Key characteristics of the Fresenius risk management and internal control system
Risk management is a continuous process. The aim of risk management is to identify potential risks as early as possible, to assess their impact on our business and, if necessary, to take appropriate mitigating measures. The ability to identify, assess, and manage risks that put the achievement of our business goals at risk is an important element of solid corporate governance. The Fresenius risk management and internal control system is therefore closely linked to its corporate strategy. It explicitly considers all types of risk, including non-financial risks associated with our business activities or our business relationships, products, and services. In this context, sustainability-related risks are also considered in accordance with the German Corporate Governance Code.
We consider short-, medium-, and long-term risks. For example, we consider a period of ten years and beyond when analyzing product development, investment and acquisition decisions.
Due to the constantly changing external and internal requirements and environment, our risk management and internal control system is being continuously developed. In the past financial year, the risk strategy was updated, and the risk appetite concept was further operationalized. In addition, in 2024 the Management Board engaged an external auditor to audit the risk management system and the internal control system for appropriateness and effectiveness in accordance with auditing standards PS 981 and PS 982 to further improve our systems. Recommendations from these audits are directly taken into account in the further development of the risk management system (RMS) and internal control system (ICS).
Our risk management and internal control system is regularly audited by the Internal Audit department. The findings from these audits are used to continuously improve our risk management and internal control system.
The structure of the Fresenius risk management and internal control system is based on the internationally recognized framework for corporate risk management, the “Enterprise Risk Management – Integrated Framework” from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and on the “Three Lines of Defense” model from the Institute of Internal Auditors (IIA) as well as on requirements set by applicable audit standards. Based on those requirements, the Group function Risk Management & Internal Controls sets guidelines and minimum requirements for the Group. Based on these guidelines, group-wide standards are established and documented for the risk management and internal control system.
In addition, the core principles of the risk culture and of the risk strategy and risk appetite are defined and integrated into the business processes.
The organization and responsibilities of the risk management process and process control are defined as follows:
- The business segments and their operational business units are responsible for identifying, assessing, and managing risks.
- The managers of each organizational unit are required to report any relevant changes in the risk profile to the Management Board without delay.
- A dedicated Risk Management function at Group level defines standards valid for the entire Group and supports and monitors risk management and internal control system structures and processes. Specialized sub-departments have been set up within this Group function.
- The Group function is supplemented by risk management functions at segment or entity level. The tasks and responsibilities between the different organizational levels are clearly defined and documented.
- The Risk Steering Committee, chaired by the member of the Management Board for Risk Management, is an advisory body that discusses internal and external developments regarding the risk management and internal control system. In addition, the Risk Steering Committee advises on significant risks and test results of internal controls, and prepares decision proposals for the Fresenius Management Board.
- The Management Board of the Fresenius Group has the overall responsibility for effective risk management and regularly discusses the current risk situation. Within the Fresenius Group Management Board, the member of the Management Board for Risk Management is responsible for the risk management and internal control system, as well as their organization.
- The Audit Committee of the Supervisory Board monitors whether the Management Board fulfills its obligations to establish an appropriate and effective internal control system and risk management system, has their effectiveness regularly monitored by the internal audit department and appropriately remedies any weaknesses identified. If necessary, it also consults an external body (e.g., an external auditing company) for monitoring purposes.
The risk situation is evaluated regularly via a company-wide IT tool and compared with specified requirements. If relevant changes to the risk profile or new risks arise between the regular reporting cycles, these are recorded and evaluated as part of the ad hoc reporting process. Should negative trends arise, we can then take countermeasures at an early stage.
In addition to risk reporting, regular financial reporting to management as well as short- and medium-term financial planning are important tools for managing and controlling risks. Detailed monthly and quarterly reports are used to identify and analyze deviations of actual versus planned business development.
Organization of the Risk Management process
Risk assessment and risk-bearing capacity
Fresenius uses standardized processes to assess risks. These include both quantitative and qualitative valuation methods. The assessment of a risk considers its likelihood of occurrence, its potential impact on our assets, liabilities, financial position and financial performance, and the time horizon. Fresenius assesses the potential impact on the results of operations consistently based on the key figure EBIT. The risks are presented after consideration, description, and evaluation of already initiated and implemented mitigating measures. Risks are evaluated for a period of twelve months to assess the impact of the risk situation on the one-year forecast for the Fresenius Group. In addition, potential risks with an impact on the medium- and long-term company goals are analyzed and estimated.
