As a global science and technology enterprise, identifying risks and opportunities is an intrinsic part of making our businesses resilient and generating value. We operate in a highly complex, global and interconnected business environment that further necessitates the competent management of risks and opportunities. Therefore, managing risks and opportunities is an imperative and a core component of our internal business planning and forecasting. We have processes, tools and responsibilities in place to enable the early identification of risks and to supply effective and efficient mitigation strategies.
In our internal risk reporting framework, we define risks as potential future events or developments that could result in unfavorable deviations from our financial and non-financial targets. Risk parameters in this context are the probability of financial (quantitative) impact (EBITDA pre/Operating Cash Flow) or non-financial (qualitative) impact (reputation/brand, Environment, Social, Governance (ESG) including workforce and ethics, strategy, operations).
Opportunities imply favorable deviations from targets. Future events and expected developments are considered in internal planning if a likely occurrence can be assumed within the planning period. The following section presents the risks and opportunities that could result in favorable and unfavorable deviations from existing plans and targets.
The following report is relevant from the perspective of both Merck KGaA, Darmstadt, Germany, and the overarching Group. For additional information and details regarding the non-financial topics, please refer to the “Non-Financial Statement”.
Three Lines of Defense
To organize risk management and controls, we use the well-established “Three Lines of Defense Model”, which was developed by the Federation of European Risk Management Associations (FERMA), the European Confederation of Institutes of Internal Auditing (ECIIA) and the Institute of Internal Auditors (IIA). The model divides our company functions for controlling risks properly and effectively into three areas, the so-called lines of defense:
The first line of defense consists of all functions that are responsible for the operational business and whose day-to-day business risks can have an impact. Risk owners (i.e. the heads of the business units, enabling Group functions and local Managing Directors) establish processes in accordance with the requirements set by the second line of defense to identify, assess, and monitor risks and to develop measures for proper risk mitigation. Results of these assessments are regularly communicated to the Executive Board.
The second line of defense includes enabling functions at both Group and local level that control and monitor the operational business (first line of defense). This includes, among other things, the design and implementation of methods and procedures for risk management and the internal control system (financial and non-financial) as well as its regular monitoring.
The third line of defense is our Internal Auditing function. As an objective and independent auditing body, it examines both the operational business (first line of defense) and the controls and monitoring functions (second line of defense) to ensure that risks are effectively identified, evaluated and controlled vis-à-vis the Executive Board and the Supervisory Board.
Both the second and third line of defense functions regularly report to the Executive Board and the Audit Committee of the Supervisory Board.
Internal control system
Internal control system for the (Group) accounting process
The objective of the internal control system for the accounting process is to implement controls that provide assurance that the financial statements are prepared in compliance with the relevant accounting laws and standards. This system covers measures designed to ensure the complete, correct, and timely reporting and presentation of information that is relevant for the preparation of the Consolidated Financial Statements and the Combined Management Report.
Our internal control system for financial reporting is based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, a globally recognized standard divided into five components: control environment, risk assessment, control activities, information and communication as well as monitoring activities. Each of these components is regularly documented, tested and/or assessed. This control system aims to ensure the accuracy of the consolidated accounting process through functioning internal controls with reasonable assurance.
The Group Accounting function centrally steers the preparation of the Consolidated Financial Statements of Merck KGaA, Darmstadt, Germany, as the parent company of the Group. This Group function defines the reporting requirements that all companies of the Group must meet. At the same time, this function steers and monitors the scheduling and process-related requirements of the Consolidated Financial Statements. Our Business Services organization manages all changes to the equity holding structure and correspondingly adapts the Group’s scope of consolidation. The proper elimination of intragroup transactions within the scope of the consolidation process is ensured. Group-wide accounting guidelines form the basis for the preparation of the financial statements according to International Financial Reporting Standards (IFRS), which are reported to Group Accounting; the guidelines are adapted in a timely manner to reflect changes in the financial regulatory environment and are updated in accordance with internal reporting requirements. For special issues, such as the accounting treatment of intangible assets within the scope of business combinations in accordance with IFRS 3 or defined benefit obligations, external experts are additionally involved where necessary.
The individual legal entities, including Merck KGaA, Darmstadt, Germany, have a local internal control system within a global framework. Where financial processes are handled by our Business Services organization, the internal control system of our Business Services organization is additionally applied. Both ensure that accounting complies with IFRS and with the Group accounting guidelines.
Group Accounting provides support to the local contacts and ensures a consistently high quality of reporting throughout the entire reporting process.
For Group financial reporting purposes, most of our subsidiaries use standard SAP software. Consolidation software from SAP is also used for the elimination of intragroup transactions. A detailed authorization concept ensures the segregation of duties with respect to both single-entity reporting and the Consolidated Financial Statements. The accounting process is generally designed to ensure that all units involved adhere to the principle of dual control.
