Compliance management

Concept
Central Compliance Management System helps ensure compliance requirements are met

The Lufthansa Group has a central Compliance Management System to give substance to the framework for integrity-based business activities provided by the Code of Conduct and to maintain a clear system of rules. The Compliance Management System follows the auditing standard of the Institute of Public Auditors in Germany (IDW PS 980) and is based on the following pillars: compliance culture, compliance targets, identification of compliance risks, compliance programme, compliance organisation, compliance communication and compliance monitoring.

The Compliance Management System is continuously improved and optimised in line with legal requirements, court rulings and the specific compliance risks applicable to the Lufthansa Group’s business activities. Currently, it comprises the following modules: Integrity (Anti-Corruption), Capital Market Compliance, Competition Compliance, Embargo Compliance, Export Compliance, External Workforce Compliance and Anti-Money Laundering Compliance. Each module includes one or more guidelines that are intended to support the boards, managers and employees in making decisions that comply with the rules.

Fighting corruption and bribery is an integral part of the Compliance Management System

Its global operations mean that the Lufthansa Group is obliged to comply with national anti-corruption and anti-bribery legislation around the world and, in some cases, with extraterritorially applicable anti-corruption and anti-bribery laws. Breaches of these legislative requirements hinder fair competition and jeopardise confidence in the integrity of economic entities as well as the state, its authorities and representatives. That is why fighting corruption and bribery is a priority for the Lufthansa Group’s compliance efforts. The Lufthansa Group has established rules in several guidelines for transparent and compliant conduct with business partners and government representatives as well as its own conduct to avoid conflicts of interest. In particular, the guidelines include instructions on how to handle gifts, invitations and other benefits as well as donations and sponsorships.

Group-wide compliance culture is promoted

The Lufthansa Group’s Compliance Management System is based on the above-mentioned pillars and pursues various approaches with reference to the individual modules to ensure that its boards, managers and employees act in accordance with the law and the rules. As part of its measures to promote a compliance culture aimed at ensuring that all Group employees internalise the notion of acting in accordance with the rules, the boards and managers in all of the Lufthansa Group companies with operative businesses provide regular information about these approaches. They thus continuously express to the Group’s employees their expectations regarding the integrity of all business decisions and business activities of the Lufthansa Group. The Corporate Compliance Office prepares the compliance topics for this, which the corresponding boards of the Group company then communicate to their employees so that they reach every level in the hierarchy. Twice a year, it is recorded whether the boards of the Group companies with business operations are living up to their role model function by communicating such a message.

Advisory services are an integral part of the Compliance Management System

Advisory services are an integral part of the Compliance Management System. Any employee can contact the local compliance managers or the Corporate Compliance Office with questions related to compliance at any time. In addition, the Corporate Compliance Office provides an app which is designed to help employees comply with the applicable guidelines even while on business trips and on an ad hoc basis. This app currently covers how to deal with business partners and public officials as well as proper conduct in situations where there may be a conflict of interest. These advisory services are intended to support decision-making in the Lufthansa Group that is in compliance with the rules.

Web-based compliance training increases risk awareness

Boards, managers and employees in relevant areas or functions are required to complete compliance training where this is necessary from the point of view of compliance risks. Depending on the specific level of risk they are exposed to and the content of the training, the target groups are obliged to attend either web-based or on-site training. The objective is to raise awareness of potential compliance risks, to identify alternative courses of action that comply with the law and rules, and to provide contacts for any advice that may be required. Web-based compliance training is offered for all compliance modules. To obtain the required certificate, the knowledge acquired must be demonstrated in a test at the end of the training. The training courses are designed to be completed when joining the Lufthansa Group and then every two years after that. If the courses are not completed within the given time limits, the participants will be sent a reminder and, if they fail to complete the training on a timely basis after receipt, their supervisors will be informed. On-site training for all compliance modules is offered for functions exposed to risk in accordance with the level of need or on demand. The Corporate Compliance Office has defined target groups for each compliance module in order to assign employees to training courses as required, in line with their level of risk exposure. In case of organisational changes, the Corporate Compliance Office will cooperate with the Lufthansa Group companies closely in order to adjust the target groups in a dynamic and timely manner.

Risk-based business partner due diligence aims to ensure integrity of suppliers and service providers

The Lufthansa Group has implemented a risk-based business partner due diligence in its purchasing processes which is intended to safeguard the integrity of suppliers and service providers. Before a business relationship is entered into with an external business partner, the potential partner will be assessed from a risk perspective in order to identify early on any potential compliance risks which may arise if a cooperation is entered into. Depending on the risk classification, further steps may be implemented within the scope of the business partner due diligence process which include a more in-depth assessment, more detailed questionnaires and careful identification and clarification of any irregularities or warning signs detected. This may result in a decision not to enter into a business relationship or else to terminate it. Depending on the specific risk classification, existing business relationships will likewise be regularly reviewed within the scope of this due diligence.

Whistleblower channels make it possible to report compliance violations

The Lufthansa Group has various whistleblower channels in place which can be used to report possible compliance violations, including potential breaches of anti-corruption legislation and regulations. All employees can contact their direct supervisors, the compliance managers in their Group company or the Corporate Compliance Office directly. In addition, the Lufthansa Group has an electronic whistleblower system and an ombudsperson. Both are also publicly accessible to external whistleblowers. The electronic whistleblower system is provided in ten different languages and enables whistleblowers to pass on any information or observations in writing at any time. The electronic whistleblower system allows any whistleblower to decide whether they wish to remain anonymous. The electronic whistleblower system is available on the Lufthansa Group website. A lawyer acts as the ombudsperson. This person is external, independent and not employed by the Lufthansa Group. Whistleblowers can provide information to the ombudsperson by phone, in writing or in person. The ombudsperson’s contact information is available on the Lufthansa Group website.

