Our Principles and Other Priorities
We believe it is important that our Board is composed of individuals reflecting the diversity represented by our employees, our patients, and our communities. In recent years, our Nominating and Governance Committee has taken this priority to heart in its nominations process, and the diversity of our Board has grown significantly. With the addition of Linda Maxwell, M.D. in 2020, we have continued to expand the diversity of our Board, which is among the most diverse of our peers.
BOARD DIVERSITY MATRIX (AS OF APRIL 29, 2022)
|Total Number of Directors||12|
|Number of directors based on gender identity||7||5||0||0|
|Number of directors who identify in any of the categories below:|
|African American or Black||1||1||0||0|
|Alaskan Native or American Indian||0||0||0||0|
|Hispanic or Latinx||0||1||0||0|
|Native Hawaiian or Pacific Islander||0||0||0||0|
|Two or More Races or Ethnicities||0||2||0||0|
Corporate Governance Best Practices
We have taken great strides over recent years to implement corporate governance best practices, often acting ahead of the curve in terms of our industry peers and the Russell 3000, and through a thoughtful and responsive shareholder engagement program.
In 2015, we adopted a majority voting standard with a director resignation policy.
In 2020, we began a destaggering process for director elections. Going forward, directors will be elected to one-year terms.
In 2015, we adopted a market-standard form of proxy access.
We reduced our overboarding limit to four public company boards in 2020 (down from the previous limit of five), in direct response to shareholder feedback.
Board and Committee Refreshment
We added Linda Maxwell, MD as a new director in 2020, joining three new women directors added over the last eight years. As part of our Board refreshment strategy and to increase the diversity of voices on our Board committees, we refreshed our Compensation Committee, Nominating and Governance Committee, and Audit Committee composition in 2020.
Our four newest directors also bring strong sustainability backgrounds. In 2021, we amended the Nominating and Governance Committee’s charter to expressly include ESG oversight.
Board Risk Oversight
We take risk oversight very seriously. Our Board committees each tackle various risks facing our company to ensure management is focused on identifying and mitigating the material risks to our company.
| Board Committee | Key Risk Oversight Areas |
|---|---|
| Nominating and Governance Committee | Enterprise risk management system and corporate compliance program; PBC/ESG activities |
| Audit Committee | Auditing, accounting, and financial matters, as well as cybersecurity |
| Compensation Committee | Compensation programs, as well as diversity and other human capital priorities |
Ethics and Compliance
One of our strategic objectives is to achieve our goals by doing the right thing and using the highest ethical standards. This is evidenced by our commitment to a robust compliance program, ethical operations, scientific integrity, responsible sourcing, and environmental sustainability. Ethics is one of our core values, and we continue to enhance our programs across all of these areas.
One important aspect of our approach to business ethics is a well-defined set of Compliance Principles that outlines how we behave, and clear leadership attributes that we expect from all Unitherians. Our Compliance Principles revolve around the overarching tenet that WE DO THE RIGHT THING.
Other principles include:
We are Passionate for Patients
- We get the right products, to the right patients, for the right reasons
- We manufacture with the highest quality standards
- We promptly report adverse events and product complaints
We Don't Pay to Play
- We operate with the highest standards of integrity
- We don’t use money or favors to inappropriately advance business objectives
- We ensure all of our interactions have an appropriate and legitimate purpose
We Respect Privacy
- We protect the privacy of our patients, caregivers, customers, and employees
- We use and share information carefully and sensibly
- We avoid or disclose conflicts of interest
We Communicate Ethically and Honestly
- We communicate at the right time, to the right people, with the right message
- We communicate in an honest, transparent, and accurate way
- We document our books, records, and actions with integrity and attention to detail
Code of Conduct
Our Code of Conduct serves as a foundational tool to ensure employees do the right thing in their day-to-day operations. The biotechnology industry is dynamic and ever-changing, and no one can assume that the right course of action is always clear. Our Code, with support from our existing principles, policies, and procedures, described in more detail below, provides guidelines for our decisions and actions.
