First and foremost, responsible entrepreneurship means acting in accordance with the law, a practice commonly known as compliance. All our activities must adhere to laws, regulations and international ethical standards around the world because compliance violations don’t just result in possible legal prosecution but could also seriously compromise our reputation as an employer and business partner.
Our approach to compliance
Compliance is one of our primary considerations worldwide. As an international company with operations in developing and emerging countries, we have extremely stringent requirements for effective compliance management. For us, however, there is more to compliance than simply adhering to regulatory provisions. We consistently aspire to act in accordance with the principles defined in our Values and believe that profitability should go hand in hand with the highest ethical standards.
How we ensure compliance
Our Group Compliance function manages the core topics of anti-corruption, healthcare compliance, antitrust, anti-money laundering, fraud prevention, third-party due diligence, data privacy, transparency reporting, and dawn raid preparedness. To cover these core compliance topics, we have Group-wide policies, procedures and processes in place that ensure our business activities align with the relevant laws, regulations and international ethical standards. Other compliance-related issues, including the respective internal regulations and guidelines, are managed by the responsible functions (such as Pharmacovigilance, Export and Import Controls and Environment, Health, Safety, Security, Quality).
Supported by our Group Compliance function, our Group Compliance Officer is responsible for our compliance program, which consists of the following elements:
- Efficient solution-oriented systems and processes
- Enabling policies
- Monitoring and controls
- Investigations and case management
- Whistleblowing hotline (SpeakUp Line for anonymous and non-anonymous reporting)
- Continuous improvement tailored to business risks
- Target-group focused training
Our compliance program is regularly updated to reflect new requirements such as those resulting from amendments to legislation, relevant industry codes or changes within our company.
Our Group Compliance Officer reports to the Executive Board every six months on the status of our compliance activities, possible risks and serious compliance violations. In turn, the Executive Board updates our supervisory bodies at least twice a year on key compliance issues. As part of regular reporting processes, we annually compile a comprehensive compliance and data privacy report for the Executive Board detailing the status of our compliance program, updates that have been made, compliance and data privacy cases, and training figures. Additionally, an update is prepared at the mid-year mark to highlight current developments and the status of relevant projects and initiatives.
Our Group Compliance Officer oversees 77 Compliance Officers around the world, who are assigned to business sector teams and implement the measures of our compliance program within their respective areas of responsibility. In executing their tasks, these Compliance Officers receive guidance from our Group Compliance Programs and Support team, a centralized body that drives the design and update of our compliance program across all business sectors and Group functions and is responsible for initiating necessary measures.
Our global Transparency Operations team has the responsibility of incorporating current and upcoming transparency reporting requirements in the health sector – such as those of the European Federation of Pharmaceutical Industries and Associations (EFPIA) and the United States Physician Payments Sunshine Act.
We have successfully integrated our compliance framework more closely within our business sectors. For example, a new holistic concept is being developed, which combines the existing monitoring controls into a single system, providing a dashboard view of potential compliance risks across the organization. Compliance requirements specific to each business sector are also integrated into employee training material.
Designated Compliance Ambassadors support local compliance implementation and operate independently of our Compliance Organization. Located in the various regions in which we operate, these Compliance Ambassadors are global compliance representatives who support compliance initiatives across our businesses and functions, increasing accountability and ownership of business ethics.
Our Compliance Ambassadors are located in the following regions:
- Europe: Austria, Germany, Switzerland
- Africa: Algeria, Angola, Botswana, Egypt, Ghana, Kenya, Mauritius, Morocco, Mozambique, Namibia, Nigeria, South Africa, Tanzania, Tunisia, Uganda
- Middle East: Bahrain, Iran, Iraq, Jordan, Kuwait, Lebanon, Oman, Palestine, Qatar, Saudi Arabia, Syria, United Arab Emirates, Yemen
- Asia Pacific: China, Japan, Korea
- Latin America: Argentina, Chile
Clear chain of command for reporting violations
Any reports of potential compliance violations that we receive via our whistleblowing hotline “SpeakUp Line” are reviewed by the Compliance Investigations and Case Management team, and appropriate investigative steps are initiated. Cases showing a certain risk profile are additionally presented to the Compliance Case Committee, which consists of senior representatives from Compliance, Corporate Security, Data Privacy, Human Resources, Internal Auditing, and Legal. Duties of the committee include assessing and classifying ethical issues, investigating their background and resolving these issues through appropriate measures. If during the investigation a root cause is identified that could lead to further compliance violations, it is monitored continuously, and preventive or corrective actions are applied. An associated sub-committee advises on disciplinary action if necessary.
