Compliance management

Responsible entrepreneurship starts with compliance. We aim to ensure that all our activities adhere to relevant laws, regulations and ethical standards around the world. This also helps us to protect our reputation as an employer and business partner.

Our approach to compliance

As a global company, we have stringent requirements for effective compliance management. Importantly, we seek to emphasize compliance by acting in line with our company values and believe that profitable business operations should go hand in hand with the highest ethical standards.

Roles and responsibilities

Our Group Compliance function is responsible for the framework of the following core topics: our Code of Conduct, anti-corruption and anti-bribery (including healthcare compliance, third-party due diligence, transparency reporting), anti-money laundering, and conflicts of interest.

To cover these topics, we have Group-wide policies, standards and procedures in place to ensure our business activities comply with the relevant laws, regulations and international ethical standards. Other compliance-related issues, including the respective internal regulations and guidelines, such as Pharmacovigilance, Export and Import Controls, and Environment, Health, Safety, Security, Quality, are managed by the responsible functions.

Our Group Compliance function is responsible for our compliance portfolio, which consists of the following elements:

  • Risk Assessment: Identifying internal and external critical risks in regular business operations
  • Policies & Procedures: Global policies, procedures and standards to mitigate identified risks
  • Compliance Committee/Forums: Platform for compliance-related discussion and decision making, including relevant key functions
  • Training & Awareness: Appropriate training and additional measures to educate and keep awareness high
  • Programs & Tools: Comprehensive compliance programs and supporting tools contributing to internal controls and overall governance
  • Monitoring & Reporting: Tracking compliance-related data and performing internal and external reporting
  • Case Management: Timely response to reports of misconduct and implementation of corrective actions
  • Continuous Improvement: Based on and applicable to all compliance program elements

We continuously review our compliance portfolio and update our initiatives and programs where necessary. This approach reflects new requirements as well as internal and external risks, such as those resulting from amendments to legislation, relevant industry codes or changes affecting our company. Moreover, we discuss current compliance matters, trends and goals with our stakeholders, both internally within our Compliance organization and externally. We keep the focus on our people by ensuring the availability of appropriate resources and skills, maintaining clear roles and responsibilities and, based on employee feedback, setting aligned and harmonized goals. We also want to ensure that our organizational structure is up to date and meets business needs.

Our Chief Compliance Officer reports on the status of our compliance activities, potential risks and serious compliance violations to the Executive Board and Supervisory Board twice a year at a minimum. As part of our regular reporting processes, we compile a comprehensive compliance and data privacy report annually for the Executive Board. This includes the status of our compliance program, continuous improvement initiatives and key figures on compliance and data privacy cases. Additionally, we prepare a mid-year update to highlight ongoing developments and the status of relevant projects and initiatives.

Our Chief Compliance Officer oversees all Compliance departments and the subordinate Compliance Officers and Compliance experts around the world. The Compliance Officers implement our compliance program within their respective areas of responsibility (adapting to local regulations) and receive guidance from our Group Compliance Center of Expertise. This is a centralized body that drives the design and evolution of our compliance program across all business sectors and Group functions.

Our commitment: Guidelines and standards

Our compliance program builds on our company values and integrates these into our compliance framework, which consists of Group-wide policies, standards and procedures for entrepreneurial conduct. The following are mandatory for all our employees:

  • Our Code of Conduct guides our workforce in conducting business ethically – in line with our values and the law. It is available to all employees worldwide in 22 languages.
  • Our Human Rights Charter supplements our Code of Conduct with globally recognized principles on human rights.
  • Our Anti-Corruption Standard stipulates that all business activities must be conducted in line with applicable anti-corruption regulations and standards. All forms of bribery are strictly prohibited.
  • Our global Anti-Money Laundering Group Standard defines and describes the internal global process and assurance measures to protect our company from being misused by third parties for money laundering or terrorist financing activities.
  • Our Conflict of Interest Policy sets a framework to explain the nature of a conflict of interest and the related risks. It advises how to prevent these kinds of situations or how to set rules for identifying, disclosing, mitigating, and managing the risks that could arise from such situations.
  • Our Group-wide Antitrust and Competition Law Policy states that all business activities across the Group must be conducted in compliance with applicable competition regulations at all times. We acknowledge the importance of fair competition and expect the same of parties acting on our behalf.
  • Our new Whistleblowing and Investigations Standard, effective since July 2023, reinforces our commitment to maintaining and strengthening our “speak up” culture. The standard provides guidance on reporting potential violations and our procedures for investigating reports of misconduct while ensuring confidentiality and protecting whistleblowers.
  • Additionally, we introduced a new Supplier Code of Conduct (SCoC) in January 2023 to replace our Responsible Sourcing Principles. The SCoC outlines our expectations and standards for suppliers and business partners regarding human rights, health and safety, business integrity, environmental protection, continuous improvement and managing their respective suppliers.

