3.1 Compliance and ethics

Siemens offers a range of reporting channels to enable all employees and outside third parties to flag potential compliance violations to the company. For instance, complaints can be reported by way of the protected whistle-blower system “Tell Us” or to the independent Siemens Ombudsperson. Reports received through these channels are forwarded to our Compliance organization. Complaints can also be reported directly to the Compliance Officers in our business units or to the senior management. Whistle-blowers at Siemens are protected by national laws and also by internal company regulations that prohibit the punishment or other detrimental treatment of anyone who reports a suspicious activity in good faith.

Every complaint is taken seriously. If the allegations prove to be sufficiently plausible, the Compliance organization determines whether there is sufficient information to justify an internal investigation. Indications about other matters are forwarded to the affected Siemens department or business unit for further action.

Internal investigations are conducted based on binding, clearly defined standards to ensure the fair and respectful treatment of employees. These standards prohibit unlawful or disproportionate actions. However, if an internal investigation leads to the finding that an employee has demonstrably violated any laws or internal regulations, they can expect appropriate disciplinary consequences.

All circumstances within a compliance case, including the locally applicable legal environment and any participation rights of the competent employee representative bodies, are duly considered during the proceedings.

Affected Siemens entities are obligated to implement the additional recommendations of the investigation reports, including measures to effectively remedy the situation.

Compliance risk management

To be effective, the Siemens compliance system needs to be continuously adjusted in order to meet business-specific risks and multiple local legal requirements. The findings from compliance risk assessments, along with compliance controls and audits, help us identify opportunities to further develop the compliance system.

The goal of compliance risk management is to detect compliance risks early and take appropriate steps to prevent or mitigate risks. Risk assessments and tool solutions that support risk evaluations are also integrated into individual business processes to support our employees in taking appropriate risk mitigation steps.

Compliance risk management is an integral part of the company-wide Siemens Enterprise Risk Management (ERM) program (see SIEMENS FINANCIAL REPORT FOR FISCAL 2023, COMBINED MANAGEMENT REPORT, 8.3.1 STRATEGIC RISKS), which provides a holistic view of all identified risks throughout the Group. Every entity and region assesses their business risks in relation to compliance risks. Current developments are also systematically evaluated.

As a core part of our risk management process, we collaborate closely with relevant business units to identify and assess compliance risks within new digital business models. Continuous Compliance Risk Management implements a bottom-up evaluation of the local risk environment in each of Siemens’ entities on a worldwide basis in all activity fields defined by Compliance. CEOs, business leaders, Compliance Officers, and experts from every entity meet during the fiscal year to identify and assess compliance risks.¹ The risks identified are then aggregated and presented during annual Compliance Risk and Performance Reviews to the Compliance Management Council. The risks are documented in the Compliance Risk Tracking tool. Additional information from internal data sources is included to provide a holistic overview of compliance risks. Cross-functional knowledge exchanges take place at regular meetings, and an annual Corporate Compliance Risk Workshop helps us identify and monitor emerging or changing risks. The results of the risk assessments are a key starting point for the ongoing development of our compliance system.

¹ At SHS, formal Compliance Risk Assessments are conducted every three years, with the last being performed in fiscal 2023.

SIEMENS SUSTAINABILITY REPORT 2023 36