As a global science and technology enterprise, identifying risks and opportunities is an intrinsic part of making our businesses resilient and generating value. We operate in a highly complex, global and interconnected business environment that further necessitates the competent management of risks and opportunities. Therefore, managing risks and opportunities is an imperative and a core component of our internal business planning and forecasting. We have processes, tools and responsibilities in place to enable the early identification of risks and to supply effective and efficient mitigation strategies.
In our internal risk reporting framework, we define risks as potential future events or developments that could result in unfavorable deviations from our financial and non-financial targets. Risk parameters in this context are the probability of financial (quantitative) impact (EBITDA pre/operating cash flow) or non-financial (qualitative) impact (reputation/brand; strategy; operations; and, environment, social and governance (ESG) in relation to workforce, ethics and other factors).
Opportunities imply favorable deviations from targets. Future events and expected developments are considered in internal planning if a likely occurrence can be assumed within the planning period. The following section presents the risks and opportunities that could result in favorable and unfavorable deviations from existing plans and targets.
The following report is relevant from the perspective of both Merck KGaA, Darmstadt, Germany, and the overarching Group. For additional information and details regarding the non-financial topics, please refer to the Non-Financial Statement.
Three Lines of Defense
To organize risk management and controls, we use the well-established “Three Lines of Defense Model”, which was developed by the Federation of European Risk Management Associations (FERMA), the European Confederation of Institutes of Internal Auditing (ECIIA) and the Institute of Internal Auditors (IIA). The model divides our company functions for controlling risks properly and effectively into three areas, the so-called lines of defense:
The first line of defense consists of all functions that are responsible for the operational business and whose day-to-day business risks can have an impact. Risk owners (i.e. the heads of the business units, enabling Group functions and local Managing Directors) establish processes in accordance with the requirements set by the second line of defense to identify, assess and monitor risks and to develop measures for proper risk mitigation. Results of these assessments are regularly communicated to the Executive Board.
The second line of defense includes enabling functions at both Group and local level that control and monitor the operational business (first line of defense). This includes, among other things, the design and implementation of methods and procedures for risk management and the internal control system (financial and non-financial) as well as its regular monitoring.
The third line of defense is our Internal Auditing function. As an objective and independent auditing body, it examines both the operational business (first line of defense) and the controls and monitoring functions (second line of defense) to ensure that risks are effectively identified, evaluated and controlled vis-à-vis the Executive Board and the Supervisory Board.
Both the second and third line of defense functions regularly report to the Executive Board and the Audit Committee of the Supervisory Board.
Internal control system
Internal control system for the (Group) financial reporting process
The objective of the internal control system for the financial reporting process is to implement controls that provide assurance that the financial statements are prepared in compliance with the relevant accounting laws and standards. This system covers measures designed to ensure the complete, correct and timely reporting and presentation of information that is relevant for the preparation of the Consolidated Financial Statements and the Combined Management Report.
Our internal control system for financial reporting is based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, a globally recognized standard divided into five components: control environment, risk assessment, control activities, information and communication as well as monitoring activities. Each of these components is regularly documented, reviewed and/or assessed. This control system aims to ensure the accuracy of the consolidated accounting process through functioning internal controls with reasonable assurance.
The Group Financial Reporting function centrally steers the preparation of the Consolidated Financial Statements of Merck KGaA, Darmstadt, Germany, as the parent company of the Group. This Group function defines the reporting requirements that all companies of the Group must meet. At the same time, the function steers and monitors the scheduling and process-related requirements of the Consolidated Financial Statements. The Business Services organization manages all changes to the equity holding structure and correspondingly adapts the Group’s scope of consolidation. The consolidation process ensures the proper elimination of intragroup transactions. Group-wide accounting guidelines form the basis for the preparation of the financial statements in accordance with the International Financial Reporting Standards (IFRS), which are submitted to Group Financial Reporting; the guidelines are adapted in a timely manner to reflect changes in the financial regulatory environment and are updated to reflect internal reporting requirements. For special issues, such as the accounting treatment of intangible assets within the scope of business combinations in accordance with IFRS 3 or defined benefit obligations, external experts are additionally involved where necessary.
The individual legal entities, including Merck KGaA, Darmstadt, Germany, have a local internal control system within a global framework. Where financial processes are handled by the Business Services organization, the internal control system of the Business Services organization is additionally applied. Both ensure that accounting complies with IFRS and with the Group accounting guidelines.
