
Risk management is a continuous process. The aim of risk management is to identify potential risks as early as possible in order to assess their impact on business and, if necessary, to take appropriate mitigating measures. The ability to identify, assess, and manage risks that put the achievement of our business goals at risk is an important element of solid corporate governance. The Fresenius risk management system (RMS) and internal control system (ICS) are therefore closely linked to its corporate strategy. They explicitly take into account all types of risk, including non-financial risks associated with our business activities or our business relationships, products, and services. In this context, sustainability-related risks are also taken into account in accordance with the GCGC.

We consider short-, medium-, and long-term risks. For example, we consider a period of 10 years and beyond when analyzing product development, investment and acquisition decisions.

Due to the constantly changing external and internal requirements and environment, our risk management and internal control system is being continuously developed. In the past fiscal year, for example, the risk management and internal control systems were linked even more closely. The completeness and validity of the risk information within our risk management approach was also strengthened by analyzing our risk-bearing capacity and our aggregated risk position.

The adequacy and effectiveness of our risk management and internal control system is audited by Internal Audit. The findings from these audits are used to continuously advance our risk management and internal control system.

The structure of the Fresenius risk management and internal control system is based on the internationally recognized framework for corporate risk management, the “Enterprise Risk Management ‒ Integrated Framework” from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and on the “Three Lines of Defense” model of the Institute of Internal Auditors (IIA). The “Three Lines of Defense” model distinguishes between three essential roles within the risk management and internal control system as well as within the general governance system: While the “First Line of Defense” acts as a direct, active participant in the risk management and internal control process, the “Second Line of Defense” at entity, segment, and Group level and the “Third Line of Defense” in the form of the Internal Audit function each represent an independent monitoring and quality assurance function in the Fresenius Group’s governance system. The “Second Line of Defense” also sets guidelines and minimum requirements for the Group. On the basis of these guidelines, Group-wide standards are established and documented for the risk management and internal control system.

In addition, the core principles of the risk culture and of the risk strategy are defined and integrated into the business processes.

The organization and responsibilities of the risk management process and process control are defined as follows:

  • The business segments and their operational business units are responsible for identifying, assessing, and managing risks.
  • The managers of each organizational unit are required to report any relevant changes in the risk profile to the Management Board without delay.
  • A dedicated Risk Management and ICS function at Group level defines standards valid for the entire Group and supports and monitors risk management and internal control system structures and processes. Specialized sub-departments have been set up within this Group function.
  • The Group function is supplemented by risk management functions at segment or entity level. The tasks and responsibilities between the different organizational levels are clearly defined and documented.
  • A Risk Steering Committee chaired by the Member of the Management Board for Risk Management is an advisory body that discusses internal and external developments regarding the risk management and internal control system. In addition, the Risk Steering Committee advises on significant risks and prepares decision proposals for the Fresenius Management Board. The Management Board of the Fresenius Group has the overall responsibility for effective risk management and regularly discusses the current risk situation. Within the Fresenius Group Management Board, the Member of the Management Board for Risk Management is responsible for the risk management and internal control system, as well as their organization.
  • The Supervisory Board’s Audit Committee monitors the effectiveness of the risk management and internal control system.


The risk situation is evaluated regularly and compared with specified requirements using standardized processes. If relevant changes to the risk profile or new risks arise between the regular reporting cycles, these are recorded and evaluated as part of the ad hoc reporting process. Should negative trends arise, we can then take countermeasures at an early stage.

In addition to risk reporting, regular financial reporting to management is an important tool for managing and controlling risks. Detailed monthly and quarterly reports are used to identify and analyze deviations of actual versus planned business development.

In addition, the risk management and internal control system includes organizational processes and safeguards, as well as internal controls and audits incorporated in our business processes, which help us to identify significant risks at an early stage and to counteract them.

Risk assessment and risk-bearing capacity

Fresenius uses standardized processes to assess risks. These include both quantitative and qualitative valuation methods. The assessment of a risk takes into account its likelihood of occurrence, its potential impact on our assets, liabilities, financial position and financial performance, and the time horizon. Fresenius assesses the potential impact on the results of operations consistently on the basis of the key figure EBIT. The risks are presented taking into account already initiated and implemented mitigating measures (net assessment of risks). Risks are evaluated for a period of 12 months in order to assess the impact of the risk situation on the one-year forecast for the Fresenius Group. In addition, potential risks with an impact on the medium- and long-term company goals are analyzed and estimated.

Fresenius categorizes the likelihood of occurrence of a risk as follows:

Probability | Classification
Almost certain | > 90%
Likely | > 50 to ≤ 90%
Possible | > 10 to ≤ 50%
Unlikely | ≤ 10%

The following overview shows how the potential impact on assets, liabilities, financial position and financial performance is classified:

Potential impact | Classification
Severe | Significant negative impact
Major | Considerable negative impact
Medium | Moderate negative impact
Low | Low negative impact

As part of this process, the potential impact on our assets, liabilities, financial position and financial performance is usually assessed on a three-point basis, namely the impact in the best-case, the realistic, and the worst-case scenario.

