Combating corruption and bribery
The Management Board of METRO AG is committed to complying with applicable laws, rules and regulations. METRO employs a group-wide compliance management system (CMS) to ensure compliance with laws and a self-imposed code of conduct, including key risks such as combating corruption and bribery and the prevention of antitrust law violations. The aim of the CMS is to systematically and sustainably prevent, detect and sanction regulatory infringements within the company.
The METRO Business Principles are at the heart of our compliance initiatives and are firmly anchored throughout the group, particularly by ongoing training measures. The CMS is based on the METRO Business Principles. Business Principle no. 2, for example, explicitly prohibits corruption and bribery in dealing with business partners and authorities. To set up the CMS, METRO was guided by the basic elements of such a system described in the IDW PS 980 audit standard. It operationalises the 7 CMS elements on a risk basis, applying a wealth of organisational, structural, procedural and individual measures for all major group companies.
The Management Board of METRO AG and the General Management of the relevant METRO group companies demonstrate proper conduct and lead by example. In addition to informal role model behaviour, frequent ‘tone from the top’ messages are foreseen in the organisations. New members of management committees and other executives undergo compliance onboarding at the beginning of their job. Indications of compliance incidents are investigated in a clearly defined and objective process involving all relevant functions including compliance, legal, auditing and HR.
The defined goal of the CMS is additionally implemented in the organisation via human resources management tools. As part of the regular performance reviews, compliance aspects are included in the evaluation as part of the METRO Guiding Principles.
Generally, the control of compliance risks within the CMS is risk-based. As part of regular risk audits, for example in the form of workshops with relevant stakeholders in the respective units, the compliance risks are continuously checked for completeness and relevance. In addition, each relevant group unit is classified into 1 of 3 risk classes. External and internal indicators are used for this purpose, such as Transparency International’s indices, employee turnover rates and compliance maturity in past periods.
A compliance programme with different intensities is defined for each risk class. It is based on the guidelines developed for each significant compliance risk and adopted by the Management Board. When it comes to combating corruption and bribery, this is one guideline for dealing with business partners, including a business partner assessment, and dealing with public officials.
The CMS is implemented by the compliance organisation. A compliance officer has been appointed to each relevant METRO group company for this purpose, who reports directly to the METRO AG Corporate Compliance department as part of Corporate Legal Affairs & Compliance. The overall responsibility lies with the Chief Compliance Officer of METRO AG, who reports directly to the Chairman of the Management Board of METRO AG. The compliance organisation is centrally managed by Corporate Compliance. Corporate Compliance keeps the CMS conceptually on a risk-appropriate level and provides the concepts and tools for implementing each CMS element in the METRO group companies. The disciplinary and technical leadership of the compliance officers takes place via institutionalised reporting dates as well as target agreements. The compliance officers regularly report directly to the local management in their units. Moreover, identified key compliance risks are recognised within the GRC subsystems Internal Control Operations and Internal Control Finance and integrated into the systems there.
An IT-based whistle-blower system provides employees and external third parties with an opportunity to provide information (under the protection of anonymity, if preferred) on regulatory infringements within the company. All reported regulatory infringements, irrespective of whether the measures for ensuring compliance with these rules fall within the area of responsibility of the compliance organisation, are investigated and sanctioned systematically by the compliance management system, which relies on the compliance incident handling system operated by the compliance organisation. The respective departments are responsible for regulatory compliance measures that fall outside of the area of responsibility of the compliance organisation, with the exception of compliance incident handling.
Compliance topics and measures are systematically communicated to the workforce through a variety of channels in the company in a targeted manner. A core tool is compulsory compliance training, which is either carried out in person or through e-training. In financial year 2018/19, compliance training was executed in all relevant METRO group companies. The selection of relevant employee groups is risk-based with practical training content. A variety of other communication formats are used in addition to training, such as compliance talks, posters, flyers, intranet, department visits, function and leadership conferences as well as personnel development events.
The METRO companies cooperate with a large number of third-party business partners. Before entering into specific contractual relationships, a risk-based examination is performed to determine whether there are reasons from a compliance perspective not to engage a third party. Certain groups of business partners, such as consultants with contact to public officials as part of the order fulfilment, require an in-depth audit that is appropriate for the risk. To this end, the existing process has been digitalised and an IT tool is currently being rolled out throughout the group for auditing purposes. The audit approach is risk-based in various degrees of intensity, for example in the form of self-disclosure, but also by examining external databases with relevant risk information.
Proper implementation of the defined risk-based measures for the implementation of the CMS is ensured through frequent KPI reporting for each relevant METRO group company. Through KPI reporting, a compliance maturity level is determined annually, which in turn is incorporated into risk classification and definition of measures. The efficacy of our internal compliance controls is regularly assessed by our Internal Audit unit. As part of METRO’s GRC approach, the Group Audit department evaluates the effectiveness of the group-wide CMS every year. This assessment is presented to the Management Board and the Supervisory Board as part of the regular reporting on compliance issues. Besides internal reviews and audits, the need for further development of the compliance management system is ascertained from the results of regular employee surveys.
Overall, the mentioned control and monitoring measures demonstrate an appropriate level of compliance maturity.