Sustainability Solutions | Anitech

ESG Policies and Procedures: What Australian Businesses Need to Have in Place

ESG governance requires documented policies and procedures that translate strategic commitments into operational requirements. Policies provide clear guidance to employees and third parties about expected conduct, establish accountability mechanisms, and create the foundation for transparent communication with stakeholders. Yet many Australian organisations lack comprehensive policy frameworks covering the full range of ESG governance requirements.

This article outlines essential ESG policies and procedures Australian businesses should establish, how to develop them effectively, and how they support broader ESG governance. For comprehensive governance framework guidance, see our article on ESG governance frameworks. For specific policy areas including ethics and whistleblower protections, see related articles on business ethics governance and anti-bribery compliance.

Core ESG Policies Every Australian Business Should Have

1. ESG Strategy and Commitment Policy

The foundation is a board-approved policy articulating the organisation’s ESG strategy, material issues, and commitments. This policy should:

  • State the organisation’s commitment to sustainable business practices
  • Identify material ESG issues (those financially significant to the business)
  • Outline strategic objectives and targets
  • Define roles and accountability for ESG governance
  • Establish governance structures (committees, reporting lines)
  • Commit to transparent disclosure and stakeholder engagement

This overarching policy anchors all other ESG policies to strategic direction.

2. Code of Conduct and Values Statement

A code of conduct establishes ethical expectations and behavioural standards. Effective codes address:

  • Honesty, integrity, and ethical decision-making
  • Respect for persons (non-discrimination, anti-harassment)
  • Conflict of interest identification and management
  • Confidentiality and intellectual property protection
  • Appropriate use of company resources
  • Compliance with law
  • Reporting of breaches and retaliation protection

The code should be communicated widely, reinforced through training, and regularly reviewed.

3. Environmental Management Policy

Organisations should have a documented environmental policy addressing:

  • Commitment to minimising environmental impact (energy use, emissions, waste, water)
  • Legal compliance with environmental laws and regulations
  • Environmental risk assessment and management procedures
  • Energy efficiency and renewable energy targets
  • Waste management and circular economy principles
  • Water conservation and quality protection
  • Responsibilities and accountability for environmental performance

Environmental policy should be tailored to industry and organisational context.

4. Social Responsibility and Workforce Policy

Policies addressing social matters should cover:

  • Fair and ethical employment practices
  • Non-discrimination and equal opportunity
  • Freedom of association and collective bargaining
  • Fair remuneration and benefits
  • Health, safety, and wellbeing standards
  • Work-life balance and flexible work arrangements
  • Diversity and inclusion commitments
  • Training and development opportunities
  • Community engagement and social impact initiatives

Social policy should reflect obligations under applicable employment laws and industry standards.

5. Supply Chain ESG Standards Policy

Organisations should establish policies governing ESG standards for suppliers and third parties:

  • Expectations regarding supplier ESG practices (labour standards, environmental compliance, business ethics)
  • Supplier selection processes incorporating ESG criteria
  • Supplier assessment and monitoring procedures
  • Remediation processes for non-compliance
  • Contract terms addressing ESG requirements
  • Transparency and traceability requirements

Supply chain policies should reflect the organisation’s materiality assessment and risk profile.

6. Whistleblower Protection Policy

Corporations Act Part 9.4AAA requires companies to establish procedures enabling protected disclosures. The policy should address:

  • Protected discloser definitions and eligibility
  • Types of matters that can be reported (misconduct, breaches of law)
  • Reporting channels and contacts
  • Confidentiality protections
  • Non-retaliation assurances and enforcement
  • Investigation processes
  • Support available to whistleblowers
  • Feedback processes

Whistleblower policies should be easily accessible and actively promoted to ensure awareness.

7. Anti-Bribery and Corruption Compliance Policy

Organisations should have clear policies preventing bribery and corruption:

  • Prohibition on bribery of public officials and commercial partners
  • Gift and hospitality guidance
  • Conflict of interest management procedures
  • Facilitation payment prohibition
  • Third-party due diligence requirements
  • Training and awareness programs
  • Breach reporting and investigation

Anti-bribery policies should be tailored to organisational context and jurisdictions where the organisation operates.

8. Data Privacy and Cybersecurity Policy

Privacy Act obligations require policies addressing:

  • Commitment to privacy and data protection
  • Lawful collection, use, and disclosure of personal information
  • Individual rights (access, correction, complaint procedures)
  • Information security and breach management
  • Cybersecurity standards and incident response
  • Third-party data management and contracts
  • Training and accountability

Cybersecurity governance is increasingly important given emerging risks to business resilience and reputation.

9. Diversity and Inclusion Policy

Organisations should document diversity and inclusion commitments:

  • Commitment to diversity in workforce and leadership
  • Non-discrimination and equal opportunity principles
  • Targets for underrepresented groups (gender, ethnicity, Indigenous peoples, disability)
  • Recruitment and promotion practices supporting diversity
  • Inclusive workplace practices (flexible work, accessibility, religious accommodation)
  • Harassment and bullying prevention
  • Monitoring and reporting on diversity metrics

Diversity policy should be supported by accountability structures and regular progress monitoring.

