Compliance
Management approach and targets
At DB Group, compliance is an integral element of our corporate culture and guides our actions in our business activities. We are consistently refining our compliance management system (CMS) in order to remain at the cutting edge and ensure compliance in the long term. Compliance is embedded in the Strong Rail strategy.
Our CMS is based on national and international legal requirements and established standards, such as the German Institute of Public Auditors (Institut der Wirtschaftsprüfer; IDW) auditing standard IDW PS 980. DB Group also applies the directive of the Federal Government on corruption prevention in the German Federal administration by analogy. The CMS aims to ensure that compliance risks are identified at an early stage and appropriate countermeasures are implemented. We continuously monitor the effectiveness of our CMS and make any necessary adjustments. Compliance is a component of the internal control system (ICS). As a result, intra-Group auditors examine, among other things, the CMS within DB Group as part of the ICS audits under the German Accounting Law Modernization Act (Bilanzrechtsmodernisierungsgesetz; BilMoG).
After the Group-wide independent investigation into the effectiveness of DB Group’s CMS with regard to corruption and white-collar crime in the form of fraud and embezzlement was completed in 2022/2023 by an auditing and consulting firm in all business entities with an unqualified audit opinion, the recommendations made were used to analyze existing processes in detail and improve them where necessary. A follow-up process was introduced in order to monitor implementation.
In terms of structure and process organization, DB Group compliance management is characterized by a combination of centralized and decentralized elements. The Chief Compliance Officer (CCO) manages the further development of our CMS and reports directly to the Chief Executive Officer. The CCO is assisted in his/her duties by more than 250 employees responsible for compliance issues. Group management focuses its compliance work on centralized governance activities in particular, while operational responsibility is exercised in the business and service units. The intensive dialog between centralized and decentralized compliance officers is ensured through various formats, such as a conference, monthly compliance officer meetings, the use of a compliance cockpit as a work platform and virtual information events for compliance officers and managers that take place at least quarterly.
DB Group is committed to compliance issues in the national and international environment. Corruption, in particular, may harm the confidence of the people in the functioning of the state and its institutions, among other things, and can also lead to financial damage to the state. DB Group is involved in the development of corruption prevention strategies through its cooperation with the German Institute for Compliance (DICO) and as an active member of Transparency International. A communication campaign was launched together with Transparency International Deutschland e. V. on the occasion of International Corruption Day. DB Group also contributes its compliance expertise in regular exchanges experience with other international companies.
Compliance instruments
Specific compliance instruments have been developed to protect DB Group, its employees and executives. This includes binding compliance regulations, risk and process analyses, a compliance reporting system, training and communication measures, and a whistle-blowing management system.
The code of conduct of DB Group is the cornerstone of our CMS. It defines standards and expectations for the day-to-day actions of our executive bodies, executives and employees and is provided to the employees via the Group regulations database and relevant pages on the intranet. The compliance regulations are also part of an app updated in 2023, which is installed on all centrally managed business mobile devices in DB Group. As a rule, since 2018, the DB Code of Conduct has also been part of the employment contracts of DB Group employees. The DB Code of Conduct is also published on DB Group’s corporate Web site in German and English. The DB Code of Conduct was expanded by resolution of the Group Management Board in compliance with the German Act on Corporate Due Diligence Obligations in Supply Chains (LkSG). The new version came into force on January 1, 2024. The DB Code of Conduct is supplemented by binding directives that specify applicable legal provisions governing national and international business and contact with customers.
Compliance risk analyses are a key component of DB Group risk management and are conducted by the business and service units. A Group-wide survey of compliance risks is conducted in accordance with governance requirements set by Group management. The binding framework contains minimum requirements for planning, implementation, reporting and follow-up. Within a three-year cycle, all Group companies with operational activities must be audited for risks of corruption. At the business unit level, reports on the relevant compliance risks are to be published annually in a predefined format.
Compliance risk analyses carried out show that the business units are affected by corruption risks in different ways. Some of our companies operate in foreign markets that are highly susceptible to corruption. In addition to DB Schenker and DB E.C.O. Group, this also applies to DB Arriva and DB Cargo. Business units in the Infrastructure division are more likely to be exposed to risks due to high procurement volumes. The Management Board is informed about compliance risks by means of a compact annual compliance report. The report separately sets out the risk exposure of business units, service units and Group management functions and highlights existing risk-reducing factors and countermeasures.
The Management Board is also kept regularly informed during the year about the further expansion of the compliance program and any significant compliance cases. The CCO also reports on compliance issues, including Group-relevant and critical issues, at least once a quarter in the Audit and Compliance Committee formed by the Supervisory Board. Independently of this, the intra-Group auditors report the key findings of the respective financial year – including the key findings of the audit areas and the status of the execution of the audit program – to the Audit and Compliance Committee in March and presents the audit planning for the Group audit for the coming financial year in the December meeting. The General Counsel of DB Group reports on significant legal cases in the March meeting. Depending on the circumstances, the various committees are also informed directly about Group-relevant/critical matters in individual cases.
