Annual Report 2025

Key characteristics of the Fresenius risk management and internal control system

Risk management is a continuous process. The aim of risk management is to identify potential risks as early as possible to assess their impact on business activities and, if necessary, to take appropriate mitigating measures. The ability to identify, assess, and manage risks that put the achievement of our business goals at risk is an important element of solid corporate governance. The Fresenius risk management and internal control system is therefore closely linked to its corporate strategy. It explicitly considers all types of risks, including non-financial risks associated with our business activities or our business relationships, products, and services. In this context, sustainability-related risks are also considered in accordance with the German Corporate Governance Code.

We consider short-, medium-, and long-term risks. For example, we consider a period of 10 years and beyond when analyzing product development, investment, and acquisition decisions.

Due to the constantly changing external and internal requirements and environment, our risk management and internal control system is being continuously developed. In 2025, among other topics, the risk strategy was updated, and the risk appetite statement was further operationalized. Additionally, in 2024 the Management Board commissioned audits of the risk management system (RMS), the compliance management system (CMS), and the internal control system (ICS) to assess their adequacy and effectiveness in accordance with auditing standards PS 981, PS 980, and PS 982, in order to further improve our management systems. Recommendations from these audits have been, and will be, taken into account in the ongoing development of the risk management system, the compliance management system, and the internal control system.

Our risk management and internal control system is regularly audited by the Internal Audit department. The findings from these audits are additionally used to continuously improve our risk management and internal control system.

The structure of the Fresenius risk management and internal control system is based on the internationally recognized framework for corporate risk management, the “Enterprise Risk Management – Integrated Framework” from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and on the “Three Lines of Defense” model from the Institute of Internal Auditors (IIA), as well as on requirements set by applicable audit standards. Based on those requirements, the Group function Risk Management & Internal Controls sets guidelines and minimum requirements for the Group. Based on these guidelines, group-wide standards are established and documented for the risk management and internal control system.

In addition, the core principles of the risk culture and of the risk strategy and risk appetite are defined and integrated into the business processes.

The organization and responsibilities of the risk management process and process control are defined as follows:

  • The business segments and their operational business units are responsible for identifying, assessing, and managing risks.

  • The managers of each organizational unit are required to report any relevant changes in the risk profile to the Management Board without delay.

  • A dedicated Risk Management function at Group level defines standards valid for the entire Group and supports and monitors risk management and internal control system structures and processes. Specialized sub-departments have been set up within this Group function.

  • The Group function is supplemented by risk management functions at business or entity level. The tasks and responsibilities between the different organizational levels are clearly defined and documented.

  • The Risk Steering Committee chaired by the member of the Management Board for Risk Management is an advisory body that discusses internal and external developments regarding the risk management and internal control system. In addition, the Risk Steering Committee advises on significant risks and test results of internal controls, and prepares decision proposals for the Fresenius Management Board.

  • The Management Board of the Fresenius Group has the overall responsibility for effective risk management and regularly discusses the current risk situation. Within the Fresenius Group Management Board, the member of the Management Board for Risk Management is responsible for the risk management and internal control system, as well as their organization.

  • The Audit Committee of the Supervisory Board monitors whether the Management Board fulfills its obligations to establish an adequate and effective internal control system and risk management system, has their effectiveness regularly monitored by the Internal Audit department, and appropriately remedies any weaknesses identified. If necessary, it also consults an external body (e.g., an external auditing company) for monitoring purposes.

The risk situation is evaluated regularly via a company-wide IT tool and compared with specified requirements. If relevant changes to the risk profile or new risks arise between the regular reporting cycles, these are recorded and evaluated as part of the ad hoc reporting process. Should negative trends arise, we can then take countermeasures at an early stage.

In addition to risk reporting, regular financial reporting to management as well as short- and medium-term financial planning are important tools for managing and controlling risks. Detailed monthly and quarterly reports are used to identify and analyze deviations of actual versus planned business development.

Organization of the Risk Management process

Organization of the risk management process (Graphic)

Risk assessment and risk-bearing capacity

Fresenius uses standardized processes to assess risks. These include both quantitative and qualitative evaluation methods. The assessment of a risk considers its likelihood of occurrence, its potential impact on assets, liabilities, financial position, and financial performance, and the time horizon. The potential impact on the results of operations is consistently based on the key figure EBIT. The risks are presented after consideration, description, and evaluation of already initiated and implemented mitigating measures. Risks are evaluated for a period of 12 months to assess the impact of the risk situation on the 1-year forecast for the Fresenius Group. In addition, potential risks with an impact on the medium- and long-term company goals are analyzed and estimated.

