Significant characteristics of the Fresenius risk management system and entire internal control system

Risk management is a continuous process. The aim of risk management is to identify potential risks as early as possible in order to assess their impact on business and, if necessary, to take appropriate countermeasures. The ability to identify, assess, and manage risks that put the achievement of our business goals at risk is an important element of sound corporate governance. The Fresenius risk management and internal control system is therefore closely linked to its corporate strategy. It explicitly takes into account all types of risk, including non-financial risks associated with our business activities or our business relationships, products, and services. In the reporting period, for example, we analyzed potential non-financial risks in the areas of climate change and water shortages. In both areas we identified no risks threatening to our business model.

We consider short-, medium-, and long-term risks. For example, we consider a period of 10 years and beyond when analyzing product development, investment and acquisition decisions.

Due to the constantly changing external and internal requirements and environment, our risk management and internal control system is being continuously developed. In the past fiscal year, for example, the risk management and internal control systems were linked even more closely. The completeness and validity of the risk information within our risk management approach was also strengthened by analyzing our risk-bearing capacity and our aggregated risk position.

The Management Board is responsible for the quality and effectiveness of our risk management and internal control system. It is regularly monitored by the Supervisory Board’s Audit Committee as well as audited by the Internal Audit department. The findings from these audits are used to continuously advance our risk management and internal control system.

The structure of the Fresenius risk management and internal control system is based on the internationally recognized framework for corporate risk management, the “Enterprise Risk Management ‒ Integrated Framework” from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and on the “Three Lines of Defense” model of the Institute of Internal Auditors (IAA). The “Three Lines of Defense” model distinguishes between three essential roles within the risk management and internal control system as well as within the general governance system: While the “First Line of Defense” acts as a direct, active participant in the risk management and internal control process, the “Second Line of Defense” at entity, segment, and Group level and the “Third Line of Defense” in the form of the Internal Audit function each represent an independent monitoring and quality assurance function in the Fresenius Group’s governance system. The “Second Line of Defense” also sets guidelines and minimum requirements for the Group. On the basis of these guidelines, Group-wide standards are established and documented for the risk management and internal control system.

In addition, the core principles of the risk culture and of the risk strategy are defined and integrated into the business processes.

The organization and responsibilities of the risk management process and process control are defined as follows:

• The business segments and their operational business units are responsible for identifying, assessing, and managing risks.

• The managers of each organizational unit are required to report any relevant changes in the risk profile to the Management Board without delay.

• A dedicated Risk Management function at Group level defines standards valid for the entire Group and supports and monitors risk management and internal control system structures and processes. Specialized sub-departments have been set up within this Group function.

• The Group function is supplemented by risk management functions at segment or entity level. The tasks and responsibilities between the different organizational levels are clearly defined and documented.

• A Risk Steering Committee chaired by the Member of the Management Board for Human Resources (Labor Relations Director), Risk Management, and Legal, is an advisory body that discusses internal and external developments regarding the risk management and internal control system. In addition, the Risk Steering Committee advises on significant risks and prepares decision proposals for the Fresenius Management Board. The Management Board of the Fresenius Group has the overall responsibility for effective risk management and regularly discusses the current risk situation. Within the Fresenius Group Management Board, the Member of the Management Board for Human Resources (Labor Relations Director), Risk Management, and Legal, is responsible for the risk management and internal control system, as well as their organization.

• The Supervisory Board’s Audit Committee monitors the quality and effectiveness of the risk management and internal control system.

The risk situation is evaluated regularly and compared with specified requirements using standardized processes. If relevant changes to the risk profile or new risks arise between the regular reporting cycles, these are recorded and evaluated as part of ad hoc reporting process. Should negative trends arise, we can then take countermeasures at an early stage.

In addition to risk reporting, regular financial reporting to management is an important tool for managing and controlling risks. Detailed monthly and quarterly reports are used to identify and analyze deviations of actual versus planned business development.

In addition, the risk management and internal control system includes organizational processes and safeguards, as well as internal controls and audits incorporated in our business processes, which help us to identify significant risks at an early stage and to counteract them.