Risk management system
The Schaeffler Group intentionally takes risks in order to meet its corporate objectives. The objective of the risk management system is to identify these risks on a timely basis and to manage them in accordance with the company’s risk appetite. This applies particularly to risks to the company’s continued existence as a going concern and to its development, which are responded to with appropriate action. Consciously addressing identified risks and regularly monitoring risk factors is designed to increase risk awareness and ensure a continuous improvement process.
The groupwide risk management system is based on the management-oriented enterprise risk management (ERM) approach, which in turn has its basis in the globally recognized framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As described in this framework, the processes of the risk management system are linked to financial reporting and the internal control system. The Schaeffler Group’s risk management process described below is based on the COSO ERM framework.
Responsibility for the risk management system rests with the Board of Managing Directors of Schaeffler AG. The Board of Managing Directors regularly reports to the Schaeffler AG audit committee and ensures that necessary risk management measures are approved. Details of the risk management system are largely set out in a risk management guideline issued by the Board of Managing Directors and published within the Schaeffler Group, making it available to all employees. It contains a description of the process, the allocation of responsibilities, and the structure of the risk management system. The Board of Managing Directors has asked Corporate Risk Management to review and update the risk management system on an ongoing basis and to ensure that existing uniform groupwide standards are implemented and complied with. All instructions from Corporate Risk Management are binding on all individuals responsible for risk.
The risk management system consists of a multi-phase process spanning various levels and organizational units in order to appropriately reflect the matrix structure of the Schaeffler Group. In a bottom-up process, risks are identified and analyzed at the subsidiary level. Based on this analysis, the next step is a top-down analysis by the appropriate global management of the functions and divisions. They assess the risks identified within the subsidiaries, taking into account all interdependencies within the Schaeffler Group. This approach ensures that all dimensions of the Schaeffler Group’s matrix structure are reflected in the risk management system. Risks are identified at all material Schaeffler AG subsidiaries on a semiannual basis. Operating management is responsible for identifying risks. The time period for identifying risks is three years, longer than the outlook horizon.
Systematic identification of risks related to the issues in the non-financial report is performed separately and is not part of the risk management system described herein.
The guideline also defines a groupwide catalog of risk categories to ensure that all risks along the value chain are identified. Identified risks have to be assigned to predefined risk categories. This catalog must be completely reviewed by all those responsible for risk in order to ensure uniform and complete identification of risks. To make risk assessment comparable, suggested risk assessments have been provided for all risk categories.
Subsidiaries included are selected using a defined selection process based on revenue and earnings (EBIT) as well as risk factors specific to the business. This selection process ensures that all Schaeffler Group subsidiaries that are relevant from a materiality perspective are included in the risk management system. In 2018, 42 of 153 Schaeffler Group entities were included, representing 94% of revenue and 93% of the Schaeffler Group’s EBIT. The remaining 111 entities are subject to an abbreviated risk survey process ensuring that all risks to the existence of the company as a going concern are identified.
The risk management system only deals with risks exceeding a threshold of EUR 5 m on a net basis. Risks are assessed based on their amount of damage and their probability of occurrence. The assessment classifies the amount of damage of each risk in one of four categories: very low, low, medium, and high. Classification is performed based on the amount of damage for one year. The probability of occurrence is assessed using percentages and is classified in the four categories improbable, possible, probable, and highly probable. The combination of estimated amount of damage and probability of occurrence determines the risk class, which is classified as either low, medium, or high based on its impact on net assets, the financial position, and earnings. Risks are assigned to the various risk classes using the risk matrix.
In assessing risks, the Schaeffler Group differentiates between gross exposures and net exposures. Measures already in place can reduce the gross exposure with respect to both amount of damage and probability of occurrence. The net exposure represents the amount of damage and the probability of occurrence after taking into account any risk mitigation measures in place at the reporting date.
Identified risks are actively managed to achieve the company’s intended level of risk mitigation. Management takes measures to avoid or reduce risks or to provide safeguards against them. Any risks that cannot be mitigated by taking appropriate action are classified as business risks. Risks with a low impact on the Schaeffler Group are managed by operating management. Risks with a medium or high impact, however, are also managed by the Board of Managing Directors of Schaeffler AG. Within his or her area of responsibility, each member of the Board of Managing Directors decides what measures are required and ensures that they are implemented and kept up to date. The current risk assessment is regularly reported to the Board of Managing Directors and the audit committee.
Corporate Risk Management reports to the Board of Managing Directors on the risk situation semiannually, which ensures that the Board of Managing Directors is continually updated on the current risk situation of the Schaeffler Group and its change over time. All net exposures with a medium or high impact are reported to the Board of Managing Directors. These reports also include an aggregated summary of identified opportunities. Between regular reporting dates, emerging risks are reported using a defined ad hoc process, ensuring timely communication of emerging risks to the Board of Managing Directors.
Internal audit regularly satisfies itself that the risk management system is effective.
In response to the growing complexity of the risk management system and to ensure data is protected, Schaeffler has captured risks in a risk management tool developed specifically for this purpose.