Any information received is assessed for plausibility using an established procedure. If a compliance violation is indeed suspected, the report will be investigated by the Corporate Compliance Office in cooperation with Corporate Business Security under strict observance of confidentiality and control by the responsible Compliance Committee. If, at the end of a procedure, a violation of the Lufthansa Group’s compliance guidelines is determined, depending on the circumstances of the individual case, the Lufthansa Group may pursue appropriate disciplinary measures against those involved, from training and awareness measures up to termination of their employment.

Protecting whistleblowers is of great importance to the Lufthansa Group. The Lufthansa Group will therefore not tolerate any actions to the detriment of employees who report compliance violations. A compliance policy states clearly and with binding effect that any violation of this ban on retaliation and discrimination will itself be considered a compliance violation and penalised accordingly.

Internal Audit department audits the effectiveness and appropriateness of the Compliance Management System

The Compliance Management System is monitored at several different levels. The annual inspections of the Internal Control System include a check as to whether the companies which are required to maintain this system have up-to-date documentation of all of the relevant measures, processes and tools of the Compliance Management System. As part of the compliance reporting, the Group companies must also regularly monitor the effective implementation of and compliance with the risk-related requirements of the compliance management system in their processes and business procedures and report the results to the Corporate Compliance Office. Moreover, within the scope of regular audits, Internal Audit reviews the appropriateness and effectiveness of the Compliance Management System at the Group companies and identifies any previously undetected weak points.

In the 2023 financial year, Internal Audit carried out a total of 21 compliance-related audits at 23 Group companies.

Organisational foundations and responsibilities

The Group-wide implementation, development and communication of the Lufthansa Group Compliance Management System is the responsibility of the Corporate Compliance Office, which is part of the central Legal department. The head of the Legal department and Chief Compliance Officer reports directly to the Human Resources & Infrastructure Executive Board member and presents two compliance reports per year to the Executive Board and the Supervisory Board’s Audit Committee and one per year to the Supervisory Board. The Executive Board has created a network of committees, consisting of a Group Compliance Committee and central compliance committees in the top-level subsidiaries for the respective business segments and individual service companies, to provide support with steering and implementing the central Compliance Management System across all companies. A worldwide network of compliance managers at the Group companies supports the Corporate Compliance Office as well as the ongoing development and implementation of the Compliance Management System. In addition to cooperation on specific compliance tasks, the Corporate Compliance Office regularly notifies the compliance managers of changes to the Compliance Management System and of other compliance topics, including via the regularly used communication platform, Compliance Manager Academy. The compliance managers responsible for a Group company report to the Corporate Compliance Office twice a year on compliance issues specific to the Group companies via a standardised process.

Targets
Compliance Management System aims to ensure rules-compliant conduct and prevent unlawful conduct

The aim of the Compliance Management System is to ensure conduct in compliance with rules and prevent unlawful conduct across the Group. Violations of the law can result, in particular, in criminal penalties, fines, damages and reputational damage for the companies concerned, as well as personal criminal and labour law consequences for the employees concerned, the responsible managers and the boards. ↗ Opportunities and risk report

Measures
Code of Conduct and various compliance policies updated

In view of the changing regulatory requirements and stakeholders’ expectations, the Corporate Compliance Office coordinated the update of the Lufthansa Group Code of Conduct in 2023. The updated version features a modern design which reflects the diversity of the various companies in the Lufthansa Group. Using examples and questions intended to prompt self-reflection, it offers employees a more specific framework to guide their actions. In addition, key compliance guidelines were also revised, for example the guideline on benefits.

IT-based compliance risk analysis launched throughout the Group

Regular assessment of compliance risks is an important aspect of any compliance management system. The Corporate Compliance Office had already developed a new concept for Group-wide identification and assessment of compliance risks in 2022. In the reporting year, this concept was implemented in collaboration with Lufthansa Industry Solutions GmbH via an IT system. Based on this IT tool, the Corporate Compliance Office initiated a Group-wide compliance risk analysis from June 2023 onwards. In staggered stages, all Group companies with operative businesses were invited to identify and assess their compliance risks and to document the degree to which they had implemented the recommended risk-minimising compliance measures. By the end of 2023, a total of 162 Group companies had taken part in this risk analysis. The remaining Group companies with operative businesses had been included in the risk analysis by the end of January 2024. Based on the results, the Corporate Compliance Office will subsequently draw up a risk and measures report in order to manage the mitigation of identified risks.

New web-based compliance training improves learning experience and outcome thanks to modern approach and design

In collaboration with an external e-learning provider, the Lufthansa Group developed new, web-based compliance training courses for all six compliance modules. With a stronger risk- and needs-based approach and a modern and attractive design, the new training courses aim to provide employees with a contemporary learning experience and ensure efficient and long-lasting learning success. This is intended to reinforce employees’ awareness of compliance risks.

Performance indicators

The Lufthansa Group monitors its Compliance Management System via various performance indicators in line with its defined purposes. Following a review of the informative value of the previously used performance indicators, these were revised in the reporting year. They now comprise training ratios and the number of reports submitted.

Overall in 2023, a total of 39,824 employees in 168 Group companies took part in web-based compliance training. This corresponds to a participation ratio of 97.9%.

The Lufthansa Group received a total of 81 reports of possible irregularities in the reporting year via its various channels. 24 of these were compliance-related. Seven reports were investigated in detail via the described procedure.

Lufthansa Group Annual Report 2023