To maintain compliance, we annually review and compile a list of changes to the applicable laws and regulations and update the policies, standards and procedures accordingly. While for major countries we rely on external legal counsel to stay abreast of these changes, for other countries, we rely on our Compliance Officers. Our annual reviews also identify whether any corrective actions from investigations or internal audits require us to update our policies, standards or procedures.

Risk assessment

Proper compliance risk management is crucial to identify undetected risks and ensure our company remains protected. For this purpose, we have a compliance risk assessment process covering all of our business sectors. The assessment is based on a comprehensive risk matrix that improves objectivity and enables a data-driven risk approach. It focuses on bribery and corruption risks, illustrated through in-depth risk categorization and risk scenarios. It also utilizes country risk segmentation, classifying countries where we actively operate in terms of their risk exposure regarding bribery and corruption by applying objective and consistent criteria. We use the outcome as a model to prioritize initiatives and intensify activities in countries with higher risk levels.

The risk assessment follows a staggered approach focusing on global business units first, extending to high-risk countries and finishing with low-risk countries. After completing risk assessments in all countries, we align the top risks per country with our Global Mitigation Plan and Compliance Monitoring Scope to ensure we address all identified high-level risks with appropriate mitigation measures. In addition, we perform regular antitrust risk assessments in a separate process.

Conflicts of interest

We take all potential conflicts of interest seriously. Employees must avoid situations where their professional judgment could come into conflict with their personal interests. They must also disclose every potential conflict of interest to their supervisor and document the disclosure. Such issues are typically resolved directly between the employee and the supervisor but can also be routed to Human Resources, Legal, Compliance or other relevant functions.

In 2023, our conflict of interest e-learning course had a 95% completion rate.

In addition, as described in the Annual Report under Avoidance of conflicts of interest, Executive Board and Supervisory Board members are exclusively committed to the company’s objectives and neither pursue personal interests nor grant unjustified advantages to third parties.

We also actively prevent bribery by enforcing strict value limits for gifts and entertainment. These limits are embedded in the company tool we use to reimburse travel and expenses. All submissions are subject to an approval process, which includes an additional internal review if they exceed certain cost thresholds. Additionally, we have specific rules and procedures for dealing with healthcare professionals, as outlined under Responsible interactions with health systems.

Management and requirements of third parties

For compliance management to be effective, it must not be restricted to the boundaries of our own company. While our supplier management processes focus on vendor compliance with our standards, our global Third Party Risk Management process governs interactions with sales parties, such as commercial agents, distributors, dealers, and high-risk vendors. We expect our third parties worldwide to adhere to our compliance principles. We collaborate only with parties who pledge to comply with relevant laws, reject all forms of bribery, and adhere to environmental, health and safety guidelines.

We apply a risk-based approach to select the third parties with whom we do business. The greater the estimated risk regarding a particular country, region, or type of service, the more in-depth we examine the third party before entering into a business relationship. We also explore background information from various databases and information reported by third parties.

If we encounter compliance concerns, we further analyze and verify the relevant information. Based on the outcome, we decide whether to reject the potential third party, impose conditions to mitigate identified risks or terminate the existing relationship.

In 2023, we started implementing a new workflow-based process for third-party risk management. In addition to the existing high-risk categories, we introduced new general categories to strengthen our due diligence and legal compliance in all countries.

Compliance training

We provide regular compliance training (both classroom and online) on our Code of Conduct and critical compliance topics such as anti-corruption, conflict of interest, antitrust, data privacy, anti-money laundering and healthcare compliance standards. We require employees to take these courses based on their exposure to risk. Some courses also apply to independent contractors and supervised workers, such as temporary employees.

We also continually update our training curricula and adapt them to new developments. These efforts ensure we continuously educate our employees on existing and new compliance requirements, guidelines and projects.

In 2023, we launched a new Anti-Corruption, Anti-Bribery and Anti-Money Laundering e-learning course based on the updated Global Anti-Corruption and Anti-Money Laundering standards introduced in 2022.

