First and foremost, responsible entrepreneurship means acting in accordance with the law, a practice commonly known as compliance. All our activities must adhere to laws, regulations and international ethical standards around the world. Compliance violations would not only result in possible legal prosecution but could also seriously compromise our reputation as an employer and as a business partner.
Our approach to compliance
Compliance is one of our primary considerations worldwide. As an international company with operations in low- and middle-income countries, we have very stringent requirements for effective compliance management. In our view, however, compliance means much more than simply adhering to regulatory provisions. We aspire to always act in accordance with the principles set forth in our company values and believe that profitable business operations should go hand-in-hand with the highest ethical standards.
How we ensure compliance
Our Group Compliance function manages the core topics of anti-corruption, healthcare compliance, antitrust, anti-money laundering, third-party due diligence, data privacy, transparency reporting, and dawn raid preparedness. To cover these core compliance topics, we have Group-wide policies, procedures and processes in place that ensure our business activities align with the relevant laws, regulations and international ethical standards. Other compliance-related issues, including the respective internal regulations and guidelines (such as Pharmacovigilance, Export and Import Controls, and Environment, Health, Safety, Security, Quality), are managed by the responsible functions.
Supported by our Group Compliance function, our Group Compliance Officer is responsible for our compliance program, which consists of the following elements:
- Risk Assessment
- Policies & Procedures
- Compliance Committee
- Training & Awareness
- Programs & Tools
- Monitoring & Reporting
- Case Management
- Continuous Improvement
- Whistleblowing hotline (our SpeakUp Line for anonymous and non-anonymous reporting of potential breaches of rules and regulations).
Our compliance program is regularly updated to reflect new requirements, such as those resulting from amendments to legislation, relevant industry codes or changes within our company.
Our Group Compliance Officer reports to the Executive Board every six months on the status of our compliance activities, possible risks and serious compliance violations. In turn, the Executive Board updates our supervisory bodies at least twice a year on key compliance issues. As part of regular reporting processes, we annually compile a comprehensive compliance and data privacy report for the Executive Board detailing the status of our compliance program, updates that have been made, compliance and data privacy cases and training figures. Additionally, we prepare an update at the mid-year mark to highlight current developments and the status of relevant projects and initiatives.
Our Group Compliance Officer oversees approximately 85 Compliance Officers around the world, who implement our compliance program within their respective areas of responsibility. These Compliance Officers receive guidance from our Group Compliance Programs and Support team, a centralized body that drives the design and update of our compliance program across all business sectors and Group functions and is responsible for initiating necessary measures.
Our global Transparency Operations team is responsible for incorporating current and upcoming transparency reporting requirements in the health sector – such as those of the European Federation of Pharmaceutical Industries and Associations (EFPIA) and the United States Physician Payments Sunshine Act.
Various Compliance Ambassador programs exist in all our regions to take the different needs and cultures throughout our Group into account. In general, the main objective of the Compliance Ambassador programs is to spread the culture of compliance across the local organizations. The ambassadors act as the primary points of contact for their own teams on compliance matters. They are not compliance representatives and do not replace the work of the Compliance Officers. The Compliance Ambassadors aim to influence the behavior of their colleagues on a daily and permanent basis, using different compliance-related activities specifically designed for their teams. From the Compliance Offices across the world, we encourage and support the development of these programs, as they are an excellent way to increase accountability and ownership of business ethics across our businesses and functions.
Clear chain of command for reporting violations
Reports of potential compliance violations that we receive via our SpeakUp Line are reviewed by the Compliance Investigations and Case Management team and appropriate investigative steps are initiated. Exposed cases with a certain risk profile are additionally presented to the Compliance Case Committee, which consists of senior representatives from Compliance, Corporate Security, Data Privacy, Human Resources, Internal Auditing and Legal. The committee’s duties include assessing and classifying ethical issues, investigating their background and addressing these issues through appropriate measures. If, during the investigation, a root cause is identified that could lead to further compliance violations, it is continuously monitored and preventive or corrective actions are taken. An associated sub-committee advises on disciplinary action, if necessary.