Fresenius categorizes the likelihood of occurrence of a risk as follows:

Risk assessment – Likelihood of occurrence of a risk

Probability       Classification
Almost certain    > 90% to 100%
Likely            > 50% to ≤ 90%
Possible          > 10% to ≤ 50%
Unlikely          > 0% to ≤ 10%

The following overview shows how the potential impact on assets, liabilities, financial position, and financial performance is classified:

Risk assessment – Potential impact of risks

Potential impact    Classification
Severe              ≥ €75 million
Major               ≥ €50 million
Medium              ≥ €15 million
Low                 ≥ €5 million

As part of this process, the potential impact on our assets, liabilities, financial position, and financial performance is usually assessed on a three-point basis: the impact in the best-case, the realistic-case, and the worst-case scenario.

Risk groups that could lead to deviations from the expected development of the business are displayed in the table of the top 10 risk groups in the major risk groups section.

Based on the quantitative risk assessment, the overall aggregated risk position is determined at Group level by means of a Monte-Carlo simulation. This involves taking correlations and dependencies between risks into account. The calculated aggregated risk position for the one-year forecast period is compared to the Group’s risk-bearing capacity. The risk-bearing capacity represents the maximum acceptable level of risk exposure beyond which the continued existence of the Fresenius Group could be at risk. Fresenius determines its risk-bearing capacity based on selected key balance sheet figures, such as the liquidity reserve, and rating-related key figures of the Group, such as the leverage ratio.

Opportunities management

Managing opportunities is an ongoing, integral part of corporate activity. To be successful over the long term, we consolidate and improve on what we have already achieved and create new opportunities. The Fresenius Group and its business segments are organized and managed in a way that enables them to identify and analyze trends, requirements, and opportunities in often-fragmented markets, and to focus their actions accordingly.

Opportunities in the sense of risk management are positive deviations with regard to the corporate goals that have not yet been taken into account in the annual financial statements or financial planning. These opportunities in the sense described above are also systematically recorded as part of the risk management system. The Fresenius Group continues to see steadily growing demand for its products, services, and therapies worldwide. This is not least due to the growing need for healthcare services resulting from the aging population with their increasing need for comprehensive care, and technical progress worldwide.

Opportunities presented by the Group’s global position shall be taken advantage of: Access to healthcare in developing and emerging countries will continue to improve and, over time, efficient healthcare systems with appropriate compensation structures will develop. Growth options are continuously reviewed here, and opportunities are sought to introduce further products into attractive markets.

The market for biopharmaceutical drugs represents a further opportunity. The Fresenius Group expects high growth rates here in the coming years. It is assumed that the pipeline of molecules, the stake in mAbxience, and the positioning in the market will increase earnings in the coming years.

We expect the trend towards digitalization in the healthcare sector to become even more important. The degree of digitalization will be increasingly crucial for the future viability of a hospital. Networks and the use of digital solutions create new opportunities to make processes more efficient and safer and thus to break new ground in patient care. We will continue to make consistent use of these opportunities, for example as part of the strategic partnership with SAP, to jointly advance the development of an individualized, scalable healthcare platform that enables connected, data‑driven healthcare processes. In addition, the Fresenius Group is working on the rigorous utilization of the opportunities offered by artificial intelligence.

The continued positive development of our cost and efficiency programs, resulting from process optimization, the reduction of cost of sales, administration, and procurement costs, as well as further digitalization measures, would have a positive impact on our assets, liabilities, financial position, and financial performance. We monitor and manage these programs and the associated developments centrally at Group level.

Compliance management system as part of the risk management system

In all business segments and at Fresenius SE & Co. KGaA, we have set up dedicated risk-oriented compliance management systems. These are based on three pillars: prevention, detection, and response. Our compliance measures are primarily aimed at using preventive measures to avoid compliance violations. Key preventive measures include comprehensive risk identification and risk assessment, appropriate and comprehensive policies and processes, regular training, and ongoing consultation. Internal controls are also carried out to identify possible compliance violations and to ensure that actions are taken in accordance with the internal and external requirements. For additional information about our compliance management system, please refer to the chapter on compliance.

Internal control system as part of the risk management system

The internal control system is an important part of Fresenius’ risk management. In addition to internal controls with regard to the financial reporting, it includes control objectives for further critical processes, such as quality management and patient safety, cybersecurity and data protection, and sustainability. The Fresenius Group has documented relevant critical control objectives in a Group-wide framework, integrating the various management systems into the internal control system in a holistic manner. As risk-mitigating measures, internal controls are a key component of risk management. In addition, weaknesses in the internal control system can indicate risks, which are then recorded and evaluated in risk management.

Internal financial reporting controls

Fresenius employs numerous measures and internal controls to ensure that accounting processes are reliable, and that financial reporting is correct, including the preparation of annual financial statements, consolidated financial statements, and management reports in compliance with applicable regulations and principles. A four-tier reporting process especially promotes intensive discussion and ensures control of the financial results. At each reporting level, i.e.,

  • the local entity,

  • the business unit,

  • the business segment, and

  • the Group,

financial data and key figures are reported, discussed, and compared with the prior-year figures, budget, and latest forecast on a monthly basis.

