Compliance

The compliance programme, which is firmly anchored in the Group-wide management and supervisory structures, is part of our management culture. It comprises the entire compliance organization within the Group, the set-up of guidelines, and the verification of compliance with these guidelines. The compliance management addresses all compliance topics that Heidelberg Materials has identified as relevant in the compliance risk assessment. These include, in particular, competition law, anti-corruption, and human rights.

The compliance organization is under the authority of the Chairman of the Managing Board, to whom the Director Group Legal & Compliance reports directly. Each country has its own compliance officer with a direct reporting line to the country manager. However, responsibility for ensuring that employees’ conduct complies with the law and regulations lies with all managers and, of course, with the employees themselves.

We have implemented an integrated compliance programme across the Group to achieve conduct that is compliant both with the law and with regulations. A central element of this programme is the self-commitment made by the Group management not to tolerate violations of applicable laws and to impose sanctions. The programme also includes internal policies and measures that express the legal provisions in concrete terms. In addition to regular communication of these policies, there are compliance letters to the management and the entire workforce, such as the annual letter from the Chairman of the Managing Board and ad hoc circulars on current issues, to raise awareness of the topic of compliance.

We offer the internet- and telephone-based reporting system “SpeakUp” and employee training that makes use of modern media, such as electronic learning modules. The range of electronic courses, which must be completed by specified groups of employees, covers topics such as the Code of Business Conduct (e.g. discrimination and harassment at the workplace), competition legislation, and the prevention of corruption.

The entire compliance programme is reviewed on an ongoing basis for any necessary adjustments with regard to current legal and social developments, and it is improved and accordingly. Violations of applicable laws and internal policies are sanctioned. In addition, suitable corrective and preventive measures are taken to help prevent similar incidents in the future. 

Group-wide implementation of the compliance programme is monitored by regular and special audits by Group Internal Audit as well as via special half-yearly compliance reporting by the Director Group Legal & Compliance to the Managing Board and the Audit Committee of the Supervisory Board. The latter monitors the effectiveness of the compliance programme and verifies in particular whether it adequately satisfies the legal requirements and recognised compliance standards. An additional quarterly report regularly informs the Managing Board members with regional responsibility about the most important compliance incidents in their Group areas.

Every two years, we conduct a comprehensive analysis to assess and prevent corruption risks and possible conflicts of interest. A rolling approach ensures that different countries are analysed each year as part of this cycle. First, the potential risks within a country organization are assessed. Then, the measures already in place to limit these risks are evaluated to assess the net risk, and finally, we examine whether further measures are needed. On the basis of this assessment, an action plan is drawn up for each country, and its implementation is monitored by the Group Legal & Compliance department.

In the area of competition legislation, we have a comprehensive cartel reporting system on cartel investigation proceedings. An annual competition legislation update takes place at the level of the Managing Board and of the employees who report directly to the members of the Managing Board with responsibility for sales. Furthermore, annual qualitative assessments of the cartel risks take place in the countries. A regular external audit of the Antitrust Compliance Programme by a specialist law firm is conducted every three years.

Heidelberg Materials' Compliance Management System includes as essential component various risk assessments. On the one hand, compliance risks are regularly evaluated for likelihood and impact on Heidelberg Materials Group in order to review if the Group’s Compliance Management System covers all relevant compliance topics and sets the right focus of compliance work. On the other hand, risk assessments are performed on specific compliance themes like competition law, corruption and human rights and are regularly updated. These specific compliance risk assessments are conducted on the level of the country organizations and monitored by Group Compliance. This is in line with the organizational setup of Heidelberg Materials Group and reflects the different legal requirement in each jurisdiction.
Within each country organization, specifics of different operating lines and potential regional differences need to be taken into account. 

Methodology Corruption Risk Assessments

Our risk assessment methodology starts with defining risk types which the company may be exposed to. For corruption these include active and passive corruption, corruption involving public officials, indirect bribery and conflict of interest. These risks are analysed from different functional views including operations, procurement, sales, human resources and investment project teams. Risks and functional views are defined by Group Compliance experts to have the same comparable structures for all countries.

After establishing the above explained structure the assessment starts with collecting information that forms the basis for assumptions that determine the gross risk. The local compliance team reviews the legal environment of the respective country, the enforcement of law by authorities and external evaluations such as the Corruption Perception Index of Transparency International. Further, the occurrence of historical statistics of compliance violations in the local organization is analysed. Besides these rather objective criteria the compliance team collects information from their expert colleagues from different departments and operating lines how they perceive the specific compliance risks in the building materials industry based on their experience, observations and real-life events. With this input the gross risk is assessed in a qualitative way as high, medium or low.

The next step is a review of the already existing risk mitigation measures in the organization. Mitigation measures may include policies, trainings, process controls etc. Taking these measures into account results in the net risk that the organization is effectively exposed to. Based on this the risk assessment continues with setting up an action plan that defines single action items including responsibility and deadline targeting further net risk reduction.

The entire risk assessment including action plan is reviewed by Group Compliance experts and finally must be approved by the responsible Country General Manager. The action plan is followed up by the compliance staff and subject to regular top management review. The entire assessment process is scheduled to be updated after a cycle of about two years.

As part of Heidelberg Materials Group’s workflow processes for compliance incident reporting and case management all reported incidents are classified in categories including employee relations, harassment, discrimination, corruption, conflict of interest, theft, fraud, etc.

In 2023, a total of 283 incidents were reported in our case management system and investigated under the supervision of compliance employees in the country organization or by the Group Compliance & Data Protection department.

Incidents reported via case management system

Most of the reports concerned employee relations. Other reports related to health and safety; fraud, theft or embezzlement; and corruption or conflicts of interest. Other categories of cases accounted for lower percentages of the total.

Of the 283 incidents reported, around half proved to be unfounded, while for 14%, no final result could be determined by the editorial deadline. In the case of 36% of the incidents, the investigations revealed that they were at least partially substantiated. None of the substantiated incident reports had a material impact on the consolidated financial statements.

In the case of substantiated incidents, measures were generally taken, ranging from root cause analysis, changes to policies and processes, and communication and training through to disciplinary action (such as a written warning or dismissal). In 45% of the substantiated incidents, sanctions were imposed, and for 69% of these incidents, preventive measures were implemented.

The country organizations are required to report key figures, such as the number of compliance incidents reported through the case management system that involve suspected human rights violations. Apart from incidents relating to health and occupational safety, nine incidents of discrimination were reported in relation to human rights issues, one of which is still under investigation while the others have not been confirmed, and four incidents of harassment, with three justified complaints. The investigation of the fourth case is still ongoing. There were also ten complaints about suppliers, of which two were confirmed and three are still under investigation. Of the ten cases, nine were related to possible unfair working conditions, and one concerned occupational safety. 

Looking into further details for incident types of interest for sustainability ratings we received reports for 22 cases of the category corruption or bribery of which 13 turned out to be unsubstantiated. We registered seven cases of conflict of interest of which four were unsubstantiated. No reports were noticed for the categories money laundering or insider trading. The protection and security of personal data is of great importance to us. Our statistics show no cases where sensitive customer data was affected.