Conflicts of interest
We take all potential conflicts of interest seriously. Employees must strictly avoid situations where their professional judgment may come into conflict with their personal interests. Also, they must disclose every potential conflict of interest to their manager and document the disclosure. Such issues are usually resolved directly between the employee and his or her manager, but can also be routed to Human Resources or other relevant functions. Furthermore, we have implemented a specific governance process that includes the Executive Board and ensures that shareholders and related parties are regularly provided with information on potential conflicts.
Beyond this, our processes for handling conflicts of interest are detailed in our Annual Report.
Data Privacy integrated into Group Compliance
Our Data Privacy unit is part of our Group Compliance organization. As required by law, this unit acts independently and submits frequent data privacy updates in addition to compiling a regular comprehensive data privacy report as a part of the compliance report. Besides a central Group Data Privacy Officer, we also have local Data Privacy Officers at various sites around the world.
Integration of Versum Materials and Intermolecular
Both Versum Materials and Intermolecular have robust compliance programs in place. We will be implementing our compliance program and the corresponding processes step-by-step until December 2020.
Our commitment: guidelines and standards
Our compliance program builds on our company values and integrates these into our compliance framework, which contains Group-wide guidelines for entrepreneurial conduct that are mandatory for all our employees:
- The Merck Code of Conduct guides our people in conducting business ethically – in accordance with our values and the law. It is available to all employees worldwide in 22 languages, both electronically and as a print brochure.
- Our Human Rights Charter supplements our Code of Conduct with globally recognized principles regarding human rights.
- Our Anti-Corruption Policy stipulates that all business activities must be conducted in accordance with legally applicable anti-corruption standards. All forms of bribery – whether giving or receiving – are strictly prohibited.
- Our Pharma Code for prescription medicines as well as underlying policies and additional guideline documents set out key principles for interactions with our partners in the health industry.
- Our Group-wide Antitrust and Competition Law Policy sets forth that all business activities across the Group are to be conducted in compliance with applicable competition regulations at all times. We acknowledge the importance of fair competition and expect the same of contract organizations acting on our behalf.
- Our Compliance Reporting and Investigation Policy includes the basic steps for an internal compliance investigation. Its purpose is to ensure an appropriate, timely and thorough response to compliance-related reports of potential misconduct relating to any kind of internal or external regulations or policies.
- Our global Money Laundering Prevention Policy defines and describes the internal global processes and assurance measures in place to protect our company from being misused by third parties for money laundering purposes.
We use an online confirmation process to send Group-wide policies to relevant managers and employees, including Group Legal and Compliance colleagues. Recipients confirm receipt of the policies and commit to adherence and appropriate implementation at the relevant sites.
Rules for the provision of healthcare items
Our company occasionally provides healthcare professionals with items of medical utility or informational and educational materials. We require the provision of such items to be for legitimate and lawful purposes, in accordance with our Code of Conduct as well as applicable policies, laws and codes. The rules on such provisions are laid out in our Healthcare Items Policy, which was updated in 2019 to include EMD Serono, Allergopharma and the Merck Foundation within its scope.
Requirements we place on our business partners
To be effective, compliance management must not be restricted to the boundaries of our own company. While our supplier management processes focus on vendor compliance with our standards, our global Business Partner Risk Management process governs interactions with sales partners, such as sales agents, distributors, dealers and wholesalers. We expect all our business partners worldwide to comply with our compliance principles. We only collaborate with partners who pledge to comply with all applicable laws, reject all forms of bribery and adhere to environmental, health and safety guidelines. Furthermore, we contractually require our business partners to demonstrate a commitment to internationally recognized human rights and labor standards as well as to our own compliance requirements. We also monitor adherence to these standards for existing business relationships with a certain risk-level via our established global Business Partner Risk Management process – typically every three years or ad hoc when new risks are identified.
Requirements of our business partners
We employ a global approach for responding to Code of Conduct acknowledgment requests from our business partners. The framework guiding this practice is laid out in our internal Merck Corporate Responsibility Letter, which was reviewed and updated in 2019.
