Combating corruption and bribery
The Management Board of METRO AG is committed to complying with applicable laws, rules and regulations. METRO employs a group-wide compliance management system (CMS) to ensure compliance with laws and a self-imposed code of conduct, including key risks such as combating corruption and bribery. The aim of the CMS is to systematically and permanently prevent, detect and sanction violations within the company and to take measures to achieve future compliance.
The METRO Business Principles are at the heart of our compliance initiatives and are firmly anchored throughout the group, particularly by ongoing training measures. The CMS is based on the METRO Business Principles. Business Principle no. 2, for example, explicitly prohibits corruption and bribery in dealing with business partners and authorities. When setting up the CMS, METRO was guided by the basic elements of such a system described in the IDW PS 980 auditing standard (principles for the proper performance of reasonable assurance engagements relating to compliance management systems). It operationalises the 7 CMS elements on a risk basis, applying a wealth of organisational, structural, procedural and individual measures for all major group companies.
The Management Board of METRO AG and the management of the relevant METRO group companies demonstrate proper conduct. In addition to informal role model behaviour, frequent ‘tone from the top’ messages are foreseen in the organisations. New members of management committees and other executives undergo compliance onboarding at the beginning of their job. Indications of compliance incidents are investigated in a clearly defined and objective process. It involves all relevant functions including compliance, legal, auditing and HR.
The defined goal of the CMS is additionally implemented in the organisation via human resources management tools. As part of the regular performance reviews, compliance aspects from the METRO Guiding Principles are included in the evaluation.
Generally, the control of compliance risks in the CMS is risk-based. As part of regular risk audits, for example in the form of workshops with relevant stakeholders in the respective units, the compliance risks are continuously checked for completeness and relevance. In addition, each relevant group unit is classified in 1 of 3 risk classes. External and internal indicators are used for this purpose, such as Transparency International’s indices, employee turnover rates and compliance maturity in past periods.
A compliance programme with different intensities is defined for each risk class. It is based on the guidelines developed for each significant compliance risk and adopted by the Management Board. When it comes to combating corruption and bribery, this is one guideline for dealing with business partners, including guidelines for a business partner assessment, and dealing with public officials.
The CMS is implemented by the compliance organisation. A compliance officer has been appointed to each relevant METRO group company for this purpose, who reports directly to the METRO AG Corporate Compliance department as part of Corporate Legal Affairs & Compliance. Corporate Compliance keeps the concept and content of the CMS at a risk-appropriate level and provides the concepts and tools for implementing each CMS element in the METRO group companies. The disciplinary and technical leadership of the compliance officers takes place via institutionalised reporting dates as well as target agreements. The compliance officers regularly report directly to the local management in their units. Moreover, identified key compliance risks are addressed in the context of the other GRC subsystems and integrated into the systems there.
An IT-based whistle-blower system provides employees and external third parties with an opportunity to provide information (under the protection of anonymity, if preferred) on regulatory infringements within the company. All reported regulatory infringements, irrespective of whether the measures for ensuring compliance with these rules fall within the area of responsibility of the compliance organisation, are investigated and – where appropriate and necessary – sanctioned systematically by the CMS, which relies on the compliance incident handling system operated by the compliance organisation.
Compliance topics and measures are systematically communicated to the workforce through a variety of channels in the company in a targeted manner. A core tool is compulsory compliance training, which is either carried out in person or through e-training. In financial year 2019/20, compliance training was executed in all relevant METRO group companies. The selection of relevant employee groups is risk-based. Practical content is taught in the training courses. A variety of other communication formats are used in addition to training, such as compliance talks, posters, flyers, intranet, department visits, function and leadership conferences as well as personnel development events.
The METRO companies collaborate with a large number of external business partners. Before entering into specific contractual relationships, a risk-based examination is performed to determine whether there are reasons from a compliance perspective not to engage a third party. Certain groups of business partners, such as consultants with contact to public officials as part of the order fulfilment, require an in-depth audit that is appropriate for the risk. To this end, the existing process has been digitalised. The group-wide roll-out of the digital tool for compliance verification of business partners, which began in the last financial year, is almost complete. The goal is to have it fully operational for relevant METRO group companies in the coming financial year. The audit approach is risk-based in various degrees of intensity, for example in the form of self-disclosure, but also by examining external databases with relevant risk information.
Proper implementation of the defined risk-based CMS measures is ensured through frequent KPI reporting for each relevant METRO group company. Through KPI reporting, a compliance maturity level is determined annually, which in turn is incorporated into risk classification and definition of measures. The efficacy of our internal compliance controls is regularly assessed by our Internal Audit unit. As part of METRO’s GRC approach, the Group Audit department evaluates the effectiveness of the group-wide CMS every year. This assessment is presented to the Management Board and the Supervisory Board as part of the regular reporting on compliance issues.
Overall, the mentioned control and monitoring measures demonstrate an appropriate level of compliance maturity.