_system_export
The information reported for this disclosure is current as at the reporting date.The disclosure reflects a different period, a cut-off before the reporting date, or stale data carried over from a prior period.approval_record showing the data cut-off date and the period covered
The scope behind the information reported for this disclosure is applied consistently.Parts of the organisation are silently in or out of scope, or the scope differs from the prior period without that change being explained.methodology defining the scope and a site_register of what it covers
Everything in scope is included in the information reported for this disclosure — nothing material is left out.Parts of the population that should be reported are omitted, understating or overstating the disclosure.site_register of the full population vs the calculation_workbook of what was actually included

Evidence pack to prepare

Common reporting gaps

The information is presented without a date or as-at point.The scope or boundary of the statement is left undefined.Key terms are used inconsistently across the report.Material changes since the previous period are not disclosed.Assertions are made without supporting detail or a source record.Boilerplate is used that does not actually answer what is asked.
Common gaps

Mistakes to avoid when collecting the data

Wrong policy owner
The data request goes to the wrong team, so the person who actually holds the policy register, approval record, or web link is never asked.
Framework language only
The collector asks for the item using reporting jargon instead of the organisation’s own policy names, so the source team cannot match the request to their records.
No boundary set
The team never agrees which policies, entities, or business relationships are in scope, so some commitments are counted twice while others are left out.
Wrong time basis
Evidence is pulled from a different reporting period or approval date than the one being reported, so the dataset does not line up with the year under review.
Mixed counting basis
One spreadsheet combines policy-level records, approval-level records, and communication records in a single count, which makes the figures impossible to reconcile.
Source labels lost
The original file names, document titles, or system tags are stripped away during collection, so no one can trace each data point back to the source.
Separate groups merged
Policies that should stay distinct, such as different commitment types or different stakeholder groups, are merged into one population and the detail is lost.
Missing evidence trail
The collector saves the content but not the supporting metadata, such as who approved it, when it was approved, or where it was published, so later review is blocked.
No sign-off record
The draft data set is circulated without a named reviewer or approval trail, so there is no clear record that the source information was checked before disclosure drafting.

Where judgement is often needed

What counts as a policy change after a deal or disposal
Use the reporting cut-off you apply elsewhere, then explain whether newly acquired or sold parts of the business are included, excluded, or shown separately and why.
When local policy language differs by country
If the same commitment is written differently across jurisdictions, describe the common substance, note any country-specific differences, and explain which version you treat as the main one for reporting.
Where a team or entity sits on the boundary of scope
For joint ventures, franchises, agents, contractors, or other close relationships, state the practical rule you used to decide inclusion and disclose any exclusions at the edge of the perimeter.
Choosing the timing basis for approval and publication
If approval, launch, or public posting happened at different times, state which date you use for the disclosure and explain the basis for that choice.
Deciding between exact figures and estimates
Where you cannot verify every policy link, approval level, or communication route directly, say what was checked, what was estimated, and how material gaps were handled.
Handling privacy limits in communication reporting
If naming specific worker groups, partners, or vulnerable populations would create privacy or safety issues, aggregate the information and explain the level of grouping used.
Setting the level of detail for human-rights coverage
When the commitment refers to broad rights or a long list of protected groups, state the categories you grouped together and make clear any important exclusions or overlaps.
Explaining whether the commitment reaches beyond owned operations
If the policy also covers suppliers, distributors, contractors, or other linked parties, spell out which relationships are covered in practice and where the commitment stops.
Dealing with mixed approval levels across commitments
If different commitments were signed off by different parts of the organisation, list each one with its approval point and note whether any sits below the most senior level.
Using rounded or summarised wording for public links and access
If you provide a landing page, document library, or grouped link rather than a direct file, explain how a reader can reach the relevant policy and whether any parts are restricted.
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — consumer goods manufacturing

We have set out our responsible-conduct policy in a public code that points to the recognised human-rights due-diligence expectations, the recognised responsible-business guidance, and the ILO core labour standards; it also says we carry out due diligence, apply a precaution-first approach where impacts are uncertain, and respect human rights across our operations and value chain. Our human-rights commitment covers civil, political, economic, social and cultural rights, with extra attention to migrant workers, women in lower-paid roles, young workers, and people with disabilities. - The code was approved by the board, which is the most senior approval level for this set of commitments, and it applies to our own sites as well as suppliers, contractors and other business links. - The policy pack is available on our website at synthetic example links: https://example.com/policy-code, https://example.com/human-rights-policy; we share it through induction, annual refresher training, supplier onboarding, contract clauses, and internal notices to relevant teams and managers.

Synthetic illustration only: this example shows how a reporter might describe the policy basis, approval, scope and communication channels in plain language.