On the basis of the quantitative risk assessment, the overall risk position is determined at Group level by means of a Monte Carlo simulation. This involves taking correlations and dependencies between risks into account. The calculated overall risk position is compared to the Group’s risk-bearing capacity. The risk-bearing capacity represents the maximum acceptable level of risks beyond which the continued existence of the Fresenius Group could be at risk. Fresenius determines its risk-bearing capacity on the basis of selected key balance sheet figures, such as the liquidity reserve, and rating-related key figures of the Group, such as the leverage ratio. The overall risk position is fully covered by the risk-bearing capacity of the Fresenius Group.

Compliance management system as part of the risk management system

In all business segments and at Fresenius SE & Co. KGaA, we have set up dedicated risk-oriented compliance management systems. These are based on three pillars: prevention, detection and response. Our compliance measures are primarily aimed at using preventive measures to avoid compliance violations. Key preventive measures include comprehensive risk identification and risk assessment, appropriate and comprehensive policies and processes, regular training, and ongoing consultation. We also carry out internal controls to identify possible compliance violations and ensure that we act in accordance with the rules.

Internal control system as part of the risk management system¹

The internal control system is an important part of Fresenius’ risk management. In addition to internal controls with regard to the financial reporting, it includes control objectives for further critical processes, such as quality management and patient safety, cybersecurity and data protection, and sustainability. Fresenius has documented relevant critical control objectives in a Group-wide framework, integrating the various management systems into the internal control system in a holistic manner.

Overall responsibility for our ICS and RMS lies with the Management Board. The Group Risk Management & ICS organization supports the Management Board in designing and maintaining adequate and effective internal control and RMS activities by coordinating, monitoring and reporting these processes. Findings from this functional monitoring of the risk management and internal control system are addressed by appropriate measures.

At the end of each fiscal year, the Management Board performs an evaluation of the adequacy and effectiveness of the ICS and RMS. This evaluation is based on:

  • Quarterly reporting in Management Board meetings about the company-wide risk and opportunity situation and the results of the internal control process,
  • The review of certification processes by relevant Group Functions and the management of affiliated companies,
  • Annual assessment by the Group Risk Management & ICS organization about the adequacy and effectiveness of our ICS or RMS.

Based on this, the Management Board has no indication that our ICS or RMS in their respective entirety have not been adequate or effective as of December 31, 2023.

Nevertheless, there are inherent limitations on the effectiveness of any risk management and control system. For example, no management system – even if deemed to be adequate and effective – can guarantee that all risks that will occur will be identified in advance or that any process violations will be ruled out under all circumstances.

Prior to the preparation of the management report, the Audit Committee of the Supervisory Board engages with the assessment of the appropriateness and effectiveness of the RMS and ICS by the Management Board. The evaluation process and the results of the evaluation are explained to the Audit Committee by the Management Board and its questions are discussed with the Management Board.

1 Unaudited

Internal financial reporting controls

Fresenius employs numerous measures and internal controls to ensure that accounting processes are reliable and that financial reporting is correct, including the preparation of annual financial statements, consolidated financial statements, and management reports in compliance with applicable regulations and principles. Our four-tier reporting process especially promotes intensive discussion and ensures control of the financial results. At each reporting level, i.e.,

  • the local entity,
  • the region,
  • the business segment, and
  • the Group

financial data and key figures are reported, discussed, and compared with the prior-year figures, budget, and latest forecast on a monthly basis.

In addition, all parameters, assumptions, and estimates that are of relevance for the externally reported Group and segment results are discussed intensively with the department responsible for preparing the Group’s consolidated financial statements. These matters are also reviewed and discussed quarterly by the Supervisory Board’s Audit Committee.

Control mechanisms, such as automated and manual reconciliation processes, are further precautions put in place to ensure that financial reporting is reliable and that transactions are correctly accounted for. All consolidated entities report according to Group-wide standards, which are determined at the head office. These are regularly adjusted to allow for changes made to the accounting regulations. The consolidation proposals are supported by the IT system. In this context, internal Group balances, among other things, are reconciled in a comprehensive manner. To prevent abuse, we take care to maintain a strict separation of functions.

Monitoring and assessments carried out by management also help to ensure that risks with a direct impact on financial reporting are identified and that controls are in place to minimize them. Moreover, changes in accounting principles are closely monitored and employees involved in financial reporting are instructed regularly and comprehensively. External experts and specialists are engaged if necessary. The Treasury, Tax, Controlling, and Legal departments are involved in supporting the preparation of the financial statements. Finally, the information provided is verified once more by the department responsible for preparing the consolidated financial statements.


Fresenius SE & Co. KGaA
Investor Relations
+49 (0) 6172 608-2485