First and foremost, responsible entrepreneurship means acting in accordance with the law, a practice also known as compliance. All our activities must adhere to laws and regulations worldwide because compliance violations might not only involve legal prosecution but could also seriously compromise our reputation as an employer and business partner.
Our approach to compliance
Compliance is one of our primary considerations worldwide. Particularly as an international company with operations in developing and emerging countries, we have extremely stringent requirements for effective compliance management. Yet for us, there is more to compliance than adhering to regulatory provisions. We consistently aspire to act in accordance with the principles defined in our Values and believe that profitability should go hand in hand with the very highest ethical standards.
How we ensure compliance
Our Group Compliance organization manages the core topics of anti-corruption, antitrust, data privacy, dawn raid preparedness, healthcare compliance, and transparency reporting. Other compliance related issues are managed by the responsible functions (such as Quality, Pharmacovigilance, and Environment, Health, and Safety (EHS)). To cover the core compliance topics, we have Group-wide compliance policies, procedures and processes in place to ensure that our business activities align with the relevant laws and regulations.
Supported by our Group Compliance organization, our Group Compliance Officer is responsible for our compliance program, which consists of the following elements:
- Efficient solution oriented systems and processes
- Enabling policies
- Monitoring and controls
- Case management
- Anonymous reporting
- Continuous improvement tailored to business risks
- Target-group focused training
Our compliance program is regularly updated to reflect new requirements such as those resulting from amendments to legislation, relevant industry codices or changes within our company.
The Group Compliance Officer reports to the Executive Board every six months on the status of our compliance activities, possible risks and serious compliance violations. In turn, the Executive Board updates our supervisory bodies at least twice a year on key compliance issues. As part of regular reporting processes, we annually compile a comprehensive compliance and data privacy report detailing the status of our compliance program, updates that have been made, compliance and data privacy cases, and training figures. Additionally, an update is prepared at the mid-year mark highlighting current developments and the status of relevant projects and initiatives.
Worldwide, our Group Compliance Officer oversees 79 Compliance Officers who are assigned to business sector teams and implement the measures of our compliance program within their respective areas of responsibility. In executing their tasks, these Compliance Officers receive guidance from our Group Compliance Programs & Support team, a centralized body that drives the design and update of our compliance program across all business sectors and Group functions and is responsible for initiating necessary measures.
Compliance organization
In addition to these efforts we have created a global Transparency Operations team to incorporate current and upcoming transparency reporting requirements in the health sector – such as those of the European Federation of Pharmaceutical Industries and Associations (EFPIA) and the U.S. Physician Payments Sunshine Act.
Since 2017, our compliance framework has been integrated more closely within the business sectors. For example, we are developing a new holistic concept that combines the existing monitoring controls into a single system, providing a dashboard view of potential compliance risks across the organization.
In updating guidelines and training curricula, we also link compliance requirements specific to each business sector by integrating them into employee training material.
To support local Compliance implementation, we introduced designated Compliance Ambassadors who operate independently of our Compliance Organization. We appointed ambassadors in the following regions:
- Africa: Algeria, Angola, Botswana, Egypt, Ghana, Kenya, Mauritius, Morocco, Mozambique, Namibia, Nigeria, South Africa, Tanzania, Tunisia, Uganda
- Middle East: Bahrain, Iran, Iraq, Jordan, Kuwait, Lebanon, Oman, Palestine, Qatar, Saudi Arabia, Syria, United Arab Emirates, Yemen
- South America: Argentina, Chile
- China
- Germany
Clear chain of command for reporting violations
Reports of potential compliance violations received via our SpeakUp Line are reviewed by Group Compliance before being submitted to the Group Compliance Case Committee, which consists of senior representatives from Internal Auditing, Group Compliance, Corporate Security, Data Privacy, and Human Resources. Stefan Oschmann, Executive Board Chairman and CEO, heads the committee. An associated sub-committee advises on disciplinary action if necessary.
Conflicts of Interest
We take all potential conflicts of interest seriously. Every conflict is disclosed to the employee’s supervisor and the disclosure is documented. Such issues are mainly managed in a direct relationship between employee and supervisor, but can also be routed to superior HR or employment law functions. To involve the Executive Board, we have implemented a specific governance process, including a periodical request for information on potential conflicts to be provided to shareholders and related parties.
Furthermore, we document our commitment to an appropriate conflict of interest process in our Annual Report.
