IBM supply chain responsibility requirements

Committed to a responsible supply chain

Since 2010, IBM® has required that all of its first-tier suppliers maintain a management system to address their social and environmental responsibilities. In summary, we require all IBM suppliers to have a corporate responsibility and environmental management system in place, measure performance, set goals, disclose results and communicate the requirements to their upstream suppliers who perform work material to the goods and services provided to IBM.

Cultivating supply chain responsibility

IBM is committed to help suppliers build and enhance their capability to manage their responsibilities effectively, systematically, and sustainability over the long-term.

Information for suppliers

Review the compliance guidelines, terms and conditions, tax forms and more to help suppliers do business with IBM Procurement.

Learn more

Supplier management system guide and related information

View IBM’s requirements for suppliers to have a management system for corporate responsibility and environmental management.

Read the corporate responsibility and environmental management system supplier guide

View the designing, developing and implementing a management system: An overview

Social and environmental management system supplier requirements

IBM's requirements for suppliers to establish and maintain a corporate responsibility and environmental management system, measuring performance, setting goals and disclosing results are:

Establish and maintain a corporate social responsibility and environmental management system (S&EMS) addressing significant social and environmental matters, including the Responsible Business Alliance (RBA) Code of Conduct elements such as labor, health and safety, environment, ethics and management system. This system should be deployed company-wide or at their sites where work for IBM is performed. In the event of an audit by IBM or an IBM-directed third-party, suppliers should be able to demonstrate complete compliance with IBM’s S&EMS requirements and applicable elements of the RBA Code of Conduct;
Establish and document programs (a) to control operations impacting social and environmental matters and (b) that confirm compliance with applicable law, regulation and any specific IBM contractual requirements;
Track and improve supplier's environmental performance for energy conservation, waste management and recycling and Scope 1 (where applicable) and scope 2 greenhouse gas (GHG) emissions*;
Set voluntary environmental goals to achieve positive results including, at least one goal in each of the three aspects listed in requirement 3;
Publicly disclose (a) results of voluntary environmental goals and other environmental aspects from the supplier’s management system, and (b) any regulatory fines or penalties incurred in the previous year;
Train employees involved in performing, monitoring, measuring or reporting of environmental performance, assuring the appropriate skill-level and competency;
Conduct self-assessments and audits and management reviews of the management system and performance;
Cascade these to the supplier's own suppliers that perform work that is material to the products, parts, and or services supplied to IBM.

*Note:

Scope 1 greenhouse gas emissions: Direct emissions generated by the company; Occur from sources that are owned or controlled by the company such as emissions from combustion in owned or controlled boilers, furnaces, vehicles, etc.

Scope 2 greenhouse gas emissions: Indirect emissions from consuming purchased or acquired electricity, steam, heatand cooling.

Greenhouse gases include carbon dioxide (CO2), methane (CH4), nitrous oxide (N2O) and fluorinated gases such as hydrofluorocarbons (HFCs), perfluorocarbons (PFCs), sulfur hexafluoride (SF6) and nitrogen trifluoride (NF3).

IBM reserves the right to assess the supplier's conformance to these requirements any time during the term of the purchase order. Failure to comply with all applicable requirements can ultimately result in termination.

Supply chain product and materials stewardship

Environmental design requirements are communicated and verified with suppliers.

IBM's design and compliance controls, including a specification for baseline environmental requirements for supplier deliverables to IBM, a product content declaration for IBM suppliers (PCD), packaging compliance and controls and compliance assessment protocols, are managed by interdisciplinary teams with representatives from IBM organizations that design, manufacture, procure, deliver and service our product offerings. The team's activities are coordinated by IBM's Center of Excellence for Product Environmental Compliance.

Environmental and packaging requirements for suppliers

Learn more about environmental requirements for suppliers on the Resources for suppliers page.

Business continuity

The supplier is expected to have and maintain a business continuity plan and business continuity testing procedures, which include but are not limited to the areas of disaster recovery planning, pandemic planning and cyber security.

Cyber security programs expected include, at a minimum, provisions to prevent, detectand respond to cyber security incidents. Read more in the supply chain security section.

The supplier shall agree to review, update and test the business continuity plan annually and, upon IBM’s request, provide a summary of the business continuity plan and test results. IBM may, from time to time, provide feedback regarding the plan and requests that the supplier take IBM’s comments into consideration when updating the plan. However, the supplier remains solely responsible for the performance of its responsibilities under the agreement and the adequacy of the business continuity plan regardless of whether IBM has reviewed or commented on the plan.

Privacy and GDPR

Data and its protection are becoming increasingly important to individuals and enterprises. The European Union enacted the general data protection regulation (GDPR) which became effective on 25 May 2018. The GDPR gives individuals better control over their personal data and establishes one set of data protection rules across the European Economic Area (EEA). The GDPR applies to organizations that process EEA personal data, even if that organization is established outside of the EEA.

Suppliers who have entered into one or more agreements with IBM to provide services involving the processing of IBM personal data, that IBM, IBM personnel, a client, or client’s personnel, provides supplier or uploads to or stores in a contracted service, or cloud service, or to which supplier otherwise has access to, will deploy technical and organizational measures implemented by the supplier to implement a level of security appropriate to the risk, compliance with data protection laws and the protection of the rights of data subjects.

Those suppliers will, upon request, provide IBM with annual certifications and audit reports from accredited independent third-party audits to show GDPR compliance and will submit to audit to demonstrate compliance.

Supply chain security requirement

Security is critical for IBM as assets move through the supply chain. We expect our suppliers to observe high standards of security while providing goods or services. IBM suppliers are expected to comply with our global supply chain security requirements, applicable laws and industry standards wherever they conduct business on behalf of IBM.

Take the next step

Explore how IBM is implementing social and environmental responsibility among its suppliers.

Read the 2023 IBM Impact Report