Risk Management & Compliance

Roche has a robust system in place to identify and manage risks to its business. As in any undertaking, there are a variety of possibilities that could prevent us from achieving our goals. This is vital to effectively attain and sustain Roche’s business objectives, to protect the investments of shareholders, and to meet legal requirements.

Roche’s Risk Management Policy sets out an approach to risk management and accompanying responsibilities within the Group.

Risk management has been mandated to Roche’s business units and employees who are fully empowered, responsible and accountable within the legal and ethical framework of Roche as well as their delegated authority. Every business unit and global function conducts a formal risk assessment process at least once a year and must develop risk management plans for their most material risks, which are approved as an integral part of its overall business plan. These are monitored and deviations reviewed in regular performance dialogues. A regular review of the risk management environment is also part of this process.

Risks are managed locally where they arise and where there is the appropriate expertise for managing them. Employees and managers identify risks promptly and line managers are responsible for ensuring appropriate action is taken and internal controls are in place. Where there are conflicts of interest, separate roles and functions ensure effective risk management.

The Group Risk Management team is responsible for coordinating and aligning this overall process within the Group. The team reports directly to the Chief Audit Executive.

The Corporate Sustainability Committee is responsible for assessing social, environmental and ethical (SEE) risks identified through regular workshops involving a diverse selection of employees from relevant functions. Participants use their expertise and experience, as well as feedback from stakeholder dialogue, to identify emerging topics that are flagged to management.

The Chief Compliance Officer monitors that Roche Group Code of Conduct is understood and applied by line management and employees throughout the Group and serves as a contact person for our stakeholders, including shareholders, employees, customers, suppliers, and the public on complaints relating to violations of our Code of Conduct

At a local level

We have also a Compliance Officer in each of our affiliate who liaises with the Chief Compliance Officer. Currently we have more than 110 local Compliance Officers; their role is to:

• Conduct compliance risk assessments together with the affiliate’s management team;
• Organize and perform compliance training;
• Ensure every employee knows they can raise compliance concerns with their local line Management, the local Compliance Officer or the Chief Compliance Officer;
• Inform the Chief Compliance Officer of ethical incidents which represent a material compliance or reputational risk;
• Document all ethical incidents and steps taken to address and remedy the situation;
• Record complete and accurate data in the Business Ethics Incident Reporting (BEIR) system (see below).

Roche Group Code of Conduct features an e-learning programme called Roche Behaviour in Business (“RoBiB”), which informs employees to whom they can raise without suffering any disadvantage compliance concerns, including anonymous complaints, and compliance questions. The programme is available in several languages.

Our Business Ethics Incident Reporting (BEIR) system enables the Chief Compliance Officer to capture, track and monitor alleged violations from initial reports by local Compliance Officers through to resolution. Business ethics incidents are recorded in the system when the local Compliance Officer receives specific and concrete information about a material alleged violation of the Roche Group Code of Conduct in one of certain pre-defined categories.

In 2011, 114 material business ethics incidents were reported in total, including 81 cases reported through the SpeakUp line. After investigating each incident and taking corrective action where necessary, we terminated 69 employment contracts as a result of unethical behaviour.

The Roche Group SpeakUp Line can be used for compliance concerns when employees encounter that Roche’s compliance standards are disregarded. The service comprises a global web and telephone service, where employees can report any compliance concern in their local language, on a confidential and anonymous basis.

Launched in December 2009, SpeakUp operates in 47 languages and 98 countries, making it available to almost 70,000 employees. Between 1 December 2009 and 31 December 2010, 122 reports were made via the system. Roughly half were general comments about Roche’s business, which are not classed as non-compliances. The other half related to alleged violations of the Code of Conduct. Analysis of the issues reported shows that employees are using the SpeakUp Line responsibly.