First and foremost, responsible entrepreneurship means legally compliant conduct. All our activities must adhere to laws and regulations worldwide. Failure to comply with these might not only involve legal prosecution, but could also seriously compromise our reputation as a business partner and employer.
Stringent compliance requirements
Compliance is our primary consideration worldwide. Particularly as an international company with operations in developing and emerging countries, we have extremely high standards for effective compliance management. Yet for us, there is more to compliance than adhering to regulatory provisions. We consistently aspire to act in accordance with the ethical principles defined in our Values and believe that profitability should go hand in hand with the very highest ethical standards.
Our guidelines governing entrepreneurial conduct are mandatory for all our employees Group-wide:
- The Merck KGaA, Darmstadt, Germany Code of Conduct provides our workforce with a tool that promotes ethical business practices. A copy is given to all employees, explaining the principles for dealing with business associates, general partners and employees, as well as the communities in which we operate.
- Our Human Rights Charter supplements our Code of Conduct with globally valid principles regarding human rights as well as the core labor standards of the International Labour Organization (ILO).
- Our anti-corruption guideline provides that all business activities must be conducted in accordance with applicable anti-corruption standards. All forms of bribery – whether giving or receiving – are strictly prohibited. In 2016, we revised our anti-corruption guideline to reflect the tightened provisions of the German Criminal Code.
- Our Pharma Code (for prescription medicines) and our Consumer Health Code (for over-the-counter medicines) set out important principles for interactions with our partners in the health industry.
- In 2016, our principles regarding antitrust and competition law, which were already integral to our Code of Conduct as well as to various business-specific guidelines, were consolidated Group-wide. This new antitrust and competition law guideline stipulates that all business activities across the entire Group are to be carried out in compliance with applicable competition regulations at all times. We acknowledge the importance of fair competition and expect the same of contractual partners acting on our behalf.
Realigned Compliance organization
Our Group Compliance Officer and other specialists within our Group Compliance function are responsible for defining our compliance program, which is continuously updated to reflect new requirements, such as those resulting from changes in legislation.
In 2016, we restructured Group Compliance to align it more closely with the specific compliance needs of our businesses. For each of our business sectors (Healthcare, Life Science and Performance Materials), we appointed a Compliance Officer who in turn oversees regional teams. Compliance Officers have also been appointed for our Group functions and are responsible for implementing the measures set out in our compliance program in their respective areas.
Furthermore, in 2016 we also improved our internal processes. Guidelines are now sent to relevant managers, Group Compliance and Legal via an online confirmation process. Recipients then confirm not only receipt of the relevant guidelines, but also that they are being adhered to and implemented appropriately at the relevant sites.
Data Privacy as part of compliance management
During the restructuring of our Compliance organization, we integrated our Data Privacy unit into Group Compliance. As required by law, this unit will continue to act independently and will report directly to the Executive Board as well as the Supervisory Board. The Data Privacy team comprises four employees in Darmstadt and is supported by around 80 data privacy officers at our various sites.
Our 85 Compliance Officers worldwide report to the Group Compliance Officer, who informs the Executive Board at least twice a year on the status of our compliance activities, possible risks and serious compliance violations. In turn, the Executive Board updates our supervisory bodies at least twice a year on key compliance issues.
Our Internal Auditing Group function regularly reviews matters relating to compliance at our sites. Its audits determine which compliance guidelines, processes and structures are in place and how effective they are. In addition, Internal Auditing also checks for violations of our Code of Conduct and reviews the workplace requirements set out in our Human Rights Charter. The topic of corruption is also part of our standard audit program. Beyond internal audits, we also undergo external audits, such as the external assessment conducted by an auditing firm in early 2015. This led to the conclusion that the design of the compliance management system meets the key baseline requirements of the IDW PS 980 standard, in parts even going above and beyond its requirements.
We regularly provide compliance training in the form of classroom and online courses, which focus on topics related to our Code of Conduct such as corruption, handling conflicts of interest and competition law. These courses are attended by employees of all levels as well as independent contractors and supervised workers (such as temps). We regularly review our training plan, adapting it to new developments.
