Responsible entrepreneurship starts with compliance. We take steps to ensure that all our activities adhere to relevant laws, regulations and ethical standards around the world. This also helps us to protect our reputation as an employer and business partner.
Our approach to compliance
Compliance is one of our primary considerations worldwide. As an international company with operations also in low- and middle-income countries, we have stringent requirements for effective compliance management. Importantly, we seek to emphasize compliance by acting in line with our company values and believe that profitable business operations should go hand-in-hand with the highest ethical standards.
How we ensure compliance
Our Group Compliance function is responsible for the policies on the following core topics: anti-corruption and anti-bribery (including healthcare compliance, third-party due diligence, transparency reporting), anti-money laundering,antitrust, and dawn raid preparedness.
To cover these compliance topics, we have Group-wide policies and procedures in place that ensure our business activities align with the relevant laws, regulations and international ethical standards. Other compliance-related issues, including the respective internal regulations and guidelines, such as Pharmacovigilance, Export and Import Controls, and Environment, Health, Safety, Security, Quality, are managed by the responsible functions.
Our Group Compliance function is responsible for our compliance portfolio, which consists of the following elements:
- Risk Assessment: Identifying internal and external critical risks in regular business operations
- Policies & Procedures: Global policies, procedures and standards to mitigate identified risks (see the “Our commitment: guidelines and standards” section for more details)
- Compliance Committees/forums: Platform for compliance-related discussion and decision-making that includes relevant key functions
- Training & Awareness: Appropriate training and additional measures to educate and keep awareness high
- Programs & Tools: Comprehensive compliance programs and supporting tools that contribute to internal controls and overall governance, such as third-party risk management
- Monitoring & Reporting: Tracking of compliance-related data as well as performance of internal and external reporting
- Case Management: Timely response to reports of misconduct and implementation of corrective actions
- Continuous Improvement: Based on and applying to all elements of our compliance program
We continuously review our compliance portfolio and update our initiatives and programs where necessary. This approach reflects new requirements as well as internal and external risks, such as those resulting from amendments to legislation, relevant industry codes or changes affecting our company. We drive regular and targeted communication and exchange internally within our compliance organization and externally with our stakeholders and business partners to discuss current compliance matters, trends and goals. We keep the focus on our people by ensuring the availability of appropriate resources and skills, maintaining clear roles and responsibilities and, based on employee feedback, setting aligned and harmonized goals. We also ensure that our organizational structure is always up to date and suitable for our business needs.
Our Group Compliance Officer reports on the status of our compliance activities, potential risks and serious compliance violations to the Executive Board and supervisory bodies every six months at a minimum. As part of our regular reporting processes, we compile a comprehensive compliance and data privacy report annually for the Executive Board, detailing the status of our compliance program, continuous improvement initiatives and key figures on compliance and data privacy cases. Additionally, we prepare a mid-year update to highlight ongoing developments and the status of relevant projects and initiatives.
Our Group Compliance Officer oversees approximately 95 Compliance Officers and Compliance experts around the world. The Compliance Officers implement our compliance program within their respective areas of responsibility (with local necessary adaptions if legally required) and receive guidance from our Group Compliance Center of Expertise, a centralized body that drives the design and updating of our compliance program across all business sectors and Group functions.
As part of the Group Compliance Center of Expertise, our global team for coordinating transparency reporting is responsible for incorporating current and upcoming transparency reporting requirements in the healthcare sector – including those of the European Federation of Pharmaceutical Industries and Associations (EFPIA) and the United States Physician Payments Sunshine Act.
More information on our Healthcare governance and compliance activities can be found in the Responsible interactions with health systems section.
Integrating acquisitions into our compliance system
The implementation of our compliance program at legacy Versum Materials has been completed. Legacy Versum Materials entities and sites will sometimes be referred to separately to address specific needs but are now included as part of the Performance Materials organization for future compliance program evolution at Merck. Two role-dependent e-learning training courses will be targeted to legacy Versum Materials employees in 2021. These programs, entitled Global Anti-Corruption Standards and Understanding Global Antitrust and Competition Laws, will supplement the Merck Code of Conduct training they have already received.
As of 2020, Versum Materials and Intermolecular are part of the annual audit planning process of Group Internal Auditing. In January 2020, a “post day 1 audit” and in October 2020, an “Integration 12 months post Day 1 audit” for Versum Materials was performed. Further audits, such as those carried out at Versum Materials Korea or Intermolecular, are part of the 2021 Internal Audit Plan, as approved by our Executive Board.
Our commitment: guidelines and standards
Our compliance program builds on our company values and integrates these into our compliance framework, which contains Group-wide policies and procedures for entrepreneurial conduct, which are mandatory for all our employees:
The Merck Code of Conduct guides our people in conducting business ethically – in line with our values and the law. It is available to all employees worldwide in 22 languages.
Our Human Rights Charter supplements our Code of Conduct with globally recognized principles on human rights.