Fresenius categorizes the likelihood of occurrence of a risk as follows:
Probability | Classification |
---|---|
Almost certain | > 90% |
Likely | > 50 to ≤ 90% |
Possible | > 10 to ≤ 50% |
Unlikely | ≤ 10% |
The following overview shows how the potential impact on assets, liabilities, financial position and financial performance is classified:
Potential impact | Classification |
---|---|
Severe | ≥ EUR 75 million |
Major | ≥ EUR 50 million |
Medium | ≥ EUR 15 million |
Low | ≥ EUR 5 million |
As part of this process, the potential impact on our assets, liabilities, financial position and financial performance is usually assessed on a three-point basis, being the impact in the best-case, the realistic-case, and the worst-case scenario.
Risk groups that could lead to deviations from the expected development of the business are displayed in the table of the top 10 risk groups.
Based on the quantitative risk assessment, the overall aggregated risk position is determined at Group level by means of a Monte-Carlo Simulation. This involves taking correlations and dependencies between risks into account. The calculated overall aggregated risk position is compared to the Group’s risk-bearing capacity. The risk-bearing capacity represents the maximum acceptable level of risk exposure beyond which the continued existence of the Fresenius Group could be at risk. Fresenius determines its risk-bearing capacity based on selected key balance sheet figures, such as the liquidity reserve, and rating-related key figures of the Group, such as the leverage ratio.
Opportunities management
Managing opportunities is an ongoing, integral part of corporate activity. To be successful over the long term, we consolidate and improve on what we have already achieved and create new opportunities. The Fresenius Group and its business segments are organized and managed in a way that enables us to identify and analyze trends, requirements, and opportunities in our often-fragmented markets, and to focus our actions accordingly.
Opportunities in the sense of our risk management are positive deviations with regard to our corporate goals that have not yet been taken into account in the annual financial statements or financial planning. These opportunities in the sense described above are also systematically recorded in our risk management system. We continue to see steadily growing demand for our products, services and therapies worldwide. This is not least due to the growing need for healthcare services resulting from the ageing population with their increasing need for comprehensive care and technical progress worldwide.
We also want to take advantage of the opportunities presented by our global position: Access to healthcare in developing and emerging countries will continue to improve and, over time, efficient healthcare systems with appropriate remuneration structures will develop. We are continuously reviewing our growth options here and looking for opportunities to introduce further products into attractive markets.
The market for biopharmaceutical drugs represents a further opportunity. We expect high growth rates here in the coming years. We assume that our pipeline of molecules, our stake in mAbxience and our positioning in the market will increase our earnings in the coming years.
We expect the trend towards digitalization in the healthcare sector to become even more important. The degree of digitalization will be increasingly crucial for the future viability of a hospital. Networking and the use of digital solutions create new opportunities to make processes more efficient and safer and thus to break new ground in patient care. We will continue to make consistent use of these opportunities, for example in the establishment and operation of “virtual hospitals” and the consistent use of the possibilities that artificial intelligence offers us.
The continued positive development of our cost and efficiency programs, resulting from process optimization, the reduction of sales, administration, and procurement costs, as well as further digitalization measures, would have a positive impact on our assets, liabilities, financial position and financial performance. We monitor and manage these programs and the associated developments centrally at Group level. Furthermore, we expect an additional positive development due to the normalization of general cost inflation.
Compliance Management System as part of the Risk Management System
In all business segments and at Fresenius SE & Co. KGaA, we have set up dedicated risk-oriented compliance management systems. These are based on three pillars: prevention, detection and response. Our compliance measures are primarily aimed at using preventive measures to avoid compliance violations. Key preventive measures include comprehensive risk identification and risk assessment, appropriate and comprehensive policies and processes, regular training, and ongoing consultation. We also carry out internal controls to identify possible compliance violations and ensure that we act in accordance with the rules. For additional information about our Compliance Management System, we refer to section Compliance.
Internal Control System as part of the Risk Management System
The internal control system is an important part of Fresenius’ risk management. In addition to internal controls with regard to the financial reporting, it includes control objectives for further critical processes, such as quality management and patient safety, cybersecurity and data protection, and sustainability. Fresenius has documented relevant critical control objectives in a Group-wide framework, integrating the various management systems into the internal control system in a holistic manner. As risk-mitigating measures, internal controls are a key component of risk management. In addition, weaknesses in the internal control system can indicate risks, which are then recorded and evaluated in risk management.