The operational effectiveness of our internal financial control system is regularly tested within the scope of self-assessments by our legal entities and enabling Group functions including our Business Services organization. The quality is systematically reviewed by a dedicated global financial control and governance team. Control deficiencies are properly recorded and, wherever necessary, adequate countermeasures are taken to remediate control deficiencies in a timely manner.
The overall effectiveness of our internal financial control system with regard to accounting and compliance with financial reporting on the part of the relevant individual companies is confirmed by both the local Managing Director and the local Chief Financial Officer by signing the single-entity reporting and a separate confirmation regarding the effectiveness of the financial control system (internal financial control system sign-off letter). For the accounting treatment of balance sheet items, Group Accounting closely cooperates with Group Risk Management to correctly present potential risks in the balance sheet.
All the structures and processes described in the foregoing relate to the Group Accounting procedures and are subject to regular review by Group Internal Auditing based on an annual audit plan set out by the Executive Board.
The results of the self-assessments, quality reviews, and internal audits are dealt with by the Executive Board, the Supervisory Board and the Audit Committee. Our internal financial control system makes it possible to lower the risk of material misstatements in accounting. However, residual risk cannot be entirely ruled out as no internal control system is infallible, irrespective of its design.
Non-financial internal control system and overall evaluation*
In the context of constantly evolving external and internal requirements for the management of non-financial risks, work continued in fiscal 2023 on the development of a procedural and organizational concept as well as a roadmap for expanding non-financial risk management. An important decision was to consolidate the management of financial and non-financial risks under unified organizational leadership (with the Chief Financial Officer being responsible commencing with fiscal 2024) to increase efficiency and quality. This also includes the non-financial internal control system.
For fiscal 2023, the Group Legal & Compliance function provides the organizational framework for the non-financial internal control system. In line with the risk situation of the Group and to ensure regulatory compliance, non-financial topics such as sustainability, cyber security and supply chain are core areas of the internal control system. We base this on international standards, such as the framework for the governance of Group Cyber Security, which includes organizational, process-related, and technical measures for information security. The existing process of Cyber Security Risk Management is designed pursuant to ISO 27005:2018. In comparison with the previous year, a monthly Group Security Forum has been established, where new risks from the risk register are reported, and actions are tracked.
Additionally, the non-financial internal control system aligns with the sustainability strategy and ongoing projects for implementing sustainability reporting (e.g. CSRD). The goal is to continuously improve regulatory compliance pursuant to CSRD requirements through the implementation of organization-wide measures and controls.
The aim of our internal control system as the entirety of all systematically defined controls is therefore to prevent and reduce the probability of potential risks occurring as well as actively steer risks in business processes. Thereby, it helps to ensure the compliance of the company’s activities with laws and regulations. The entire internal control system and the applied methods are continuously developed further. The responsibility for the effectiveness of the internal control system and the further development of the non-financial key metrics lies with the respective responsible senior leaders or risk and process owners.
Relevant representatives from the business sectors and the enabling Group functions reported to the Executive Board through the implemented control system in 2023. In this context, areas where potential for improvement and optimization had been identified and relevant ongoing projects were also presented to the Executive Board. Finally, the individual Group functions and business sectors issued an assessment to the Executive Board regarding the appropriateness and effectiveness of the control system, considering the recommended improvement opportunities, where applicable. Based on this as well as the review of the non-financial internal control system, and reporting by Internal Auditing, as of December 31, 2023, the Executive Board was not aware of any indications with regard to material issues that the system is not appropriate or effective.
Given the multi-layered process landscape and the high speed of change regarding the catalog of requirements for non-financial information, the degree of development of the non-financial internal control system does not yet match that of the (Group) accounting-related internal control system. Based on risk-based assessments of the financial and non-financial internal control system, compliance and risk management and reporting by Internal Auditing, as of December 31, 2023 the Executive Board was not aware of any indications with regard to material issues that this system is not appropriate or effective.
Risk and opportunity management
Group Controlling & Risk Management provides the organizational framework for risk management and reports to the Group Chief Financial Officer. We have established a holistic risk management system aimed at safeguarding the long-term achievement of our Group’s goals and addressing risks to ensure our continued existence and future success. Within the scope of audits, Group Internal Auditing regularly reviews the performance of risk management processes within the units on local level and, at the same time, the communication of relevant risks from the operating businesses to Group Risk Management. Additionally, the external auditor examines the risk early warning system in accordance with section 317 (4) of the German Commercial Code (HGB) as part of the year-end audit of Merck KGaA, Darmstadt, Germany.