Data Privacy integrated into Compliance
Our Data Privacy unit has been organizationally integrated into Group Compliance. As required by law, this unit acts independently and compiles a comprehensive data privacy report as a part of the compliance report. Furthermore, the Data Privacy team submits regular data privacy updates as part of our overall Compliance reporting. Since 2017, the team has comprised four employees in Darmstadt. We have Data Safety Officers in place at numerous sites.
Our commitment: Guidelines and standards
Our compliance program builds on our Values and integrates these into our compliance framework, which contains guidelines for entrepreneurial conduct that are mandatory for all our employees Group-wide:
- Our Code of Conduct provides our people with a tool that promotes ethical business practices. At the end of 2017, we started the roll-out of an updated version of our Code of Conduct called “What guides us”. Approved by the Executive Board, this version has a strong relation to our Values along with newer topics such as data protection, supplier due diligence and bioethics. The updated code is available to employees both digitally and as a print brochure. Available in 22 languages, it explains the principles for interacting with business partners, employees, and the communities in which we operate.
- Our Human Rights Charter supplements our Code of Conduct with globally valid principles regarding human rights as well as the core labor standards of the International Labour Organization (ILO).
- Our Anti-Corruption Policy stipulates that all business activities must be conducted in accordance with legally applicable anti-corruption standards. All forms of bribery – whether giving or receiving – are strictly prohibited. We have reinforced our policy by adding and updating relevant corruption prevention sections. One example is the changes made to the gifts and hospitality section. Additionally, we have created guidelines on local limits and thresholds in giving or receiving gifts and hospitality to or from third parties (including public officials and external business partners). Moreover, in 2017 we also incorporated our Global Business Partner Risk Management principles into our Anti-Corruption Policy.
- Our Pharma Code (for prescription medicines) and our Consumer Health Code (for over-the-counter medicines) set out key principles for interactions with our partners in the health industry.
- Our Group-wide Antitrust and Competition Law guideline stipulates that all business activities across the Group are to be carried out in compliance with applicable competition regulations at all times. We acknowledge the importance of fair competition and expect the same of contract organizations acting on our behalf.
Since 2016 we have been using an online confirmation process to send Group-wide policies to relevant managers, Group Compliance and Legal. Recipients then confirm not only receipt of the policies, but also that they are being adhered to and implemented appropriately at the relevant sites.
Guidelines for new business units
Where necessary, we update our policies according to external requirements. In 2017, we integrated the Medical Devices and Services unit into the scope of existing Biopharma Compliance policies and created separate legal and compliance guidance for business interactions with our key stakeholders.
We recognize the fact that we are increasingly interacting with patients and patient organizations and therefore revised our corresponding compliance policy.
Requirements for our business partners
To be effective, compliance management needs to go beyond the boundaries of our own company, which is why we expect all our business partners worldwide to comply with our compliance principles. We only collaborate with partners who pledge to comply with all applicable laws, reject all forms of bribery, adhere to environmental, health and safety guidelines, and refuse to tolerate discrimination. Furthermore, we contractually require our business partners to demonstrate a commitment to internationally recognized human rights and labor standards, as well as to our own compliance requirements. We also monitor adherence to these standards for existing business relationships – usually when a contract is being considered for renewal, or alternatively at least every four years.
While our supplier management processes focus on vendor compliance with our standards, our Global Business Partner Risk Management Process governs interactions with sales partners such as distributors and wholesalers. Our Business Partner Risk Management approach was updated in 2017 and integrated into our Anti-Corruption Policy.
In general, we are not able to negotiate social and environmental responsibility, compliance or integrity issues with each of our customers individually. Therefore in 2017, our Performance Materials business sector compliance team developed a global approach for responding to external Code of Conduct acknowledgment requests. To implement this framework, our Performance Materials Compliance team introduced the Corporate Responsibility Letter of Merck KGaA, Darmstadt, Germany and a correlation clause, starting with the Performance Materials business sector.
Harmonizing data privacy Group-wide
Our “Policy for Data Protection and Personal Data Privacy” defines the standards according to which we process, save, use, and transmit data. This approach allows us to achieve a high level of protection for the data belonging to our employees, contract partners, customers, and suppliers, as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European and German legislation. However, we also take into account local data privacy requirements, as not all requirements at all sites are covered by EU standards. In case of doubt, the respective national legal obligations take precedence. Whatever the situation, we fundamentally respect the rights of those affected.