Central SpeakUp Line
All Group employees are called upon to report compliance violations to their supervisor, Legal, HR, or other relevant departments. They can also use the SpeakUp Line, a central reporting system, to report violations by telephone or via a web-based application, doing so in their respective national language, free of charge and, if desired, anonymously. Business partners can also use our SpeakUp Line to report improper behavior.
SpeakUp Line reports are reviewed by Group Compliance before being submitted to the Group Compliance Case Committee, which consists of senior representatives from Internal Auditing, Compliance, Group Security, Data Privacy, and Human Resources. The committee coordinates the processing of reported violations and initiates corrective measures if necessary. Disciplinary actions are also taken, where needed, against employees who have committed a compliance violation. These actions may range from a simple warning to dismissal of the employee, depending on the severity of the violation.
In addition to the SpeakUp Line, there is also a central hotline to the Group Compliance Office, which employees can call for advice on ethical and compliant conduct.
Requirements for suppliers and business partners
If it is to be effective, compliance management needs to go beyond our own company – all our business partners worldwide must also follow our compliance principles. While our supplier management processes focus on vendor compliance with our standards, our Global Business Partner Risk Management Guideline governs relations with sales partners such as distributors and wholesalers. We only collaborate with partners who comply with all applicable laws, reject all forms of bribery, adhere to environmental, health and safety guidelines, and refuse to tolerate discrimination. Furthermore, we require our business partners to demonstrate a commitment to internationally recognized human rights and labor standards, as well as to our own compliance requirements. We monitor adherence to these standards even for existing business relationships – usually when a contract is being considered for renewal.
Risk analysis of business partners
We apply a risk-based approach to selecting sales-related business partners. The greater we estimate the risk to be regarding a certain country, region or type of service, the closer and more carefully we examine the company before entering into a business relationship with them. For these risk assessments, we use the Corruption Perceptions Index (CPI) maintained by Transparency International; we also tap into background information from various databases and information reported by the business partners themselves on aspects such as their own compliance programs.
If we encounter compliance violations, we decide whether to reject the potential business partner or terminate the existing relationship. However, our partners are generally willing to adapt their structures and processes in line with our strict compliance requirements. Since launching this process in 2013, we have assessed nearly 2,000 business partners.
EFPIA Transparency initiative
Since 2016, companies in the EU have been required to publish all contributions to medical professionals and organizations in the healthcare industry that are not related to research activities, along with the names of the individual recipients. This practice is stipulated by the Transparency initiative of the European Federation of Pharmaceutical Industries and Associations (EFPIA). The EFPIA published a revised version of these guidelines in 2016. Moreover, in the same year several countries introduced legislation requiring varying degrees of transparency in the pharmaceutical industry. We will include these amended requirements in our EFPIA report for 2016.
Alliance for Integrity
In October 2015, we joined the Alliance for Integrity. Established by the German Society for International Cooperation (GIZ), the German Global Compact Network (DGCN) and the Federation of German Industries (BDI), this initiative aims to achieve a corruption-free business world in developing and emerging countries. Its activities are concentrated in Ghana, India, Indonesia, Brazil, and Argentina.
We are a member of the Alliance for Integrity's Steering Committee, which leads the decision-making process for developing measures in its target countries. Advisory groups arrange implementation at the country level. Our local Compliance organizations collaborate with these groups and participate in training that is offered to small and medium-sized companies. We also help to organize conferences on fighting corruption, such as the World Conference held by the German Chamber of Commerce in May 2016 in Berlin.
Uniform data protection management system
We operate a data protection management system that has been harmonized across the Group. Our Policy for Data Protection and Personal Data Privacy defines the standards according to which we process, save, use, and transmit data. This approach allows us to achieve a high level of protection for the data belonging to our employees, contract partners, customers, and suppliers, as well as patients and participants in clinical studies.
