The Management Board of METRO AG sets high standards for itself and its employees with regard to integrity and ethical behaviour, as well as compliance with regulations and laws, in order to build a relationship of trust with customers, shareholders, business partners and the public through responsible corporate conduct. The strategic cornerstone of responsible corporate action is the compliance management system, which the Management Board of METRO AG oversees as an indispensable element of good corporate governance. It provides a structure for the permanent prevention, detection and sanctioning of violations in the main risk areas and forms part of the governance, risk and compliance system (GRC system) alongside the risk management system, the internal control system and Internal Audit. The group’s Governance, Risk and Compliance Committee (GRCC) is chaired by the Chief Financial Officer of METRO AG and regularly discusses the methods and further development of the GRC subsystems. The GRCC also reports to the Management Board of METRO AG at least every 6 months and involves it in strategic decisions.
Compliance – including the fight against corruption and bribery as well as antitrust violations
METRO operates a group-wide compliance management system (CMS) to ensure compliance with laws and with its self-imposed code of conduct, covering key risk areas such as corruption and bribery as well as antitrust violations. The aim of the CMS is to systematically and permanently prevent, detect and sanction violations within the company and to take measures that secure compliance in future.
The METRO Business Principles are at the heart of our compliance initiatives and are firmly anchored throughout the group, particularly by ongoing training measures. The CMS is based on the METRO Business Principles. Business Principle no. 2, for example, explicitly prohibits corruption and bribery in dealings with business partners and authorities. Business Principle no. 5 makes clear that the rules of fair competition must be respected. When setting up the CMS, METRO followed the basic elements of such a system described in the IDW AuS 980 auditing standard (Principles for the Proper Performance of Reasonable Assurance Engagements Relating to Compliance Management Systems). The 7 CMS elements of that standard are operationalised on a risk basis through a wealth of organisational, structural, procedural and individual measures in all major group companies.
The Management Board of METRO AG and the management of the METRO group companies lead by example in matters of proper conduct. In addition to informal role model behaviour, frequent ‘tone from the top’ messages are standard practice in the organisation. New members of management committees and other executives undergo compliance onboarding when they take up their role. Indications of compliance incidents are investigated in a clearly defined and objective process that involves all essential functions, including compliance, legal, audit and HR.
The defined goal of the CMS is additionally implemented in the organisation via human resources management tools. As part of the regular performance reviews, compliance aspects are included in the evaluation.
The control of compliance risks within the CMS is generally risk-based. As part of regular risk audits in the respective units, which follow a standardised audit process, the compliance risks are continuously checked for completeness and relevance. In addition, each relevant group unit is classified in 1 of 3 risk classes. External and internal indicators are used for this purpose, such as Transparency International’s indices, the number of employees and the compliance maturity level achieved in past periods.
A compliance programme with different intensities is defined for each risk class. It is based on the guidelines developed for each significant compliance risk and adopted by the Management Board. When it comes to combating corruption and bribery, these are guidelines for dealing with business partners, public officials and external consultants, including guidelines for a business partner assessment. With regard to avoiding antitrust violations, this is an antitrust guideline, which includes guidelines for conduct in the context of association activities and other encounters with competitors.
The CMS is implemented by the compliance organisation. For this purpose, a compliance officer has been appointed in each relevant METRO group company, who reports directly to the METRO AG Corporate Compliance department, part of Corporate Legal Affairs & Compliance. Corporate Compliance keeps the concept and content of the CMS at a risk-appropriate level and provides the METRO companies with the concepts and tools for implementing each CMS element. The compliance officers are led, in both disciplinary and technical terms, through institutionalised reporting dates and target agreements. They regularly report directly to the management of their units. Moreover, identified key compliance risks are addressed in the context of the other GRC subsystems and tracked in the systems used there.
An IT-based whistle-blower system and separate report-processing offices in each relevant group company give employees and external third parties the opportunity to report (anonymously, if preferred) suspected or actual misconduct and risks in the business of METRO and its direct and indirect suppliers. All reported infringements of rules are investigated systematically and, where appropriate and necessary, sanctioned, irrespective of whether responsibility for the measures that ensure compliance with those rules lies with the compliance organisation. The CMS relies for this on the compliance incident handling system operated by the compliance organisation.
Compliance topics and measures are systematically communicated to the workforce in a targeted manner through a variety of channels in the company. A core tool is compulsory compliance training, which is carried out either in person or as e-training. In financial year 2022/23, compliance training was carried out in all group companies. The selection of employee groups to be trained is risk-based, and the training courses teach practical content. A variety of other communication formats are used in addition to training, such as compliance talks, posters, flyers, the intranet, department visits, function and leadership conferences as well as personnel development events.
The METRO companies work with a large number of external business partners. Before a contractual relationship is entered into, a risk-based examination determines whether there are compliance reasons not to engage that party. Certain groups of business partners, such as consultants who have contact with public officials in the course of fulfilling the engagement, require an in-depth review commensurate with the risk. A digital tool for compliance checks is available to all group companies for this purpose. The approach is risk-based, and the check can be carried out at various levels of intensity, for example in the form of a self-disclosure by the partner or by querying external databases containing relevant risk information.
Proper implementation of the defined risk-based measures of the CMS is ensured through regular KPI reporting. Based on this KPI reporting, a compliance maturity level is determined annually, which in turn feeds into the risk classification and the definition of measures. The effectiveness of the internal compliance controls is assessed regularly by Internal Audit; as part of METRO’s GRC approach, the Group Audit department evaluates the effectiveness of the group-wide CMS every year. This assessment is presented to the Management Board and the Supervisory Board as part of the regular reporting on compliance issues.
Overall, METRO has implemented far-reaching processes and measures that are meant to ensure an appropriate level of compliance maturity.
Protection of personal data¹
The protection of personal data of customers, employees and business partners is a high priority for METRO. This is particularly true considering the fact that corporate processes are increasingly being digitalised, requiring data collection, processing and storage.
METRO undertakes to comply at all times with the data protection laws of the countries in which it is active. In addition, METRO has a group-wide data protection organisation with defined responsibilities, as well as a privacy policy that contains uniform standards for the handling of personal data and is binding for all group companies. National laws apply alongside it; for companies operating in Europe, these include in particular the provisions of the General Data Protection Regulation (GDPR). This set-up is intended to ensure the continuous and comprehensive monitoring of compliance with data protection regulations within the group. In the financial year, the follow-up measures required under data protection law in response to the cyberattack of October 2022, such as informing the affected parties, were initiated. In addition, the internal process for reviewing the group companies’ compliance with data protection regulations was developed further.
¹ METRO fell victim to a cyberattack in October 2022, which led to a partial outage of its IT systems. Detailed explanations of the circumstances are included in the combined management report (including chapter 1 principles of the group).