Fresenius risk management system
Risk management is a continuous process. The aim of risk management is to identify potential risks as early as possible in order to assess their impact on business and, if necessary, to take appropriate countermeasures. The ability to identify, assess, and manage risks that put the achievement of our business goals at risk is an important element of sound corporate governance. The Fresenius risk management and internal control system is therefore closely linked to its corporate strategy. It explicitly takes into account all types of risk, including non-financial risks associated with our business activities or our business relationships, products, and services. In the reporting period, for example, we analyzed potential non-financial risks in the areas of climate change and water shortages. In both areas, we identified no risks that threaten our business model.
We consider short-, medium-, and long-term risks. For example, we consider a period of 10 years and beyond when analyzing product development, investment and acquisition decisions. Opportunities are not recorded in the risk management system.
Due to the constantly changing external and internal requirements and environment, our risk management and internal control system is being continuously developed. In the past fiscal year, for example, the risk management and internal control systems were linked even more closely. The completeness and validity of the risk information within our risk management approach was also strengthened by applying a newly defined concept for analyzing our risk-bearing capacity and our aggregated risk position.
The Management Board is responsible for the quality and effectiveness of our risk management and internal control system. It is regularly monitored by the Supervisory Board’s Audit Committee as well as audited by the Internal Audit department. The findings from these audits are used to continuously advance our risk management and internal control system.
The structure of the Fresenius risk management and internal control system is based on the internationally recognized framework for corporate risk management, the “Enterprise Risk Management ‒ Integrated Framework” from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and on the “Three Lines of Defense” model of the Institute of Internal Auditors (IIA). The “Three Lines of Defense” model distinguishes between three essential roles within the risk management and internal control system as well as within the general governance system: While the “First Line of Defense” acts as a direct, active participant in the risk management and internal control process, the “Second Line of Defense” at entity, segment, and Group level and the “Third Line of Defense” in the form of the Internal Audit function each represent an independent monitoring and quality assurance function in the Fresenius Group’s governance system. The “Second Line of Defense” also sets guidelines and minimum requirements for the Group. On the basis of these guidelines, Group-wide standards are established and documented for the risk management and internal control system.
In addition, the core principles of the risk culture and of the risk strategy are defined and integrated into the business processes.
The organization and responsibilities of the risk management process and process control are defined as follows:
- The business segments and their operational business units are responsible for identifying, assessing, and managing risks.
- The managers of each organizational unit are required to report any relevant changes in the risk profile to the Management Board without delay.
- A dedicated Risk Management function at Group level defines standards valid for the entire Group and supports and monitors risk management and internal control system structures and processes. Specialized sub-departments have been set up within this Group function.
- The Group function is supplemented by risk management functions at segment or entity level. The tasks and responsibilities between the different organizational levels are clearly defined and documented.
- A Risk Steering Committee chaired by the Member of the Management Board for Human Resources (Labor Relations Director), Risk Management, and Legal is an advisory body that discusses internal and external developments regarding the risk management and internal control system. In addition, the Risk Steering Committee advises on significant risks and prepares decision proposals for the Fresenius Management Board. The Management Board of the Fresenius Group has the overall responsibility for effective risk management and regularly discusses the current risk situation. Within the Fresenius Group Management Board, the Member of the Management Board for Human Resources (Labor Relations Director), Risk Management, and Legal is responsible for the risk management and internal control system, as well as their organization.
- The Supervisory Board’s Audit Committee monitors the quality and effectiveness of the risk management and internal control system.
Organization of the risk management process
The risk situation is evaluated regularly and compared with specified requirements using standardized processes. If relevant changes to the risk profile or new risks arise between the regular reporting cycles, these are recorded and evaluated as part of the ad hoc reporting process.
Should negative trends arise, we can then take countermeasures at an early stage.
In addition to risk reporting, regular financial reporting to management is an important tool for managing and controlling risks. Detailed monthly and quarterly reports are used to identify and analyze deviations of actual versus planned business development. In addition, the risk management and internal control system includes organizational processes and safeguards, as well as internal controls and audits incorporated in our business processes, which help us to identify significant risks at an early stage and to counteract them.
Risk assessment and capacity to bear risk
Fresenius uses standardized processes to assess risks. These include both quantitative and qualitative valuation methods. The assessment of a risk takes into account its likelihood of occurrence, its potential impact on our business, financial position, and operational result, and the time horizon. Fresenius assesses the potential impact on the results of operations on the basis of the key figure EBIT-at-risk. The risks are presented taking into account already initiated and implemented countermeasures (net assessment of risks). Risks are evaluated for a period of 12 months in order to assess the impact of the risk situation on the one-year forecast for the Fresenius Group. In addition, potential risks with an impact on the medium-term plan are analyzed and estimated.