Conflicts of interest
We take all potential conflicts of interest seriously, which is why we have dedicated a section of our Anti-Corruption Policy to this topic. It states that employees must strictly avoid situations where their professional judgment may come into conflict with their personal interests, must disclose every potential conflict of interest to their superior, and must document the disclosure. Such issues are usually resolved directly between the employee and their manager but can also be routed to superordinate HR or employment law functions. We have therefore implemented a specific governance process that also includes the Executive Board and ensures that shareholders and related parties are regularly provided with information on potential conflicts.
Beyond this, our commitment to an appropriate conflict of interest process is documented in our Annual Report.
Data Privacy integrated into Group Compliance
Our Data Privacy unit is integrated into our Group Compliance organization. As required by law, this unit acts independently and submits frequent data privacy updates as well as compiling a regular comprehensive data privacy report as a part of the compliance report. Besides a central Group Data Privacy Officer, we also have Local Data Privacy Officers at various sites around the world.
Our commitment: Guidelines and standards
Our compliance program builds on our Values and integrates these into our compliance framework, which contains guidelines for entrepreneurial conduct that are mandatory for all our employees Group-wide:
- Our Code of Conduct provides our people with a tool that promotes ethical business practices. In 2018, we completed the roll-out of an updated version called “What guides us”. This version is closely linked to our Values and includes newer topics such as data protection, supplier due diligence and bioethics. The code has been provided to all employees worldwide both digitally and as a print brochure. Available in 22 languages, it explains the principles for interacting with business partners, employees and the communities in which we operate.
- Our Human Rights Charter supplements our Code of Conduct with globally valid principles regarding human rights, as well as the core labor standards of the International Labour Organization (ILO).
- Our Anti-Corruption Policy stipulates that all business activities must be conducted in accordance with legally applicable anti-corruption standards. All forms of bribery – whether giving or receiving – are strictly prohibited. We have reinforced our policy by adding and updating relevant corruption prevention sections. One example is the changes made to the gifts and hospitality section. Additionally, we have created guidelines on local limits and thresholds in giving or receiving gifts and hospitality (especially transportation and accommodation) to or from third parties (including public officials and external business partners).
- Our Pharma Code (for prescription medicines) and our Consumer Health Code (for over-the-counter medicines) as well as underlying policies and additional guideline documents, set out key principles for interactions with our partners in the health industry.
- Our Group-wide Antitrust and Competition Law guideline stipulates that all business activities across the Group are to be carried out in compliance with applicable competition regulations at all times. We acknowledge the importance of fair competition and expect the same of contract organizations acting on our behalf.
We use an online confirmation process to send Group-wide policies to relevant managers, Group Compliance and Legal. Recipients then confirm not only receipt of the policies, but also that they are being adhered to and implemented appropriately at the relevant sites. This confirmation process was also used to roll out our Code of Conduct. Through this process, we aim to ensure that all our managers and employees take note of the updated Code of Conduct.
Guidelines for new business units
Where necessary, we update our policies according to external requirements. Our Medical Devices and Services unit falls under the scope of existing Biopharma Compliance policies and we have separate legal and compliance guidance for business interactions with our key stakeholders. We recognize the fact that we are increasingly interacting with patients and patient organizations and have therefore revised our corresponding compliance policy. More information on our commitment to our Code of Conduct and healthcare compliance regulations can be found under Responsible marketing.
Requirements for our business partners
To be effective, compliance management must not be restricted to the boundaries of our own company, which is why we expect all our business partners worldwide to comply with our compliance principles. We only collaborate with partners who pledge to comply with all applicable laws, reject all forms of bribery, adhere to environmental, health and safety guidelines and refuse to tolerate discrimination. Furthermore, we contractually require our business partners to demonstrate a commitment to internationally recognized human rights and labor standards, as well as to our own compliance requirements. We also monitor adherence to these standards for existing business relationships via our established global Business Partner Risk Management process – usually every three years, or ad hoc when new risks are identified.
