Compliance management

As a global company, we have stringent requirements for effective compliance management. Importantly, we seek to emphasize compliance by acting in line with our company values and believe that profitable business operations should go hand in hand with the highest ethical standards.

Roles and responsibilities

Our Group Compliance function is responsible for the framework of the following core topics: our Code of Conduct, anti-corruption and anti-bribery (including healthcare compliance, third-party due diligence, transparency reporting), anti-money laundering, antitrust, and conflicts of interest.

To cover these topics, we have Group-wide policies, standards and procedures in place that ensure our business activities comply with the relevant laws, regulations and international ethical standards. Other compliance-related issues, including the respective internal regulations and guidelines, such as Pharmacovigilance, Export and Import Controls, and Environment, Health, Safety, Security, Quality, are managed by the responsible functions.

Our Group Compliance function is responsible for our compliance portfolio, which consists of the following elements:

  • Risk Assessment: Identifying internal and external critical risks in regular business operations
  • Policies & Procedures: Global policies, procedures and standards to mitigate identified risks
  • Compliance Committee/Forums: Platform for compliance-related discussion and decision-making, including relevant key functions
  • Training & Awareness: Appropriate training and additional measures to educate and keep awareness high
  • Programs & Tools: Comprehensive compliance programs and supporting tools contributing to internal controls and overall governance
  • Monitoring & Reporting: Tracking compliance-related data; performing internal and external reporting
  • Case Management: Timely response to reports of misconduct and implementation of corrective actions
  • Continuous Improvement: Based on and applying to all compliance program elements

Our Chief Compliance Officer reports on the status of our compliance activities, potential risks and serious compliance violations to the Executive Board and Supervisory Board twice a year at a minimum. As part of our regular reporting processes, we compile a comprehensive compliance and data privacy report annually for the Executive Board. This includes the status of our compliance program, continuous improvement initiatives and key figures on compliance and data privacy cases. Additionally, we prepare a mid-year update to highlight ongoing developments and the status of relevant projects and initiatives.

Our Chief Compliance Officer oversees all Compliance departments and the underlying Compliance Officers and Compliance experts around the world. The Compliance Officers implement our compliance program within their respective areas of responsibility (adapting to local regulations) and receive guidance from our Group Compliance Center of Expertise. This is a centralized body that drives the design and evolution of our compliance program across all business sectors and Group functions.

Our commitment: Guidelines and standards

Our compliance program builds on our company values and integrates these into our compliance framework, which consists of Group-wide policies, standards and procedures for entrepreneurial conduct. The following are mandatory for all our employees:

Risk assessment

Proper compliance risk management is crucial to identify undetected risks and ensure our company remains protected. For this purpose, we are implementing a compliance risk identification process. We started this initiative by launching a global compliance risk process for all our business sectors to improve objectivity and enable a more data-driven risk approach. In addition, we established a comprehensive risk matrix that focuses on bribery and corruption risks, illustrated through in-depth risk categorization and risk scenarios. As a next step, in 2022, we started conducting country-based risk assessments. This approach considers gross and net risks while looking at tangible risk scenarios for the respective business. During this process, Group Compliance works closely with the businesses to enhance their risk awareness and create a better understanding of compliance risks. The first round of this process includes high-risk countries. By 2022, we rolled out a risk identification process to gain a better overview of bribery- and corruption-related risks.

Conflicts of interest

We take all potential conflicts of interest seriously. Employees must avoid situations where their professional judgment may come into conflict with their personal interests. They must also disclose every potential conflict of interest to their supervisor and document the disclosure. Such issues are typically resolved directly between the employee and the supervisor but can also be routed to Human Resources, Legal, Compliance, or other relevant functions.

Management and requirements of third parties

For compliance management to be effective, it must not be restricted to the boundaries of our own company. While our supplier management processes focus on vendor compliance with our standards, our global Third Party Risk Management process governs interactions with sales parties, such as commercial agents, distributors and dealers. We expect our third parties worldwide to adhere to our compliance principles. We collaborate only with parties who pledge to comply with relevant laws, reject all forms of bribery, and adhere to environmental, health and safety guidelines.