Anti-money laundering

We have implemented a global anti-money laundering (AML) program consisting of a global Anti-Money Laundering Group Standard, training and a dedicated process to report and investigate red flags and any high-risk transactions. Suspicious transactions are reported to the German Financial Intelligence Unit or other authorities as required.

We continuously work to improve our AML program. Following in-depth AML risk assessments of jurisdictions with stricter regulatory frameworks than our AML program, we implemented additional local AML programs where required.

Reporting potential compliance violations

We encourage all employees worldwide to report potential compliance violations. Depending on the type of misconduct and the reporting person’s preference, they can choose from various reporting channels. We recommend using one of our central channels that are directly received and reviewed by a dedicated, independent and qualified team within Group Compliance. Depending on the nature, content and type of report, Compliance may investigate a submission directly or assign it to another responsible function for further investigation. One central reporting channel is our global whistleblowing compliance hotline, which can be used free of charge and anonymously to report violations. It is available in several languages by telephone or a web-based application.

The compliance hotline is also available to external stakeholders. The relevant information can be found in the “contact us” and the Compliance and Ethics section of our website.

Compliance-relevant cases with a particular risk profile are presented to the Compliance Case Committee, comprising senior members of our Compliance, Legal, Data Privacy, Internal Auditing, and Human Resources departments. The Committee’s duties include assessing and classifying specific compliance issues and addressing identified issues using appropriate measures.

In all Compliance-relevant cases, based on the investigation outcome and recommendations from Compliance or the Compliance Case Committee, we aim to take appropriate remediation measures. These can include disciplinary actions against employees who have committed a compliance violation. If the investigation identifies a root cause that could lead to the risk of further compliance violations, we take additional preventive and corrective actions.

Both the number of new Compliance-relevant cases and the number of cases with confirmed compliance violations increased compared with the previous year. In 2023, 106 Compliance-relevant new cases with reports via the compliance hotline and other channels were created. In 32 concluded cases, it was confirmed that the principles of the Code of Conduct or other internal or external guidelines had been violated.

Compliance audits

Compliance is ensured by Group Compliance and Group Internal Auditing as the second and third lines of defense. As part of the audits, Group Internal Auditing regularly reviews functions, processes and legal entities worldwide. These reviews include an assessment of the effectiveness of the respective compliance guidelines, processes and structures in place. The units also check for violations of our Code of Conduct, Anti-Corruption Standard, Anti-Money Laundering Group Standard, and Antitrust and Competition Law Policy.

Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage of our processes, countries and projects. We take a risk-based approach to our annual audit planning process, considering factors such as sales, employee headcount, systematic stakeholder feedback and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit gives rise to recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the recommended corrective actions. In 2023, Group Internal Auditing conducted 80 internal audits involving bribery and corruption-related risks, including 52 operational audits, 27 IT audits and 1 special audit, which may be conducted to meet legal requirements.

External Certification of Compliance Management System

In 2022, we initiated an external review and certification of our Compliance Management System (CMS). The focus is on anti-bribery, anti-corruption and anti-money laundering to identify potential areas of improvement and to assess whether the measures we have taken ensure that regulations, policies and processes are adhered to.

The CMS assessment started in November 2022 and will cover three phases until August 2025. The first two phases, pre-assessment and adequacy assessment, were completed by the second quarter of 2023 with positive results. They indicate that the processes and measures in our CMS are adequately designed and implemented to manage our compliance risks. We have also designed and implemented our CMS to identify significant rule breaches in advance and prevent any violations during assessments. The third phase, effectiveness assessment, will be conducted region by region until 2025.

Engaging stakeholders

We are members of various organizations, including the German Chemical Industry Association (VCI), the German Institute for Compliance (DICO), the European Federation of Pharmaceutical Industries and Associations (EFPIA), the German Association of Voluntary Self-Regulation for the Pharmaceutical Industry (FSA), the International Federation of Pharmaceutical Manufacturers and Associations (IFPMA), the Alliance for Integrity, the German Association for Supply Chain Management, Procurement and Logistics (BME), and the International Association of Privacy Professionals (IAPP).

Due diligence
Due diligence means a risk analysis exercised with particular care that is done in preparation for a business transaction, e.g. an acquisition.
Pharmacovigilance
The science and activities related to the detection, evaluation, understanding, and prevention of adverse reactions or other drug-related problems.