In order to achieve our compliance objectives, we are continually optimizing our instruments and providing advice on compliance matters. This requires compliance specialists to be informed of current technical developments. For its regular qualification, the Compliance Academy is a learning area implemented within DB Group’s own learning platform as a central instrument for knowledge transfer. The completion of defined courses is mandatory.
Executives have a particular role to play in shaping our corporate culture. Various programs have been implemented in order to train them in compliant behavior in order to protect the Group and themselves from compliance risks. The mandatory training program for top management executives was expanded to include new modules in 2023. This supplements the established compliance coaching provided by the heads of DB Group’s compliance, audit and legal functions. As part of the personnel selection procedure, preemployment checks were also carried out for executives below the level of top management in 2023.
The compliance awareness plan takes a risk and needs-based approach, which determines the frequency in which all executives and employees are to be trained. By holding in-person events or conducting e-learning sessions, it is possible to train almost all executives and employees who either need to be trained or are exposed to medium and high risk, over a period of two to two and a half years. In 2023 alone, some 37,000 executives and employees attended events with instructors on the subject of preventing corruption. E-learning modules were also extensively used. Together with the e-learning modules developed specifically for DB Schenker and DB Arriva, over 157,000 e-learning units on preventing corruption were completed.
Further tightening of sanctions against Russia in 2023 meant that ongoing advice and adjustments to processes, contractual clauses and awareness-raising on foreign trade law issues were once again a focal point of compliance work.
There is a Group-wide whistle-blower system to obtain information about potential violations of laws or internal regulations. The way in which submitted tip-offs are handled is regulated in detail. The processes implemented protect the whistle-blowers. Clearly defined requirements regarding the rigor and relevance of whistle-blowing tip-offs serve to take account of the interests of the persons concerned.
There are various ways of submitting a tip-off. These include three trusted legal practitioners, who are legally bound to secrecy, in addition to the compliance teams in the Group management, business units and service units. There is also a Group-wide electronic whistle-blower system, which makes it possible to submit tip-offs anonymously. It can be used in 22 languages and is available not just to employees, but also to customers, suppliers and other stakeholders. In 2023, the whistle-blower system was used for the central reporting of corruption incidents in fewer than ten cases. In 2023, there were no confirmations of allegations of corruption originating from DB Group. Accordingly, no labor law measures were taken against employees in this respect. There were also no ongoing court proceedings in 2023 for such corruption incidents.
In view of the German and European implementation laws relating to the EU Directive for better protection of whistleblowers, adjustments were made to processes and communication in the reporting system, including the establishment of new reporting points.
Executives and employees are advised by colleagues in the compliance organization on issues relating to compliance. To this end, DB Group has been operating a compliance help desk for well over ten years.
Business partner compliance
Successful long-term business operations require the careful selection of business partners and suppliers, who must then be informed of DB Group’s values and minimum requirements. DB Group has developed various formats to increase awareness among its business partners and incorporate sustainable business practices more firmly in the supply chain.
The e-learning module on the DB Code of Conduct for Business Partners, updated in 2023, is freely accessible online. It provides information about integrity, binding legal standards and ethical issues, and sets out clear compliance requirements as defined in our DB Code of Conduct for Business Partners. Real-world examples demonstrate how our principles should be applied. The DB Code of Conduct for Business Partners was amended in 2023 in compliance with the German Act on Corporate Due Diligence Obligations in Supply Chains (LkSG) and adopted by the Management Board. The new version came into force on February 1, 2024.
Contracts and contractual partners are audited for compliance risks. Integrity clauses in the General Terms and Conditions of Purchase are used to counteract potential compliance risks. Other compliance regulations are agreed based on risks. This applies to the appointment of intermediaries, for example. If serious misconduct occurs, the group of decision makers for exclusions from tender procedures (Entscheiderkreis Vergabesperre; EKV) shall decide to suspend the awarding of tenders on the basis of clear criteria that stipulate how to deal with the contractor or supplier. In case of a suspension, the earliest that a business partnership can be reestablished or continued is after the suspension period expires or after the company takes action to clean up its practices, which the client body deems to be sufficient and which can often take many years to complete. In 2023, the group of decision makers imposed seven exclusions from tender procedures, none of which were due to corruption. In addition, an exclusion from tender procedures was imposed on two sanctioned creditors.
Compliance with antitrust laws and preventing antitrust damages
Training courses with on-site instructors ensure that executives and employees are kept aware of antitrust legislation. The formats of the training courses are individually tailored to the requirements of the business units and the central functions. The target group includes all executives and employees who are in contact with competitors or have other roles that are critical with regard to competition. The training courses are supplemented, in particular, by regulations specific to business units and close (antitrust) legal advice.
Measures to prevent antitrust damage are an important component of antitrust compliance. To this end, we operate a comprehensive antitrust damage prevention system. An important part of this system is to use contractual conditions in markets where antitrust violations are most likely, which obligate suppliers to introduce or maintain antitrust compliance programs.