Group Financial Reporting provides support to the local contacts and ensures a consistently high quality of reporting throughout the entire reporting process.
For Group financial reporting purposes, most of our subsidiaries use standard SAP software. Consolidation software from SAP is also used for the elimination of intragroup transactions. A detailed authorization concept ensures the segregation of duties with respect to both single entity reporting and the Consolidated Financial Statements. The accounting process is generally designed to ensure that all units involved adhere to the principle of dual control.
The operational effectiveness of our internal financial control system is regularly tested within the scope of self-assessments by our legal entities and enabling Group functions. The quality is systematically reviewed by a dedicated Group function for internal controls and governance. Control deficiencies are properly recorded and, wherever necessary, adequate countermeasures are taken to remediate them in a timely manner.
The overall effectiveness of our internal financial control system with regard to accounting and the compliance of the relevant individual companies’ financial reporting is confirmed by both the local Managing Director and the local Chief Financial Officer by signing the single entity reporting and a separate confirmation regarding the effectiveness of the control system. For the accounting treatment of balance sheet items, Group Financial Reporting closely cooperates with Risk Management to correctly reflect potential risks in the balance sheet.
All the structures and processes described in the foregoing relate to the Group Financial Reporting procedures and are subject to regular review by Group Internal Auditing based on an annual audit plan set out by the Executive Board.
The results of the self-assessments, quality reviews and internal audits are dealt with by the Executive Board, the Supervisory Board and the Audit Committee. Our internal financial control system makes it possible to lower the risk of material misstatements in accounting. However, residual risk cannot be entirely ruled out as no internal control system is infallible, irrespective of its design.
Non-financial internal control system and overall evaluation*
In the context of constantly evolving external and internal requirements for the management of non-financial risks, work continued in fiscal 2024 on the development of a procedural and organizational concept as well as a roadmap for expanding non-financial risk management.
The non-financial internal control system aligns with the sustainability strategy and is set up corresponding to the requirements of the CSRD regulation. The goal is to continuously prepare for regulatory compliance pursuant to upcoming CSRD requirements by implementing organization-wide measures and controls. In comparison with the previous year, the internal controls for sustainability reporting were further formalized, and integration into the overall internal control system was initiated.
The aim of our internal control system is therefore to prevent and reduce potential risks and to actively steer risks in business processes. In this way, it helps ensure that the company’s activities comply with laws and regulations. The entire internal control system and the applied methods are continuously refined. Responsibility for the effectiveness of the internal control system and the further development of the non-financial key metrics lies with the respective senior leaders or risk and process owners.
In 2024, all relevant aspects for evaluating the overall effectiveness of the internal control system and risk management were integrated in a single confirmation process. This process included respective confirmations of effectiveness by the Group functions, the local Managing Director, the local Chief Financial Officer, and the business functions. The results of this assessment were presented to the Executive Board, considering the recommended opportunities for improvement where applicable.
Given the multi-layered process landscape and the comprehensive changes regarding the catalog of requirements for non-financial information, the maturity of the non-financial internal control system was enhanced. Based on risk-based assessments of the financial and non-financial internal control system, compliance and risk management, stakeholder confirmations, and regular general audits by Internal Auditing, as of December 31, 2024, the Executive Board was not aware of any indications with regard to material issues that this system is not appropriate or effective.
Risk and opportunity management
Group Risk Management provides the organizational framework for risk management and reports to the Group Chief Financial Officer. We have established a holistic risk management system aimed at safeguarding the long-term achievement of our Group's goals and addressing risks to ensure our continued existence and future success. Within the scope of audits, Group Internal Auditing regularly reviews the performance of risk management processes within the units at the local level and, at the same time, the communication of relevant risks from the operating businesses to Group Risk Management. Additionally, the external auditor examines the risk early warning system in accordance with section 317 (4) of the German Commercial Code (HGB) as part of the year-end audit of Merck KGaA, Darmstadt, Germany.
Our risk management activities aim to continuously and promptly identify, assess, and manage risks so that appropriate measures can be implemented to mitigate their potential negative impact. The responsibilities, objectives and procedures of risk management are outlined in our internal group standard for risk management. The designated risk owners, including business heads, managing directors of the subsidiaries and the heads of enabling Group functions, are responsible for overseeing and running local risk management processes. These processes encompass various requirements, such as identifying risks considering internal and external factors (impacting both financial and non-financial targets), analyzing risks, implementing appropriate mitigation actions, establishing preventive measures and contingency plans if applicable, and documenting risks and mitigation efforts.
