As a global company, we have stringent requirements for effective compliance management. Importantly, we seek to emphasize compliance by acting in line with our company values and believe that profitable business operations should go hand in hand with the highest ethical standards.
Roles and responsibilities
Our Group Compliance function is responsible for the framework of the following core topics: the Merck Code of Conduct, anti-corruption and anti-bribery (including healthcare compliance, third-party due diligence, transparency reporting), anti-money laundering, and conflicts of interest.
To cover these topics, we have Group-wide policies, standards and procedures in place that ensure our business activities comply with the relevant laws, regulations and international ethical standards. Other compliance-related issues, including the respective internal regulations and guidelines, such as Pharmacovigilance, Export and Import Controls, and Environment, Health, Safety, Security, Quality, are managed by the responsible functions.
Our Group Compliance function is responsible for our compliance portfolio, which consists of the following elements:
- Risk Assessment: Identifying internal and external critical risks in regular business operations
- Policies & Procedures: Global policies, procedures and standards to mitigate identified risks
- Compliance Committee/Forums: Platform for compliance-related discussion and decision making, including relevant key functions
- Training & Awareness: Appropriate training and additional measures to educate and keep awareness high
- Programs & Tools: Comprehensive compliance programs and supporting tools contributing to internal controls and overall governance
- Monitoring & Reporting: Tracking of compliance-related data; perform internal and external reporting
- Case Management: Timely response to reports of misconduct and implementation of corrective actions
- Continuous Improvement: Based on and applicable to all compliance program elements
Our Chief Compliance Officer reports on the status of our compliance activities, potential risks and serious compliance violations to the Executive Board and Supervisory Board twice a year at a minimum. As part of our regular reporting processes, we compile a comprehensive compliance and data privacy report annually for the Executive Board. This includes the status of our compliance program, continuous improvement initiatives and key figures on compliance and data privacy cases. Additionally, we prepare a mid-year update to highlight ongoing developments and the status of relevant projects and initiatives.
Our Chief Compliance Officer oversees all Compliance departments and the subordinate Compliance Officers and Compliance experts around the world. The Compliance Officers implement our compliance program within their respective areas of responsibility (adapting to local regulations) and receive guidance from our Group Compliance Center of Expertise. This is a centralized body that drives the design and evolution of our compliance program across all business sectors and Group functions.
Our commitment: Guidelines and standards
Our compliance program builds on our company values and integrates these into our compliance framework, which consists of Group-wide policies, standards and procedures for entrepreneurial conduct. The following are mandatory for all our employees:
- Code of Conduct
- Human Rights Charter
- Anti-Corruption Standard
- Anti-Money Laundering Group Standard
- Conflict of Interest Policy
- Antitrust and Competition Law Policy
- Whistleblowing and Investigations Standard
- Supplier Code of Conduct
Risk assessment
Proper compliance risk management is crucial to identify undetected risks and ensure our company remains protected. For this purpose, we have a compliance risk assessment process covering all of our business sectors. The assessment is based on a comprehensive risk matrix that improves objectivity and enables a data-driven risk approach. It focuses on bribery and corruption risks, illustrated through in-depth risk categorization and risk scenarios. It also utilizes country risk segmentation, classifying countries where we actively operate in terms of their risk exposure regarding bribery and corruption by applying objective and consistent criteria. We use the outcome as a model to prioritize initiatives and intensify activities in countries with higher risk levels.
Conflicts of interest
We take all potential conflicts of interest seriously. Employees must avoid situations where their professional judgment could come into conflict with their personal interests. They must also disclose every potential conflict of interest to their supervisor and document the disclosure. Such issues are typically resolved directly between the employee and the supervisor but can also be routed to Human Resources, Legal, Compliance or other relevant functions.
Management and requirements of third parties
For compliance management to be effective, it must not be restricted to the boundaries of our own company. While our supplier management processes focus on vendor compliance with our standards, our global Third Party Risk Management process governs interactions with sales parties, such as commercial agents, distributors, dealers, and high-risk vendors. We expect our third parties worldwide to adhere to our compliance principles. We collaborate only with parties who pledge to comply with relevant laws, reject all forms of bribery, and adhere to environmental, health and safety guidelines.
We apply a risk-based approach to select the third parties with whom we do business. The greater the estimated risk regarding a particular country, region, or type of service, the more in-depth we examine the third party before entering into a business relationship. We also explore background information from various databases and information reported by third parties.
If we encounter compliance concerns, we further analyze and verify the relevant information. Based on the outcome, we decide whether to reject the potential third party, impose conditions to mitigate identified risks or terminate the existing relationship.