Fresenius categorizes the likelihood of occurrence of a risk as follows:
| Classification | Likelihood of occurrence |
|---|---|
| Almost certain | ≥ 90% |
| Probable | ≥ 50 to < 90% |
| Possible | ≥ 10 to < 50% |
The following overview shows how the potential impact on our business, financial position, and operational result is classified:
| Classification | Potential impact |
|---|---|
| Severe | Significant negative impact |
| Significant | Considerable negative impact |
| Moderate | Moderate negative impact |
| Low | Low negative impact |
As part of this process, the potential impact on our business, financial position, and operational result is usually assessed on a three-point basis, namely the impact in the best-case, the realistic, and the worst-case scenario.
The risk matrix in the section Assessment of overall risk shows the significant risks that could lead to deviations from the expected business performance within the one-year forecast period. Since the past fiscal year, significant risks have been categorized within this four-tier risk matrix taking into account the likelihood of occurrence and the potential impact on our business, financial position, and operational result.
On the basis of the quantitative risk assessment, the overall risk position is determined at Group level by means of a Monte Carlo simulation. This involves taking correlations and dependencies between risks into account. The calculated overall risk position is compared to the Group’s risk-bearing capacity. The risk-bearing capacity represents the maximum acceptable level of risks beyond which the continued existence of the Fresenius Group could be jeopardized. Fresenius determines its risk-bearing capacity on the basis of selected key balance sheet figures, such as the liquidity reserve, and rating-related key figures of the Group, such as the leverage ratio. The overall risk position is fully covered by the risk-bearing capacity of the Fresenius Group.
Internal control system as part of the risk management system
The internal control system is an important part of Fresenius’ risk management. In addition to internal controls with regard to the financial reporting, it includes control objectives for further critical processes, such as quality management and patient safety, cybersecurity and data protection, and sustainability. Fresenius has documented relevant critical control objectives in a Group-wide framework, integrating the various management systems into the internal control system in a holistic manner.
The risk management and internal control system is regularly reviewed by the Management Board, the Supervisory Board’s Audit Committee, and the Internal Audit department. Moreover, the external auditor reviews whether the monitoring system set up by the Management Board is suitable for the early identification of risks that would jeopardize the continued existence of the Company.
Fresenius has ensured that the organizational structure and systems for identifying, assessing, and controlling risks, and for developing countermeasures, are designed appropriately and that they are properly functional. However, there can be no absolute certainty that this will enable us to fully identify and manage all risks.
Internal financial reporting controls
Fresenius employs numerous measures and internal controls to ensure that accounting processes are reliable and that financial reporting is correct, including the preparation of annual financial statements, consolidated financial statements, and management reports in compliance with applicable regulations and principles. Our four-tier reporting process especially promotes intensive discussion and ensures control of the financial results. At each reporting level, i.e.,
- the local entity,
- the region,
- the business segment, and
- the Group,
financial data and key figures are reported, discussed, and compared with the prior-year figures, budget, and latest forecast on a monthly basis.
In addition, all parameters, assumptions, and estimates that are of relevance for the externally reported Group and segment results are discussed intensively with the department responsible for preparing the Group’s consolidated financial statements. These matters are also reviewed and discussed quarterly by the Supervisory Board’s Audit Committee.
Control mechanisms, such as automated and manual reconciliation processes, are further precautions put in place to ensure that financial reporting is reliable and that transactions are correctly accounted for. All consolidated entities report according to Group-wide standards, which are determined at the head office. These are regularly adjusted to allow for changes made to the accounting regulations. The consolidation proposals are supported by the IT system. In this context, internal Group balances, among other things, are reconciled in a comprehensive manner. To prevent abuse, we take care to maintain a strict separation of functions. Monitoring and assessments carried out by management also help to ensure that risks with a direct impact on financial reporting are identified and that controls are in place to minimize them. Moreover, changes in accounting principles are closely monitored and employees involved in financial reporting are instructed regularly and comprehensively. External experts and specialists are engaged if necessary. The Treasury, Tax, Controlling, and Legal departments are involved in supporting the preparation of the financial statements. Finally, the information provided is verified once more by the department responsible for preparing the consolidated financial statements.
Fresenius Medical Care is also subject to the controls of Section 404 of the Sarbanes-Oxley Act.