Risk assessment and capacity to bear risk
Fresenius uses standardized processes to assess risks. These include both quantitative and qualitative valuation methods. The assessment of a risk takes into account its likelihood of occurrence, its potential impact on our business, financial position, and operational result, and the time horizon. Fresenius assesses the potential impact on the results of operations on the basis of the key figure EBIT-at-risk. The risks are presented taking into account already initiated and implemented countermeasures (net assessment of risks). Risks are evaluated for a period of 12 months in order to assess the impact of the risk situation on the one-year forecast for the Fresenius Group. In addition, potential risks with an impact on the long-term company goals are analyzed and estimated.
Fresenius categorizes the likelihood of occurrence of a risk as follows:
| Category | Likelihood of occurrence |
|---|---|
| Almost certain | ≥ 90% |
| Likely | ≥ 50 to < 90% |
| Possible | ≥ 10 to < 50% |
The following overview shows how the potential impact on our business, financial position, and operational result is classified:
| Classification | Potential impact |
|---|---|
| Severe | Significant negative impact |
| Major | Considerable negative impact |
| Medium | Moderate negative impact |
| Low | Low negative impact |
As part of this process, the potential impact on our business, financial position, and operational result is usually assessed on a three-point basis, namely the impact in the best-case, the realistic, and the worst-case scenario.
On the basis of the quantitative risk assessment, the overall risk position is determined at Group level by means of a Monte Carlo simulation. This involves taking correlations and dependencies between risks into account. The calculated overall risk position is compared to the Group’s risk-bearing capacity. The risk-bearing capacity represents the maximum acceptable level of risks beyond which the continued existence of the Fresenius Group could be jeopardized. Fresenius determines its risk-bearing capacity on the basis of selected key balance sheet figures, such as the liquidity reserve, and rating-related key figures of the Group, such as the leverage ratio. The overall risk position is fully covered by the risk-bearing capacity of the Fresenius Group.
Compliance management system as part of the risk management system
In all business segments and at Fresenius SE & Co. KGaA, we have set up dedicated risk-oriented compliance management systems. These are based on three pillars: prevention, detection and response. Our compliance measures are primarily aimed at using preventive measures to avoid compliance violations. Key preventive measures include comprehensive risk identification and risk assessment, appropriate and comprehensive policies and processes, regular training, and ongoing consultation. We also carry out internal controls to identify possible compliance violations and ensure that we act in accordance with the rules.
Internal control system as part of the risk management system
The internal control system is an important part of Fresenius’ risk management. In addition to internal controls with regard to financial reporting, it includes control objectives for further critical processes, such as quality management and patient safety, cybersecurity and data protection, and sustainability. Fresenius has documented relevant critical control objectives in a Group-wide framework, integrating the various management systems into the internal control system in a holistic manner.
The risk management and internal control system is regularly reviewed by the Management Board, the Supervisory Board’s Audit Committee, and the Internal Audit department. Moreover, the external auditor reviews whether the monitoring system set up by the Management Board is suitable for the early identification of risks that would jeopardize the continued existence of the Company.
Based on this, the Management Board has no indication that our risk management and internal control system, in their respective wholes, have not been adequate or effective as of December 31, 2022.
Nevertheless, there are inherent limitations on the effectiveness of any risk management and internal control system. For example, no system, even if deemed to be adequate and effective, can guarantee that all risks that will actually occur will be identified and managed in advance or that any process violations will be ruled out under all circumstances.
Internal financial reporting controls
Fresenius employs numerous measures and internal controls to ensure that accounting processes are reliable and that financial reporting is correct, including the preparation of annual financial statements, consolidated financial statements, and management reports in compliance with applicable regulations and principles. Our four-tier reporting process especially promotes intensive discussion and ensures control of the financial results. At each reporting level, i.e.,
- the local entity,
- the region,
- the business segment, and
- the Group,
financial data and key figures are reported, discussed, and compared with the prior-year figures, budget, and latest forecast on a monthly basis.
In addition, all parameters, assumptions, and estimates that are of relevance for the externally reported Group and segment results are discussed intensively with the department responsible for preparing the Group’s consolidated financial statements. These matters are also reviewed and discussed quarterly by the Supervisory Board’s Audit Committee.
Control mechanisms, such as automated and manual reconciliation processes, are further precautions put in place to ensure that financial reporting is reliable and that transactions are correctly accounted for. All consolidated entities report according to Group-wide standards, which are determined at the head office. These are regularly adjusted to allow for changes made to the accounting regulations. The consolidation proposals are supported by the IT system. In this context, internal Group balances, among other things, are reconciled in a comprehensive manner. To prevent abuse, we take care to maintain a strict separation of functions. Monitoring and assessments carried out by management also help to ensure that risks with a direct impact on financial reporting are identified and that controls are in place to minimize them. Moreover, changes in accounting principles are closely monitored and employees involved in financial reporting are instructed regularly and comprehensively. External experts and specialists are engaged if necessary. The Treasury, Tax, Controlling, and Legal departments are involved in supporting the preparation of the financial statements. Finally, the information provided is verified once more by the department responsible for preparing the consolidated financial statements.
Fresenius Medical Care is also subject to the controls of Section 404 of the Sarbanes-Oxley Act.