While our supplier management processes focus on vendor compliance with our standards, our Global Business Partner Risk Management Process governs interactions with sales partners such as sales agents, distributors and wholesalers. Our Business Partner Risk Management approach is integrated in our Anti-Corruption Policy.
In general, we are not able to negotiate social and environmental responsibility, compliance or integrity issues with each of our customers individually. We therefore employ a global approach for responding to external Code of Conduct acknowledgment requests. To implement this framework, the Corporate Responsibility Letter of Merck KGaA, Darmstadt, Germany and a correlation clause were introduced in 2017.
Harmonizing data privacy Group-wide
Our “Policy for Data Protection and Personal Data Privacy” defines our standards for processing, saving, using and transmitting data. This approach allows us to achieve a high level of protection for the data belonging to our employees, contract partners, customers and suppliers, as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, which includes the EU General Data Protection Regulation (EU GDPR) that came into effect in May 2018. We also consider local data privacy requirements, as not all requirements at all sites are covered by EU standards. When in doubt, the respective national legal obligations take precedence.
As part of operational audits, our Group Internal Auditing function regularly reviews relevant matters at our sites to determine which compliance guidelines, processes and structures are in place and how effective they are. The unit also checks for violations of our Code of Conduct and our Anti-Corruption Policy and reviews the workplace requirements set out in our Human Rights Charter.
Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage. Our annual audit planning process is risk-based and includes factors such as sales, employee headcount, systematic stakeholder feedback, and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit produces recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the prescribed corrective actions. In 2018, 54 operations were assessed for corruption-related risks.
We provide regular compliance training in the form of classroom and online courses that cover our Code of Conduct, anti-corruption, antitrust awareness, data privacy, and healthcare compliance standards. Employees are requested to attend these courses based on their risk indication, and some are also extended to independent contractors and supervised workers (such as temporary staff). We regularly update our training plan and adapt it to new developments. In 2018, our training concept was reviewed thoroughly with a special focus on formats, media usage, target groups, and frequency, and a refresher concept was included to strengthen learning measures. Additionally, a large amount of the training material was reviewed to make sure it addresses the compliance topics in a way that allows employees to better connect to their working environment.
In 2018, we started the roll-out of our business sector-specific e-learning program that is centered on our new Code of Conduct and aims to make employees aware of the consequences of compliance violations. 10,421 people have already been trained as part of the program, which will be made available to all new employees on a regular basis.
Using global slide deck materials that can be adapted for local use according to business- and country-specific regulations and situations, local Compliance Officers are now providing classroom training sessions on the Code of Conduct. We specifically develop some seminars on special topics with certain roles in mind. When participating in pharma-specific training, for example, employees in our Healthcare business sector also receive training on relevant compliance issues.
We continually educate our employees on new compliance requirements, guidelines and projects. One example is an online course on our Anti-Corruption Policy, which is available in 15 languages. In 2018, a total of 11,404 employees and contractors took part in anti-corruption training.
Also in 2018, in response to the European General Data Protection Regulation (EU GDPR), we redesigned our regular Data Privacy eLearning course, rolling it out in 17 languages.
“Compliance. Because we care”
Our internal “Compliance. Because we care” initiative aims to increase awareness of compliance throughout our Group. Harnessing the power of emotion, this communications campaign engages our employees in the key compliance aspects and thus heightens their sensitivity to and understanding of these issues. Launched in 2017, the initiative is being implemented gradually Group-wide. This style of communicating has also been incorporated in the Code of Conduct and was used to enhance our compliance training materials during 2018.
In addition to providing training via webinars, Skype meetings and on-site events, we inform our staff about compliance issues through a variety of media, including our Intranet, newsletters, posters and our employee magazine “pro”. Video clips from all board members strengthen the tone from the top and have been in use since 2018 across different channels including our Compliance Learning Management Platform.
