Conduct that Complies with the Law and Policy


The company discloses which measures, standards, systems and processes are in place to prevent unlawful conduct and, in particular, corruption, how they are verified, which results have been achieved to date and where it sees there to be risks. The company depicts how corruption and other contraventions in the company are prevented and exposed and what sanctions are imposed.


Unlawful conduct and corruption are not only prosecutable – they also harm a company’s corporate culture, its reputation and its business relations. Clear guidelines and monitoring of those guidelines are needed in order to prevent corruption. In particular in markets where corruption is common, companies must analyse the potential conflicts and raise awareness among their employees. This calls for the topic to be firmly enshrined in the management culture. Internal processes which ensure conduct that complies with the law and policy from a company’s own employees and those of its business partners can minimise business risks and improve cooperation. 

What needs to be borne in mind?

This criterion relates both to the observance of the law and policy in general (including, for example, the relevant environmental legislation) and to the prevention of corruption in particular. You should report on any formalised processes such as due diligence processes and compliance systems, and also on specific measures such as the two-person-check principle. State how violations of external rules and internal standards are identified, what action is then taken, and who within management bears responsibility for conduct that complies with the law and policy. You may name standards that you use for guidance (e.g. the United Nations Global Compact).
You should also give details of whether and how the topic is enshrined in the corporate culture, for example whether the employees and executives are given regular training on the topics of compliance and integrity and whether and how people can turn to someone in confidence in the event of suspicions (ombudsperson, external/internal whistle-blowing systems) without fearing sanctions from their line manager.

Aspect 1:

Report on the strategies, concrete measures, standards, systems and processes in place to prevent unlawful conduct and, in particular, corruption. Give details of how corruption and other contraventions in the company are prevented and exposed and what sanctions are imposed.

Aspect 2:

State how implementation of the strategies, measures, standards, systems and processes is verified.

Aspect 3:

State who within your company is responsible for the topic of compliance and how management is involved.

Aspect 4:

State how managers and staff are made aware of this topic.

Aspect 5:

State whether previous goals were achieved and, if so, to what extent, and disclose any goals which were not achieved and why.

Aspect 6:

Report on the material risks arising from your business activities, your business relations and your products and/or services that are likely to have a negative impact on conduct that complies with the law and policy.

Conduct that complies with the law relates to the avoidance of corruption and cartel arrangements and the observance of statutory provisions, e.g. regarding data protection, environmental protection or occupational health and safety (compliance). In contrast, conduct that complies with policy is about an organisation observing the rules of conduct it sets itself in the form of codes of conduct etc. (integrity). This criterion therefore encompasses both legality and legitimacy.

Due diligence relates to exercising due care when assessing risks with a view to identifying all the risks relevant to an organisation. The negative effects that exist or could arise as a result of a company’s business activities, products and services in terms of conduct that complies with the law and policy should be monitored and, in the event of violations, appropriate remedial action should be offered.

Key Performance Indicator GRI SRS-205-1: Operations assessed for risks related to corruption

a. Total number and percentage of operations assessed for risks related to corruption.
b. Significant risks related to corruption identified through the risk assessment.

Key Performance Indicator GRI SRS-205-3: Incidents of corruption

a. Total number and nature of confirmed incidents of corruption.
b. Total number of confirmed incidents in which employees were dismissed or disciplined for corruption.
c. Total number of confirmed incidents when contracts with business partners were terminated or not renewed due to violations related to corruption.
d. Public legal cases regarding corruption brought against the organization or its employees during the reporting period and the outcomes of such cases.

Key Performance Indicator GRI SRS-419-1: Non-compliance with laws and regulations

a. Significant fines and non-monetary sanctions for non-compliance with laws and/or regulations in the social and economic area in terms of:
i. total monetary value of significant fines;
ii. total number of non-monetary sanctions;
iii. cases brought through dispute resolution mechanisms.
b. If the organization has not identified any non-compliance with laws and/or regulations, a brief statement of this fact is sufficient.
c. The context against which significant fines and non-monetary sanctions were incurred.

Key Performance Indicator EFFAS V01-01
Expenses and fines on filings, lawsuits related to anti-competitive behaviour, anti-trust and monopoly practices.

Key Performance Indicator EFFAS V02-01
Percentage of revenues in regions with a Transparency International corruption index below 60.

Reporting in line with the German CSR Directive Implementation Act   
(German legislation implementing the Directive 2014/95/EU)

Preventing corruption and bribery
If you also wish to use your Code declaration to comply with the reporting obligation in accordance with the CSR Directive Implementation Act (CSR-RUG), the checklist below will give you guidance regarding how the Code Office checks it for formal completeness. You can provide the relevant information concerning preventing corruption and bribery under Code criteria 19 and 20. Questions set in italics are already covered in your responses to the corresponding Code aspects.

1. Report on the management policy pursued:
a. Goals and planned goal achievement time frames.
b. How corporate governance is incorporated into the policy (criterion 20, aspect 3).
c. Strategies and concrete measures for achieving the goals (criterion 20, aspect 1).
d. Internal processes for monitoring implementation of the measures (criterion 20, aspect 2).

2. Report on the results of the policy:
a. Whether and to what extent previous goals were achieved (criterion 20, aspect 4).
b. Whether and how it is determined that the policy needs modifying and what conclusions are then drawn.

3. Report on the risks:
a. How the risks were identified and the material risks were filtered out (due diligence processes).
b. Material risks arising from your business activities that are highly likely to have a negative impact on conduct that complies with the law and policy (criterion 20, aspect 6).
c. Material risks arising from your business relations that are highly likely to have a negative impact on conduct that complies with the law and policy (criterion 20, aspect 6).
d. Material risks arising from your products and services that are highly likely to have a negative impact on conduct that complies with the law and policy (criterion 20, aspect 6).
