Risk Management & Compliance

Roche has a robust system in place to identify and manage risks to its business. As in any undertaking, there are a variety of possibilities that could prevent us from achieving our goals. This is vital to effectively attain and sustain Roche’s business objectives, to protect the investments of shareholders, and to meet legal requirements.

Roche’s Risk Management Charter sets out an approach to risk management and accompanying responsibilities within the Group.

Risk management has been mandated to Roche’s business units and employees who are fully empowered, responsible and accountable within the legal and ethical framework of Roche as well as their delegated authority. Every business unit and global function conducts a formal risk assessment process at least once a year and must develop risk management plans for their most material risks, which are approved as an integral part of its overall business plan. These are monitored and deviations reviewed in regular performance dialogues. A regular review of the risk management environment is also part of this process.

Risks are managed locally where they arise and where there is the appropriate expertise for managing them. Employees and managers identify risks promptly and line managers are responsible for ensuring appropriate action is taken and internal controls are in place. Where there are conflicts of interest, separate roles and functions ensure effective risk management.

The Corporate Risk Management team is responsible for coordinating and aligning this overall process within the Group. The team reports directly to the Head of Corporate Audit.

The Corporate Sustainability Committee is responsible for assessing social, environmental and ethical (SEE) risks identified through regular workshops involving a diverse selection of employees from relevant functions. Participants use their expertise and experience, as well as feedback from stakeholder dialogue, to identify emerging topics that are flagged to management.

The Group Compliance Officer monitors that Roche’s Code of Conduct is understood and applied by line management and employees throughout the Group and serves as a contact person for our stakeholders, including shareholders, employees, customers, suppliers, and the public on complaints relating to violations of our Code of Conduct

At a local level

We have also a Compliance Officer in each of our affiliate who liaises with the Group Compliance Officer. Currently we have more than 110 local Compliance Officers; their role is to:

• Conduct compliance risk assessments together with the affiliate’s management team;
• Organize and perform compliance training;
• Ensure every employee knows they can raise compliance concerns with their local line Management, the local Compliance Officer or the Group Compliance Officer;
• Inform the Group Compliance Officer of ethical incidents which represent a material compliance or reputational risk;
• Document all ethical incidents and steps taken to address and remedy the situation;
• Record complete and accurate data in the Business Ethics Incident Reporting (BEIR) system (see below).

Roche’s Code of Conduct features an e-learning programme called Roche Behaviour in Business (“RoBiB”), which informs employees to whom they can raise without suffering any disadvantage compliance concerns, including anonymous complaints, and compliance questions. The programme is available in several languages.

Our Business Ethics Incident Reporting (BEIR) system enables the Group Compliance Officer to capture, track and monitor alleged violations from initial reports by local Compliance Officers through to resolution. Business ethics incidents are recorded in the system when the local Compliance Officer receives specific and concrete information about a material alleged violation of the Code of Conduct in one of certain pre-defined categories.

In 2008 143 ethical incidents were reported.