Annual Report 2021

Compliance management

As a global company, we have stringent requirements for effective compliance management. Importantly, we seek to emphasize compliance by acting in line with our company values and believe that profitable business operations should go hand in hand with the highest ethical standards.

Roles and responsibilities

Our Group Compliance function is responsible for the policies on the following core topics: anti-corruption and anti-bribery (including healthcare compliance, third-party due diligence, transparency reporting), anti-money laundering, antitrust, conflict of interest, and dawn raid preparedness.

To cover these compliance topics, we have Group-wide policies and procedures in place that ensure our business activities align with the relevant laws, regulations, and international ethical standards. Other compliance-related issues, including the respective internal regulations and guidelines, such as Pharmacovigilance, Export and Import Controls, and Environment, Health, Safety, Security, Quality, are managed by the responsible functions.

Our Group Compliance function is responsible for our compliance portfolio, which consists of the following elements:

  • Risk Assessment: Identifying internal and external critical risks in regular business operations
  • Policies & Procedures: Global policies, procedures and standards to mitigate identified risks (see the “Our commitment: guidelines and standards” section for more details)
  • Compliance Committee/Forums: Platform for compliance-related discussion and decision-making, including relevant key functions
  • Training & Awareness: Appropriate training and additional measures to educate and keep awareness high
  • Programs & Tools: Comprehensive compliance programs and supporting tools contributing to internal controls and overall governance
  • Monitoring & Reporting: Tracking of compliance-related data; performing internal and external reporting
  • Case Management: Timely response to reports of misconduct and implementation of corrective actions
  • Continuous Improvement: Based on and applying to all compliance program elements

Our Group Compliance Officer reports on the status of our compliance activities, potential risks and serious compliance violations to the Executive Board and Supervisory Board twice a year at a minimum. As part of our regular reporting processes, we compile a comprehensive compliance and data privacy report annually for the Executive Board. This includes the status of our compliance program, continuous improvement initiatives and key figures on compliance and data privacy cases. Additionally, we prepare a mid-year update to highlight ongoing developments and the status of relevant projects and initiatives.

Our Group Compliance Officer oversees approximately 94 Compliance Officers and Compliance experts around the world. The Compliance Officers implement our compliance program within their respective areas of responsibility (adapting to local legislation, if legally required) and receive guidance from our Group Compliance Center of Expertise. This is a centralized body that drives the design and evolution of our compliance program across all business sectors and Group functions.

Our commitment: Guidelines and standards

Our compliance program builds on our company values and integrates these into our compliance framework, which contains Group-wide policies and procedures for entrepreneurial conduct. The following are mandatory for all our employees:

Risk assessment

Proper compliance risk management is crucial in order to identify undetected risks and keep our company protected. In 2021, we launched a global, redesigned risk identification process for all our business sectors. The new process enables objectivity and a more data-driven risk approach. We established a comprehensive risk matrix that focuses on bribery and corruption risks, which are illustrated through in-depth risk categorization and risk scenarios. The matrix consists of a questionnaire to detect the risk exposure level of the business sectors and another mitigation questionnaire that checks the implementation of the compliance program. These risk questionnaires are primarily answered by the business heads.

We are implementing the risk identification process in a staggered, top-down approach. We started the risk assessment with global functions in 2021. In a second step, we will conduct country-specific assessments in 2022.

Conflicts of interest

We take all potential conflicts of interest seriously. Employees must avoid situations where their professional judgment may come into conflict with their personal interests. They must also disclose every potential conflict of interest to their manager and document the disclosure. Such issues are typically resolved directly between the employee and the manager but can also be routed to Human Resources, Legal, Compliance, or other relevant functions.

In 2021, we further raised employees’ awareness of conflicts of interest by establishing a dedicated global interactive training program and enhancing our communication. In addition, as described under “Avoidance of conflicts of interest”, Executive Board and Supervisory Board members are exclusively committed to the interests of the company and neither pursue personal interests nor grant unjustified advantages to third parties.

Management and requirements of our business partners

Our global Third Partner Risk Management process governs interactions with sales partners, such as agents, distributors, and dealers. We expect our business partners worldwide to adhere to our compliance principles. We collaborate only with partners who pledge to comply with relevant laws, reject all forms of bribery and adhere to environmental, health, and safety guidelines.

We apply a risk-based approach to selecting business partners. The greater the estimated risk regarding a certain country, region, or type of service, the more closely we examine the company before entering into a business relationship. We also explore background information from various databases and information reported by our business partners.