Internal Financial Reporting Controls
Fresenius employs numerous measures and internal controls to ensure that accounting processes are reliable, and that financial reporting is correct, including the preparation of annual financial statements, consolidated financial statements, and management reports in compliance with applicable regulations and principles. Our four-tier reporting process especially promotes intensive discussion and ensures control of the financial results. At each reporting level, i.e.,
- the local entity,
- the region,
- the business segment, and
- the Group
financial data and key figures are reported, discussed, and compared with the prior-year figures, budget, and latest forecast on a monthly basis.
In addition, all parameters, assumptions, and estimates that are of relevance for the externally reported Group and segment results are discussed intensively with the department responsible for preparing the Group’s consolidated financial statements. These matters are also reviewed and discussed quarterly by the Supervisory Board’s Audit Committee.
Control mechanisms, such as automated and manual reconciliation processes, are further precautions put in place to ensure that financial reporting is reliable and that transactions are correctly accounted for. All consolidated entities report according to Group-wide standards, which are determined at the head office. These are regularly adjusted to allow for changes made to the accounting regulations. The consolidation proposals are supported by the IT system. In this context, internal Group balances, among other things, are reconciled in a comprehensive manner. To prevent abuse, we take care to maintain a strict separation of functions.
Monitoring and assessments carried out by management also help to ensure that risks with a direct impact on financial reporting are identified and that controls are in place to minimize them.
Moreover, changes in accounting principles are closely monitored and employees involved in financial reporting are instructed regularly and comprehensively. External experts and specialists are engaged if necessary. The treasury, tax, controlling, and legal departments are involved in supporting the preparation of the financial statements. Finally, the information provided is verified once more by the department responsible for preparing the consolidated financial statements.
Assessment of the aggregated risk position for the one-year forecast period and the overall aggregated risk position
The established risk management and internal control system is fundamental to the assessment of the aggregated risk position for the one-year forecast period and the assessment of the Fresenius Group’s overall aggregated risk position. Risks for Fresenius arise from factors that we cannot influence directly. These include, for example, the general economic trend, which we analyze regularly. In addition, there are risks that we can influence directly, mostly of an operational nature, which we anticipate as early as possible and against which we initiate measures if necessary.
Overall, there are currently no identifiable risks to the future development of Fresenius that could have a lasting and material adverse effect on the assets, liabilities, financial position and financial performance of the Fresenius Group.
The aggregated risk position for the one-year forecast period is fully covered by the Fresenius Group’s risk-bearing capacity. In order to be informed of possible changes in the risk situation at an early stage and to be able to take appropriate risk-mitigating measures, we have introduced further observation limits below the risk-bearing capacity. To this end, we have included risk appetite and risk tolerance in our risk-bearing capacity approach. The aggregated risk position for the one-year forecast period is also fully covered with regard to these limits. The overall aggregated risk position for all reported periods, including those beyond the one-year forecast period, is also fully covered by the Fresenius Group’s risk-bearing capacity.
Statement of the Management Board on the appropriateness and effectiveness of the RMS and ICS
Overall responsibility for our RMS and ICS lies with the Management Board. The Group Risk Management & Internal Controls organization supports the Management Board in designing and maintaining appropriate and effective internal control and risk management activities by coordinating, monitoring and reporting on these processes. Findings from this functional monitoring of the risk management and internal control system are addressed through appropriate measures.
At the end of each fiscal year, the Management Board performs an evaluation of the adequacy and effectiveness of the ICS and RMS. This evaluation is based on:
- quarterly reporting in Management Board meetings about the company-wide risk and opportunity situation and the results of the internal control process;
- the review of certification processes for our risk management and internal control system by relevant Group functions and the management of affiliated companies;
- the assessment of the appropriateness and effectiveness of our RMS and ICS by Internal Audit based on the audits carried out in this reporting period;
- the annual assessment by the Group Risk Management & Internal Controls organization regarding the adequacy and effectiveness of our RMS or ICS;
- the results of the adequacy audit of the internal audit system and the risk management system as of December 31, 2024.
Based on this, the Management Board has no indication that our RMS or ICS in their respective entirety have not been adequate or effective as of December 31, 2024.¹
Nevertheless, there are inherent limitations on the effectiveness of any risk management and internal control system. For example, no management system – even if deemed to be adequate and effective – can guarantee that all risks that will occur will be identified in advance or that any process violations will be ruled out under all circumstances.
Prior to the preparation of the management report, the Audit Committee of the Supervisory Board also engages with the Management Board’s statement on the appropriateness and effectiveness of the risk management system and internal control system. The Audit Committee asks the Management Board to explain how it has derived its opinion and discusses the procedure with the Management Board.
¹ Unaudited