- Our Anti-Corruption Policy stipulates that all business activities must be conducted in line with legally applicable anti-corruption standards. All forms of bribery are strictly prohibited.
- Our global Money Laundering Prevention Policy defines and describes the internal global process and assurance measures to protect our company from being misused by third parties for money laundering activities.
- Our Group-wide Antitrust and Competition Law Policy states that all business activities across the Group must be conducted in compliance with applicable competition regulations at all times. We acknowledge the importance of fair competition and expect the same of partners acting on our behalf.
- Our Compliance Reporting and Investigation Policy includes the basic steps for an internal compliance investigation. Its purpose is to ensure an appropriate, timely and thorough response to compliance-related reports of potential misconduct relating to any kind of internal or external regulations or policies.
- Our new Healthcare Ethical Guiding Principles provide our healthcare employees with ethical guidance for decision making and activities while taking the particular challenges and responsibilities of this business sector into consideration. See the Responsible interactions with health systems section for more details.
- Our Pharma Code for prescription medicines as well as underlying policies and additional guideline documents set out key principles for interactions with stakeholders in the health industry.
- Our new Standard on Local Compliance Standards implements a review and approval process for local governance documents in areas under the responsibility of the Group Compliance function. This helps to ensure a uniform approach while retaining sufficient flexibility to address stricter or more specific requirements and needs on a local level. Our local teams can thus adhere to our compliance principles and guidance while implementing specific local policies or procedures that comply with local regulations.
Impact of the Covid-19 pandemic on our compliance mechanisms
Due to travel restrictions and in order to keep our employees safe, we had to conduct audits from Darmstadt. Audits were either postponed or adapted so that they could be performed remotely from Darmstadt.
The number of virtual meetings held by our employees grew significantly due to the pandemic, increasing compliance complexity as regards data privacy and IFPMA, EFPIA as well as local pharmaceutical industry code requirements. We responded by providing appropriate guidance on how to comply with international and local regulations in the fast-changing virtual environment and we are adapting our requirements and procedures accordingly.
We contributed to the fight against the Covid-19 pandemic by donating protective equipment to healthcare organizations as well as other organizations around the world. We also defined global processes and requirements to ensure these kinds of donations are made in line with our compliance principles as well as international and local codes and regulations.
Risk assessment
Proper compliance risk management is crucial to identify undetected risks and keep our company protected. In 2019, we rolled out a new overarching cross-sector compliance risk management process. This “Compliance Risk Reporting & Self-Monitoring Process” comprises two components. Compliance Risk Reporting is the component in which compliance risks are evaluated. The risk evaluation is conducted by the Compliance Officer, who determines the monetary impact and the extent to which the risk is likely to occur, starting with the inherent risk, followed by the residual risk evaluation. The self-monitoring component allows us to monitor the effectiveness of our compliance program within a business. The respective Managing Director of the legal entity or head of department is provided with specific risk-mitigating statements that must be confirmed on an agreement scale from “fully agree” to “fully disagree”.
After completing the first cycle in the previous year, in 2020, we focused on the key risks identified by running different analyses and dedicated follow-up activities for risk mitigation. Additionally, we also started to run sector-specific risk assessments to highlight specific business sector risks and take a targeted approach to risk reduction that help us to continuously adjust our compliance program.
Conflicts of interest
We take all potential conflicts of interest seriously. Employees must avoid situations where their professional judgment may come into conflict with their personal interests. They must also disclose every potential conflict of interest to their manager and document the disclosure. Such issues are typically resolved directly between the employee and manager but can also be routed to Human Resources or other relevant functions.
To further enhance the existing process, a new Policy and Procedure as well as a new tool for transparent documentation of potential conflicts of interest, including decisions and mitigations taken, was rolled out in 2020.
In addition, as described in the Annual Report under “Avoidance of conflicts of interest,” Executive Board and Supervisory Board members are exclusively committed to the interests of the company and neither pursue personal interests nor grant unjustified advantages to third parties.
Management and requirements of our business partners
To be effective, compliance management must not be restricted to the boundaries of our own company. While our supplier management processes focus on vendor compliance with our standards, our global Third Partner Risk Management process governs interactions with sales partners, such as agents, distributors, and dealers. We expect our business partners worldwide to adhere to our compliance principles. We collaborate only with partners who pledge to comply with relevant laws, reject all forms of bribery and adhere to environmental, health and safety guidelines.
We apply a risk-based approach to selecting business partners. The greater the estimated risk regarding a certain country, region or type of service, the more in-depth we examine the company before entering into a business relationship. We also explore background information from various databases and information reported by our business partners.
If we encounter compliance concerns, we further analyze and verify the existing adverse information. Based on the outcome, we decide whether to reject the potential business partner, impose conditions to mitigate identified risks or terminate the existing relationship.
