Since 2010, IBM® has required that all of its first-tier suppliers maintain a management system to address their social and environmental responsibilities. In summary, we require all IBM suppliers to have a corporate responsibility and environmental management system in place, measure performance, set goals, disclose results and communicate the requirements to their upstream suppliers who perform work material to the goods and services provided to IBM.
Review the compliance guidelines, terms and conditions, tax forms and more to help suppliers do business with IBM Procurement.
View IBM’s requirements for suppliers to have a management system for corporate responsibility and environmental management.
Within 12 months of starting business with IBM, IBM expects its suppliers to:
- Establish and maintain a corporate social responsibility and environmental management system1 that addresses the supplier’s significant social and environmental matters, including themes such as labor, health and safety, environment, and ethics. The management system should be deployed company-wide or at least at the sites where work for IBM is performed;
- Establish and document programs (a) to control operations impacting social and environmental matters and (b) that confirm compliance with applicable law, regulation and any specific IBM contractual requirements;
- Track supplier’s environmental performance, including energy conservation, greenhouse gas (GHG) emissions2 (Scope 1, where applicable, and Scope 2), waste management and recycling;
- Set voluntary environmental goals to improve performance results including at least one goal in each of the three aspects listed above in requirement #3;
- Publicly disclose (a) results of voluntary environmental goals and other environmental aspects from the supplier’s management system, and (b) any regulatory fines or penalties incurred in the previous year;
- Train employees involved in performing, monitoring, measuring or reporting environmental performance, assuring the appropriate skill-level and competency;
- Conduct self-assessments and audits and management reviews of the management system and performance;
- Cascade similar sustainable procurement requirements to supplier’s own suppliers that perform work that is material to the products, parts, and/or services supplied to IBM.
IBM reserves the right to assess the supplier’s conformance to these requirements any time during the term of the purchase order. In the event of an assessment or audit by IBM or an IBM-directed third-party, suppliers should be able to demonstrate conformance to IBM’s S&EMS requirements. Failure to meet all applicable requirements can ultimately result in discontinued business.
Notes:
1. A management system is a structured framework of policies, practices and procedures that enable an organization to execute its operations in a consistent and sustained manner. It provides a systematic way for an organization to manage its various interrelated operations to achieve planned results, often following a “plan-do-check-act” cycle for continuous improvement.
2. Scope 1 greenhouse gas emissions are direct emissions generated by the company and occur from sources that are owned or controlled by the company such as emissions from combustion in owned or controlled boilers, furnaces, vehicles, etc. Scope 2 greenhouse gas emissions are indirect emissions from consuming purchased or acquired electricity, steam, heat and cooling. Greenhouse gases include carbon dioxide (CO2), methane (CH4), nitrous oxide (N2O) and fluorinated gases such as hydrofluorocarbons (HFCs), perfluorocarbons (PFCs), sulfur hexafluoride (SF6) and nitrogen trifluoride (NF3).
Environmental design requirements are communicated and verified with suppliers.
IBM's design and compliance controls, including a specification for baseline environmental requirements for supplier deliverables to IBM, a product content declaration for IBM suppliers (PCD), packaging compliance and controls and compliance assessment protocols, are managed by interdisciplinary teams with representatives from IBM organizations that design, manufacture, procure, deliver and service our product offerings. The team's activities are coordinated by IBM's Center of Excellence for Product Environmental Compliance.
Learn more about environmental requirements for suppliers on the Resources for suppliers page.
The supplier is expected to have and maintain a business continuity plan and business continuity testing procedures, which include but are not limited to the areas of disaster recovery planning, pandemic planning and cyber security.
Cyber security programs expected include, at a minimum, provisions to prevent, detectand respond to cyber security incidents. Read more in the supply chain security section.
The supplier shall agree to review, update and test the business continuity plan annually and, upon IBM’s request, provide a summary of the business continuity plan and test results. IBM may, from time to time, provide feedback regarding the plan and requests that the supplier take IBM’s comments into consideration when updating the plan. However, the supplier remains solely responsible for the performance of its responsibilities under the agreement and the adequacy of the business continuity plan regardless of whether IBM has reviewed or commented on the plan.
Data and its protection are becoming increasingly important to individuals and enterprises. The European Union enacted the general data protection regulation (GDPR) which became effective on 25 May 2018. The GDPR gives individuals better control over their personal data and establishes one set of data protection rules across the European Economic Area (EEA). The GDPR applies to organizations that process EEA personal data, even if that organization is established outside of the EEA.
Suppliers who have entered into one or more agreements with IBM to provide services involving the processing of IBM personal data, that IBM, IBM personnel, a client, or client’s personnel, provides supplier or uploads to or stores in a contracted service, or cloud service, or to which supplier otherwise has access to, will deploy technical and organizational measures implemented by the supplier to implement a level of security appropriate to the risk, compliance with data protection laws and the protection of the rights of data subjects.
Those suppliers will, upon request, provide IBM with annual certifications and audit reports from accredited independent third-party audits to show GDPR compliance and will submit to audit to demonstrate compliance.
Security is critical for IBM as assets move through the supply chain. We expect our suppliers to observe high standards of security while providing goods or services. IBM suppliers are expected to comply with our global supply chain security requirements, applicable laws and industry standards wherever they conduct business on behalf of IBM.