Combating corruption and bribery
The METRO AG Management Board is committed to complying with applicable laws, rules and regulations. METRO employs a group-wide compliance management system (CMS) to ensure compliance with laws and a self-imposed Code of Conduct, including key risks such as the fight against corruption and bribery and the prevention of antitrust law violations. The aim of the CMS is to systematically and sustainably prevent, detect and sanction regulatory infringements within the company.
The METRO Business Principles are at the heart of our compliance initiatives and are firmly anchored throughout the group by ongoing training measures. The CMS is based on the METRO Business Principles. Business Principle number 2, for example, explicitly prohibits corruption and bribery in dealing with business partners and authorities. The METRO CMS is based on the auditing standard IDW PS 980. It operationalises the 7 CMS elements on a risk basis applying a wealth of organisational, structural, procedural and individual measures for all major group companies.
The METRO AG Management Board and the General Management of the relevant METRO group companies demonstrate proper conduct and lead by example. In addition to informal role model behaviour, frequent ‘tone from the top’ messages are foreseen in the organisations. New members of management committees and other executives undergo compliance onboarding at the beginning of their job. Indications of compliance incidents are investigated in a clearly defined and objective process involving all relevant functions including compliance, legal, auditing and HR.
The defined goal of the CMS is additionally implemented in the organisation via human resources management tools. As part of the regular performance reviews, compliance aspects are included in the evaluation as part of the METRO Guiding Principles.
Generally, the control of compliance risks within the CMS is risk-based. As part of regular risk audits, for example in the form of workshops with relevant stakeholders in the respective units, the compliance risks are continuously checked for completeness and relevance. In addition, each relevant group unit is classified in one of 3 risk classes. External and internal indicators are used for this purpose, such as Transparency International’s indices, employee turnover rates and compliance maturity in past periods.
A compliance programme with different intensities is defined for each risk class. It is based on the guidelines developed for each significant compliance risk and adopted by the Management Board. When it comes to combating corruption and bribery, there are 2 guidelines for dealing with business partners, including a business partner assessment and dealing with public officials.
The CMS is implemented by the compliance organisation. A compliance officer has been appointed to each relevant METRO group company for this purpose, who reports directly to the METRO AG Corporate Compliance department as part of Corporate Legal Affairs & Compliance. The overall responsibility lies with the Chief Compliance Officer of METRO AG, who reports directly to the Chairman of the Management Board of METRO AG. The compliance organisation is centrally managed by Corporate Compliance. Corporate Compliance keeps the CMS conceptually on a risk-appropriate level and provides the concepts and tools for implementation in the METRO group companies of each CMS element. The disciplinary and technical leadership of the compliance officers takes place via institutionalised reporting dates as well as target agreements. The compliance officers regularly report directly to the local management in their units. Moreover, identified key compliance risks are recognised within the GRC subsystems Internal Controls Operations and Internal Controls Finance and integrated into the systems there.
An IT-based whistle-blower system provides employees and external third parties with an opportunity to provide information (under the protection of anonymity, if preferred) on regulatory infringements within the company. All reported regulatory infringements, irrespective of whether the measures for ensuring compliance with these rules fall within the area of responsibility of the compliance organisation, are investigated and sanctioned systematically by the compliance management system, which relies on the compliance incident handling system operated by the compliance organisation. The responsibility for regulatory compliance measures that fall outside of the area of responsibility of the compliance organisation, with the exception of compliance incident handling, lies with the respective departments.
Compliance topics and measures are systematically communicated to the workforce through a variety of channels in the company in a targeted manner. A core tool is compulsory compliance training, which is either carried out in person or through e-training. In the most recent financial year, compliance training was executed in all relevant METRO group companies. The selection of relevant employee groups is risk-based with practical training content. A variety of other communication formats are used in addition to training, such as compliance talks, posters, flyers, intranets, department visits, function and leadership conferences, personnel development events and similar.
Proper implementation of the defined risk-based measures for the implementation of the CMS is ensured through frequent KPI reporting for each relevant METRO group company. Through KPI reporting, a compliance maturity level is determined annually, which in turn is incorporated into risk classification and definition of measures. The efficacy of our internal compliance controls is regularly assessed by our internal audit unit. As part of METRO’s GRC approach, the Group Audit department evaluates the effectiveness of the group-wide CMS every year. This assessment is presented to the Management Board and the Supervisory Board as part of the regular reporting on compliance issues. Besides internal reviews and audits, the need for further development of the compliance management system is ascertained from the results of regular employee surveys.
Overall, the mentioned control and monitoring measures demonstrate an appropriate level of compliance maturity.