Responsible entrepreneurship starts with compliance. We take steps to ensure that all our activities adhere to relevant laws, regulations and ethical standards around the world. This also helps us to protect our reputation as an employer and business partner.
Our approach to compliance
As global company, we have stringent requirements for effective compliance management. Importantly, we seek to emphasize compliance by acting in line with our company values and believe that profitable business operations should go hand in hand with the highest ethical standards.
Roles and responsibilities
Our Group Compliance function is responsible for the policies on the following core topics: anti-corruption and anti-bribery (including healthcare compliance, third-party due diligence, transparency reporting), anti-money laundering, antitrust, conflict of interest, and dawn raid preparedness.
To cover these compliance topics, we have Group-wide policies and procedures in place that ensure our business activities align with the relevant laws, regulations and international ethical standards. Other compliance-related issues, including the respective internal regulations and guidelines, such as Pharmacovigilance, Export and Import Controls, and Environment, Health, Safety, Security, Quality, are managed by the responsible functions.
Our Group Compliance function is responsible for our compliance portfolio, which consists of the following elements:
- Risk Assessment: Identifying internal and external critical risks in regular business operations
- Policies & Procedures: Global policies, procedures and standards to mitigate identified risks (see the “Our commitment: guidelines and standards” section for more details)
- Compliance Committee/Forums: Platform for compliance-related discussion and decision making, including relevant key functions
- Training & Awareness: Appropriate training and additional measures to educate and keep awareness high
- Programs & Tools: Comprehensive compliance programs and supporting tools contributing to internal controls and overall governance
- Monitoring & Reporting: Tracking of compliance-related data; performing internal and external reporting
- Case Management: Timely response to reports of misconduct and implementation of corrective actions
- Continuous Improvement: Based on and applying to all compliance program elements
We continuously review our compliance portfolio and update our initiatives and programs where necessary. This approach reflects new requirements as well as internal and external risks, such as those resulting from amendments to legislation, relevant industry codes or changes affecting our company. We discuss current compliance matters, trends and goals with our stakeholders, both internally within our compliance organization and externally with our stakeholders and business partners. We keep the focus on our people by ensuring the availability of appropriate resources and skills, maintaining clear roles and responsibilities and based on employee feedback, setting aligned and harmonized goals. We also ensure that our organizational structure is up to date and meets business needs.
Our Group Compliance Officer reports on the status of our compliance activities, potential risks and serious compliance violations to the Executive Board and Supervisory Board twice a year at a minimum. As part of our regular reporting processes, we compile a comprehensive compliance and data privacy report annually for the Executive Board. This includes the status of our compliance program, continuous improvement initiatives and key figures on compliance and data privacy cases. Additionally, we prepare a mid-year update to highlight ongoing developments and the status of relevant projects and initiatives.
Our Group Compliance Officer oversees approximately 94 Compliance Officers and Compliance experts around the world. The Compliance Officers implement our compliance program within their respective areas of responsibility (adapting to local legislation, if legally required) and receive guidance from our Group Compliance Center of Expertise. This is a centralized body that drives the design and evolution of our compliance program across all business sectors and Group functions.
As part of the Group Compliance Center of Expertise, our global team for coordinating transparency reporting is responsible for implementing current and upcoming transparency reporting requirements in the Healthcare business sector – including those of the European Federation of Pharmaceutical Industries and Associations (EFPIA) and the United States Physician Payments Sunshine Act. More information on our Healthcare governance and compliance activities can be found in the Responsible interactions with health systems section.
Our commitment: Guidelines and standards
Our compliance program builds on our company values and integrates these into our compliance framework, which contains Group-wide policies and procedures for entrepreneurial conduct. The following are mandatory for all our employees:
- Our Code of Conduct guides our people in conducting business ethically – in line with our values and the law. It is available to all employees worldwide in 22 languages.
- Our Human Rights Charter supplements our Code of Conduct with globally recognized principles on human rights.
