Management approach and targets
Compliance is an integral element of our corporate culture. As part of the initiative for a strong compliance organization mandated in 2019 by the Management Board, we continued to develop the Compliance Management System (CMS) at DB Group in 2022 in order to remain at the cutting edge and to develop effective compliance practices for the long term. Compliance is embedded in the Strong Rail strategy.
Our CMS is based on national and international legal requirements and established standards, such as the Institute of Public Auditors (Institut der Wirtschaftsprüfer; IDW) auditing standard IDW PS 980 in Germany. DB Group also applies the directive of the Federal Government on corruption prevention in the German Federal administration by analogy. The CMS aims to ensure that compliance risks are identified at an early stage and appropriate countermeasures are implemented. We continuously monitor the effectiveness of our CMS and make any necessary adjustments. Compliance is a component of the internal control system (ICS). As a result, intra-Group auditors examine, among other things, the CMS within DB Group as part of the ICS audits under the German Accounting Law Modernization Act (Bilanzrechtsmodernisierungsgesetz; BilMoG).
An independent investigation by an auditing and consulting firm into DB Group’s CMS with regard to corruption and corporate crime in the form of fraud and embezzlement launched Group-wide in the previous year was continued in 2022 and completed in early 2023. While the previous audits concentrated on appropriateness and implementation, the CMS audits conducted in 2021 and 2022 included an additional stage: as well as adequacy and implementation, the effectiveness of the CMS was evaluated. In addition, certification with ISO 37001 standard is carried out, in particular for internationally active business units. The effectiveness audits were completed in the business units (with the exception of the DB Arriva business unit, for which the last audit procedures are still outstanding) and in corporate management with an unqualified audit opinion. Resulting recommendations are used to analyze existing processes in detail and to improve them, where applicable. The ISO certification procedures are still ongoing in some cases.
DB Group compliance management is typified by a combination of centralized and decentralized units at the operational and organizational levels. The Chief Compliance Officer (CCO) manages the further development of our CMS and reports directly to the Chairman of the Management Board. The CCO is assisted in his/her duties by more than 250 employees responsible for compliance issues (either full time or with divided responsibilities). Corporate management focuses its compliance work on centralized governance activities in particular, while operational responsibility is exercised in the business and service units. The intensive dialog between centralized and decentralized compliance officers is ensured through various formats, such as a conference, monthly compliance officer meetings, the use of a compliance cockpit as an employment platform and virtual information events for compliance officers and managers that take place at least quarterly.
DB Group is committed to compliance issues in the national and international environment. Corruption, in particular, may harm the confidence of the people in the functioning of the state and its institutions, among other things, and may also lead to financial damage to the state. DB Group is involved in the development of prevention strategies on corruption in the “Corruption Prevention Initiative of the Federal Administration/Economy” of the Federal Ministry of the Interior and Community, as well as through its cooperation with the German Institute for Compliance (DICO). Furthermore, DB Group is an active member of Transparency International. DB Group also participates in the regular exchange of experiences on compliance issues with other international companies.
Specific compliance instruments have been developed to protect DB Group, its employees and executives. This includes binding compliance regulations, risk and process analyses, a compliance reporting system, training and communication measures, and a whistle-blowing management system.
The DB Group Code of Conduct is the cornerstone of our CMS. It defines standards and expectations for the day-to-day actions of our executive bodies, executives and employees and is provided to the employees via the Group rules database and relevant pages on the intranet. In addition, the compliance regulations are part of an app that is installed on all centrally managed company mobile devices in DB Group. As a rule, since 2018, the code of conduct has also been part of the employment contracts of DB Group employees. The code of conduct∞ is also published on DB Group’s Web site in German and English. It is supplemented by binding directives that specify applicable legal provisions governing national and international business and contact with customers. In 2022, the donation policy was revised and adapted to the current legal framework.
Compliance risk analyses are a key component of DB Group risk management and are conducted by the business and service units. A Group-wide survey of compliance risks is conducted in accordance with governance requirements set by corporate management. The binding framework contains minimum requirements for planning, implementation, reporting and follow-up. Within a three-year cycle, all Group companies with operational activities must be audited for risks of corruption. At the business unit level, reports on the relevant compliance risks are to be published annually in a predefined format. A compact compliance annual report provides the Management Board with information on compliance risks related to DB Group’s business activities. The report separately sets out the risk exposure of business units, service units and corporate management functions and highlights existing risk-reducing factors and countermeasures. The Management Board is also kept regularly informed during the business year about the further expansion of the compliance program and any significant compliance cases. The CCO also reports on compliance issues, including Group-related and critical issues, at least once a quarter in the Audit and Compliance Committee formed by the Supervisory Board. Independently of this, the intra-Group auditors report the key findings of the respective financial year – including the key findings of the audit areas and the status of the execution of the audit program – to the Audit and Compliance Committee in March and presents the audit planning for the Group audit for the coming financial year in the December meeting. The General Counsel of DB Group reports on significant legal cases in the March meeting. Depending on the circumstances, the various committees are also informed directly about Group-relevant/critical matters in individual cases.
We are continually optimizing our instruments and consulting on compliance matters so that we can achieve our compliance goals on a sustainable basis. This requires compliance specialists to be informed of current technical developments. For its regular qualification, the Compliance Academy is a learning area implemented within DB Group’s own learning platform as a central instrument for knowledge transfer. The completion of defined courses is mandatory.