In addition, all parameters, assumptions, and estimates that are of relevance for the externally reported Group and segment results are discussed intensively with the department responsible for preparing the Group’s consolidated financial statements. These matters are also reviewed and discussed quarterly by the Supervisory Board’s Audit Committee.

Control mechanisms, such as automated and manual reconciliation processes, are further precautions put in place to ensure that financial reporting is reliable and that transactions are correctly accounted for. All consolidated entities report according to Group-wide standards, which are determined at the Group accounting level. These are regularly adjusted to allow for changes made to the accounting regulations. The consolidation proposals are supported by the IT system. In this context, internal Group balances, among other things, are reconciled in a comprehensive manner. To prevent abuse, we take care to maintain a strict separation of functions.

Monitoring and assessments carried out by management also help to ensure that risks with a direct impact on financial reporting are identified and that controls are in place to minimize them. Moreover, changes in accounting principles are closely monitored and employees involved in financial reporting are instructed regularly and comprehensively. External experts and specialists are engaged if necessary. The Treasury, Tax, Controlling, and Legal departments are involved in supporting the preparation of the financial statements. Finally, the information provided is verified once more by the department responsible for preparing the consolidated financial statements.

Assessment of the aggregated risk position for the one-year forecast period and the overall aggregated risk position

The established risk management and internal control system is fundamental to the assessment of the aggregated risk position for the one-year forecast period and the assessment of the Fresenius Group’s overall aggregated risk position. Risks for the Fresenius Group arise from factors that cannot be influenced directly. These include, for example, the general economic trend, which is analyzed regularly. In addition, there are risks that can be influenced directly, mostly of an operational nature, which are anticipated as early as possible and against which measures are initiated if necessary.

Overall, there are currently no identifiable risks to the future development of the Fresenius Group that could have a lasting and material adverse effect on our assets, liabilities, financial position, and financial performance.

The aggregated risk position for the one-year forecast period is fully covered by the Fresenius Group’s risk-bearing capacity. In order to be informed of possible changes in the risk situation at an early stage and to be able to take appropriate risk-mitigating measures, we have introduced further observation limits below the risk-bearing capacity. To this end, we have included risk appetite and risk tolerance in our risk-bearing capacity approach. The aggregated risk position for the one-year forecast period is also fully covered with regard to these limits. The overall aggregated risk position for all reported periods, including those beyond the one-year forecast period, is also fully covered by the Fresenius Group’s risk-bearing capacity.

Statement of the Management Board on the appropriateness and effectiveness of the RMS and ICS

Overall responsibility for our RMS and ICS lies with the Management Board. The Group Risk Management & Internal Controls organization supports the Management Board in designing and maintaining adequate and effective internal control and risk management activities by coordinating, monitoring, and reporting on these processes. Findings from this functional monitoring of the risk management and internal control system are addressed through appropriate measures.

At the end of each fiscal year, the Management Board performs an evaluation of the adequacy and effectiveness of the ICS and RMS. This evaluation is based on:

  • quarterly reporting in Management Board meetings about the company-wide risk and opportunity situation and the results of the internal control process;

  • the review of certification processes for our risk management and internal control system by relevant Group functions and the management of affiliated companies;

  • the assessment of the appropriateness and effectiveness of our RMS and ICS by Internal Audit based on the findings of the audits conducted in this reporting period;

  • the supplementary annual assessment by the Group Risk Management & Internal Controls organization regarding the adequacy and effectiveness of our RMS and ICS;

  • the results of the externally commissioned adequacy audit of the internal audit system and the risk management system as of December 31, 2024;

  • the results of the externally commissioned effectiveness audit of the internal audit system and the risk management system for the period from January 1, 2025 to June 30, 2025;

  • the results of the externally commissioned adequacy audits of the compliance management system and the internal control system as of December 31, 2025.

Based on this, the Management Board has no indication that our RMS or ICS in their respective entirety have not been adequate or effective as of December 31, 2025.¹

Nevertheless, there are inherent limitations on the effectiveness of any risk management and control system. For example, no management system – even if deemed to be adequate and effective – can guarantee that all risks that occur will be identified in advance or that any process violations will be ruled out under all circumstances.

Prior to the preparation of the management report, the Audit Committee of the Supervisory Board also engages with the Management Board’s statement on the appropriateness and effectiveness of the risk management system and internal control system. The Audit Committee asks the Management Board to explain how it has derived its opinion and discusses the procedure with the Management Board.

¹ unaudited

EBIT (Earnings before Interest and Taxes)
EBIT does include depreciation and write-ups on property, plant and equipment.

EBIT is calculated by subtracting costs of revenue, selling, general, and administrative expenses, and research and development expenses from revenue.