- Our Anti-Corruption Policy stipulates that all business activities must be conducted in line with legally applicable anti-corruption standards. All forms of bribery are strictly prohibited.
- Our global Money Laundering Prevention Policy defines and describes the internal global process and assurance measures to protect our company from being misused by third parties for money laundering activities.
- Our Conflict of Interest Policy sets a framework to explain the nature of a Conflict of Interest and the related risks. It explains how to prevent these kinds of situations or if prevention is not possible, sets rules for identifying, disclosing, mitigating and managing the risks that could arise from a conflict of interest situation.
- Our Group-wide Antitrust and Competition Law Policy states that all business activities across the Group must be conducted in compliance with applicable competition regulations at all times. We acknowledge the importance of fair competition and expect the same of partners acting on our behalf.
- Our Compliance Reporting and Investigation Policy includes the basic steps for an internal compliance investigation. Its purpose is to ensure an appropriate, timely and thorough response to compliance-related reports of potential misconduct relating to any kind of internal or external regulations or policies.
- Our Dawn Raid Policy defines courses of action, sets out general rules of conduct, and advises on rights and obligations during unannounced investigations, searches and seizures by authorities on our premises.
- Our Healthcare Ethical Guiding Principles provide our healthcare employees with ethical guidance for decision making and activities, while taking the particular challenges and responsibilities of this business sector into consideration. See the Responsible interactions with health systems section for more details.
- Our Pharma Code for prescription medicines as well as underlying policies and additional guideline documents define key principles for interactions with stakeholders in the health industry.
- Our Standard on Local Compliance Standards implements a review and approval process for local governance documents in areas under the responsibility of the Group Compliance function. This helps to ensure a uniform approach, while retaining sufficient flexibility to address stricter or more specific requirements and needs at a local level. In this way, our local teams can adhere to our compliance principles and guidance while implementing specific local policies or procedures that comply with local regulations.
Proper compliance risk management is crucial in order to identify undetected risks and keep our company protected. In 2021, we launched a global, redesigned risk identification process for all our business sectors. The new process enables objectivity and a more data-driven risk approach. We established a comprehensive risk matrix that focuses on bribery and corruption risks, which are illustrated through in-depth risk categorization and risk scenarios. The matrix consists of a questionnaire to detect the risk exposure level of the business sectors and another mitigation questionnaire that checks the implementation of the compliance program. These risk questionnaires are primarily answered by the business heads.
We are implementing the risk identification process in a staggered, top-down approach. We started the risk assessment with global functions in 2021. In a second step, we will conduct country-specific assessments in 2022.
Conflicts of interest
We take all potential conflicts of interest seriously. Employees must avoid situations where their professional judgment may come into conflict with their personal interests. They must also disclose every potential conflict of interest to their manager and document the disclosure. Such issues are typically resolved directly between the employee and the manager but can also be routed to Human Resources, Legal, Compliance or other relevant functions.
In 2021, we further raised employees’ awareness of conflicts of interest by establishing a dedicated global interactive training program and enhancing our communication.
In addition, as described in the Annual Report under “Avoidance of conflicts of interest”, Executive Board and Supervisory Board members are exclusively committed to the interests of the company and neither pursue personal interests nor grant unjustified advantages to third parties.
Management and requirements of our business partners
To be effective, compliance management must not be restricted to the boundaries of our own company. While our supplier management processes focus on vendor compliance with our standards, our global Third Partner Risk Management process governs interactions with sales partners, such as agents, distributors, and dealers. We expect our business partners worldwide to adhere to our compliance principles. We collaborate only with partners who pledge to comply with relevant laws, reject all forms of bribery and adhere to environmental, health and safety guidelines.
We apply a risk-based approach to selecting business partners. The greater the estimated risk regarding a certain country, region or type of service, the more in-depth we examine the company before entering into a business relationship. We also explore background information from various databases and information reported by our business partners.
If we encounter compliance concerns, we further analyze and verify the relevant information. Based on the outcome, we decide whether to reject the potential business partner, impose conditions to mitigate identified risks or terminate the existing relationship.