Executives have a particular role to play in shaping our corporate culture. Various programs have been implemented in order to train them to comply with the rules in order to protect DB Group and themselves from compliance risks. The mandatory training program for senior executives was further developed in 2022. This supplements the well-established compliance coaching run by the heads of DB Group’s compliance, audit and legal functions. As part of the personnel selection procedure, pre-employment checks were also carried out below the top level of management in 2022.
The compliance awareness plan takes a risk and needs-based approach, which determines the order in which all executives and employees are to be trained. By holding in-person events or conducting e-learning sessions, it is possible to train almost all managers and employees who either need to be trained or are exposed to medium and high risk, over a period of two to two and a half years. In 2022 alone, about 42,000 executives and employees attended events with instructors on the subject of preventing corruption, taking the total number since 2020 to about 117,000. E-learning modules were also extensively used. Together with e-learning that is specially developed by DB Schenker and DB Arriva, about 106,000 e-learning units have been completed to prevent corruption; since 2020, that number has risen to about 299,000 units.
One key focus of consultation in 2022 was on economic and financial sanctions on foreign trade law issues following the Russian attack on Ukraine. In the course of this, processes were adapted and new awareness-raising measures were introduced; among other things, the e-learning module “Export control, scopes and sanctions” was revised.
There is a Group-wide whistle-blower system to obtain information about potential violations of laws or internal regulations. The way in which submitted tip-offs are handled is regulated in detail. The processes implemented protect the whistle-blowers. Clearly defined requirements regarding the rigor and relevance of whistle-blowing tip-offs serve to take account of the interests of the persons concerned.
There are various ways of submitting a tip-off. These include three trusted legal practitioners, who are legally bound to secrecy, in addition to the compliance teams in the corporate management, business units and service units. There is also a Group-wide electronic whistle-blower system, which makes it possible to submit tip-offs anonymously. It can be used in 22 languages and is available not just to employees, but also to customers, suppliers and other stakeholders. In 2022, the whistle-blower system was used for the central reporting of corruption incidents in fewer than ten cases. In 2022, there were no confirmations of allegations of corruption originating from DB Group. Accordingly, no labor law measures were taken against employees in this respect. There were also no ongoing court proceedings in 2022 for such corruption incidents.
The whistle-blower management system processes were analyzed in 2022. This was carried out by an auditing and consulting firm that was not involved in the CMS investigation described above. The analysis did not result in any need for action in relation to the existing intended or actual processes. In view of the adopted European directive for better protection of whistle-blowers and the expected German implementing act law, a project has been set up to analyze the impact and implementation of the requirements. In addition, an agreement was concluded in 2022 on a further multi-year cooperation with a market-leading provider for electronic whistle-blower systems.
Executives and employees are advised by colleagues in the compliance organization on issues relating to compliance. To this end, DB Group has been operating a compliance help desk for many years.
Compliance business partners
Successful long-term business operations require the careful selection of business partners and suppliers, who must then be informed of DB Group’s values and minimum requirements. DB Group has developed various formats to increase awareness among its business partners and incorporate sustainable business practices more firmly in the supply chain.
The e-learning on the DB code of conduct for business partners∞ which, like the internal code of conduct, was passed by the Management Board, is freely accessible on the Internet. It provides information about integrity, binding legal standards, and ethical matters and sets out clear compliance requirements as reflected in our Code of Conduct for Business Partners. Real-world examples demonstrate how our principles should be applied.
Contracts and contractual partners are audited for compliance risks. Integrity clauses in the General Terms and Conditions of Purchase are used to counteract potential compliance risks. Other compliance regulations are agreed based on risks. This applies to the appointment of intermediaries, for example. If serious misconduct occurs, the group of decision makers for exclusions from tender procedures shall decide to suspend the awarding of tenders on the basis of clear criteria that stipulate how to deal with the contractor or supplier. In case of a suspension, the earliest that a business partnership can be reestablished or continued is after the suspension period expires or after the company takes action to clean up its practices, which the orderer deems to be sufficient and which can often take many years to complete. Nine exclusions from tender procedures were imposed in 2022, but none were due to corruption violations.
In 2022, a newly developed concept for Group-wide, standardized and IT-supported compliance audits of business partners was subjected to a proof of concept. In this process, more than 70,000 supplier data sets were reviewed and analyzed for the purpose of detecting anomalies and risks in a multi-level process, and specific supplier-related measures were or are taken as applicable.
Compliance with antitrust laws and preventing antitrust damages
Training courses with on-site instructors ensure that executives and employees are kept aware of antitrust legislation. The formats of the training courses are individually tailored to the requirements of the business units and the central units. The target group includes all executives and employees who are in contact with competitors or have other roles that are critical with regard to competition. The training courses are supplemented, in particular, by regulations specific to business units and close cooperation with (antitrust) legal experts.
Measures to prevent antitrust damage are an important component of antitrust compliance. To this end, we operate a comprehensive antitrust damage prevention system. An important part of this system is to use contractual conditions in markets where antitrust violations are most likely, which obligate suppliers to introduce or maintain antitrust compliance programs.