Corporate governance

Role model for responsible corporate governance

We intend to serve both as a role model for responsible corporate governance in our sector and as a trustworthy company. Ensuring our interactions with business partners, employees, the capital market and the general public are conducted with integrity and within the bounds of the law is vital to maintaining our reputation and is the basis for sustainable business success. We take steps to guarantee an honest and transparent business practice in compliance with the law by focusing on training managers in compliance-relevant content, building cybersecurity skills, shaping sustainable and stable relationships with business partners and fully integrating ESG metrics into management processes and incentive systems.

The rules for ethical conduct included in our Code of Conduct are further specified in our Human Rights Policy Statement as well as our Anti-Corruption and Business Ethics Standards Policy. Our focus at all times is on preventing potential violations of statutory requirements and internal guidelines.

Corporate Internal Audit evaluates the effectiveness of our risk management system, control mechanisms, management and monitoring processes and compliance with Group policies, contributing to their improvement. It does this by performing independent regular and ad hoc audits at all Group companies and at corporate headquarters with the authority of the Board of Management. The audit teams discuss the audit findings and agree on measures for improvement with the audited organizational units and their management. The Board of Management is regularly informed of the findings. The Supervisory Board is provided with a summary once a year.

CORPORATE GOVERNANCE
| Material topic | Performance indicators¹, further measures | Unit | 2022 | 2023 | Target 2024 |
|---|---|---|---|---|---|
| Cybersecurity | External rating¹ ² ³ | Points | 700 | 750 | At least 690 |
| Compliance | Share of valid compliance training certificates¹ ² ⁴ | % | 98.1 | 98.6 | 98 |
| Respecting human rights | Internal audits by Corporate Internal Audit | Number | 33 | 53 | |
| In the workforce | Carry out on-site reviews | Countries | 10 | 10 | |
| | Share of valid training certificates in middle and upper management | % | 98.4 | 99.5 | |
| Implement standards in the supply chain | Supplier spend covered by an accepted Supplier Code of Conduct | € billion | >27 | >35 | |
| | Potential high-risk suppliers assessed | Number | >2,700 | >4,000 | |

¹ Performance indicators are steering-relevant and are assigned target values (pursuant to Sections 289b to 289e and 315b 315c in conjunction with 289c to 289e HGB).
² Steering-relevant in the fiscal year.
³ Remuneration-relevant.
⁴ Middle and upper management.

Trusted business partner thanks to compliance culture

We render all of our services in compliance with current legislation as well as our corporate values as defined in our Group policies. One important aspect of compliance is the legal requirements relating to preventing corruption and bribery. We observe all applicable international anti-corruption standards and statutes and are a member of the Partnering Against Corruption initiative of the World Economic Forum.

Ensuring legally compliant conduct in our business activities and in our interactions with employees is an essential task of all Group management bodies. Our compliance management system (CMS) has been implemented Group-wide. Responsibility for designing the CMS lies with the Chief Compliance Officer, who reports directly to the CFO. This establishes uniform minimum standards to ensure compliance with applicable law, for example anti-corruption legislation, and relevant internal guidelines such as the Anti-Corruption and Business Ethics Policy (Anti-Corruption Policy). The divisional compliance officers are tasked with the implementation of the CMS within the divisions.

With our Code of Conduct and Anti-Corruption Policy, along with training on these topics, we provide clear guidance and help employees identify situations in which the integrity of the company could be called into question.

Participation of executives in middle and upper management, as well as of employees in certain functions, in various types of relevant compliance training is mandatory. In this way, we raise our employees’ awareness for potential compliance risks and enable them to mitigate such risks in an appropriate manner. The compliance training courses comprise our Core Compliance Curriculum (anti-corruption, competition compliance, Code of Conduct) and training on data protection. All employees in the target group are required to repeat the training courses every two years. We use the share of valid training certificates among executives in middle and upper management as a steering-relevant KPI.

Potential violations can be reported 24/7 – if legally permitted, anonymously – via our compliance incident reporting system (whistleblower hotline). In addition, potential violations can also be reported by telephone. Third parties can also use the system to report potential violations. Reports are reviewed and investigated internally for potential violations as part of a standardized process. Key figures on compliance notifications and issues are recorded throughout the Group via the compliance reporting tool (BKMS Dashboard). Information on relevant violations is collected and included in the regular compliance reports made to the Board of Management and to the Supervisory Board’s Finance and Audit Committee.

The importance and value that compliance has for the Group was once again emphasized for employees by means of a campaign – Compliance Awareness Week – which was rounded out by measures tailored to the specific divisions and regions. The campaign was accompanied by statements from the Board of Management members (“tone from the top”) and supported by panel discussions with managers. To strengthen the internal dialogue, our workforce was made aware of and informed about compliance aspects on an ongoing basis by means of further communication measures and via the compliance channels.

