Ethics, risk and compliance

We have an extensive ethics, risk and compliance approach, comprising:

Ethics

  • Ethics (including our Code of Ethics)
  • Human rights
  • Ethical culture and impact

Risk

  • Enterprise risk and crisis management
  • Enterprise policy and control management
  • Third-party risk management
  • Health, safety and environment (HSE) governance

Compliance

  • Compliance management system
  • SpeakUp Office (our whistleblower program)
  • Centralized team for monitoring and remediation

This approach is overseen by our Ethics, Risk & Compliance (ERC) function; it ensures clear alignment between risk management, policies and controls. We have specific internal policies in place in areas such as data privacy, non-discrimination, anti-bribery, human rights and HSE, which help us maintain high standards of ethics and integrity across our business.

Central to our approach is the Novartis Code of Ethics, which comprises 23 commitments on topics such as human rights, drug safety, data use, and access to medicines. The code guides employees in daily decision-making and provides an ethical framework to our risk management approach. For more information on how we embed our Code of Ethics across the organization, see “Holding ourselves to high ethical standards.”

Many of our policies and controls are based on international norms and standards, including the United Nations Global Compact, the OECD Guidelines for Multinational Enterprises, and standards published by the International Labor Organization. We regard ethics, compliance and good risk management as crucial to maintaining public trust.

Risk management

The Enterprise Risk Management (ERM) process at Novartis is a series of coordinated activities designed to identify risks, promote accountability and support balanced decision-making. Our objective is to prevent or minimize risks that may affect our business, while ensuring that we can still capture opportunities for growth.

Regular workshops are held across the company to identify risks and possible mitigation measures. These are consolidated into the Novartis Risk Compass, which provides an overview of strategic, operational and emerging risks for use by senior management (see “How we manage risk”).

The Chief Ethics, Risk & Compliance Officer is responsible for the overall risk management process at Novartis. The ERC function oversees the company’s risk management and compliance functions, including risk-based companywide policy and internal control management, as well as crisis and business continuity management. The Executive Committee of Novartis (ECN), led by the CEO, reviews and endorses the risk portfolio.

The Board of Directors provides the highest layer of oversight. It focuses on the most significant risks, while the Board-level Risk Committee reviews the entire risk portfolio and actions implemented by management. For further details on the Risk Committee and its activities, please see our 2021 Annual Report.

In 2021, we integrated global governance of our HSE activities within ERC, merging it with our Business Continuity Management and Novartis Emergency Management teams to create a new function called Global HSE & Resilience. The goal is to reduce risks, increase resilience and generate further positive impact on our people, patients and planet.

Compliance

As part of our ERC approach, we have a comprehensive compliance management system to detect and prevent systemic misconduct. This system covers five principal risk areas: ethical dilemmas, bribery and corruption, third-party misconduct, professional practices, and conflicts of interest. Within our ERC function, we have a team responsible for monitoring compliance and taking action to address any misconduct with internal units and third parties.

In 2021, the Novartis SpeakUp Office, which enables employees and external parties to raise concerns about potential misconduct while being protected against retaliation, was integrated into the ERC function to further align our efforts and embed our Code of Ethics across the organization (see “Holding ourselves to high ethical standards”).