Our risk management activities aim to continuously and promptly identify, assess and manage risks so that appropriate measures can be implemented to mitigate their potential negative impact. The responsibilities, objectives, and procedures of risk management are outlined in our internal group standard for risk management. The designated risk owners, including business heads, managing directors of Group subsidiaries, and the heads of enabling Group functions, are responsible for overseeing and running local risk management processes. These processes encompass various requirements, such as identifying risks considering internal and external factors (impacting both financial and non-financial targets), analyzing risks, implementing appropriate mitigation actions, establishing preventive measures and contingency plans if applicable, and documenting risks and mitigation efforts.
The risk owners continuously assess the status of risks and report their risk portfolio to Group Risk Management twice a year. To facilitate and support these activities, we employ dedicated risk management tools. Group Risk Management coordinates and supervises the bottom-up risk reporting process. This includes validating the plausibility of the reported risks, assessing the effectiveness of mitigation measures and time frames, and determining the residual risk. The net risk is then presented in the internal risk report.
For the internal bottom-up risk reporting process, reporting is based on defined thresholds, and a variety of distribution functions are used to reflect scenarios with varied occurrence probabilities. Risks below the global reporting threshold are managed and monitored at a local level. The timeframe applied for internal risk and opportunity reporting is five years. It may extend beyond this timeframe in specific cases, such as for regulatory risks related to climate change. The outlined risks and their evaluation are based on respective annual values within the reporting period. The assessment of the risks presented relates to December 31, 2023. No significant changes occurred after the balance sheet date that would necessitate an amended presentation of the Group’s risk situation.
Group Risk Management analyzes the reported information to determine the current risk portfolio of the Group. This assessment is presented in a comprehensive report, accompanied by detailed explanations, to the Executive Board, the Supervisory Board, and relevant committees twice a year. This also encompasses a quantitative aggregation of risks at Group level, using a Monte Carlo simulation. Moreover, any notable changes in the assessment of existing risks or the identification of new significant risks can be reported at any time and promptly communicated to the Executive Board.
Our internal controlling processes incorporate the opportunity management process, which is aligned with the Group’s strategy within the operating units. As part of the strategy and planning processes, the business sectors analyze and evaluate possible business-related opportunities. In this context, investment opportunities are carefully examined and prioritized primarily in terms of their potential value proposition, ensuring optimal resource allocation. We target investment in growth markets to leverage the opportunities of dynamic development and customer proximity at a local level.
Identified opportunities that are deemed likely to occur are integrated into the business plans and forecasts. Additionally, trends and events that have the potential to positively impact EBITDA pre or Operating Cash Flow. These opportunities have the potential to have a positive effect on our medium-term prospects.
Risk and opportunity assessment
The significance of a risk is evaluated based on its potential unfavorable deviation from our financial and non-financial targets in conjunction with the probability of occurrence of the respective risk.
The underlying scales for measuring these factors are shown below:
Probability of occurrence |
|
Explanation |
|---|---|---|
< 1% |
|
Highly improbable |
1 – 5% |
|
Improbable |
5 – 20% |
|
Possible |
20 – 50% |
|
Likely |
> 50% |
|
More likely than not |
Degree of impact |
|
Explanation |
|---|---|---|
> € 500 million |
|
Critical negative impact on EBITDA pre and/or Operating Cash Flow |
€ 100 – 500 million |
|
Significant negative impact on EBITDA pre and/or Operating Cash Flow |
€ 25 – 100 million |
|
Moderate negative impact on EBITDA pre and/or Operating Cash Flow |
€ 10 – 25 million |
|
Minor negative impact on EBITDA pre and/or Operating Cash Flow |
< € 10 million |
|
Immaterial negative impact on EBITDA pre and/or Operating Cash Flow |
To enable a thorough evaluation of both financial and non-financial risks, a qualitative rating scale is available to evaluate the indirect financial impact. The use of this scale is mandatory for the assessment of non-quantifiable and qualitative risks such as Environmental, Social, and Governance (ESG), reputational, strategic, and operational risks as well as for material risks that also require a qualitative evaluation. The scale categorizes the risks as low, moderate, significant, or critical and provides a comprehensive reference for assessment.
Opportunities are assessed within their respective business environment. During short-term and strategic planning, general measures of business functions are quantified, typically in relation to EBITDA pre (earnings before interest, taxes, depreciation, and amortization), and operating cash flow. In addition, we identify and leverage opportunities as part of our regular business operations and through our daily observation of internal processes and markets.
Investment opportunities are primarily evaluated and prioritized using metrics such as net present value, internal rate of return, return on capital employed (ROCE), and the payback period of the investment. These indicators are used to assess the potential of investment projects and prioritize them accordingly. Similarly, scenarios are used to simulate the impact of possible fluctuations and changes in the respective parameters on results.
* The contents of this chapter or section are voluntary and therefore not audited. However, our auditor has read the text critically.