We apply a risk-based approach to select the third parties with whom we do business. The greater the estimated risk regarding a particular country, region, or type of service, the more thoroughly we examine the third party before entering into a business relationship. We also explore background information from various databases and information reported by third parties.

If we encounter compliance concerns, we further analyze and verify the relevant information. Based on the outcome, we decide whether to reject the potential third party, impose conditions to mitigate identified risks or terminate the existing relationship. By the end of 2023, we plan for all subsidiaries of our company to have a new Third Party Risk Management process and tool for due diligence of all high-risk third parties, so that we conduct business only with those that are legally compliant.

Compliance training

We provide regular compliance classroom and online training courses on our Code of Conduct, anti-corruption, antitrust, data privacy, anti-money laundering, and healthcare compliance standards. We require employees to take these courses based on their exposure to risk. Some courses also apply to independent contractors and supervised workers, such as temporary employees.

We introduced a new Conflicts of Interest e-learning module that explains what conflicts of interest are and how these should be managed within our company. The course is available in nine languages. Furthermore, we launched a new e-learning course to provide an overview of our Third-Party Risk Management and to emphasize the importance of Third-Party Risk Assessments.

Anti-money laundering

We have implemented a global anti-money laundering (AML) program consisting of a global Anti-Money Laundering Group Standard, training and a dedicated process to report and investigate red flags as well as any high-risk transactions. Suspicious transactions are reported to the German Financial Intelligence Unit or other authorities as required.

We aim to continuously improve our AML program. Following a worldwide risk assessment in 2021 to identify jurisdictions imposing the strictest legal and regulatory frameworks applicable to our businesses, we initiated in-depth AML risk assessments for higher-risk jurisdictions. Based on these assessments and constant review of changes in the legal environment, we are implementing stricter local AML programs where required.

Reporting potential compliance violations

We encourage all employees worldwide to report potential compliance violations to their supervisors, Legal, HR or other relevant departments. Globally, they can also use our central whistleblowing compliance hotline free of charge and anonymously to report violations in their local language by telephone or via a web-based application. Reports of potential compliance violations that we receive via our compliance hotline are reviewed by the Compliance Investigations and Case Management team.

Cases with a certain risk profile are presented to the Compliance Case Committee, which comprises senior representatives from our Compliance, Corporate Security, Data Privacy, Human Resources, Internal Auditing, and Legal departments. The Committee’s duties include assessing and classifying certain compliance issues, investigating their background, and addressing these issues using appropriate measures.

Based on the investigation outcome and recommendations from the compliance investigation team or the Compliance Case Committee, appropriate disciplinary action may be taken against employees who have committed a compliance violation. If, during the investigation, a root cause is identified that could lead to the risk of further compliance violations, we take preventive and corrective actions.

The compliance hotline is also available to external stakeholders. The relevant information can be found in the Compliance and Ethics section of our website.

The number of suspected compliance violations reported remained stable compared with the previous year, while the number of confirmed compliance violations decreased. In 2022, we received 79 compliance-related reports via the compliance hotline and other channels that were processed as cases. 28 violations of the Code of Conduct or other internal and external rules were confirmed.

Reported compliance violations

thereof: Merck KGaA, Darmstadt, Germany

  • Total number of reported compliance violations
  • Number of reported compliance incidents
  • Number of confirmed cases

Confirmed cases by category

  • Bribery and corruption
  • Violation of cartel laws and fair competition rules
  • Fraudulent actions against the Group
  • Other violations of the Group Compliance Principles for the relations with business partners
  • Other violations of Group values, internal guidelines or legal requirements

Compliance audits

Compliance is ensured by Group Compliance and Group Internal Auditing as the second and third lines of defense. As part of the audits, Group Internal Auditing regularly reviews functions, processes and legal entities worldwide. These reviews include an assessment of the effectiveness of the respective compliance guidelines, processes and structures in place. The units also check for violations of our Code of Conduct and our Anti-Corruption Standard.

Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage of our processes. We take a risk-based approach to our annual audit planning process, considering factors such as sales, employee headcount, systematic stakeholder feedback and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit gives rise to recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the recommended corrective actions. In 2022, Group Internal Auditing conducted 79 internal audits involving bribery and corruption-related risks, including 52 operational and 24 IT audits and 3 special audits which may, for example, be initiated as part of incident-specific internal investigations.