Our due diligence approach includes engagement with a range of different entities, using audit standards, and procedures to assess performance and complete corrective action where required, and integrating learnings into our capability-building and prevention programs.

 

Engagement

We assess our operations and suppliers using a variety of engagements.

  • Desk assessment. We use this level of engagement with most entities. The analysis considers the type of service or activity that is involved, the country, the level of spend associated with the engagement, and information we have about the entity itself. This base level of risk sensing helps inform our further levels of engagement.
  • Self-Assessment Questionnaire (SAQ). The entity is asked to complete a questionnaire that is based on our Code. The SAQ includes up to 240 questions that cover the entity’s site characteristics and practices related to labor, health and safety, environment, business ethics, and the management system. Information obtained from the SAQ further helps HP to assess risk and can determine the prioritization for an onsite audit.
  • Audits. The scope of onsite audits depends on the nature of the work performed by the entity and the nature of the prioritized risks. For most of our manufacturing suppliers, we conduct full Code audits. For non-manufacturing suppliers, we may conduct audits only covering those portions of the Code that are relevant for the operation. For example, suppliers that provide labor or services in an office environment would be evaluated for the labor and ethics portions of the Code.

 

Audit standards and procedures

HP has Full Member Status in the Responsible Business Alliance (RBA). We implement the RBA code of conduct within our operations and our supply chains. The RBA code is the basis for our HP Code, which is how we communicate our human rights requirements with those we contract with. The Code is based on international norms and standards, including the UDHR, International Labour Organization (ILO) standards, and the OECD Guidelines for Multinational Enterprises.

 

We leverage the RBA Validated Audit Process (VAP) and Audit Protocol for all the audits that we conduct involving the Code. We utilize only certified auditors—and most of the audits are conducted by third-party auditing firms. This standardized protocol means that the process for conducting the audits, as well as interpreting the findings, rating results, and instigating corrective actions, is both consistent and comparable.

 

For example, the audit protocol requires the auditor to conduct a management system (policies and procedures) review to assess how the entity manages their operation. The auditor then examines records and data, capturing information and evidence that enable the implementation of policies and procedures to be assessed. Finally, the auditor conducts interviews with workers and supervisors to assess the rights-holder’s perspective and experience of working in the facility. Through this systematic assessment against the Code, findings are determined by triangulating the information learned from each part of the assessment. A closing meeting is held by the auditors with the entity’s management team to brief them on a summary of the audit findings. A detailed audit report is prepared, which summarizes the actual findings, the gap with the Code, and the recommended corrective action.

The audit protocol characterizes findings in terms of: 

• Their type, which is based on severity (risk level), and their scope (number of people that could be impacted). 

• The “types” of findings can include risk of nonconformance (minor, major, and priority). 


Corrective action plans (CAPs) are required for all major and priority nonconformance findings, with associated time frames for them to be closed. Depending on the nature and severity of findings, it is part of the process to determine if there were victims and adverse human rights impacts. Risks that we have seen include the charging of recruitment fees, withholding of personal identity documents or passports, unsafe working conditions, and excessive working hours. 


Auditors are required to escalate any findings of indicators of modern slavery. Suppliers must immediately cease all practices contributing to a modern slavery audit finding and report their corrective action no later than 30 days after the audit. The finding will then be re-examined during a site visit by a third-party auditor or a certified HP auditor to confirm resolution. 

The process to address remedy for workers who paid fees involves many steps. After the supplier is notified of the finding in the audit report, we work with the supplier to agree on a CAP. Our program relies on our business relationship to incentivize suppliers to complete their CAP.
In parallel, our local auditing teams help provide the support and feedback suppliers need to achieve resolution and to reimburse the workers. We also work to build suppliers’ capabilities through partnerships with external organizations. Suppliers are then able to conduct their own due diligence and implement the appropriate remedy. This due diligence involves conducting worker interviews, reviewing documents, and researching migration costs as estimated by external organizations. Once they have confirmed payment to workers (usually via signed receipts or pay slips), HP schedules an onsite validation visit, which consists of document review and confidential worker interviews conducted by certified auditors.
Finally, through our quarterly key performance indicator program, we take the additional step of internally monitoring these suppliers— from nonconformance identification through corrective action and beyond—to ensure timely resolution and sustained performance. We share this report with HP executives who manage the business relationship.


Learning and prevention 

As a part of conducting due diligence and engagement with our partners, suppliers and employees, we look to identify recurring issues, gaps, or challenges in performance that need to be systematically addressed. Integrating this knowledge into our communications, training and capability building helps to better prevent and mitigate risks. Through our collaborations with the RBA and others, we work to build industry tools, standards, and training to support continuous improvement.