Embedding anti-corruption ethics into the culture of an organisation and integrating compliance into the business model is essential in both practice and law.
The thyssenkrupp Compliance programme was set up in 1999 and further developed over time. As part of a broad-based process for the strategic development of our Compliance approach, a groupwide bottom-up risk assessment was carried out in 2014/15. The aim was to make the specific challenges for implementing an effective Compliance programme visible for each and every unit, particularly in our priority regions, and to create the conditions for the efficient management of our Compliance activities. This also included a detailed analysis of all Compliance risks actually confronting us. With our bottom-up risk assessment, we developed a risk map which creates a significant benefit and has a major importance for our daily work.
The risk analysis and the correlating risk map are continuously updated with the help of internal and external audits as well as with the results and experiences from workshops and business advice in our daily Compliance work. This leads to a continuous re-assessment of Compliance risks at thyssenkrupp.
The bottom-up Compliance risk assessment is flanked and complemented with various further risk analysis formats to assess our risk exposure, e.g. the Internal Control System, the Compliance Dialogs (cf. Question 2 in the Section "Internal Controls"), Risk Assessments on the specific topics such as anti-money laundering, trade compliance, joint ventures, etc. Apart from these risk analysis formats, various other risk assessment approaches are continuously integrated into our business processes.
Our Compliance approach has not only been certified as "suitable", but also as "effective" and thus the highest rating - as certified by independent specialized experts. We were one of the first companies in Germany to be certified according to the IDW standard PS 980.
Important related documents and links:
Compliance Strategy: https://www.thyssenkrupp.com/en/company/compliance/compliance-strategy
Audit reports: https://www.thyssenkrupp.com/en/company/compliance/audit-reports/
As stated above under 2.1 we developed a risk map with our Group wide bottom-up risk assessment in 2014/15, which is continuously updated with the help of internal and external audits as well as with the results and experiences from workshops, and business advice in our daily Compliance work as well as the results of the annual Group-wide assessment of the internal control system.
In addition to the groupwide bottom-up risk analyses to identify objective compliance risks in the companies of the thyssenkrupp group, above all in the areas of anticorruption, antitrust law, data protection, anti-money laundering, and trade compliance, and to review the degree of implementation of the compliance program, we introduced Compliance Dialogs as a further important element of thyssenkrupp's compliance risk management. The Compliance Dialogs make a significant contribution to reducing risk and increasing compliance awareness. The Compliance Dialogs are held in workshop format and promote an active exchange between corporate management, segment/business unit management and the compliance function. They serve to continuously update the bottom-up risk assessment and the implementation status of the thyssenkrupp compliance program and include continuous reviews of the mitigations.
The results of the risk analysis enable compliance activities to be managed in a very targeted and efficient way, both at group level and in the regions. The segments can include the results of the analysis in their strategies and manage their business activities on a risk-oriented basis. At operating level, the responsible officers can focus more on risk aspects in day-to-day business and reduce compliance risks.
We have further implemented an IT-Tool for the assessment, due diligence and integrity check as well as regular reapproval of our sales agents. This is in particular due to media-effective cases such as the "Israel" case, which made us aware of potential improvements in our Compliance programme, but also serves to illustrate our approach to further developing our Compliance programme:
Due to the “Israel” case inter alia, we today carry out extensive Compliance checks before hiring and at regular intervals in the course of the engagement of sales agents. By means of complex due diligence processes, we have the opportunity to identify risks as early as possible and to minimize them as far as possible. If there are indications of irregularities, we investigate them in full at any time and may sort out doubtful business partners from the outset. Furthermore, we insist on very clear contractual terms with our sales agents, especially with regard to the adherence of antitrust and anti-corruption laws. Our sales agents are further required to regularly provide reports on the activities they have performed on behalf of thyssenkrupp.
It is particularly important to us to continuously exchange ideas with external experts. Our Compliance approach has not only been certified as "suitable", but also as "effective" and thus the highest rating - as certified by independent specialized experts. We were one of the first companies to be certified according to the IDW standard PS 980. It is written in our Annual Report 21/22, p. 111, 112, and therefore certified by an auditor, that our Compliance programme comprises the three elements “inform & advise”, “identify”, and “report & act”. „Identify“ refers to the aspect, that in the reporting year, our Compliance Officers once again conducted proactive and event-driven audits and investigations in our core Compliance topics (anti-corruption, antitrust, anti-money laundering, data protection and trade compliance). The aim of these is to regularly examine critical business operations based on a risk-oriented, structured audit process.