SpeakUp Line for potential compliance violations
All Group employees are encouraged to report potential compliance violations to their superiors, Legal, HR or other relevant departments. Worldwide, they can also use our central whistleblowing SpeakUp Line free of charge and anonymously to report violations in their local language by telephone or via a web-based application. Based on recommendations from the Compliance investigation team or the Compliance Case Committee, disciplinary actions may also be taken, where necessary, by the responsible superiors against employees who have committed a compliance violation. These actions may range from a simple warning to dismissal, depending on the severity of the violation. Our business partners who have undergone the Business Partner Risk Management Process can also use the SpeakUp Line to report violations of internal or external rules.
Both the number of reports of suspected compliance violations and the number of actual compliance cases increased last year. In 2018, 72 compliance-related reports that led to investigations were received via the SpeakUp Line and other channels. In 2018, there were 19 confirmed cases of violations of the Code of Conduct.
Risk analysis and management of business partners
We apply a risk-based approach to selecting sales-related business partners. The greater we estimate the risk to be regarding a certain country, region or type of service, the closer and more carefully we examine the company before entering into a business relationship with them. For these risk assessments, we use the Corruption Perceptions Index (CPI), which is maintained by Transparency International, and assess potential partners against other parameters such as the nature of the intended business and sales volume. We also tap into background information from various databases and information reported by the business partners themselves, for instance on their own compliance programs.
If we encounter compliance violations, we decide whether to reject the potential business partner, terminate the existing relationship, or impose conditions to mitigate identified risks. However, our partners are generally willing to adapt their structures and processes in line with our strict compliance requirements. Since launching this process in 2013, we have assessed more than 3,500 business partners, and in 2018, we used this process to assess 335 business partners.
Ensuring data privacy and information security
Our data privacy management system applies the PDCA principle (plan, do, check, act), to ensure that data privacy policies and tools (plan), data privacy training (do), inspections and assessments (check), and incident and issue management processes (act) are all in place.
To support local Data Privacy Officers at our sites, we have introduced standardized data privacy consulting services that can be requested by data controllers and processors as needed. We have also implemented a central IT tool to provide a single source for data privacy processes, e.g. answering data privacy questions, registering data processing activities and reporting potential data privacy incidents. In 2018, we had zero sanctioned complaints or incidents concerning breaches of customer privacy or leaks, thefts or losses of customer data. In one case, a minor personal data breach was reported to the supervisory authority; it was not sanctioned.
EFPIA and other transparency initiatives
Members of the Transparency Initiative of the European Federation of Pharmaceutical Industries and Associations (EFPIA) are required to publish all contributions to medical professionals and organizations in the health sector, along with the names and addresses of individual recipients. Beyond this initiative, several countries have introduced legislation to further increase transparency in the pharmaceutical industry. We comply with these requirements and additional standards governing interactions with health systems and include them in our transparency reporting.
Alliance for Integrity
We are a member of the Alliance for Integrity Steering Committee. Established by the German Society for International Cooperation (GIZ), the German Global Compact Network (DGCN) and the Federation of German Industries (BDI), this initiative aims to achieve a corruption-free business world in developing and emerging countries. Its activities are concentrated in Argentina, Brazil, Ghana and India. The Steering Committee leads the decision-making process for developing measures in these countries, while local advisory groups oversee implementation at the country level. In 2018, our company was elected chair of the advisory group of Ghana. Our local Compliance organizations also collaborate with these groups and offer training to small and medium-sized companies. We furthermore support anti-corruption conferences such as the Global Conference of the Alliance for Integrity, which takes place once a year. Beyond these efforts, we continuously assist the Alliance for Integrity through business-to-business workshops and training courses, and by sharing best practices on how to develop and implement effective corruption prevention systems.
In 2018, we engaged stakeholders in dialogue primarily through our memberships in various associations. Amongst other organizations, we are members of the German Chemical Industry Association e. V. (VCI), the German Institute for Compliance (DICO), the European Federation of Pharmaceutical Industries and Associations (EFPIA), the German Association of Voluntary Self-Regulation for the Pharmaceutical Industry (FSA), the International Federation of Pharmaceutical Manufacturers and Associations (IFPMA), the Alliance for Integrity, the German Association for Supply Chain Management, Procurement and Logistics e. V. (BME) and the International Association of Privacy Professionals (IAPP).