Harmonizing data privacy Group-wide
Our Policy for Data Protection and Personal Data Privacy defines our standards for processing, saving, using and transmitting data. This approach allows us to achieve a high level of protection for the data belonging to our employees, contract partners, customers and suppliers as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, which also entails the EU General Data Protection Regulation (EU GDPR). We also consider local data privacy requirements, as not all requirements at all sites are covered by EU standards.
As part of operational audits, our Group Internal Auditing function regularly reviews relevant matters at our sites to determine the effectiveness of the respective compliance guidelines, processes and structures in place. The unit also checks for violations of our Code of Conduct and our Anti-Corruption Policy and reviews the workplace requirements set out in our Human Rights Charter.
Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage. Our annual audit planning process is risk-based and includes factors such as sales, employee headcount, systematic stakeholder feedback and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit produces recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the prescribed corrective actions. In 2019, we assessed 50 operations for corruption-related risks.
As of 2020, Versum Materials will be part of the annual audit plan of Group Internal Auditing. In January, a “post day 1 audit” was performed. Further audits, such as of Versum Materials Korea or Delivery Systems and Services, are also part of the 2020 Internal Audit Plan as approved by our Executive Board.
We provide regular compliance classroom and online training courses on our Code of Conduct, anti-corruption, anti-trust, data privacy and healthcare compliance standards. We require employees to take these courses based on their risk indication. Some courses also apply to independent contractors and supervised workers, such as temporary staff.
In June 2019, we completed the full global roll-out of our business sector-specific Code of Conduct e-learning program by publishing it in 20 new languages in addition to German and English, which were already launched in 2018. The training complements our Code of Conduct brochure “What guides us,” by providing practical guidance on how to act ethically in the workplace. In 2019, 50,461 employees and contractors had been trained as part of the program, which we conduct regularly for all new employees and contractors.
We regularly update our training plan and adapt it to new developments to continuously educate our employees on existing and new compliance requirements, guidelines and projects. One example is the e-learning course on our Anti-Corruption Policy, which is available in 15 languages. In total, 35,425 employees and contractors have completed this training since the introduction of the program, which is also being updated for the 2020 training cycle.
In response to the European General Data Protection Regulation (EU GDPR), we redesigned our regular Data Privacy e-learning course, rolling it out in 17 languages in late 2018. In the meantime, a total of 47,650 employees and contractors have completed this course. Additionally, Compliance Officers complement the execution of our Group-wide training plan by conducting mandatory local and business-specific e-learning courses.
SpeakUp Line for potential compliance violations
We encourage all Group employees to report potential compliance violations to their superiors, Legal, HR or other relevant departments. Worldwide, they can also use our central whistleblowing SpeakUp Line free of charge and anonymously to report violations in their local language by telephone or via a web-based application. Based on recommendations from the Compliance Investigation Team or the Compliance Case Committee, disciplinary actions may also be taken against employees who have committed a compliance violation, where necessary. These actions may range from a simple warning to dismissal, depending on the severity of the violation. In May 2019, the SpeakUp Line was also made available to external stakeholders. The relevant information can be found in the Compliance and Ethics section of our website, where we consolidate key compliance information such as our values, Code of Conduct, and information on transparency and data privacy for external audiences.
To continuously strengthen employees’ awareness of the SpeakUp Line, we rolled out a global SpeakUp Line communication campaign in May 2019, using digital and internal print channels.
Both the number of reports of suspected compliance violations and the number of actual compliance cases were stable compared with the previous year. In 2019, we received 75 compliance-related reports via the SpeakUp Line and other channels that led to investigations. In 2019, there were 30 confirmed cases of violations of the Code of Conduct or other internal and external rules.
Risk analysis: Compliance Risk Reporting and Self-Monitoring
In 2019, the Compliance Programs and Support team launched a redesigned compliance risk management process. We adapted the process for risk evaluation and added a new self-monitoring component. The risk management process for compliance-related topics consists of two major core elements: Compliance Risk Reporting and Self-Monitoring.