If we encounter compliance concerns, we further analyze and verify the relevant information. Based on the outcome, we decide whether to reject the potential business partner, impose conditions to mitigate identified risks, or terminate the existing relationship.

By the end of 2023, we plan for all subsidiaries of our company to have a Third Partner Risk Management process and tool that follows a risk-based approach to conduct business only with legally compliant third parties. To enable stepwise implementation, we already launched this new process and tool in selected pilot countries in 2021.

Compliance training

We provide regular compliance classroom and online training courses on our Code of Conduct, anti-corruption, antitrust, data privacy, money laundering prevention, and healthcare compliance standards. We require employees to take these courses based on their exposure to risk. Some courses also apply to independent contractors and supervised workers, such as temporary employees.

In 2021, we launched two new versions of our antitrust e-learning training courses: a fundamental and an advanced course. Both courses are available in ten languages. 12,560 employees completed the fundamental training. In addition to the fundamental training, 6,057 employees with potentially higher risk exposure took the advanced training course. The mandatory training courses must be completed by all relevant employees.

We regularly update our training plan and adapt it to new developments to continuously educate our employees on existing and new compliance requirements, guidelines, and projects.

Anti-money laundering

We have implemented a global Anti-Money Laundering (AML) program consisting of a global policy, training, and a dedicated process to report and investigate red flags as well as any high-risk transactions and to report suspicious transactions to the German Financial Intelligence Unit.

It is our aim to continuously improve our AML program. In 2021, we conducted a worldwide risk analysis to identify jurisdictions that impose the strictest AML legal and regulatory framework applicable to our businesses, so that we can improve our AML program accordingly. Based on this analysis, we initiated in-depth AML risk assessments for high-risk jurisdictions, where we can implement a stricter AML program, if required.

Reporting potential compliance violations

We encourage all employees worldwide to report potential compliance violations to their supervisors, Legal, HR or other relevant departments. Globally, they can also use our central whistleblowing compliance hotline free of charge and anonymously to report violations in their local language by telephone or via a web-based application. Reports of potential compliance violations that we receive via our compliance hotline are reviewed by the Compliance Investigations and Case Management team. Cases with a certain risk profile are presented to the Compliance Case Committee, which comprises senior representatives from our Compliance, Corporate Security, Data Privacy, Human Resources, Internal Auditing, and Legal departments.

The Committee’s duties include assessing and classifying ethical issues, investigating their background and addressing these issues using appropriate measures. Based on the investigation outcome and recommendations from the compliance investigation team or the Compliance Case Committee, appropriate disciplinary action may be taken against employees who have committed a compliance violation. If, during the investigation, a root cause is identified that could lead to further compliance violations, we take preventive and corrective actions.

The compliance hotline is also available to external stakeholders. The relevant information can be found in the Compliance and Ethics section of our website.

Both the number of suspected compliance violations reported and the number of actual compliance cases were stable compared with the previous year. In 2021, we received 79 compliance-related reports via the compliance hotline and other channels that led to investigations. There were 42 confirmed cases of violations of the Code of Conduct or other internal and external rules.

Reported compliance violations

2021 Group
2021 thereof: Merck KGaA, Darmstadt,

Total number of reported compliance violations
Number of reported compliance incidents
Number of confirmed cases
Confirmed cases by category
  • Bribery and corruption
  • Violation of cartel laws and fair competition rules
  • Fraudulent actions against Merck KGaA, Darmstadt, Germany
  • Other violations of the Group Compliance Principles for the relations with business partners
  • Other violations of Group values, internal guidelines or legal requirements

Compliance audits

Compliance is ensured by Group Compliance and Group Internal Auditing as the second and third lines of defense. As part of the audits, Group Internal Auditing regularly reviews functions, processes, and legal entities worldwide. These reviews include an assessment of the effectiveness of the respective compliance guidelines, processes, and structures in place. The unit also checks for violations of our Code of Conduct and our Anti-Corruption Policy. Moreover, it requests and checks a self-assessment of the workplace requirements set out in our Human Rights Charter.

Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage of our processes. We take a risk-based approach to our annual audit planning process, considering factors such as sales, employee headcount, systematic stakeholder feedback, and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit gives rise to recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the recommended corrective actions. In 2021, Group Internal Auditing conducted 84 internal audits that included bribery and corruption-related risks, of which 55 were operational audits, 28 were IT audits and one was a special audit (for example, incident-specific internal investigations).