Our Compliance policies and procedures include, but are not limited to:
- Advisory Boards SOP
- Business Engagements with Healthcare Professionals Policy
- Business Meals Policy
- Charitable Contributions Policy
- Consultant and Fee-For-Service SOP
- Fair Competition (Antitrust) Policy
- Global Anti-Bribery and Corruption Policy
- Grant Review Committee SOP
- Interactions with Healthcare Professionals Policy
- Medical Education Grants Policy
- Patient Assistance Program Policy
- Promotional Communications Policy
- Promotional Speaker Program SOP
- Sponsorships Promotional Exhibits and Non-Promotional Medical Information Booths Policy
- Support for Independent Third-Party Patient Assistance Programs Policy
In 2020, we updated our Code of Conduct to continuously improve this foundational tool. We also rolled out new interactive training with the goal of making learning more engaging and interesting and with an emphasis on real-world and role-specific training. In 2021, we updated most of our Compliance policies and procedures and provided role-specific training to key functions at the Company.
Data Privacy and Security
One of our core values is “We respect privacy.” Gathering and using certain personal information from various sources, including patients, clinical trial subjects, customers, health care providers, and our employees, is essential to what we do as a business. We are committed to protecting the privacy and integrity of this information. We do this through a robust data privacy program and by driving training and awareness for our Unitherians.
Data Privacy Program
We established a Data Privacy Office (DPO) to manage our approach to privacy-related matters. We follow the General Data Protection Regulation (GDPR) and all other applicable privacy laws, leveraging input from outside legal counsel and operational advisors to help us administer our program and navigate key issues.
- We have an external privacy notice, as well as an internal policy and related standard operating procedures
- Our DPO collaborates across the business to ensure that any data shared internally is with the right people and for the right reasons
- Before we use software programs or applications, Information Technology and the DPO determine whether any personal information will be transmitted
- If so, the DPO partners with the business owner to conduct a Data Privacy Impact Assessment (DPIA) to ensure data is handled in line with the GDPR and other applicable laws
- A DPIA is conducted for all new software programs or applications with privacy considerations, and we are conducting a retroactive assessment of our existing critical applications as per our Critical Applications and Systems List
- We have a standardized process for responding to data subject requests from our patients, clinical trial subjects, customers, health care providers, and employees
Training and Awareness
- Privacy is a key pillar of our Compliance program. All Unitherians receive periodic training on privacy as part of our annual Code of Conduct training
- Our DPIA and data subject request processes provide real-time and real-world training opportunities and help drive awareness on data privacy issues
- We ran several data privacy protection awareness campaigns via email, our internal UT-Facebook platform, and text messaging
- We procured and implemented a state-of-the-art Data Privacy Protection management tool to streamline our processes and demonstrate accountability to our stakeholders and data protection agencies
Our approach to cybersecurity is organized around the following key pillars:
- Board-level oversight assigned to our Audit Committee; our Audit Committee is 100% comprised of independent directors
- Led by our head of Information Security, Risk and Compliance, who reports directly to our Chief Information Officer (CIO)
- Provides written reports to the Chair of the Audit Committee each quarter, and the head of Information Security, Risk and Compliance leads discussion with the full Audit Committee each year
- Leverage the National Institute of Standards and Technology Cybersecurity Framework
- Consult with our Data Privacy Office and IT operations teams on implementing proper controls for data protection and data use
- All members of our IT security team have industry-leading security certifications such as CISSP, CRISC, CIPM, CISA, and HITRUST
In March 2021, we established the Unither Security Council, composed of leaders from Risk Management, Corporate Security, IT and IT Security, Legal, and Compliance operations to evolve our controls over the protection of sensitive data and systems. The group will focus on educating key business leaders about internal and external risks and assist them in identifying and protecting corporate assets.
- Use of a 24/7/365 managed security service provider to monitor our cyber environment and alert us of any suspicious activity
- Ongoing managed vulnerability scanning and patching through our vulnerability management program
- Targeted audits and penetration tests conducted throughout the year by internal and external entities
In 2021, we conducted quarterly threat hunts to identify potential threats and dubious patterns in our environment and completed SSL decryption to inspect encrypted traffic for security threats.