The compliance training certification rate was 98.6% in middle and upper management in the year under review (previous year: 98.1%), meaning we exceeded our target of 98% in the year under review. In the context of its 219 audits, Corporate Internal Audit also reviewed compliance management system processes and the implementation of agreed-upon follow-up measures. Findings from the regular audits facilitate the identification of other compliance risks and the refinement of the compliance program.

Respecting human rights

Our commitment to respect for human rights includes adherence to the principles of the UN Global Compact and the International Labor Organization (ILO), which we have embedded in our Code of Conduct and outlined in greater detail in our Human Rights Policy Statement. These stipulate clear responsibilities and requirements for our employees and managers as well as our suppliers and subcontractors and contribute to the general understanding and implementation of the principles of the UN Global Compact.

Our human rights activities focus on the prevention of child and forced labor, decent working conditions (working hours, occupational health and safety, remuneration), equal opportunities, data protection and the right to freedom of association. With the Supplier Code of Conduct, we obligate suppliers and subcontractors to comply with our ethical, social and environmental principles and implement them in their own supply chains.

With our measures for respecting human rights in the workforce and in the supply chain, we are in compliance with the requirements of the Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG). Implementation of the measures is monitored by the LkSG Council. The board is made up of executives in upper management from the Group functions Human Resources, Corporate Development, Corporate Public Affairs, Legal Services and Global Compliance, Corporate Procurement and Corporate Internal Audit.

As part of its audits, Corporate Internal Audit also conducted reviews relating to respect for human rights and verified that the agreed-upon follow-up measures had been implemented. In the reporting year, 53 such reviews took place.

Human rights in the workforce

With our internal management system, we ensure that our Human Rights Policy Statement is implemented among our workforce. In addition, it ensures that we adhere to due diligence requirements. Our management system is comprised of annual as well as ad hoc assessments of human rights risks, measures to raise awareness among employees and managers, annual reporting on Group-wide fulfillment of due diligence requirements and the professional compliance incident reporting system.

We carry out both an abstract and a concrete risk analysis to determine human rights risks. First, the risk is analyzed using external data (Verisk Maplecroft). Then, it is substantiated by evaluating questionnaires completed by our country organizations on the basis of their specific risk profile.

Targeted on-site reviews are carried out based on the risk assessments. These reviews are conducted by specially trained and externally SMETA-certified (Sedex Members Ethical Trade Audit) professionals from our divisions and corporate headquarters. The countries are selected based on the results of weighting and prioritization of the identified risks, including – among other factors – the findings from the questionnaires, the number of employees, the assessments of relevant Group committees and responsible experts and recommendations from international trade union confederations. If there are violations identified at locations, these are then immediately addressed as part of a structured action plan. In the year under review, on-site reviews under the leadership of the HR department were carried out at more than 30 subsidiaries in ten countries, including in Asia, Latin America, Africa and Europe.

We encourage our employees to participate in the training courses for raising awareness for respect for human rights. Participation is mandatory, however, for executives in middle and upper management; the certification rate was 99.5% in the reporting period (previous year: 98.4%).

Standards in the supply chain

Corporate Procurement selects suppliers that meet our ethical, social and environmental standards. This selection process is based on a standardized assessment process that also takes aspects such as diversity and respect for human rights into account, as well as external criteria such as those from Transparency International (Corruption Perceptions Index) and Verisk Maplecroft. In the year under review, the supplier assessment was supplemented with additional internal measures and expanded with external audits (including in accordance with the SMETA method). In the event of findings, remedial measures are discussed and plans for corrective measures are agreed upon.

Procurement employees are regularly trained to identify potential supplier-related risks early on. We convey our expectations to our suppliers and subcontractors via our Supplier Portal and introduce our selection processes. Suppliers can also use our portal to familiarize themselves with our Supplier Code of Conduct, which we make available in numerous languages along with the corresponding training module. From there, they can also access our professional compliance whistleblower system that they can use to report potential violations of the Code or statutory provisions as well as cybersecurity incidents.

In the year under review, we continued developing the Group-wide risk management system for supplier assessments. We calculate the potential for risk of suppliers at the level of purchase categories (material groups). The risk assessment is influenced by 46 types of risk within eight risk domains (ESG, economic, technical, legal and political risks, as well as cybersecurity) that are evaluated for each individual purchasing category. The ultimate classification of the risk potential is based on the evaluation of the probability and the possible impact. More than 4,000 potential high-risk suppliers were assessed in the year under review (previous year: >2,700).

