The Management Board of METRO AG is committed to responsible corporate conduct; therefore, we consider it important to comply with regulations and laws and to conduct ourselves with integrity and ethics at all times. For example, this applies to our tax strategy. METRO sees corporate responsibility and integrity as a key element of a sustainable business model.
With regard to our customers, this commitment is primarily reflected in the sensitive handling of customer data in accordance with our claim to protect personal data as well as in responsible marketing. Our self-image is characterised by compliance with product labelling regulations as well as by transparent, clear, honest and correct information about our products. It allows us to reinforce our customers’ trust in our company. We want to help customers make informed purchasing decisions. Through customer surveys, we also include their needs in our marketing topics and thus contribute to transparent communication. We maintain a close dialogue with our brand suppliers as well as advertising and media agencies with regard to ethical conduct in terms of brand protection. This way, we can ensure that our suppliers and thus our brand do not appear in an ethically critical context. Furthermore, our business partners and consultants are committed to brand protection due to contractual agreements.
The lawful and careful handling of intellectual property is also a substantial part of our business ethics. The intellectual property protection strategy comprises a bundle of legal, organisational and technical measures. They ensure that METRO’s intellectual property and confidential information are protected and that existing property rights of third parties are not infringed.
The strategic cornerstone of responsible corporate action is the compliance management system, which is overseen by the Management Board of METRO AG as an indispensable element of good corporate governance. It provides a structure for permanent avoidance, detection and sanctioning of violations in the main risk areas and is part of the governance, risk and compliance system (GRC system) alongside the risk management system, the internal control system and Internal Audit. The group’s Governance, Risk and Compliance Committee (GRCC) is chaired by the Chief Financial Officer of METRO AG and regularly discusses methods and further developments of the GRC subsystems. The GRC Committee also reports to and strategically involves the Management Board of METRO AG at least every 6 months.
Compliance – including the fight against corruption and bribery as well as antitrust violations
METRO employs a group-wide compliance management system (CMS) to ensure compliance with laws and a self-imposed code of conduct, including key risks such as combating corruption and bribery as well as antitrust violations. The aim of the CMS is to systematically and permanently prevent, detect and sanction violations within the company and to take measures to achieve future compliance.
The METRO Business Principles are at the heart of our compliance initiatives and are firmly anchored throughout the group particularly by ongoing training measures. The CMS is based on the METRO Business Principles. Business Principle no. 2, for example, explicitly prohibits corruption and bribery in dealing with business partners and authorities. Business Principle no. 5 clarifies that the rules of fair competition must be respected. When setting up the CMS, METRO was guided by the basic elements of such a system described in the IDW PS 980 auditing standard (Principles for the Proper Performance of Reasonable Assurance Engagements Relating to Compliance Management Systems). It operationalises the 7 CMS elements on a risk basis applying a wealth of organisational, structural, procedural and individual measures for all major group companies.
The Management Board of METRO AG and the management of the METRO group companies demonstrate proper conduct. In addition to informal role model behaviour, frequent ‘tone from the top’ messages are standard in the organisations. New members of management committees and other executives undergo compliance onboarding at the beginning of their job. Indications of compliance incidents are investigated in a clearly defined and objective process. It involves all essential functions including compliance, legal, auditing and HR.
The defined goal of the CMS is additionally implemented in the organisation via human resources management tools. As part of the regular performance reviews, compliance aspects from the METRO Guiding Principles are included in the evaluation.
Generally, the CMS controls compliance risks on a risk basis. As part of regular risk audits, for example in the form of workshops in the respective units, the compliance risks are continuously checked for completeness and relevance. In addition, each relevant group unit is classified in 1 of 3 risk classes. External and internal indicators are used for this purpose, such as Transparency International’s indices, number of employees and compliance maturity in past periods.
A compliance programme with different intensities is defined for each risk class. It is based on the guidelines developed for each significant compliance risk and adopted by the Management Board. When it comes to combating corruption and bribery, these are guidelines for dealing with business partners, public officials and external consultants, including guidelines for a business partner assessment. With regard to avoiding antitrust violations, this is an antitrust guideline, which includes guidelines for conduct in the context of association activities and other encounters with competitors.
The CMS is implemented by the compliance organisation. For this purpose, a compliance officer has been appointed to each relevant METRO group company; this officer reports directly to the METRO AG Corporate Compliance department, which is part of Corporate Legal Affairs & Compliance. Corporate Compliance keeps the concept and content of the CMS at a risk-appropriate level and provides the concepts and tools for implementing each CMS element in the METRO companies. The disciplinary and technical leadership of the compliance officers takes place via institutionalised reporting dates as well as target agreements. The compliance officers regularly report directly to the local management in their units. Moreover, identified key compliance risks are addressed in the context of the other GRC subsystems and tracked in the systems there.
