NBIM Index

A baseline has been established to identify perceptions of the ethical culture/culture of integrity in the company. There is a methodology to measure/gauge changes to the culture over time

We have established a baseline to measure integrity through a question in the quarterly pulse survey, asking employees to rate "BMS has a culture that values integrity." Results of the quarterly survey are regularly reviewed and actioned as needed by leadership teams throughout the organization. Integrity is one of BMS' six Values, expected to be demonstrated consistently by every employee. Integrity is defined as how we demonstrate ethics, integrity and quality in everything we do for patients, customers and colleagues.

The frequency (could be a % or absolute number) of references to ethics and compliance communicated internally and/or externally by the defined C-level persons

Our leadership ensures a continuous emphasis on practicing a culture of integrity. While we do not record the frequency of all such communications, several examples are detailed below:

Internally:

• At Town Halls that occur several times a year, BMS’ Board Chair and CEO emphasizes the importance of Integrity for all employees, and the company leadership team is encouraged to do the same in their communications.
• The Board Chair and CEO and Chief Compliance and Ethics Officer (CCEO) communicate several times each year on integrity-related topics, including company values, our Principles of Integrity, and anti-bribery policy training and compliance.
• The “I” in Integrity initiative has been rolled out across the company under the leadership of the CCEO, and has provided tools and resources to encourage and facilitate conversations related to integrity.
• The Reality Check series of articles, published monthly by the Compliance and Ethics department, based on real incidents, is intended to provide employees with a greater awareness of how to identify and escalate potential concerns.
• The Compliance and Ethics department, under the leadership of the CCEO, publishes regular companywide memos and articles on the internal news platform to support our commitment to ethics and integrity.

Externally:

• The CEO highlighted our commitment to integrity in the 2020 BMS annual report, as well as in the opening remarks and Q&A at the 2020 annual shareholder meeting.
• In the 2020 proxy statement, integrity was highlighted as a measure of CEO performance, Board member selection criteria and employee compensation policies.
• Several references on bms.com.

Does your performance management framework incorporate how ethics and integrity objectives are achieved? (Y/N)

Yes. BMS' performance management process, which impacts employees' compensation and career advancement, equally measures both achievement of individual objectives and how the individual demonstrates BMS Values. Integrity is reflected in our companywide objective of "Demonstrating ethics, integrity and quality in everything we do," which is adopted into every employee's individual objectives. In addition, Integrity is one of six BMS Values.

Ethics and integrity are integral components in leadership decisions

Our performance management process approaches integrity at an individual level. We also embed integrity into our hiring and critical talent decisions with professional and executive interview questions to explore a candidate's integrity. When we look for talent in succession roles, it is a requirement that they possess leadership potential, which includes modeling BMS Values, including Integrity.

The company actively engages in anti-corruption Collective Action

BMS has committed to the following anti-corruption collective action initiatives:

• Industry Association Codes such as the International Federation of Pharmaceutical Manufacturers & Associations (IFPMA) Code of Practice, European Federation of Pharmaceutical Industries and Associations (EFPIA) Code of Practice and the Pharmaceutical Research and Manufacturers of America (PhRMA) Codes.
• UN Global Compact.
• Participant in the 2020 Norges Bank Investment Management and the Basel Institute on Governance working group to develop guidance for companies to report on the effectiveness of their anti-corruption compliance program. This is BMS’ inaugural report in accordance with this guidance.

The company has an anti-corruption compliance risk program, which it uses to give regular updates to senior management and Board on how risks are being managed

BMS' anti-corruption compliance program is a cross-functional effort, including first-, second- and third-line risk management functions. First-line business owners establish systems and processes with anti-corruption controls; second-line functions such as Compliance and the Controller monitor relevant activities for anti-corruption compliance; and the independent internal audit function reviews first- and second-line activities. Results of risk assessments, monitoring and auditing by these functions are shared with the BMS leadership team, other Business Unit leaders, the Board of Directors and its Audit Committee regularly.