Compliance Risk Reporting:
Compliance Risk Reporting is the process by which compliance risks are evaluated. The Compliance Officer of the respective legal entity or department evaluates designated risks based on the business sector. The risk evaluation is conducted by determining a monetary impact and the extent to which the risk is likely to occur. In line with best practice for risk evaluation, the Compliance Officers assess the inherent risk followed by the residual risk.
The new Self-Monitoring component allows us to monitor the effectiveness of our compliance program within a business. The respective Managing Director of the legal entity or business head of a department in scope is provided with specific risk-mitigating statements that must be attested to on an agreement scale.
Once the process is completed, the collected data will be further analyzed and specific risk and control reports will be generated. Based on the results, follow-up activities will be initiated to further enhance our Compliance Management System.
Management of business partners
We apply a risk-based approach to selecting business partners for sales activities. The greater we estimate the risk to be regarding a certain country, region or type of service, the more in-depth we examine the company before entering into a business relationship. For these risk assessments, we use the Corruption Perceptions Index (CPI) maintained by Transparency International and assess potential partners based on other parameters such as the nature of the intended business and sales volume. We also explore background information from various databases and information reported by the business partners themselves, for instance, on their own compliance programs.
If we encounter compliance violations, we decide whether to reject the potential business partner, terminate the existing relationship or impose conditions to mitigate identified risks. However, our partners are generally willing to adapt their structures and processes in line with our strict compliance requirements. Since launching this process in 2013, we have assessed more than 3,700 business partners. In 2019, we used this process to assess more than 300 business partners.
Ensuring data privacy and information security
Our data privacy management system applies the PDCA principle (plan, do, check, act) to ensure that data privacy policies and tools (plan), data privacy training (do), inspections and assessments (check) and incident and issue management processes (act) are all in place.
To support local Data Privacy Officers at our sites, we have introduced standardized data privacy consulting services that can be requested by data controllers and processors as needed. We also implemented a central IT tool to provide a single source for data privacy processes such as answering data privacy questions, registering data processing activities and reporting potential data privacy incidents. In 2019, we had zero sanctioned complaints or incidents concerning breaches of customer privacy, or leaks, thefts or losses of customer data. In one case, a minor personal data breach was reported to the supervisory authority; it was not sanctioned.
EFPIA Transparency Initiative
Members of the Transparency Initiative of the European Federation of Pharmaceutical Industries and Associations (EFPIA) are required to publish all contributions to medical professionals and organizations in the health sector, along with the names and addresses of individual recipients. Beyond this initiative, several countries have introduced legislation to further increase transparency in the pharmaceutical industry. We comply with these requirements and additional standards governing interactions with health systems and include them in our transparency reporting.
Alliance for Integrity
We are a member of the Alliance for Integrity Steering Committee. Established by the German Society for International Cooperation (GIZ), the German Global Compact Network (DGCN) and the Federation of German Industries (BDI), this initiative aims to achieve a corruption-free business world in low- and middle-income countries. Its activities focus on Latin American countries, Ghana and Asian countries, in particular India and Indonesia. The Steering Committee leads the decision-making process for developing measures in the countries, while local advisory groups oversee implementation at country level. Our company has chaired the advisory group for Ghana since 2018. Our local compliance organizations also collaborate with these groups and offer training to small and medium-sized companies. Beyond these efforts, we continuously assist the Alliance for Integrity through business-to-business workshops and training courses and by sharing best practices on how to develop and implement effective corruption prevention systems.
In 2019, we engaged stakeholders in dialogue primarily through our memberships in various associations. Among other organizations, we are members of the German Chemical Industry Association e. V. (VCI), the German Institute for Compliance (DICO), the European Federation of Pharmaceutical Industries and Associations (EFPIA), the German Association of Voluntary Self-Regulation for the Pharmaceutical Industry (FSA), the International Federation of Pharmaceutical Manufacturers and Associations (IFPMA), the Alliance for Integrity, the German Association for Supply Chain Management, Procurement and Logistics e. V. (BME), and the International Association of Privacy Professionals (IAPP).