We are already applying the new requirements of the European General Data Protection Regulation. In line with this regulation, we have established working groups to review the compliance of our various business units and improve existing measures where necessary.
Compliance audits
As part of operational audits, our Group function Internal Auditing regularly reviews matters relating to compliance at our sites to determine which compliance guidelines, processes and structures are in place and how effective they are. In addition, Internal Auditing also checks for violations of our Code of Conduct and our Anti-Corruption Policy, and reviews the workplace requirements set out in our Human Rights Charter.
Our audit planning aims to provide comprehensive risk assurance through the best possible audit coverage. Our annual audit planning process is risk-based and includes factors such as sales, employee headcount, systematic stakeholder feedback, and the Corruption Perceptions Index (CPI) published by the non-governmental organization Transparency International. If an internal audit results in recommendations, Group Internal Auditing performs a systematic follow-up and monitors the implementation of the prescribed corrective actions.
Compliance training
We regularly provide compliance training in the form of classroom and online courses that cover our Code of Conduct, anti-corruption, antitrust awareness, data privacy, and healthcare compliance standards. These courses are attended by employees at all levels as well as independent contractors and supervised workers (such as temporary staff). We regularly update our training plan and adapt it to new developments.
11,521
people were trained on our Code of Conduct and sensitized to the consequences of compliance violations through our e-learning system in 2017. A further component of this training focuses on preventing compliance violations.
We are currently working on a business sector-specific e-learning program centered on our new Code of Conduct. We plan to roll this program out in 2018.
We continually educate our employees on new compliance requirements, guidelines and projects, and also offer an online course on our Anti-Corruption Policy in 15 languages. In 2017, a total of 7,315 employees and contractors took part in anti-corruption training.
Some seminars on special topics are specifically developed for professionals in certain roles. When participating in pharma-specific training, for example, employees in our Healthcare business sector also receive training on relevant compliance issues.
To complement the online courses we offer, numerous classroom courses are also held for employees Group-wide with a particular focus on local issues. In 2017, we furthermore developed a game for our sales representatives that simulates typified behaviors tailored to a multitude of compliance scenarios that our sales heads experience on a regular basis.
In addition to these training offerings, Group Compliance has partnered with our Chief Medical Office team to develop a training course for our Medical employees. Accessible via our education portal, this course comprises important modules containing compliance-related topics such as Medical Education Funding, Medical and Commercial Interactions and Patient Support Programs. The course is also open to all interested employees, including those from other units.
We also regularly provide data privacy training courses that new employees must complete, focusing especially on data privacy rules and the new European General Data Protection Regulation. Furthermore, we keep all employees up to date through regular refresher training.
“Compliance. Because we care”
Our internal “Compliance. Because we care” initiative aims to increase awareness of compliance throughout our Group. Harnessing the power of emotion, we have incorporated evocative visuals to bring key compliance aspects closer to our employees, thus heightening their sensitivity to these issues. Launched in 2017, the initiative is being implemented gradually Group-wide.
In addition to providing training in the form of webinars, Skype meetings and on-site events, we inform our staff about compliance issues through a variety of media, including our Intranet, newsletters, our employee magazine “pro”, and posters.
SpeakUp Line for potential compliance violations
All Group employees are encouraged to report potential compliance violations to their superiors, Legal, HR, or other relevant departments. Worldwide, they can also use our central SpeakUp hotline to report violations by telephone or via a web-based application in their respective national language, free of charge – and, if desired, anonymously. Based on recommendations from the Group Compliance Case Committee, where necessary disciplinary actions may also be taken by the responsible superiors against employees who have committed a compliance violation. These actions may range from a simple warning to dismissal of the employee, depending on the severity of the violation. Our Business Partners who have undergone the Business Partner Risk Management Process can also use the SpeakUp Line to report violations of internal or external rules.
Both the number of reports of suspected compliance violations and the number of actual compliance cases has remained largely stable in recent years. In 2017, 39 compliance-related reports leading to investigations were received via the SpeakUp Line and other channels. In 2017, there were 14 confirmed cases of violations of the Code of Conduct. The majority of these constituted minor, isolated incidents resulting from the misconduct of individual persons, and appropriate disciplinary action was taken. One case concerned a testing facility and comprised issues relating to site management as well as control deficiencies in certain areas. Another case related to interactions with healthcare professionals and organizations where local practices did not meet the requirements of our Group policy.