Compliance forums
This year, Group Compliance reinforced compliance awareness and encouraged compliance discussions by establishing a dedicated platform for local Compliance forums or committees. This platform enables discussion of updates and alignment on certain matters in order to maintain a high standard of corporate compliance throughout the global organization. At the same time, they make it possible to remain agile when new business and compliance challenges arise. Group Compliance has developed them using a structured methodology framework to enhance consistency and complementation across the globe, which will further support our risk assurance. Each local forum contributes to our consistent compliance framework approach and has sufficient flexibility to cater to their local sector-specific needs.
Compliance training
We provide regular compliance classroom and online training courses on our Code of Conduct, anti-corruption, antitrust, data privacy, and healthcare compliance standards. We require employees to take these courses based on their exposure to risk. Some courses also apply to independent contractors and supervised workers, such as temporary staff.
In 2020, we rolled out two new mandatory e-learning training courses. The training courses are assigned to all relevant employees. We launched an updated version of our anti-corruption e-learning training course in 13 languages. In 2020, 28,805 employees completed the training course. We also rolled out a new money laundering prevention e-learning training course, which is available in eight languages. The final rollout took place in November 2020 and 12,829 employees completed the training in 2020.
In September 2020, we migrated to a Group-wide learning management platform to simplify learner accessibility.
We regularly update our training plan and adapt it to new developments to continuously educate our employees on existing and new compliance requirements, guidelines and projects.
Compliance monitoring and reporting activities
In 2020, we further enhanced our monitoring and reporting activities. Since we have different tools within Compliance, our efforts were targeted to create a single platform that displays all relevant information (KPIs and metrics for trend analysis) from the various tools. Therefore, we initiated a new governance and monitoring project that ensures a more efficient tracking of compliance-related KPIs and metrics.
Reporting potential compliance violations
We encourage all employees worldwide to report potential compliance violations to their supervisors, Legal, HR, or other relevant departments. Worldwide, they can also use our central whistleblowing SpeakUp Line free of charge and anonymously to report violations in their local language by telephone or via a web-based application. Reports of potential compliance violations that we receive via our SpeakUp Line are reviewed by the Compliance Investigations and Case Management team. Cases with a certain risk profile are presented to the Compliance Case Committee, which comprises senior representatives from Compliance, Corporate Security, Data Privacy, Human Resources, Internal Auditing, and Legal.
The committee’s duties include assessing and classifying ethical issues, investigating their background and addressing these issues using appropriate measures. Based on the investigation outcome and recommendations from the compliance investigation team or the Compliance Case Committee, appropriate disciplinary action may be taken against employees who have committed a compliance violation. If, during the investigation, a root cause is identified that could lead to further compliance violations, we take preventive and corrective actions.
The SpeakUp Line is also available to external stakeholders. The relevant information can be found in the Compliance and Ethics section of our website, where we consolidate key compliance information, such as our values, Code of Conduct (CoC) and information on transparency and data privacy for external audiences.
Both the number of reports of suspected compliance violations and the number of actual compliance cases were stable compared with the previous year. In 2020, we received 81 compliance-related reports via the SpeakUp Line and other channels that led to investigations. There were 41 confirmed cases of violations of the CoC or other internal and external rules.
Compliance audits
As part of operational audits, our Group Internal Auditing function regularly reviews relevant matters at our sites to determine the effectiveness of the respective compliance guidelines, processes and structures in place. The unit also checks for violations of our CoC and our Anti-Corruption Policy and reviews the workplace requirements set out in our Human Rights Charter.
Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage. Our annual audit planning process is risk-based and includes factors such as sales, employee headcount, systematic stakeholder feedback, and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit produces recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the prescribed corrective actions. In 2020, we assessed 52 operations for corruption-related risks.
Alliance for Integrity
We are a member of the Alliance for Integrity Steering Committee, which was established by the German Society for International Cooperation (GIZ), the German Global Compact Network (DGCN) and the Federation of German Industries (BDI). This initiative aims to achieve corruption-free business in low- and middle-income countries. Its activities focus on Latin America, Ghana, and Asian countries, particularly India and Indonesia. The Steering Committee leads the decision-making process for developing national measures, while local advisory groups oversee implementation at country level.
Our local compliance organizations also collaborate with these groups and offer training to small and medium-sized companies. Beyond these efforts, we continuously assist the Alliance for Integrity through business-to-business workshops and training courses and by sharing best practices on how to develop and implement effective corruption prevention systems.
Engaging stakeholders
In 2020, we conducted stakeholder dialogues primarily through our memberships of various associations. We are members of various organizations, including the German Chemical Industry Association (VCI), the German Institute for Compliance (DICO), the European Federation of Pharmaceutical Industries and Associations (EFPIA), the German Association of Voluntary Self-Regulation for the Pharmaceutical Industry (FSA), the International Federation of Pharmaceutical Manufacturers and Associations (IFPMA), the Alliance for Integrity, the German Association for Supply Chain Management, Procurement and Logistics (BME), and the International Association of Privacy Professionals (IAPP).