The percentage of business functions that are included in the anti-corruption risk assessment

100% of business functions are represented in BMS' anti-corruption risk assessments.

The company has established anti-corruption compliance KPIs that are used to measure the compliance program

Several risk management functions capture and track metrics related to anti-corruption compliance. Examples include results of risk assessment and related mitigation activities, number and types of exceptions based on 100% review of expenditures and SOX control deficiencies.

Percentage of third-party reviews conducted

Third-party reviews span the life cycle of a relationship, are coordinated among the second and third-line functions, and are based on risk. Specifically:

• 100% of high-risk third parties from an anti-corruption perspective (as determined based on several factors, including their services, location and prior experience with BMS) are subject to due diligence at the time of selection or contract renewal, with a reassessment at regular intervals thereafter.
• Additional deep-dive ongoing monitoring reviews, which include site visits and transaction testing, are also conducted on certain third parties based on risk.
• Internal audit scopes select third parties into their annual plan based on their risk assessment.

How the findings from third-party reviews are addressed

Second line risk management and the internal audit functions liaise with the relevant BMS business owner to share findings and expectations with third parties. Compliance standards are memorialized in third-party agreements, and BMS provides additional support where needed, such as anti-bribery training to third parties.

Percentage of third parties that improve their anti-corruption compliance programs

A vast majority (>95%) of third parties improve their anti-corruption programs in response to our findings, and doing so is a critical factor for BMS to continue its relationship with a third party. Results of due diligence, ongoing monitoring and internal audits are shared with third parties and tracked regularly for on-time completion.

The organizational structure of the company is transparent, including the location of the compliance function within the structure, and it identifies where the Chief Compliance Officer is situated

Our CCEO is part of the company leadership team and reports to the General Counsel, with accountability to the CEO and the Audit Committee of the Board of Directors. Our CCEO's role on the company leadership team is detailed on the company's external website and annual reports.

The governance structure of the company enables the Chief Compliance Officer to execute her/his responsibilities impartially

The CCEO's direct and private access to the CEO and the Audit Committee of the Board of Directors on a regular basis enables the CCEO to act independently.

Ethics and integrity are integral components in all talent and leadership development programs

All our Growth and Development programs are anchored to, and aligned with, the six BMS Values, one of which is Integrity. Our leadership development programs are designed around our Values, which inform expected leadership capabilities. Nominations for these programs are based on consistent high performance, which includes demonstrating our Values as well as achieving our companywide objectives, which requires “Demonstrating ethics, integrity and quality in everything we do.”

The program is adequately resourced and empowered to function effectively

BMS' Compliance and Ethics organization and its relevant partners are fully resourced to deliver on our anti-corruption compliance program priorities. Budget is evaluated several times a year and adjusted as needed. The CCEO's independent role (access to CEO and Board) empowers the program to function effectively. BMS has also been awarded the Compliance Leader Verification seal by the Ethisphere Institute since 2012; results of this independent assessment indicate a strong and continuously improving compliance program.

The frequency of the Board actively reviewing the sufficiency of resources allocated to the global anti-corruption and bribery program including the compliance function

Our CCEO presents to, and has private sessions with, the Audit committee several times a year. The CCEO also presents annually to the full Board of Directors. While resourcing is not an explicit agenda item in every meeting, these meetings provide the opportunity to address resource topics.

Access by the Chief Compliance Officer to the Board, including the Board Committees (i.e., the supervisory level of the company) on a formalized basis and the actual frequency of that access

Our CCEO is present at every Audit Committee meeting, and presents at several. In addition, the CCEO has scheduled private sessions with the Audit Committee at least once a quarter and presents annually to the full Board of Directors. In 2020, the CCEO attended all eight Audit Committee meetings, presented at three of these meetings and had five private sessions with the Audit Committee. The CCEO also presented to the full Board of Directors in 2020.