Responsible entrepreneurship starts with compliance. We aim to ensure that all our activities adhere to relevant laws, regulations and ethical standards around the world. This also helps us to protect our reputation as an employer and business partner.
Our approach to compliance
As a global company, we have stringent requirements for effective compliance management. Importantly, we seek to emphasize compliance by acting in line with our company values and believe that profitable business operations should go hand in hand with the highest ethical standards.
Roles and responsibilities
Our Group Compliance function is responsible for the framework of the following core topics: our Code of Conduct, anti-corruption and anti-bribery (including healthcare compliance, third-party due diligence, transparency reporting), anti-money laundering, antitrust, and conflicts of interest.
To cover these topics, we have Group-wide policies, standards and procedures in place that ensure our business activities comply with the relevant laws, regulations and international ethical standards. Other compliance-related topics, such as Pharmacovigilance, Export and Import Controls, and Environment, Health, Safety, Security and Quality, together with their respective internal regulations and guidelines, are managed by the responsible functions.
Our Group Compliance function is responsible for our compliance portfolio, which consists of the following elements:
- Risk Assessment: Identifying internal and external critical risks in regular business operations
- Policies & Procedures: Global policies, procedures and standards to mitigate identified risks (see the Our commitment: Guidelines and standards section for more details)
- Compliance Committee/Forums: Platform for compliance-related discussion and decision making, including relevant key functions
- Training & Awareness: Appropriate training and additional measures to educate and keep awareness high
- Programs & Tools: Comprehensive compliance programs and supporting tools contributing to internal controls and overall governance
- Monitoring & Reporting: Tracking of compliance-related data and performing internal and external reporting
- Case Management: Timely response to reports of misconduct and implementation of corrective actions
- Continuous Improvement: Based on and applicable to all compliance program elements
We continuously review our compliance portfolio and update our initiatives and programs where necessary. This approach reflects new requirements as well as internal and external risks, such as those resulting from amendments to legislation, relevant industry codes or changes affecting our company. We discuss current compliance matters, trends and goals with our stakeholders, both internally within our compliance organization and externally. We keep the focus on our people by ensuring the availability of appropriate resources and skills, maintaining clear roles and responsibilities and, based on employee feedback, setting aligned and harmonized goals. We also ensure that our organizational structure is up to date and meets business needs.
Our Chief Compliance Officer reports on the status of our compliance activities, potential risks and serious compliance violations to the Executive Board and Supervisory Board twice a year at a minimum. As part of our regular reporting processes, we compile a comprehensive compliance and data privacy report annually for the Executive Board. This includes the status of our compliance program, continuous improvement initiatives and key figures on compliance and data privacy cases. Additionally, we prepare a mid-year update to highlight ongoing developments and the status of relevant projects and initiatives.
Our Chief Compliance Officer oversees all Compliance departments and the underlying Compliance Officers and Compliance experts around the world. The Compliance Officers implement our compliance program within their respective areas of responsibility (adapting to local regulations) and receive guidance from our Group Compliance Center of Expertise. This is a centralized body that drives the design and evolution of our compliance program across all business sectors and Group functions.
As part of the Group Compliance Center of Expertise, our global team for coordinating transparency reporting is responsible for implementing current and upcoming transparency reporting requirements in the Healthcare business sector – including those of the European Federation of Pharmaceutical Industries and Associations (EFPIA) and the United States Physician Payments Sunshine Act. More information on our Healthcare governance and compliance activities can be found in the Responsible interactions with health systems section.
Our commitment: Guidelines and standards
Our compliance program builds on our company values and integrates these into our compliance framework, which consists of Group-wide policies, standards and procedures for entrepreneurial conduct. The following are mandatory for all our employees:
- Our Code of Conduct guides our people in conducting business ethically – in line with our values and the law. It is available to all employees worldwide in 22 languages.
- Our Human Rights Charter supplements our Code of Conduct with globally recognized principles on human rights.
- Our Anti-Corruption Standard stipulates that all business activities must be conducted in line with applicable anti-corruption regulations and standards. All forms of bribery are strictly prohibited.
- Our global Anti-Money Laundering Group Standard defines and describes the internal global process and assurance measures to protect our company from being misused by third parties for money laundering or terrorist financing activities.
