How Do I Describe My Company's Governance Policies in an ESG Report?
A practical guide to describing governance policies like code of conduct, anti-corruption measures, whistleblowing, and data protection in a VSME ESG report.

Confused about ESG?

Book a free call with our CEO, Anders, and he will guide you through it!
Governance policies do not need to be a formal 40-page compliance manual: most SMEs already have relevant practices, they just have not written them down as a formal policy.
Cover five core areas: code of conduct, anti-corruption, whistleblowing, data protection, and environmental/social responsibility (but only where relevant to your business).
Explain how each policy is implemented and communicated, not just that it exists; this is what makes a governance disclosure credible.
Governance policies do not need to be a formal 40-page compliance manual: most SMEs already have relevant practices, they just have not written them down as a formal policy.
Cover five core areas: code of conduct, anti-corruption, whistleblowing, data protection, and environmental/social responsibility (but only where relevant to your business).
Explain how each policy is implemented and communicated, not just that it exists; this is what makes a governance disclosure credible.
"We don't have governance policies": most companies already do
When SMEs reach the governance section of their ESG report, a common reaction is to assume this only applies to large corporations with dedicated legal and compliance departments. In reality, most companies, even small ones, already have informal versions of these policies in practice, even if they have never been written down or called "governance" before.
If your employees know not to accept bribes, know who to talk to if something feels wrong, and know not to share customer data carelessly, you already have the foundation of a governance framework. This section is about describing that foundation clearly, not building an entirely new compliance system from scratch.
What is this question actually asking?
The governance section typically asks you to describe your policies covering:
- Code of conduct
- Anti-bribery and anti-corruption measures
- Whistleblowing procedures
- Data protection
- Environmental and social responsibility
Importantly, you must explain how these policies are implemented, communicated to employees, and monitored, rather than just listing them as topics you are aware of. A strong answer shows that these are not just words on a page, but practices that actually happen inside your company.
You do not need a policy in every single category if it genuinely does not apply to your business. However, most companies, even quite small ones, will have something meaningful to say about at least three or four of these areas.
The five core governance areas
Code of business conduct
This defines the expected standards of behaviour for employees, contractors, and leadership, including things like professional conduct, ethical decision-making, and how conflicts of interest are handled. If your company has ever told a new hire "here is how we expect people to behave" or handled a conflict of interest situation with a clear process, you have the makings of a code of conduct, even if it has never been written down formally.
Anti-bribery and anti-corruption policy
This covers your company's stance on bribery, facilitation payments, and corrupt practices, including expectations for third parties like suppliers or partners you do business with. Even a simple internal rule, such as "we do not accept gifts above a certain value from suppliers" or "we do not make payments to expedite official processes," is a real anti-corruption practice worth describing.
Whistleblowing and speak-up policy
This is about how employees can report concerns (misconduct, unethical behaviour, or policy violations) without fear of retaliation. Even a small company can have a meaningful whistleblowing approach. For example: "employees can raise concerns directly with the CEO or via a confidential email address, and all reports are reviewed promptly."
Data protection and privacy policy
This covers how personal data is collected, stored, processed, shared, and retained, generally with reference to GDPR or relevant local regulations. Most companies already have practical data protection habits, such as access controls, limited data retention, and secure storage, even if they have never assembled them into a formal written policy.
Environmental and social responsibility policy
This sets out your company's approach to environmental sustainability, social impact, and stakeholder engagement, specifically how these considerations factor into decisions on operations, procurement, or community involvement. If your company already prefers certain suppliers for sustainability reasons, or supports any social causes, that belongs here.
Don't just list policies: explain how they work
This is the part that separates a strong governance disclosure from a weak one. It is not enough to say "we have a code of conduct." A good description also explains:
- Implementation and oversight: Who is responsible for these policies day to day, and how significant issues get escalated.
- Communication and training: How employees actually learn about these policies (onboarding, annual training, internal systems, or email updates).
- Monitoring and continuous improvement: How compliance is checked, whether through informal reviews, spot checks, or periodic external audits, and how any issues found are used to improve the policies over time.
For a small company, this does not need to sound like a large corporate compliance department. It is entirely reasonable to write something like: "our founder reviews these policies annually and communicates any changes directly to the team during a company meeting," or "new employees are walked through our code of conduct and data handling practices as part of onboarding." What matters is showing that the policy is actually used, not simply written and forgotten.
Keep it proportionate to your company's size
A five-person consultancy does not need a compliance officer, a formal whistleblowing hotline, or quarterly external audits to have a credible governance disclosure. It is entirely appropriate, and more honest, to describe simpler, informal practices that genuinely reflect how your company operates, rather than copying language that implies a level of formality you do not actually have.
If a category genuinely does not apply (for example, a company with no international suppliers might have very little to say about third-party anti-corruption due diligence), it is fine to note that briefly rather than inventing detail that is not real.
Common mistakes to avoid
- Copying generic governance language that does not reflect what your company actually does.
- Listing policy names without explaining implementation. Saying "we have a data protection policy" means little without explaining how it is applied.
- Overstating formality. Describing an "annual compliance audit programme" when in reality it is an informal yearly check creates a mismatch that can undermine credibility.
- Forgetting communication and training. A policy that exists but was never communicated to employees is much weaker evidence of real governance.
- Ignoring smaller, real practices. Simple habits, like a clear rule about supplier gifts or a known process for raising concerns, count and are worth describing plainly.
How Wardn helps
Wardn provides a structured template with example wording to guide your response across all five governance areas, so you do not need to start from a blank page. Rather than guessing what level of detail is expected, you can work through each policy area, describe how it is implemented and communicated within your own company, and reuse and update the same structure in future reporting years as your governance practices develop.
Frequently asked questions
Do we need a formal written code of conduct to answer this section?
Not necessarily. What matters is describing the actual expectations and practices your company follows, even if they have never been formally documented. A brief, honest description of how your company handles conduct and conflicts of interest is a valid starting point.
Our company is very small, do we still need a whistleblowing policy?
You should describe whatever mechanism genuinely exists for raising concerns, even if it is informal, such as speaking directly to a manager or founder. It does not need to be a formal hotline to be a legitimate practice worth reporting.
What if we don't have anti-corruption due diligence for suppliers?
If this genuinely is not relevant (for example, if you have no third-party business relationships where this risk arises), it is fine to note that briefly rather than describing a process that does not exist.
How detailed does our data protection description need to be?
It should cover, in plain terms, how you handle personal data (collection, storage, and retention) and reference relevant regulations like GDPR if applicable. It does not need to be a legal document, just an honest, clear description of your practices.
What's the biggest mistake companies make in this section?
Listing policy names without explaining how they are implemented, communicated, or monitored. A short, honest description of how a policy actually works in practice is far stronger than a longer list of policy titles with no detail behind them.
Confused about ESG?

Book a free call with our CEO, Anders, and he will guide you through it!