10. Stakeholder Engagement and Communications Policy

Organisations should have policies governing stakeholder engagement:

  • Commitment to transparent communication
  • Engagement processes with employees, customers, investors, communities
  • Grievance and complaint procedures
  • Community impact assessment procedures
  • Social media and public communication guidelines
  • Investor relations and disclosure practices
  • Media engagement and crisis communication procedures

Developing and Implementing ESG Policies

Policy Development Process

Effective policies are developed through intentional processes:

  • Materiality assessment: Identify which ESG issues are material to the business
  • Stakeholder consultation: Engage employees, customers, investors, and communities in policy development
  • Legal review: Ensure policies comply with applicable laws and regulations
  • Board approval: Secure board endorsement of significant policies
  • Communication: Clearly communicate policies to relevant audiences
  • Implementation: Establish processes and accountability for policy implementation
  • Monitoring: Track compliance and effectiveness

Policy Communication and Training

Policies only drive behaviour if communicated and understood. Organisations should:

  • Make policies easily accessible (intranet, handbooks, training materials)
  • Provide mandatory training on key policies (codes of conduct, whistleblower protections, anti-bribery)
  • Target training to relevant roles (procurement staff on supplier standards, HR on diversity)
  • Conduct refresher training regularly
  • Monitor training completion and understanding

Policy Integration and Coordination

ESG policies should be integrated with broader organisational policies. For example:

  • Environmental policy should align with health and safety policy
  • Code of conduct should align with anti-bribery and whistleblower policies
  • Supply chain policy should align with procurement policy
  • Diversity policy should align with recruitment and remuneration policies

Integrated policy frameworks avoid contradictions and confusion.

Regular Review and Update

Policies should be reviewed at least annually and updated if:

  • Legal or regulatory requirements change
  • Organisational structure or strategy evolves
  • Policy effectiveness gaps are identified
  • Stakeholder feedback suggests improvements
  • Industry standards evolve

Policy Frameworks and Standards Alignment

ESG policies should align with applicable standards and frameworks:

  • Corporations Act 2001: Whistleblower protections, director duties, continuous disclosure
  • ASX CGC Principles: Ethics policy (Principle 3), risk management (Principle 7)
  • AASB S1: Governance disclosure requirements for in-scope entities
  • Privacy Act 1988: Privacy policy requirements
  • Work Health and Safety Act: Health and safety policy requirements
  • Modern Slavery Act 2018: Modern slavery policy requirements for in-scope organisations

Key Takeaways

Australian businesses should establish comprehensive ESG policy frameworks covering strategy, ethics, environmental management, social responsibility, supply chain standards, whistleblower protections, anti-bribery compliance, data privacy, diversity, and stakeholder engagement. Policies should be developed through structured processes, approved by boards, communicated widely, and regularly reviewed. Effective policies translate ESG strategy into operational requirements and create accountability for ESG performance.

Frequently Asked Questions

Are ESG policies mandatory for all Australian companies?

Mandatory policies vary by organisation size and industry. Whistleblower policies are required for companies under Corporations Act Part 9.4AAA. Other policies (environmental, diversity, anti-bribery) are required by specific legislation or expected as regulatory best practice. Best practice is that all organisations should have comprehensive ESG policies.

Should policies be lengthy or concise?

Policies should be clear and accessible. Core policies (code of conduct, whistleblower protection) should be concise enough to be understood. Detailed operational procedures can be documented separately. Concise, well-structured policies are more likely to be read and understood.

How should organisations ensure policy compliance?

Compliance is ensured through communication, training, monitoring, and accountability. Organisations should track policy training completion, monitor compliance indicators, investigate alleged breaches, and take proportionate remedial action.

Should ESG policies be publicly disclosed?

Yes. Best practice is to publicly disclose core policies (code of conduct, environmental policy, diversity policy, whistleblower procedures) on company websites. Disclosure demonstrates commitment and accountability.

How frequently should policies be reviewed and updated?

Formal annual reviews are advisable. More frequent reviews should occur if legal changes, organisational changes, or identified gaps warrant updates.

Should policies address modern slavery risks?

Yes. Organisations in scope of the Modern Slavery Act 2018 must have modern slavery policies. Best practice is that all organisations with supply chains should address modern slavery risks.

Develop Your ESG Policy Framework

Comprehensive ESG policies provide the operational foundation for credible governance and accountability. Many Australian organisations lack integrated policy frameworks covering all material ESG issues, creating compliance gaps and governance weaknesses. Our policy specialists work with boards and management to assess policy maturity, identify gaps, and develop integrated frameworks aligned with regulatory requirements and best practice.

Book a Free ESG Strategy Session to evaluate your current policy framework, identify missing or inadequate policies, and develop a roadmap for comprehensive ESG policy implementation supporting your governance and sustainability strategy.