Risk management and internal controls over sustainability reporting (GOV-5)

In the context of constantly evolving external and internal requirements for the management of non-financial risks, work continued in 2024 on the development of a procedural and organizational concept as well as a roadmap for expanding non-financial risk management. The non-financial internal control system aligns with the sustainability strategy and is set up in accordance with the requirements of the Corporate Sustainability Reporting Directive (CSRD). The objective is to continuously improve compliance with CSRD requirements by implementing organization-wide actions and controls. The Group’s internal control system is oriented toward the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, a globally recognized standard divided into five components: control environment, risk assessment, control activities, information and communication, and monitoring. In comparison with the previous year, the internal controls for sustainability reporting were further formalized and integration into the overall internal control system was initiated.

Our risk assessment follows predefined approaches for quantitative and qualitative assessments. Depending on the impact and probability, subsequent prioritization is possible. Mitigation actions for all relevant identified risks are key for their appropriate management and thus for reducing their impact and likelihood. The implementation of actions to reduce the likelihood of relevant risks can include creating provisions to reduce gross impacts or adjusting insurance coverage. Based on the remaining risk, the risk owner and, if relevant, the Executive Board decide whether the implemented actions are sufficient or if the remaining risk needs further mitigation actions. Every mitigation action is reviewed twice a year to confirm its effectiveness and determine whether additional actions are required. Group Risk Management monitors the aggregated mitigation measures and is regularly informed if deviations are determined regarding implemented mitigation actions.

The responsibility for the effectiveness of the internal control system and the further development of non-financial key metrics lies with the respective senior leaders or risk and process owners. In 2024, non-financial aspects were added to the approach for confirming the overall effectiveness of the internal control system, with the responsible Group functions, the respective local Managing Director and the respective local Chief Financial Officer signing corresponding confirmations.