We use supplier spend covered by an accepted Supplier Code of Conduct to measure the successful implementation of our standards in the supply chain. We record progress regarding the key figure via the central financial systems, report to management on a monthly basis and discuss developments with the CEO and the CFO. In the year under review, supplier spend covered by an accepted Supplier Code of Conduct rose to more than €35 billion (previous year: >€27 billion).

Cybersecurity

Our cybersecurity management activities protect the information of the Group, our business partners and our employees as well as IT systems from unauthorized access or manipulation and data misuse. In addition, this ensures uninterrupted availability and enables reliable operations. Our internal guidelines and processes are based on ISO 27002 and our data centers are certified in accordance with ISO 27001.

Since January 1, 2024, the Group Chief Information Security Officer (Group CISO) has reported directly to the CEO (previous year: Corporate Board Member for Global Business Services). The IT Board determines the cybersecurity strategy and defines and manages Group-wide measures for cybersecurity, for protecting systems and data and for digitalization processes. The Information Security Committee is made up of the central functions of Group CISO, IT Audit, Human Resources, Legal Services, Data Protection and Corporate Security, as well as the divisional CISOs. The committee assesses potential threats on an ongoing basis, evaluates the potential of new risks and monitors compliance with our security standards.

We limit access to our systems and data such that employees can only access the data they need to perform their duties. All systems and data are backed up on a regular basis, and critical data are replicated across data centers. Additionally, by performing continuous software updates, we can fix potential security vulnerabilities and protect system functionality.

A variety of communication measures and training sessions help our workforce become more aware of possible cybersecurity risks. All employees and managers with a corporate email address are continuously made aware of risks via phishing simulations. We also draw attention to current risks using IT crisis simulations. Participation in Information Security Awareness training is mandatory for all employees with a computer workstation. All participants who have already completed their training must update their certification every two years.

Our cybersecurity undergoes independent assessment by the external rating agency BitSight. This rating is based on the technical analysis of any weak points and brings potential security risks to the attention of the rated company; this is carried out by an automated service on a daily basis. Unlike with a self-assessment, a cybersecurity rating offers greater transparency and enables comparison with other companies thanks to standardization. We compare our performance with DAX 40 companies as well as with major customers and logistics companies that are not covered by the DAX 40. The target amount is determined by the aspiration to be within the upper quarter of this comparison group.

The cybersecurity rating has been remuneration-relevant since this reporting period. This performance indicator makes up 10% of the annual bonus calculation for the Board of Management. As announced, the rating scale for the cybersecurity rating in the year under review has changed due to adjustments to the method of the rating agency. In line with the change, we adjusted our target for the 2023 fiscal year from 710 to 690 points. The rating amounted to 750 of 820 achievable points as of the end of the year under review (previous year: 700 points). The target for the year under review was thus exceeded.

Tax strategy as a standard adhered to worldwide

Our tax strategy is aligned with our Group strategy and must be adhered to throughout the Group. The overarching approach applied by the Group is that taxes are always incidental to and follow business needs.

We do not undertake aggressive tax planning or enter into artificial arrangements with the goal of avoiding taxes. Our Group maintains locations in more than 220 countries and territories, including some with lower tax rates than those in Germany. These locations are necessary for carrying out our operational business in those regions. None of our companies was established with the purpose of obtaining tax benefits or is currently used to pursue aggressive tax structuring.

In interpreting and applying tax legislation, we follow the letter of the law; in case of ambiguity, we follow the law’s spirit and intended purpose. As a globally active group of companies, our activities necessarily include operations in countries where uncertainty is high. In order to mitigate this uncertainty and obtain the greatest possible degree of legal certainty, we are in continual dialogue with tax authorities and tax advisers. This allows us to meet tax compliance requirements in the countries in which we operate. Our Group risk management system incorporates a tax risk management framework that enables us to monitor tax risks and respective countermeasures.

In the year under review, we recognized taxes and social security contributions totaling €5,274 million.

TAXES AND SOCIAL SECURITY CONTRIBUTIONS
| € m | 2022 | 2023 | +/–% |
|---|---|---|---|
| Total | 5,354 | 5,274 | –1.5 |
| Income taxes paid¹ | 1,782 | 1,625 | –8.8 |
| Other business taxes¹ | 380 | 363 | –4.5 |
| of which taxes on capital, real estate and vehicles | 150 | 171 | 14.0 |
| of which other operating taxes | 230 | 192 | –16.5 |
| Employer’s social security contributions¹ | 3,192 | 3,286 | 2.9 |

¹ Notes to the consolidated financial statements: Income taxes paid: note 42.1; other business taxes: note 17; employer contributions: note 15.