Risk analysis and management of business partners
We apply a risk-based approach to selecting sales-related business partners. The greater we estimate the risk to be regarding a certain country, region or type of service, the closer and more carefully we examine the company before entering into a business relationship with them. For these risk assessments, we use the Corruption Perceptions Index (CPI) maintained by Transparency International and assess potential partners against other parameters such as the nature of the intended service. We also tap into background information from various databases and information reported by the business partners themselves, for instance on their own compliance programs.
In 2017, we re-designed our Business Partner Risk Management Process and automated certain processes. This change allows us better scrutiny of our business partners in high-risk environments such as countries with a CPI rating below 50 (0 = highly corrupt/100 = very clean). This enables us to further reduce legal and reputational risks that may arise from bribery committed by third parties.
If we encounter compliance violations, we decide whether to reject the potential business partner or terminate the existing relationship. However, our partners are generally willing to adapt their structures and processes in line with our strict compliance requirements. Since launching this process in 2013, we have assessed more than 2,800 business partners, and in 2017 we used this process to assess 690 new business partners.
In 2017, we continued our compliance training for the employees of our business partners as part of our Business Partner Risk Management Process. This training is mandatory for all personnel who come into contact with our company or products. It is available in eight languages and focuses on general compliance, corruption prevention and competition law. In 2017, 3,699 employees from our partner companies completed this training.
Ensuring data privacy and information security
We operate a data privacy management system as part of our Group Compliance organization. This system has been harmonized across the Group. Moreover, we also protect our information systems, their contents and our communication channels against criminal activities (eCrime, cyber attacks) of any kind, including unauthorized access, information leaks and misuse. To do so, we work with our Group Security unit to undertake a variety of technical, organizational and process-based measures based on recognized international standards. We have harmonized electronic and physical security measures (such as access control) to bolster our ability to handle sensitive data such as trade secrets. Group Internal Auditing verifies that we are implementing and complying with our data privacy policy and data security programs.
Our data privacy management system aligns with the PDCA principle (plan, do, check, act), which is intended to ensure that data privacy policies and tools (plan), data privacy training (do), inspections and assessments (check), and an incident and issue management process (act) are all in place.
To support local Data Privacy Officers at our sites, we have introduced standardized data privacy consulting services that can be requested by data controllers and processors as needed. We have also implemented a central IT tool to provide a single source for data privacy processes, e.g. answering data privacy questions and reporting potential data privacy incidents.
EFPIA Transparency Initiative
Since 2016, members of the Transparency Initiative of the European Federation of Pharmaceutical Industries and Associations (EFPIA) have been required to publish all contributions to medical professionals and organizations in the health sector, along with the names and addresses of individual recipients. Beyond this initiative, several countries have introduced legislation to further increase transparency in the pharmaceutical industry. We comply with these requirements and additional standards governing interactions in the healthcare industry and have been including them in our EFPIA reporting since 2016.
Alliance for Integrity
We are a member of the Alliance for Integrity Steering Committee. Established by the German Society for International Cooperation (GIZ), the German Global Compact Network (DGCN) and the Federation of German Industries (BDI), this initiative aims to achieve a corruption-free business world in developing and emerging countries. Its activities are concentrated in Argentina, Brazil, Ghana, India, and Indonesia. The Steering Committee leads the decision-making process for developing measures in these countries, while local advisory groups oversee implementation at the country level. Our local Compliance organizations also collaborate with these groups and provide training that is offered to small and medium-sized companies. We furthermore support anti-corruption conferences such as the World Conference hosted by the German Chamber of Commerce, which will be held in February 2018 in Frankfurt. Beyond these efforts, we continuously assist the Alliance for Integrity through business-to-business workshops and training courses, and by sharing best practices on how to develop and implement effective corruption prevention systems.
Engaging stakeholders
In 2017 as well, we engaged stakeholders in a dialogue primarily through our memberships in various associations. Amongst other organizations, we are members of the German Chemical Industry Association e.V. (VCI), the German Institute for Compliance (DICO), the European Federation of Pharmaceutical Industries and Associations (EFPIA), the German Association of Voluntary Self-Regulation for the Pharmaceutical Industry (FSA), the International Federation of Pharmaceutical Manufacturers and Associations (IFPMA), the Alliance for Integrity, and the German Association for Supply Chain Management, Procurement and Logistics e.V. (BME).