Training and Awareness
- IT security training provided at hiring and annually to all employees
- Ongoing training around “phishing,” with frequent changes and differing levels of difficulty to improve awareness; rewards for Unitherians who recognize and report phishing exercises
- Additional training for employees identified as high risk
- Collaborate with Enterprise Risk Management to ensure organizational business resilience
- Incident Response Program in place
- Disaster Recovery Program to identify critical business systems, real-time replication, and periodic recovery testing
- Cyber insurance coverage in place that covers data privacy and data security events
Identifying and Mitigating Cyber Risk
- Leverage the ISO 27005 model, COBIT, and COSO frameworks to manage cyber risk
- Ensure systems are built to comply, and remain in compliance, with regulatory requirements including SOX and GxP programs
United Therapeutics is not aware of any information security breaches during 2019, 2020, and 2021.
The Organizational Resilience (OR) Program is a central component of our risk management strategy and is an integrated framework designed to assess, mitigate, and respond to key operational risks throughout the enterprise. Our program provides a comprehensive approach that aims to reduce the impact of unplanned business disruptions and protect employee life and safety, critical business processes, and key applications and systems.
Under the OR Program umbrella, we have developed a comprehensive set of safety, security, and risk management plans, processes, and procedures to assess, mitigate, and respond to risks and recover from crises. These resources, and the dedicated Unitherians that execute and support OR, facilitate the rapid, efficient, and cost-effective recovery of our critical operations and enable us to react quickly, decisively, and cooperatively to any crisis or emergency.
The United Therapeutics OR framework includes four key components:
- Coordinate crisis response at the executive and site/facility level
- Continue critical business processes and functions during a disruption
- Protect and recover IT systems and applications
- Protect people and assets
Organizational Resilience is the ability of the organization to survive and prosper in the face of sudden disruptions or crises. The United Therapeutics Organizational Resilience Program:
- Promotes and enhances the safety and security of our employees, their families, physical assets, and the communities in which we operate.
- Enables United Therapeutics to continue, recover, and restore critical business processes and systems following a disruption.
- Safeguards the interests of our clients and the integrity and continuity of United Therapeutics operations.
- Protects United Therapeutics’ public reputation, shareholder value, and standing as an industry leader.
Environmental Health and Workplace Safety
United Therapeutics is a safe place to work. Our Environmental, Health, Safety, and Sustainability (EHSS) team oversees our environmental, health, workplace safety, and sustainability programs. We are committed to working with internal and external stakeholders to promote a culture of safety, focusing on environmental stewardship and sustainability, and to ensuring our global operations meet regulatory requirements and compliance obligations. We empower our people to promote a strong safety culture and build community trust.
Overview of our Safety Program
In 2021, our EHSS team selected an EHSS management system to effectively and efficiently engage our workforce, control risks, manage centralized sustainability reporting, and oversee key aspects of safety and health. We utilize project reviews, proactive engagement, industrial hygiene monitoring, compliance training, and medical surveillance to drive continuous improvement throughout our organization. Business leaders incorporate health and safety engineering practices in current processes and future projects. We also encourage employees at all levels to actively contribute to our positive safety culture by promoting employee participation on our safety-focused committees and other collaborative initiatives.
2021 Safety Focus Areas
People Empowerment + Safety Culture
As part of a broader safety outreach initiative with the goal of promoting a strong safety culture, EHSS established regular safety meetings with various groups. In 2021, EHSS worked with the Organ Manufacturing Group (OMG) in Manchester, NH to establish a site safety committee. The OMG Safety Committee consists of members representing individual contributors and site leadership. The OMG Safety Committee meets routinely to encourage, assess, and contribute to the positive safety culture.
Occupational Health and Safety
We had four work-related injuries, including one classified as an OSHA recordable, for our US operations in 2021. This resulted in a recordable injury incidence rate of 0.1 cases per 100 full-time workers, significantly below the incidence rate of 1.6 cases per 100 full-time workers in private industry.
In addition, we had one Notice of Violation for a self-reported wastewater discharge in April 2021 in RTP, representing 0.001 million gallons per day (MGD) over permitted average monthly flow values.
2021 SAFETY AND HEALTH INITIATIVES
Flammable Storage and Handling
Aligning with Business Strategy Site Expansion
The EHSS team aligns with our Corporate Real Estate department by collaborating with our design and construction project consultants to ensure new facilities are a safe place to work and meet EHSS regulatory, compliance, and sustainability obligations. EHSS team members were active on multiple projects across the enterprise.