Annual Report 2025

As a global life science enterprise, we are exposed to a wide range of internal and external developments and events that could significantly impact the achievement of our financial and nonfinancial objectives. Opportunity and risk management is therefore an integral part of corporate steering at Bayer. We regard opportunities as positive deviations, and risks as negative deviations, from projected or target values for potential future developments. We augment our risk definition process by also taking into account any potential adverse effects that our business operations could have on people and/or the environment.

Opportunity management system

As part of our annual planning activities, we identify opportunities by analyzing internal and external factors that may affect our business. These may be factors of a social, economic or environmental nature, for example. Our planning process involves a comprehensive analysis of the markets. We build on this by analyzing the respective market environments to identify opportunities. We use different time periods across our various planning activities since trends or developments may impact our business over the shorter or longer term. In addition, we identify and leverage opportunities as part of our regular business operations and through our daily monitoring of internal processes and markets. Depending on developments, factors affecting our business, such as market risks, may result in either risks or opportunities.

Risk management system

We have implemented a holistic and integrated risk management system designed to ensure the continued existence and future target attainment of the Group through the early identification and assessment of and response to risks.

Our risk management system is aligned with internationally recognized standards and principles, such as the ISO 31000 risk management standard of the International Organization for Standardization, and is defined and implemented with the help of binding Group regulations.

Structure of Bayer’s risk management system (graphic)
* The ICSoR consists of the internal control system over financial reporting (ICSoFR) and the internal control system over sustainability reporting (ICSoSR)

The Board of Management of Bayer AG holds overall responsibility for maintaining an effective risk management system. It examines the appropriateness and effectiveness of the risk management system at least once a year, as does the Supervisory Board’s Audit Committee. In addition, a corresponding report is provided to the full Supervisory Board.

The Assurance Committee is chaired by the Chief Financial Officer, with a second Board of Management member participating on a rotating basis. Besides ensuring that appropriate action is taken to control any substantial risks, the Assurance Committee regularly discusses and reviews the risk portfolio and the status of risk control measures.

Responsibility for identifying, assessing, responding to and communicating risks lies with the operational business units in the divisions and enabling functions.

Enterprise risk management (ERM), including risk early warning system

As per Section 91, Paragraph 2 of the German Stock Corporation Act (AktG), companies are required to operate a risk early warning system to ensure they identify, at an early stage, any developments that are material and/or could endanger their continued existence. We meet this requirement through our enterprise risk management (ERM) system, which establishes a consistent framework and uniform standards for the risk early warning system throughout the Bayer Group.

The Enterprise Risk Management department within the Internal Audit & Risk Management Enabling Function steers and coordinates the ERM system. It provides overarching standards, methods and tools, is responsible for the risk early warning system, steers the annual ERM process and works on ensuring continuous monitoring and improvement. For further details, see Chapter A 3.2.1, section “Basic elements of the Bayer risk management system,” and specifically “ERM: risk management process” and “ERM: monitoring and improvement.” The ERM department also ensures reporting to the Assurance Committee, the Board of Management, the Supervisory Board and the Audit Committee of the Supervisory Board.

Internal control system for (Group) accounting and financial reporting

(Report pursuant to Section 289, Paragraph 4 and Section 315, Paragraph 4 of the German Commercial Code, HGB)

As part of the comprehensive risk management system, we have an internal control system over financial reporting (ICSoFR) in place for the (Group) accounting and financial reporting process. This system comprises suitable structures and workflows that are defined and implemented throughout the organization. The purpose of our ICSoFR is to ensure proper and effective accounting and (Group) financial reporting in compliance with the legal requirements and in accordance with the relevant reporting principles. The ICSoFR is designed to guarantee timely, uniform and accurate recording and documentation of all business transactions based on applicable statutory regulations, accounting and financial reporting standards, and the internal Group regulations that are binding for all consolidated companies. Risks are identified and assessed, and appropriate countermeasures are taken to mitigate them. Mandatory Group-wide standards such as system-based and manual reconciliation processes and functional separation have been derived from these frameworks and promulgated throughout the Bayer Group. These standards are implemented by the Bayer Group companies. Ensuring compliance with these standards is the responsibility of the respective management teams. However, it should be noted that, irrespective of its design, an internal control system cannot provide absolute assurance that material misstatements in the financial reporting will be avoided or identified.

Compliance management system

Trust serves as the foundation for our business activities and is crucial to our success. It requires a daily commitment to building awareness and ensuring compliance with laws, regulations and ethical principles. Integrity is a central element of our corporate culture and guides our actions. Our Code of Conduct serves as a compass for maintaining compliance with all applicable legal requirements.

We have implemented an effective compliance management system (CMS) to promote and strengthen compliant conduct. The CMS is managed by a central compliance organization that is headed by our General Counsel in their role as Group Compliance Officer. In this function, the Group Compliance Officer reports directly to the Chief Financial Officer (CFO) and the Supervisory Board’s Audit Committee. The CFO is responsible for the compliance organization, while the Audit Committee oversees the effectiveness and further development of compliance within the Group.

As part of the CMS, potential compliance risks are identified, assessed and recorded together with the operational functions. We use policies, procedures, training courses and controls to integrate preventive measures into daily business activities. The respective training courses are mandatory, with our employees required to complete them on time. We also provide information, adequate resources and guidance to support all employees in acting with integrity and proactively avoiding potential violations.

Compliance with laws and company regulations is monitored as part of analyses and reviews conducted by the Law, Patents & Compliance department as well as audits performed by Internal Audit. The heads of these organizations provide regular reports on the results to the Audit Committee. Audits are planned according to a function- and risk-based approach.

We foster a culture of openness and transparency. We encourage employees and third parties to raise their concerns regarding compliance. They can use our global Speak Up Channel, which gives them the opportunity to report suspected compliance violations confidentially and, where permitted by local law, anonymously. They can also contact the compliance department directly via Speak.Up@Bayer.com. If employees believe an activity or behavior could represent a material compliance violation, they have an obligation to report it. In the case of suspected violations, we conduct thorough investigations to conclusively verify whether any such violation has taken place. Confirmed violations are sanctioned according to our internal standards. Depending on the severity of the compliance violation, it can have disciplinary, civil or criminal consequences for the employees in question, including implications for their compensation.

The various elements of the CMS promote a positive compliance culture throughout our organization and help to ensure integrity in the day-to-day business activities of every employee.

Independent internal and external monitoring

The Internal Audit department conducts independent, risk-based and objective audit activities, employing a targeted and systematic approach to assess and help improve the effectiveness of corporate governance, risk management and monitoring processes. The mandate of Internal Audit, its tasks and responsibilities, as well as its position within the Bayer Group are defined and established in the Internal Audit Charter. The department’s management adheres to the mandatory elements of the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA). The Chief Audit Executive (CAE) regularly reports to the Board of Management and the Audit Committee on Internal Audit’s compliance with these standards. The CAE also regularly reports to the Board of Management and Audit Committee on the results of the audit assignments, as well as on Internal Audit’s quality assurance and improvement program. This includes aspects such as relevant results of internal and external quality assessments carried out at least once every five years by a qualified independent external assessor. The most recent assessment was concluded in the fourth quarter of 2022, yielding the best results possible.

In addition, the fundamental suitability of the early warning system is assessed by the external auditor as an independent external body as part of its audit of the annual financial statements.

Basic elements of the Bayer risk management system

Objectives of the risk management system

The risk management system is largely aimed at protecting the Bayer Group against significant risks. We therefore place great emphasis on maintaining compliance with legal and regulatory requirements, ensuring proactive risk management, and promoting our risk culture.

All levels of the company are included in risk management in order to heighten the awareness and understanding of risks. This lays the foundation for a risk culture with independent, proactive and systematic risk management involving clearly defined roles and responsibilities, principles, standards, methods, tools and training measures. Building this risk culture and promoting proactive risk management are the basis for generating risk transparency around the material risks within the Group. The risk management system helps us deliver on our commitment to pursue opportunities while taking account of the related risks in our business decisions.

ERM: risk management process

The ERM risk management process is divided into the following steps: risk identification, assessment, response and communication. Sustainability risks are responded to in the same way as risks in other categories as part of the risk management process, and also include risks related to environmental, employee and social issues, human rights, and corruption and bribery. To ensure consistency and enhance efficiency, the risk management process is carried out in close cooperation with the Public Affairs, Sustainability & Safety Enabling Function, with the disclosure requirements set out in the European Sustainability Reporting Standards (ESRS) also being taken into account. For more details on sustainability management, see Chapter A 4 Sustainability Statement.

Identification: Risks are identified by risk owners in the divisions and enabling functions. To help ensure we identify risks as comprehensively as possible, we maintain a risk universe that reflects the company’s potential risk categories. The Bayer Risk Universe, which is regularly updated, also expressly accounts for risks of a nonfinancial nature that are linked to our business activities or to our business relationships, products and services. Further information on the nonfinancial statement can be found in the “About this Report” section.

Assessment: Where possible, the identified risks are evaluated to determine their potential impact and likelihood of occurrence using the matrix below. Risks are assessed on a net basis, taking into account the risk control measures in place to mitigate the potential impact and/or likelihood of occurrence.

Risk assessment matrix (graphic)

Risks are classified as high, medium or low when assessing their materiality within the overall risk portfolio. The scale of the impact is rated in quantitative and/or qualitative terms. The quantitative assessment reflects a potential negative effect on cash flows, while the qualitative evaluation is based on criteria such as strategic impact, effects on our reputation, or potential loss of trust among stakeholder groups. Whichever rating is higher, the qualitative or the quantitative one, determines the overall assessment. Where applicable, we take into account the potential impact on people and/or the environment as an additional criterion in our assessment. The likelihood of occurrence is assessed over a horizon of up to 10 years.

We aggregate risks to ensure the early detection of risks that, in combination or through correlation, could potentially endanger our company’s continued existence. Using methods such as Monte Carlo simulations, we estimate the potential aggregated impact that our main risks could have on our cash flow. We compare the resulting aggregated risk situation with the risk-bearing capacity approved by the Board of Management. The outcome of this comparison is factored into the Board of Management’s overall assessment of the company’s risk status.
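The two steps described above, classifying a single risk on an impact/likelihood matrix and then aggregating the register by Monte Carlo simulation against a board-approved risk-bearing capacity, can be made concrete in a few dozen lines. The following is an added illustration, not Bayer's own model or data: the risk entries, the matrix cut-offs, the correlation parameter and the capacity figure are all constructed assumptions. The report mentions correlation between risks as a reason for aggregating; the block therefore goes one step beyond independent draws and uses a Gaussian one-factor model (a standard copula-style approach, not one the report attributes to Bayer) so that the effect of positive correlation on the tail can be seen directly.

```python
"""Monte Carlo aggregation of a risk register against a risk-bearing capacity.

Added example, not Bayer's own model. Thresholds, risk entries, the
correlation parameter and the capacity figure are constructed assumptions.
Runs on the standard library only (Python 3.8+).
"""
import random
from statistics import NormalDist

# Constructed sample register: net likelihood over a 10-year horizon (risk
# controls already netted out) and net cash-flow impact in EUR million.
# Names and numbers are invented for this example.
RISK_REGISTER = [
    {"name": "product liability litigation", "likelihood": 0.30, "impact": 800},
    {"name": "regulatory approval delay",    "likelihood": 0.20, "impact": 500},
    {"name": "cyber incident",               "likelihood": 0.25, "impact": 300},
    {"name": "supply chain disruption",      "likelihood": 0.15, "impact": 200},
]

RISK_BEARING_CAPACITY = 1500  # EUR million; assumed board-approved limit


def classify(impact_level: int, likelihood_level: int) -> str:
    """Map an impact level and a likelihood level (each 1..4) to the
    high/medium/low classes of an assessment matrix.

    The cut-offs (product >= 9 high, >= 4 medium) are an assumption; the
    report does not publish its matrix. Callers apply the rule "the higher
    rating wins" by passing the larger of the quantitative and qualitative
    impact levels as impact_level.
    """
    if not (1 <= impact_level <= 4 and 1 <= likelihood_level <= 4):
        raise ValueError("levels must be in 1..4")
    score = impact_level * likelihood_level
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def simulate_aggregate_loss(register, trials=20_000, rho=0.0, seed=1):
    """Return one aggregated loss per trial.

    Gaussian one-factor model: risk i fires when its latent standard normal
    z_i falls below the quantile of its likelihood. z_i shares a common
    factor with weight sqrt(rho), so rho=0 gives independent Bernoulli
    events and rho>0 makes risks fire together more often.
    """
    rng = random.Random(seed)
    nd = NormalDist()
    thresholds = [nd.inv_cdf(r["likelihood"]) for r in register]
    common_w = rho ** 0.5
    own_w = (1.0 - rho) ** 0.5
    losses = []
    for _ in range(trials):
        common = rng.gauss(0.0, 1.0)
        total = 0
        for r, thr in zip(register, thresholds):
            z = common_w * common + own_w * rng.gauss(0.0, 1.0)
            if z < thr:
                total += r["impact"]
        losses.append(total)
    return losses


def percentile(values, q):
    """Empirical q-quantile (0 <= q <= 1) of a list of numbers."""
    s = sorted(values)
    idx = min(len(s) - 1, int(q * len(s)))
    return s[idx]


def compare_to_capacity(register, capacity, rho=0.0, confidence=0.95, **kw):
    """Aggregate the register and compare the loss at the given confidence
    level with the risk-bearing capacity."""
    losses = simulate_aggregate_loss(register, rho=rho, **kw)
    loss_at_confidence = percentile(losses, confidence)
    return {
        "expected_loss": sum(losses) / len(losses),
        "loss_at_confidence": loss_at_confidence,
        "capacity": capacity,
        "within_capacity": loss_at_confidence <= capacity,
    }


if __name__ == "__main__":
    for rho in (0.0, 0.5):
        print(f"rho={rho}:", compare_to_capacity(RISK_REGISTER, RISK_BEARING_CAPACITY, rho=rho))
```

With the constructed register the expected aggregated loss is about EUR 445 million regardless of correlation, but the 95th-percentile loss rises once the risks are allowed to fire together; that tail, not the mean, is what a comparison against risk-bearing capacity is meant to catch.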

Response: The risk owners decide on a target risk level based on a cost-benefit analysis and define a risk management strategy as well as risk management measures. These include risk avoidance, reduction, transfer and acceptance.

Communication: The results are reported to the Assurance Committee by the Enterprise Risk Management department. In addition, new risks above a defined threshold are reported to Enterprise Risk Management on an ad hoc basis and, if relevant, to the Assurance Committee. A report on the risk portfolio is submitted to the Board of Management and the Audit Committee at least once a year.

ERM: monitoring and improvement

The Enterprise Risk Management department continuously evaluates whether the principles, standards, methods and tools are appropriate and up to date.

Assessment of the risk management and internal control systems pursuant to Section 91, Paragraph 3 of the German Stock Corporation Act (AktG)

The fundamental requirements for all management systems are based on the relevant international standards and practices. Controls and monitoring are generally performed as part of the respective management systems, focusing on the risks that need to be mitigated.

The Board of Management has defined and implemented a procedure to ensure compliance with the requirements pursuant to Section 91, Paragraph 3 of the German Stock Corporation Act (AktG) with regard to the risk management system and the internal control system. This procedure is regularly reviewed and updated as required.

Accordingly, the Board of Management is focused particularly on the four management systems of enterprise risk management, internal control system over reporting, compliance, and internal audit. These four management systems form the core of our risk management and internal control systems.

For further information on the core management systems, see Chapter A 3.2.1 and particularly “Enterprise risk management (ERM) including risk early warning system,” “ERM: risk management process” and “ERM: monitoring and improvement,” “Internal control system for (Group) accounting and financial reporting processes” and “Compliance management system,” as well as “Independent internal and external monitoring.”

These core management systems are regularly monitored and reviewed as part of audits within the respective management system and audits by Internal Audit and/or external auditors. The results of these reviews are regularly reported to the Board of Management.

The review by the Board of Management did not identify any relevant indications that, in their entirety, would call into question the appropriateness and effectiveness of these systems for the fiscal year.

However, it is important to bear in mind that, irrespective of their design or evaluation, risk management and internal control systems cannot ensure with absolute certainty that all risks are identified before they materialize and that the envisaged controls detect all vulnerabilities.