We provide regular compliance classroom and online training courses on our Code of Conduct, anti-corruption, antitrust, data privacy, money laundering prevention, and healthcare compliance standards. We require employees to take these courses based on their exposure to risk. Some courses also apply to independent contractors and supervised workers, such as temporary employees.
In 2021, we launched two new versions of our antitrust e-learning training courses: a fundamental and an advanced course. Both courses are available in ten languages. 12,560 employees completed the fundamental training. In addition to the fundamental training, 6,057 employees with potentially higher risk exposure took the advanced training course. The mandatory training courses must be completed by all relevant employees.
We regularly update our training plan and adapt it to new developments to continuously educate our employees on existing and new compliance requirements, guidelines and projects.
We have implemented a global Anti-Money Laundering (AML) program consisting of a global policy, training and a dedicated process to report and investigate red flags as well as any high-risk transactions and report suspicious transactions to the German Financial Intelligence Unit.
It is our aim to continuously improve our AML program. In 2021, we conducted a worldwide risk analysis to identify jurisdictions that impose the strictest AML legal and regulatory framework applicable to our businesses, so that we can improve our AML program accordingly. Based on this analysis, we initiated in-depth AML risk assessments for high-risk jurisdictions, where we can implement a stricter AML program, if required.
Reporting potential compliance violations
We encourage all employees worldwide to report potential compliance violations to their supervisors, Legal, HR or other relevant departments. Globally, they can also use our central whistleblowing “compliance hotline” free of charge and anonymously to report violations in their local language by telephone or via a web-based application. Reports of potential compliance violations that we receive via our “compliance hotline” are reviewed by the Compliance Investigations and Case Management team. Cases with a certain risk profile are presented to the Compliance Case Committee, which comprises senior representatives from our Compliance, Corporate Security, Data Privacy, Human Resources, Internal Auditing, and Legal departments.
The Committee’s duties include assessing and classifying ethical issues, investigating their background and addressing these issues using appropriate measures. Based on the investigation outcome and recommendations from the compliance investigation team or the Compliance Case Committee, appropriate disciplinary action may be taken against employees who have committed a compliance violation. If, during the investigation, a root cause is identified that could lead to further compliance violations, we take preventive and corrective actions.
The “compliance hotline” is also available to external stakeholders. The relevant information can be found in the Compliance and Ethics section of our website.
Both the number of suspected compliance violations reported and the number of actual compliance cases were stable compared with the previous year. In 2021, we received 79 compliance-related reports via the “compliance hotline” and other channels that led to investigations. There were 42 confirmed cases of violations of the Code of Conduct or other internal and external rules.
Compliance is ensured by Group Compliance and Group Internal Auditing as the second and third lines of defense. As part of the audits, Group Internal Auditing regularly reviews functions, processes and legal entities worldwide. These reviews include an assessment of the effectiveness of the respective compliance guidelines, processes and structures in place. The unit also checks for violations of our Code of Conduct and our Anti-Corruption Policy. Moreover, they request and check a self-assessment of the workplace requirements set out in our Human Rights Charter.
Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage of our processes. We take a risk-based approach to our annual audit planning process, considering factors such as sales, employee headcount, systematic stakeholder feedback and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit gives rise to recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the recommended corrective actions. In 2021, Group Internal Auditing conducted 84 internal audits that included bribery and corruption-related risks, thereof 55 operational and 28 IT audits as well as one special audit (for example incident specific internal investigations).
We are members of various organizations, including the German Chemical Industry Association (VCI), the German Institute for Compliance (DICO), the European Federation of Pharmaceutical Industries and Associations (EFPIA), the German Association of Voluntary Self-Regulation for the Pharmaceutical Industry (FSA), the International Federation of Pharmaceutical Manufacturers and Associations (IFPMA), the Alliance for Integrity, the German Association for Supply Chain Management, Procurement and Logistics (BME), and the International Association of Privacy Professionals (IAPP).