ESRS Governance & Business Conduct (G1) Explained: Policies, Controls, and Proof

If environmental and social ESRS test data, ESRS G1 tests credibility.

Under the Corporate Sustainability Reporting Directive (CSRD), governance disclosures are not about ethics statements or codes on a website. They are about whether a company can prove it governs sustainability risks in practice, across its organisation and value chain.

This page explains ESRS G1 in full:

• what governance and business conduct disclosures are required,
• how materiality applies (and where it does not),
• what evidence auditors expect,
• and why weak G1 disclosures undermine every other ESRS topic.

How ESRS G1 Fits Into CSRD

Unlike environmental and social standards, ESRS G1 is largely cross-cutting.

It connects directly to:

• double materiality governance,
• risk management,
• internal controls,
• supplier oversight,
• whistleblowing and remediation.

In practice, G1 failures invalidate E and S disclosures, because they raise a single question regulators care about:

Can this company actually control what it claims to manage?

What ESRS G1 Covers (In Scope)

ESRS G1 focuses on business conduct and governance mechanisms, including:

• corporate ethics and integrity,
• anti-corruption and anti-bribery,
• conflicts of interest,
• whistleblowing mechanisms,
• investigations and remediation,
• supplier governance and enforcement,
• oversight responsibilities and escalation.

This is not theoretical governance. It is operational governance.

ESRS G1 and Materiality: A Critical Distinction

Many companies misunderstand materiality under G1.

Key reality:

• Some governance disclosures apply regardless of materiality outcome
• Others are triggered when governance risks are material

You cannot exclude governance topics simply because impacts or risks seem “low.” If governance mechanisms exist, they must be disclosed.

Auditors treat unjustified G1 exclusions as red flags.

Policies Are Not Enough

Under ESRS G1, companies must disclose:

• policies and
• how those policies are implemented, monitored, and enforced.

Common failure patterns:

• codes of conduct with no enforcement logic,
• whistleblowing systems with no evidence of use,
• supplier policies without monitoring or consequences,
• governance structures with unclear accountability.

If you cannot show how a policy works in practice, it does not meet ESRS expectations.

Anti-Corruption and Business Integrity

What Is Required

Companies must disclose:

• anti-corruption and anti-bribery policies,
• training and awareness measures,
• monitoring and controls,
• incidents, investigations, and outcomes (where applicable).

Key Reality

Zero incidents does not automatically mean zero risk.

Auditors assess:

• whether controls exist,
• whether reporting channels are credible,
• whether investigations are independent,
• whether remediation actually occurs.

Silence is not evidence.

Whistleblowing and Grievance Mechanisms

What G1 Expects

Companies must disclose:

• availability of whistleblowing channels,
• accessibility to employees and relevant third parties,
• protection against retaliation,
• handling and resolution processes.

Key Reality

A whistleblowing policy that has never been tested is a risk indicator.

Auditors look for:

• documented procedures,
• usage metrics (where appropriate),
• escalation pathways,
• governance oversight.

Supplier Governance and Business Conduct

G1 extends beyond internal governance.

Companies must explain:

• how suppliers are governed,
• how codes of conduct are enforced,
• how non-compliance is identified,
• what corrective actions are taken.

This is where supplier data and campaign workflows become governance evidence, not operational extras.

If suppliers are out of control, governance is weak by definition.

Governance Roles, Responsibilities, and Oversight

Under ESRS G1, companies must clearly disclose:

• who is responsible for sustainability governance,
• how responsibilities are assigned across management and boards,
• how issues are escalated and resolved.

Vague statements like “management is responsible” do not pass.

Auditors expect named roles, decision pathways, and accountability.

Documentation and Evidence Expectations

For G1, auditors will test:

• existence of formal policies,
• implementation procedures,
• monitoring and control mechanisms,
• records of training and communication,
• investigation and remediation documentation,
• governance approvals and oversight.

Governance disclosures must be traceable, repeatable, and defensible.

Common ESRS G1 Failure Patterns

Across CSRD readiness reviews, the same issues recur:

• policies without enforcement,
• supplier codes without monitoring,
• whistleblowing channels without governance,
• governance described narratively but not operationally,
• no linkage between governance and risk management.

Any one of these can undermine CSRD assurance.

Why ESRS G1 Determines Audit Outcomes

Auditors use G1 to assess:

• whether sustainability data can be trusted,
• whether risks are actually controlled,
• whether disclosures reflect reality.

Strong E and S data with weak G1 governance still fail assurance scrutiny.

Governance is the multiplier.

ESRS G1 Is Not Optional “Good Practice”

ESRS G1 disclosures are not aspirational.

They are:

• legally required under CSRD,
• subject to assurance,
• enforceable by regulators.

Companies that treat governance as a narrative exercise expose themselves to regulatory risk even if environmental and social metrics look strong.

Final Reality Check

If your organisation cannot clearly show:

• how business conduct policies are enforced,
• how issues are reported and resolved,
• how suppliers are governed,
• who is accountable for decisions,

then ESRS G1 compliance is not defensible.

Under CSRD, governance weakness is not hidden — it is disclosed.