Governance

Ethics and Compliance

Based upon risk considerations, the Kuehne+Nagel Ethics and Compliance programme assumes a central role within the material topic of ‘business integrity’. Reviewed annually, the programme transforms the essence of laws and regulations, as well as our ethical business principles, into a comprehensive day-to-day manual for managers and employees. This includes, but is not limited to, guidelines, trainings, processes and controls. It is supported by a comprehensive policy framework including the

■  Code of Conduct
■  Anti-Bribery Guideline
■  Antitrust Guideline
■  Gift and Entertainment Guideline
■  Conflict of Interest Guideline

Ongoing, risk-based and mandatory compliance trainings are a key element to ensure that members at all levels of the company are and remain adequately knowledgeable to act in line with the programme in their day-to-day work. To highlight its importance to the company, the average results of their team’s compliance knowledge tests form part of a team manager’s performance rating for confirming their ability to demonstrate ethical leadership.

Code of Conduct participation rates

| in per cent | Target | 2022 | 2021 | 2020 |
|---|---|---|---|---|
| Live Induction Training | >95 | 86 | 86 | 90 |
| Live Induction Training Top and Senior Managers | >99 | 98 | 98 | 98 |
| Computer-based Training | >95 | 92 | 93 | 94 |
| Annual Confirmation | >95 | 96 | 95 | 98 |


Further integrity-related training is carried out at Kuehne+Nagel. In 2022, Ethical Leadership awareness campaigns were held at regional levels including in-person and online sessions as well as computer-based trainings.

For a target audience of about 3,000 managers, selected on a risk basis, a two-year dedicated online training campaign was concluded with an antitrust advanced course. Starting in 2023, a similar two-year online training campaign will be launched for around 7,000 managers with anti-bribery and anti-corruption basics and advanced courses.

All employees are encouraged to prevent, detect and report any suspected breaches or violations of applicable laws and regulations or the principles of the Kuehne+Nagel Code of Conduct through the anonymous Confidential Reporting Line (CRL) that is available 24/7 in 50+ languages. The CRL can optionally be contacted anonymously. Submitted reports are assessed by the Independent Allegation Management Committee and, as needed, independent investigations are initiated, prior to any form of remediation for preventing reoccurrence. Cases with material impact are disclosed in the Annual Report. Any significant legal proceedings and main outcomes of completed legal actions are disclosed in the Annual Report, as well as significant confirmed incidents and public legal cases regarding corruption.

 

Developing business preparedness, resilience and disaster response

As a global company, we have a responsibility to be prepared for a crisis and to manage it when it occurs, aiming to ensure best practice for the continued operation of global supply chains. Kuehne+Nagel applies an emergency and disaster response that is outlined in our Emergency Preparedness and Response Guideline. All sites comply with ISO 22301 for Business Continuity Management.

Every national organisation is equipped with a business continuity plan (BCP) that is regularly reviewed and updated and managed on a national level. As part of this plan, risks are assessed and reviewed at least annually. The effectiveness of BCPs is assessed by conducting annual audits and effectiveness checks, with every site being assessed at least once every three years, and crisis simulation trainings at corporate level. As part of this training, Kuehne+Nagel has taken preventative measures to ensure BCPs and critical data can be accessed even in the event of a cyberattack.

All our European sites were classified according to the type of energy supply and criticality during 2022. By November, BCPs for all our critical sites had been reviewed and updated and alternative back-up infrastructure was established.

As with many global companies, we have experienced challenging events throughout the reporting year. Yet, even during Covid-19, we did not experience any government-ordered shutdowns or penalties, thanks to the effectiveness of our response.
 


Ukraine war

The war in Ukraine offered our biggest challenge this year, and our thoughts remain with all those affected by this ongoing conflict. While it was particularly challenging to keep in contact with affected staff in the country, we are happy to report that our sites in Ukraine were kept operational whenever possible, despite the exceptionally difficult circumstances. Through our global network, we were also able to support and host affected staff.


 

Supporting data privacy and security

Our customers, employees and other stakeholders expect their personal information to be protected with the greatest possible care. We take this responsibility very seriously and manage this through our Data Protection Management System (DPMS) and our data protection management organisation.

We identify and manage privacy risks at the operational process level based upon an established and tailored data privacy framework to ensure risks are measured, monitored and mitigated across our core businesses. Privacy Compliance Assessments of high exposure systems and processes that use personal data enable the early identification of risks to ensure they are managed appropriately.

Incidents relating to data protection occurring in processes subject to the provisions of the General Data Protection Regulation (GDPR) are handled by the data protection department, which is supported in its investigations by local incident sources. During the year, a small number of cases were reported to the responsible data protection supervisory authorities. The authorities did not take any measures against the company in response.

To meet the GDPR standard globally, Kuehne+Nagel’s Privacy Framework sets out six privacy principles that all employees must respect, wherever they are in the world: reasonable care, purpose limitation, reasonable restriction, transparency and openness about where personal information is stored and used, choice and consent, and privacy by design.

In 2022, we launched our Privacy Policy Center in which we clearly state the type of information we collect and process. In addition, we provided a refresher data privacy training for all employees involved in processing personal data, in line with regulatory requirements. As part of their onboarding process, new employees are required to participate in a global data privacy training. Altogether, these trainings aim to ensure that employees across the organisation have a thorough level of knowledge about principles of confidentiality and data privacy.


Information Security

Kuehne+Nagel has created a robust and mature information security governance framework that is aligned with international standard ISO 27001 and includes guidelines that apply globally.

In Germany, Kuehne+Nagel has been ISO 27001 certified since 2019 with a renewal of the certification in 2022. As part of this process, the global Information Security Management System undergoes a continuous improvement process that is monitored by the Chief Information Security Officer (CISO).

In addition, regional Information Security Officers (ISOs), managers and experts provide support to the functional and business units in the design phase of products and customer solutions.

With regard to cyber security, a special focus is protection against ransomware. Several technical and organisational measures have been implemented to increase protection and decrease vulnerability to this type of threat, to mitigate its impact and to have processes in place to react appropriately in case of an event.

 

Our Online Report showcases a selection of ESG topics. For the full report, please download the pdf.