- Our Conflict of Interest Policy sets a framework to explain the nature of a Conflict of Interest and the related risks. It advises how to prevent these kinds of situations or how to set rules for identifying, disclosing, mitigating and managing the risks that could arise from such situations.
- Our Group-wide Antitrust and Competition Law Policy states that all business activities across the Group must be conducted in compliance with applicable competition regulations at all times. We acknowledge the importance of fair competition and expect the same of parties acting on our behalf.
- Our Compliance Reporting and Investigation Policy includes the basic steps for an internal compliance investigation. Its purpose is to ensure an appropriate, timely and thorough response to compliance-related reports of potential misconduct pertaining to any kind of internal or external regulations or policies.
- Our Dawn Raid Policy defines courses of action, sets out general rules of conduct, and advises on rights and obligations during unannounced investigations, searches and seizures by authorities on our premises.
- Our Standard on Local Compliance Standards implements a review and approval process for local governance documents in areas under the responsibility of the Group Compliance function. In this way, our local teams can adhere to our compliance principles and guidance while implementing specific local policies or procedures that comply with local regulations.
- Furthermore, we developed a new Supplier Code of Conduct (SCoC) in 2022. It took effect and has been implemented as of January 2023, thus replacing our Responsible Sourcing Principles. The SCoC lays out the minimum standards our suppliers and business partners are expected to fulfill regarding human rights, health and safety, business integrity, environmental protection, continuous improvement, and management of their respective suppliers.
To maintain compliance, we annually review and compile a list of changes to the applicable laws and regulations and update the policies, standards and procedures accordingly. For major countries, we rely on external legal counsel to stay abreast of these changes; for other countries, we rely on our Compliance Officers. Our annual reviews also identify whether any corrective actions from investigations or internal audits require us to update our policies, standards or procedures.
Proper compliance risk management is crucial to identifying undetected risks and ensuring our company remains protected. For this purpose, we are implementing a compliance risk identification process. We started this initiative by launching a global compliance risk process for all our business sectors to improve objectivity and enable a more data-driven risk approach. In addition, we established a comprehensive risk matrix that focuses on bribery and corruption risks, illustrated through in-depth risk categorization and risk scenarios. As a next step, in 2022, we started conducting country-based risk assessments. This approach considers gross and net risks while looking at tangible risk scenarios for the respective business. During this process, Group Compliance works closely with the businesses to enhance their risk awareness and create a better understanding of compliance risks. The first round of this process covers high-risk countries.
Furthermore, in 2022, we updated our country risk segmentation approach. With it, we determine the risk exposure of the countries where our company is actively operating. The primary aim of this analysis is to classify countries in terms of their risk exposure relating to bribery and corruption by applying objective and consistent criteria. We then use the resulting outcome as a basic model to prioritize projects and initiatives and support or intensify activities in countries with specific risk levels.
Conflicts of interest
We take all potential conflicts of interest seriously. Employees must avoid situations where their professional judgment may come into conflict with their personal interests. They must also disclose every potential conflict of interest to their supervisor and document the disclosure. Such issues are typically resolved directly between the employee and the supervisor but can also be routed to Human Resources, Legal, Compliance, or other relevant functions.
In 2022, we further raised employee awareness of conflicts of interest by establishing a dedicated global e-learning course and enhancing our communication.
In addition, as described in the Annual Report under Avoidance of conflicts of interest, Executive Board and Supervisory Board members are exclusively committed to the company’s objectives and neither pursue personal interests nor grant unjustified advantages to third parties.
Management and requirements of third parties
For compliance management to be effective, it must not be restricted to the boundaries of our own company. While our supplier management processes focus on vendor compliance with our standards, our global Third Party Risk Management process governs interactions with sales parties, such as commercial agents, distributors and dealers. We expect our third parties worldwide to adhere to our compliance principles. We collaborate only with parties who pledge to comply with relevant laws, reject all forms of bribery, and adhere to environmental, health and safety guidelines.
We apply a risk-based approach to select the third parties with whom we do business. The greater the estimated risk regarding a particular country, region, or type of service, the more in-depth we examine the third party before entering into a business relationship. We also explore background information from various databases and information reported by third parties.