The Group-wide level of data protection is based on European and German legislation. At the same time, we also adapt our data security policies to local circumstances, as not all sites are covered by the European standards. We fundamentally respect the rights of those affected.
Data security measures
To protect our data against information theft and manipulation, we undertake technical and organizational measures based on ISO 27001, the standard for information security management. Technical measures include precautions for hardware and software, such as the creation of separate user accounts. Organizational measures cover formal review and release rules for all data we process, as well as clear access rules at our sites and visitor registration and tracking. Implementation of and compliance with our data security policy is also reviewed by Group Internal Auditing.
Our data privacy management system is reviewed during an annual audit. In a benchmark survey carried out by Ernst & Young in 2015, our Group was rated as above average. In particular, the maturity of our data privacy culture and Data Privacy organization scored very well.
In 2015, 49 internal audits were conducted with regards to corruption, with 55 having been conducted in 2016.
In 2015, 41 of these audits, which focused on the workplace requirements of our Human Rights Charter, were conducted in 31 countries. In 2016, 47 such audits were performed in 19 countries, including 22 audits at our global headquarters. No violations were observed.
The annual audit planning process is risk-based and includes factors such as sales, employee headcount and corruption risk, the latter of which is derived from the Corruption Perceptions Index published by Transparency International.
The sites of the company AZ Electronic Materials, which we acquired in 2014, have been fully covered by our Internal Audit process since January 2015. Since 2016, this has also applied to the subsidiaries of the U.S.-based life science company Sigma-Aldrich, which we acquired in 2015.
Training on Code of Conduct and anti-corruption guidelines
In 2015, we used our e-learning system to train 8,673 people on the Code of Conduct and increase awareness of the consequences of compliance violations. In 2016, 18,697 people received such training, which also focused on how to prevent compliance violations..
We also regularly inform our employees of new compliance requirements. In 2015, a total of 20,404 people received anti-corruption training, with 29,764 employees having been trained in 2016. In 2015, we had an online course on our anti-corruption guideline translated into 15 languages, thus allowing roughly 96% of employees to do the training in their native language. In 2015, we furthermore created an online course for the pharmaceutical business, which explains the specific regulations relevant to this area. To support the introduction of our new antitrust and competition law guideline, we also provided an online training course in 2016, which is to be available in 13 languages in 2017.
Some seminars on special topics are specifically developed for managers in certain roles. These include, for example, training courses on competition law, which were updated in 2016 due to the introduction of our new Group-wide guideline. To complement the online courses we offer, numerous classroom courses on compliance are also for employees Group-wide with a particular focus on local issues.
Reports via the SpeakUp Line
Both the number of reports of suspected compliance violations and the number of actual compliance cases has remained largely stable in recent years. In 2015, 33 compliance-related reports that led to investigations were received via the SpeakUp Line and other channels, with 36 in 2016. In 2015, there were eight confirmed cases of violations to the Code of Conduct, with 12 in 2016. The majority of these violations constituted minor, isolated incidents resulting from the misconduct of individual persons; appropriate disciplinary action was taken.
In the 2015-2016 period, there were two cases of improper business practices involving managers. These incidents were related to improper incentives for our sales force to increase sales and similar practices in associated parties (distributors). Both cases have been addressed with comprehensive action plans and independent review by Compliance and Internal Auditing. There was one case of sexual harassment, which led to the dismissal of the employee.
First EFPIA Transparency Report published
In 2015, our work focused on making our partners in the health industry understand just how important the EFPIA’s Transparency initiative is to us. We furthermore took measures to ensure data quality and security. Based on these efforts, in mid-2016 we published our first EFPIA report for all affected subsidiaries on a central website.
Compliance training for business partners
In 2015, we introduced compliance training for the employees of our business partners. This training is mandatory for all personnel who come into contact with our company or our products. It is available in eight languages and focuses on general compliance, preventing corruption and competition law. By the end of 2016, 3,875 employees from our partner companies had received this training, with 3,026 having been trained in 2015.