Furthermore, pursuant to the German Commercial Code (HGB = Handelsgesetzbuch) an independent auditor has to also assess the company’s tools against bribery and corruption for the mandatory independent auditor’s report on the consolidated financial statements.
At thyssenkrupp, every internal and external audit report contains recommendations to business processes as well as individual behavior. These are constantly reviewed by our Group Function Legal & Compliance to further evolve and update our set of guidelines and policies, training material etc. In the end, internal and external audits are part of our regular “Plan-Do-Check-Act” improvement cycle to regularly re-evaluate and adapt our policies and procedures as well as the whole Compliance management system.
Important related documents and links:
Annual Report 21/22: https://www.thyssenkrupp.com/en/investors
The Compliance Organization at thyssenkrupp also comprises its own Investigations Department which – in close collaboration with internal auditing – systematically tracks, investigates and responds to bribery and corruption allegations or incidents, explicitly including those reported through our various whistleblowing channels.
Extract from the annual report 21/22, p. 110:
“In a healthy corporate and management culture, commitment and shared values go hand-in-hand. Violations of the law or internal rules are not compatible with our understanding of Compliance. The following rules therefore apply unequivocally:
■ We systematically investigate all reports of legal violations and clear up the facts.
■ We treat all information received confidentially and use all appropriate measures to protect whistleblowers from any disadvantages arising from their notification. When clarifying such reports, we protect the legitimate interests of the people affected by the allegations.”
Bona fide reports help counteract violations at an early stage and limit the damage for our company, our employees, and our business partners. We have therefore set up several channels for contacting us – anonymously if required – to report infringements. This system for reporting information is open to all thyssenkrupp employees as well as third parties such as customers, suppliers and others. thyssenkrupp and the Group Function Legal & Compliance safeguard the interests of the whistleblower not only through this secure Whistleblowing System, but also by providing assurances that all information received by Group Function Legal & Compliance at thyssenkrupp AG will be treated in confidence. We also provide assurance that all means at our disposal will be used to protect whistleblowers acting in good faith from any disadvantages as a result of their disclosures.
During its investigations, thyssenkrupp will also strive to protect the legitimate interests of other persons affected by a disclosure. Casting suspicion on another person can have serious consequences for that person. It is therefore essential that the Whistleblowing System is used responsibly.
Important related documents and links:
Annual Report 21/22: https://www.thyssenkrupp.com/en/investors
https://www.thyssenkrupp.com/en/company/compliance/submitting-a-report/
https://www.thyssenkrupp.com/en/company/compliance/compliance-organization
Our Compliance Officers in the Investigations Department have a professional background in either law or economics or other related studies. They continuously receive trainings covering updates of applicable laws and investigation techniques. In case of complaints in the investigation procedure, the Head of Investigation Department and the Chief Compliance Officer are overseeing complaints. The Compliance Function is also in the scope of potential audits of Internal Auditing.
To ensure independent investigation at all times, our Investigation Department is further strictly separated from the preventive part of our Compliance Organization in charge inter alia for Compliance advice.
For verification, see Appendix 1/7 of external Compliance Auditing IDW PS 980.
Important related documents and links:
Audit reports: https://www.thyssenkrupp.com/en/company/compliance/audit-reports/
Material findings of bribery and corruption are reported to the thyssenkrupp AG Board and to the Supervisory Board according to a clearly defined process.
A cooperative relationship with public authorities is important for us. thyssenkrupp is considering itself a good corporate citizen. To provide a recent example: in the investigations carried out by the Israel state attorney in connection with naval projects thyssenkrupp shared internal findings with the relevant public authorities in Germany and Israel by handing over the preliminary internal investigation report.
See reporting in our Annual Report.
Important related documents and links:
We publish high-level investigation results in an aggregated way. Depending on the case at hand and subject to legal requirements and restrictions, we also consider publicly reporting or commenting on individual actions.
On average, we have received a lower three-digit number of whistleblowing reports annually over the last years. We investigate every single case thoroughly. In case of proven violations of our policies or even legal violations, action is taken to remedy the violation immediately, risks are eliminated or at least mitigated and individual sanctions on employees imposed which might range from warnings to immediate dismissals. Where appropriate we also consider suing former employees for damages they have caused to thyssenkrupp.