Compliance training
We provide regular compliance training (both classroom and online) on our Code of Conduct and critical compliance topics such as anti-corruption, conflict of interest, antitrust, data privacy, anti-money laundering and healthcare compliance standards. We require employees to take these courses based on their exposure to risk. Some courses also apply to independent contractors and supervised workers, such as temporary employees. In 2023, we launched a new Anti-Corruption, Anti-Bribery and Anti-Money Laundering e-learning course based on the updated Global Anti-Corruption and Anti-Money Laundering standards introduced in 2022.
Anti-money laundering
We have implemented a global anti-money laundering (AML) program consisting of a global Anti-Money Laundering Group Standard, training and a dedicated process to report and investigate red flags and any high-risk transactions. Suspicious transactions are reported to the German Financial Intelligence Unit or other authorities as required. We continuously work to improve our AML program. Following in-depth AML risk assessments of jurisdictions with stricter regulatory frameworks than our AML program, we implemented additional local AML programs where required.
Reporting potential compliance violations
We encourage all employees worldwide to report potential compliance violations. Depending on the type of misconduct and the reporting person’s preference, they can choose from various reporting channels. We recommend using one of our central channels that are directly received and reviewed by a dedicated, independent and qualified team within Group Compliance. Depending on the nature, content and type of report, Compliance may investigate a submission directly or assign it to another responsible function for further investigation. One central reporting channel is our global whistleblowing compliance hotline, which can be used free of charge and anonymously to report violations. It is available in several languages by telephone or as a web-based application. The compliance hotline is also available to external stakeholders. The relevant information can be found in the “contact us” and the Compliance and Ethics section of our website.
Compliance-relevant cases with a particular risk profile are presented to the Compliance Case Committee, comprising senior members of our Compliance, Legal, Data Privacy, Internal Auditing, and Human Resources departments. The Committee’s duties include assessing and classifying specific compliance issues and addressing identified issues using appropriate measures.
In all Compliance-relevant cases, based on the investigation outcome and recommendations from Compliance or the Compliance Case Committee, we aim to take appropriate remediation measures. These can include disciplinary actions against employees who have committed a compliance violation. If the investigation identifies a root cause that could lead to the risk of further compliance violations, we take additional preventive and corrective actions.
Both the number of new Compliance-relevant cases and the number of cases with confirmed compliance violations increased compared with the previous year. In 2023, 106 Compliance-relevant new cases with reports via the compliance hotline and other channels were created. In 32 concluded cases, it was confirmed that the principles of the Code of Conduct or other internal or external guidelines had been violated.
|
|
2020 |
|
2021 |
|
2022 |
|
2023 Merck Group |
|
2023 |
|---|---|---|---|---|---|---|---|---|---|---|
Total number of reported compliance violations |
|
|
|
|
|
|
|
|
|
|
Number of reported compliance incidents |
|
81 |
|
79 |
|
79 |
|
106 |
|
9 |
Number of confirmed cases |
|
41 |
|
42 |
|
28 |
|
32 |
|
1 |
Confirmed cases by category |
|
|
|
|
|
|
|
|
|
|
Bribery and corruption |
|
6 |
|
1 |
|
2 |
|
1 |
|
0 |
Violation of cartel laws and fair competition rules |
|
0 |
|
0 |
|
1 |
|
0 |
|
0 |
Fraudulent actions against Merck |
|
11 |
|
6 |
|
11 |
|
3 |
|
0 |
Other violations of the Merck Compliance Principles for the relations with business partners |
|
0 |
|
0 |
|
2 |
|
3 |
|
0 |
Other violations of Merck values, internal guidelines or legal requirements |
|
24 |
|
35 |
|
12 |
|
25 |
|
1 |
Compliance audits
Compliance is ensured by Group Compliance and Group Internal Auditing as the second and third lines of defense. As part of the audits, Group Internal Auditing regularly reviews functions, processes and legal entities worldwide. These reviews include an assessment of the effectiveness of the respective compliance guidelines, processes and structures in place. The units also check for violations of our Code of Conduct, Anti-Corruption Standard, Anti-Money Laundering Group Standard, and Antitrust and Competition Law Policy.
Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage of our processes, countries and projects. We take a risk-based approach to our annual audit planning process, considering factors such as sales, employee headcount, systematic stakeholder feedback and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit gives rise to recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the recommended corrective actions. In 2023, Group Internal Auditing conducted 80 internal audits involving bribery and corruption-related risks (2022: 79), including 52 operational and 27 IT audits and 1 special audit which may be conducted to meet legal requirements.