Our compliance program includes: • Written standards of conduct, including our Code of Conduct and policies and procedures • Risk assessments • Training and communication • Monitoring and testing • Confidential reporting channels and internal investigations • Continuous improvement, including corrective action and/or preventive action, where necessary Our Board has a standing Compliance Committee, whose purpose is to assist the Board in overseeing McKesson’s compliance programs and management’s identification and evaluation of the Company’s principal legal and regulatory compliance risks. The Compliance Committee meets regularly throughout the year, including in separate executive sessions with the Chief Compliance Officer and the Chief Legal Officer. In FY21, the Compliance Committee conducted discussions with multiple members of management about McKesson’s compliance programs relating to certain legal and regulatory risks. The Compliance Committee also meets jointly with the Audit Committee to review management’s assessment of its regulatory and compliance programs. Written standards of conduct Our company operates in multiple business and regulatory environments. To help ensure that all employees uphold high legal and ethical standards, we embed our expectations in our Code of Conduct . A foundational document across our company, our Code of Conduct is based on our ICARE shared values. It describes the fundamental principles and policies that shape our work, covering a wide range of topics that may occur when interacting with customers, industry partners, regulators and each other. It gives helpful guidance regarding where to turn with questions or concerns about the right thing to do. The Code of Conduct is available in 10 languages. As noted in our Code of Conduct, we seek business partners who share our values and commitment to doing business with integrity. In addition to our Code of Conduct, McKesson has established compliance policies and procedures that are designed to prevent and detect potential violations of applicable laws, regulations, and ethical standards. These policies are accessible to employees on our intranet and other means. Compliance risk assessment We regularly assess compliance and regulatory risks across our operations. Our approach includes conducting regular risk assessments and developing comprehensive work plans to mitigate compliance risks, with many actions owned by the business. Compliance leaders also participate in the company’s annual enterprise risk assessment which focuses on risks that could impact the organization in achieving its strategic and operational objectives. Our compliance program includes: • Written standards of conduct, including our Code of Conduct and policies and procedures • Risk assessments • Training and communication • Monitoring and testing • Confidential reporting channels and internal investigations • Continuous improvement, including corrective action and/or preventive action, where necessary Introduction Stories Employees Access Equity Climate Operations >Table of Contents | 59 FY21 Impact Report