The risk owners continuously assess the status of risks and report their risk portfolio to Group Risk Management twice a year. To facilitate and support these activities, we employ dedicated risk management tools. Group Risk Management coordinates and supervises the bottom-up risk reporting process. This includes validating the plausibility of the reported risks, assessing the effectiveness of mitigation measures and time frames, and determining the residual risk. The net risk is then presented in the internal risk report.
For the internal bottom-up risk reporting process, reporting is based on defined thresholds, and a variety of distribution functions are used to reflect scenarios with varied occurrence probabilities. Risks below the global reporting threshold are managed and monitored at a local level. The time frame applied for internal risk and opportunity reporting is five years. It may extend beyond this time frame in specific cases, such as for regulatory risks related to climate change. The outlined risks and their evaluation are based on respective annual values within the reporting period. The assessment of the risks presented relates to December 31, 2024. No significant changes occurred after the balance sheet date that would necessitate an amended presentation of the Group’s risk situation.
Group Risk Management analyzes the reported information to determine the current risk portfolio of the Group. This assessment is presented in a comprehensive report, accompanied by detailed explanations, to the Executive Board, the Supervisory Board and relevant committees twice a year. This also encompasses a quantitative aggregation of risks at Group level, using a Monte Carlo simulation. Moreover, any notable changes in the assessment of existing risks or the identification of new significant risks can be reported at any time and promptly communicated to the Executive Board.
Our internal controlling processes incorporate the opportunity management process, which is aligned with the Group’s strategy within the operating units. As part of the strategy and planning processes, the business sectors analyze and evaluate possible business-related opportunities. In this context, investment opportunities are carefully examined and prioritized primarily in terms of their potential value proposition, ensuring optimal resource allocation. We target investment in growth markets to leverage the opportunities of dynamic development and customer proximity at a local level.
Identified opportunities that are deemed likely to occur are integrated into the business plans and forecasts. Additionally, trends and events that have the potential to positively impact EBITDA pre or operating cash flow are considered. These opportunities have the potential to have a positive effect on our medium-term prospects.
Risk and opportunity assessment
The significance of a risk is evaluated based on its potential unfavorable deviation from our financial and non-financial targets in conjunction with the probability of occurrence of the respective risk.
The underlying scales for measuring these factors are shown below:

| Probability of occurrence | Explanation |
|---|---|
| <1% | Highly improbable |
| 1 – 5% | Improbable |
| 5 – 20% | Possible |
| 20 – 50% | Likely |
| >50% | More likely than not |

| Degree of impact | Explanation |
|---|---|
| >€ 500 million | Critical negative impact on EBITDA pre and/or operating cash flow |
| € 100 – 500 million | Significant negative impact on EBITDA pre and/or operating cash flow |
| € 25 – 100 million | Moderate negative impact on EBITDA pre and/or operating cash flow |
| € 10 – 25 million | Minor negative impact on EBITDA pre and/or operating cash flow |
| <€ 10 million | Immaterial negative impact on EBITDA pre and/or operating cash flow |

To enable a thorough evaluation of both financial and non-financial risks, a qualitative rating scale is available to evaluate the indirect financial impact. The scale includes dimensions like Environmental, Social and Governance (ESG), reputational, strategic, and operational aspects and is mandatory for the assessment of non-quantifiable and qualitative risks. The scale categorizes the risks as low, moderate, significant, or critical and provides a comprehensive reference for assessment.
Opportunities are assessed within their respective business environment. During short-term and strategic planning, general measures of business functions are quantified, typically in relation to EBITDA pre (earnings before interest, taxes, depreciation, and amortization) and operating cash flow. In addition, we identify and leverage opportunities as part of our regular business operations and through our daily observation of internal processes and markets.
Investment opportunities are primarily evaluated and prioritized using metrics such as net present value, internal rate of return, return on capital employed (ROCE), and the payback period of the investment. These indicators are used to assess the potential of investment projects and prioritize them accordingly. Similarly, scenarios are used to simulate the impact of possible fluctuations and changes in the respective parameters on results.
* The contents of this chapter or section are voluntary and therefore not audited. However, our auditor has read the text critically.