Illustrative (synthetic) example — food and beverage distribution

Our sustainability policy refers to the recognised sustainability principles, the OECD guidance for multinational enterprises, and the ILO labour standards, and it states that we expect risk-based due diligence, a precautionary mindset for serious or irreversible harm, and respect for human rights in day-to-day decisions. The human-rights section covers the full range of internationally recognised rights and gives particular attention to seasonal workers, agency workers, smallholder suppliers, and communities near our depots and transport routes. - These commitments were signed off by the executive committee rather than the board, so they are not approved at the most senior level, and they are intended to cover our operations plus key trading relationships. - The policies are not posted publicly because they are embedded in internal governance documents and supplier manuals; we communicate them through manager briefings, e-learning, supplier packs, onboarding materials, and periodic reminders from procurement and HR.

Synthetic illustration only: this example shows a non-public policy set, a lower approval point, and internal/external communication routes in a concise narrative form.

Company reports

How companies report GRI 2-23

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

Interconexión Eléctrica S.A. E.S.P.
Electric Utilities / IPP / Energy Traders · Colombia · 2024
Open report →
Interconexión Eléctrica S.A. E.S.P.'s 2024 Integrated Management Report includes coverage of certain narrative items related to sustainability disclosures, such as references to intergovernmental instruments on page 140 and details on due diligence processes and complaint handling on page 142. The report also describes how stakeholder engagement has influenced company actions on page 144. However, several narrative items, including (a-iii), (a-iv), (b-i), (b-ii), (d), and (e), are not found or clearly addressed in the report.
Oberoi Realty Limited
Real Estate · India · 2025
Open report →
Oberoi Realty Limited’s ESG Report FY 2024-25 provides covered evidence of policy commitments related to its Code of Conduct on page 126, indicating embedding of these commitments and associated processes. Partial context is given on due diligence processes and employee training on page 36, as well as human rights risk management and monitoring on page 102, though no headline values are presented. Several narrative items, including specific disclosures under (a-iii), (b-ii), (d), (e), and (f), are not found or remain unclear in the report.
Globalvia
Ground Transportation — Highways and Railtracks · Spain · 2025
Open report →
Globalvia's 2025 Sustainability Report provides coverage on its business conduct policies, including prevention and detection of corruption and bribery (p.106), and its commitment to human rights (p.104). The report also includes a message from the General Manager addressing policy commitments and due diligence (p.113). However, several narrative items related to other aspects of the disclosure are not found or unclear in the report, indicating gaps in the coverage of certain required elements.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
TryHow do I prepare GRI 2-23?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
1 free answer
Check your understanding

Scenarios to work through

A reporting lead has a draft policy pack that mentions the UN Guiding Principles and the OECD Guidelines, but the human rights section was copied from an old supplier code and does not say whether the company’s own policy covers due diligence or the precautionary approach. The board paper is due for sign-off next week.

QWhat should the preparer check before finalising the disclosure on the policy pack?
Reveal model answer →

A sustainability manager is drafting the human rights part of the report. The company has a short statement saying it respects human rights, but the team has not yet agreed whether it covers all internationally recognised rights or only a narrower set linked to operations in three countries.

QHow should the preparer handle the scope of the human rights commitment?
Reveal model answer →

The legal team says the policy is on the intranet, but the external website only has a summary page. The report team is unsure whether to include a link, note that the full text is internal, or say the policy is unavailable to the public.

QWhat is the right way to present public access to the policy commitments?
Reveal model answer →

A group policy was approved by the audit committee, while the parent company’s board later endorsed the same wording for the wider group. The communications team also wants to say the policy applies to employees, joint ventures, and key suppliers, but the current draft only mentions employees and direct suppliers.

QWhat should the preparer confirm about approval level and coverage before publishing?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

GRI
GRI 2-23
within GRI 2: General Disclosures
Open official source →
Primary
Related & explore
FAQ

Questions this page answers

For GRI 2-23, what data points do I need to gather before I start drafting the disclosure?+
How do I use the step-by-step preparation section for GRI 2-23 in practice?+
What should I include in the evidence pack for GRI 2-23 so it is assurance-ready?+
What are the assurance claims I need to test for GRI 2-23?+
How do I avoid the common reporting gaps in a GRI 2-23 disclosure?+
Who should own the GRI 2-23 disclosure in my organisation?+
How do I decide the scope for the policy reach and human rights scope datapoints in GRI 2-23?+
What does the page mean by public policy links and no public access reason for GRI 2-23?+
How do I turn the GRI 2-23 data into a draft disclosure?+
Can I use the synthetic example on the GRI 2-23 page as a template for my own disclosure?+
More questions this page can help with
GRI 2-23 workbook download: what is the Prep & Assurance workbook for and how should I use it?Where do I find the printable Library Card PDF for GRI 2-23 and what is it for?What should I check before I say the GRI 2-23 disclosure is assurance-ready?How do I evidence approval level and policy communication for GRI 2-23?What are the most common mistakes people make when drafting GRI 2-23?How do I use the from company reports table on the GRI 2-23 page?What narrative starters does the GRI 2-23 page give for the draft output?How should I document due diligence commitment for GRI 2-23?How do I show responsible business policy basis in a GRI 2-23 draft?What evidence should I keep for priority stakeholder groups in GRI 2-23?How do I make sure the GRI 2-23 data table is internally consistent?Does the GRI 2-23 page give an ESRS or ISSB mapping I can rely on?