If we encounter compliance concerns, we further analyze and verify the relevant information. Based on the outcome, we decide whether to reject the potential third party, impose conditions to mitigate identified risks or terminate the existing relationship.
We provide regular compliance classroom and online training courses on our Code of Conduct, anti-corruption, antitrust, data privacy, anti-money laundering, and healthcare compliance standards. We require employees to take these courses based on their exposure to risk. Some courses also apply to independent contractors and supervised workers, such as temporary employees.
We introduced a new Conflicts of Interest e-learning module that explains what conflicts of interest are and how they should be managed within our company. The course is available in nine languages. Furthermore, we launched a new e-learning course to provide an overview of our Third-Party Risk Management and to emphasize the importance of Third-Party Risk Assessments.
We also regularly update our training curricula and adapt them to new developments. These ongoing efforts ensure we continuously educate our employees on existing and new compliance requirements, guidelines and projects.
As part of our targeted awareness campaigns, our two Anti-Money Laundering and Anti-Corruption standards were rolled out to senior management in 2022 via our internal communication channels.
We have implemented a global anti-money laundering (AML) program consisting of a global Anti-Money Laundering Group Standard, training and a dedicated process to report and investigate red flags as well as any high-risk transactions. Suspicious transactions are reported to the German Financial Intelligence Unit or other authorities as required.
We aim to continuously improve our AML program. Following a worldwide risk assessment in 2021 to identify jurisdictions imposing the strictest legal and regulatory frameworks applicable to our businesses, we initiated in-depth AML risk assessments for higher-risk jurisdictions. Based on these assessments and constant review of changes in the legal environment, we are implementing stricter local AML programs where required.
Reporting potential compliance violations
We encourage all employees worldwide to report potential compliance violations to their supervisors, Legal, HR or other relevant departments. Globally, they can also use our central whistleblowing compliance hotline free of charge and anonymously to report violations in their local language by telephone or via a web-based application. Reports of potential compliance violations that we receive via our compliance hotline are reviewed by the Compliance Investigations and Case Management team.
Cases with a certain risk profile are presented to the Compliance Case Committee, which comprises senior representatives from our Compliance, Corporate Security, Data Privacy, Human Resources, Internal Auditing, and Legal departments. The Committee’s duties include assessing and classifying certain compliance issues, investigating their background, and addressing these issues using appropriate measures.
Based on the investigation outcome and recommendations from the compliance investigation team or the Compliance Case Committee, appropriate disciplinary action may be taken against employees who have committed a compliance violation. If, during the investigation, a root cause is identified that could lead to the risk of further compliance violations, we take preventive and corrective actions.
The compliance hotline is also available to external stakeholders. The relevant information can be found in the Compliance and Ethics section of our website.
The number of suspected compliance violations reported remained stable compared with the previous year, while the number of confirmed compliance violations decreased. In 2022, we received 79 compliance-related reports via the compliance hotline and other channels that were processed as cases. Of these, 28 violations of the Code of Conduct or other internal and external rules were confirmed.
Compliance is ensured by Group Compliance and Group Internal Auditing as the second and third lines of defense. As part of the audits, Group Internal Auditing regularly reviews functions, processes and legal entities worldwide. These reviews include an assessment of the effectiveness of the respective compliance guidelines, processes and structures in place. The units also check for violations of our Code of Conduct and our Anti-Corruption Standard.
Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage of our processes. We take a risk-based approach to our annual audit planning process, considering factors such as sales, employee headcount, systematic stakeholder feedback and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit gives rise to recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the recommended corrective actions. In 2022, Group Internal Auditing conducted 79 internal audits involving bribery and corruption-related risks, including 52 operational audits, 24 IT audits and 3 special audits, which may, for example, be initiated as part of incident-specific internal investigations.
We are members of various organizations, including the German Chemical Industry Association (VCI), the German Institute for Compliance (DICO), the European Federation of Pharmaceutical Industries and Associations (EFPIA), the German Association of Voluntary Self-Regulation for the Pharmaceutical Industry (FSA), the International Federation of Pharmaceutical Manufacturers and Associations (IFPMA), the Alliance for Integrity, the German Association for Supply Chain Management, Procurement and Logistics (BME), and the International Association of Privacy Professionals (IAPP).