An IT-based whistle-blower system and separate report-processing offices in each relevant group company provide employees and external third parties with an opportunity to provide information (under the protection of anonymity, if preferred) on regulatory infringements within the company. All reported regulatory infringements, irrespective of whether the measures for ensuring compliance with these rules fall within the area of responsibility of the compliance organisation, are investigated and – where appropriate and necessary – sanctioned systematically by the CMS, which relies on the compliance incident handling system operated by the compliance organisation.
Compliance topics and measures are systematically communicated to the workforce through a variety of channels in the company in a targeted manner. A core tool is compulsory compliance training, which is either carried out in person or through e-training. In financial year 2021/22, compliance training was executed in all group companies. The selection of employee groups to be trained is risk-based. Practical content is taught in the training courses. A variety of other communication formats are used in addition to training, such as compliance talks, posters, flyers, intranet, department visits, function and leadership conferences as well as personnel development events.
The METRO companies collaborate with a large number of external business partners. Before entering into contractual relationships, a risk-based examination is performed to determine whether there are reasons from a compliance perspective not to engage that party. Certain groups of business partners, such as consultants with contact to public officials as part of the order fulfilment, require an in-depth audit that is appropriate for the risk. A digital tool for compliance auditing is available to all group companies for this purpose. The audit approach is risk-based and the audit can be carried out in various degrees of intensity, for example in the form of self-disclosure or by using external databases with relevant risk information.
Frequent KPI reporting ensures that the defined risk-based measures for implementing the CMS are properly carried out. Based on KPI reporting, a compliance maturity level is determined annually, which in turn is incorporated into risk classification and definition of measures. The efficacy of our internal compliance controls is regularly assessed by our Internal Audit unit. As part of METRO’s GRC approach, the Group Audit department evaluates the effectiveness of the group-wide CMS every year. This assessment is presented to the Management Board and the Supervisory Board as part of the regular reporting on compliance issues.
Overall, the mentioned control and monitoring measures demonstrate an appropriate level of compliance maturity.
Taxes
As an internationally operating company, METRO is subject to taxation in numerous countries. METRO is aware of the responsibility to make tax payments in all countries in accordance with regulatory obligations. This responsibility is reflected by the group tax guidelines adopted by the Management Board of METRO AG and processes based on them for compliance with the applicable laws and regulatory provisions as well as in cooperative and fair collaboration with the tax authorities. The guidelines are binding throughout the group. They explain and regulate the responsibility of the companies as part of METRO’s tax obligations.
METRO AG has implemented a tax compliance management system (TCMS) that has been certified to be adequate for sales tax in Germany and for sales tax abroad. Certification of the adequacy of the TCMS for payroll tax is planned for financial year 2022/23. An auditing company has already been engaged to perform the audit.
The TCMS is part of the GRC system of METRO AG.
Protection of personal data¹
The protection of personal data of customers, employees and business partners is a high priority for METRO. This is particularly true considering the fact that corporate processes are increasingly being digitalised, requiring data collection, processing and storage.
METRO always undertakes to comply with the respective data protection laws of the countries in which METRO is active. In addition, METRO has a group-wide privacy policy that contains uniform standards for the handling of personal data and is binding for all group companies. National laws also apply. For companies operating in Europe, this includes, in particular, provisions for dealing with the General Data Protection Regulation (GDPR).
METRO also has a group-wide data protection organisation, consisting of local data protection officers and data privacy managers responsible for corporate data protection. It facilitates the pursuit of overarching and national data protection and digitalisation developments in order to continue to meet the statutory data protection requirements across the group.
With the help of the structures created by the data protection organisation, METRO has set up a system for continuously and comprehensively monitoring compliance with data protection regulations within the group. The review covers internal requirements and provisions from laws and other legally binding provisions on data protection.
Due to the ongoing pandemic, there continued to be additional needs for processing personal data. These needs were based on the interest to protect customers and employees as well as to implement various legal requirements. During implementation, the applicable data protection requirements were taken into account and special care was taken to collect only absolutely necessary data, especially with regard to health data (for example vaccination status/infection status).
¹ METRO fell victim to a cyberattack in October 2022, which led to a partial breakdown of the IT systems. Detailed explanations of the circumstances are included in the combined management report under Events after the reporting period.