18.3.1 Group-wide Opportunity and Risk Management System

Responsible corporate governance forms the basis for sustainable growth and profitability. Corporate governance comprises the long-term management and oversight of the company in accordance with the principles of responsibility and transparency. The German Corporate Governance Code sets out basic principles for the management and oversight of listed companies. Key elements of corporate governance are the systematic identification and use of opportunities and the avoidance of risks to the company’s success.

Corporate Governance

[Figure: Corporate Governance (organigram)]

The entrepreneurial decisions we make daily in the course of business processes are based on balancing opportunities and risks. We therefore regard opportunity and risk management as an integral aspect of business management rather than the task of a specific organizational unit. Our opportunity and risk management is rooted in our strategy and planning processes. Based on these, we determine relevant external and internal opportunities along with economic, ecological and social challenges. Opportunities and risks are identified by observing and analyzing trends along with macroeconomic, industry-specific, regional and local developments. These opportunities and risks are then evaluated and incorporated into business-specific strategic and operational frameworks. We attempt to avoid or mitigate risks by taking appropriate countermeasures, or to transfer them to third parties (such as insurers) to the extent possible and economically acceptable. We consciously accept and bear manageable and controllable risks that stand in a reasonable relation to the anticipated opportunities. They are an aspect of general entrepreneurial risk. Opportunities and risks are continuously monitored so that changes in the economic or legal environment, for example, can be identified at an early stage and suitable countermeasures can be initiated if necessary.

To enable the Board of Management and the Supervisory Board to monitor material business risks as legally required, the following systems are in place: an internal control system ensuring proper and effective financial reporting pursuant to Section 289, Paragraph 5 and Section 315, Paragraph 2, No. 5 of the German Commercial Code; a compliance management system; and a risk early warning system pursuant to Section 91, Paragraph 2 of the German Stock Corporation Act.

The various management systems are based on different risk types, risk levels and timelines. Different processes, methods and IT systems are therefore applied to identify, evaluate, manage, and monitor risks. The principles underlying the various systems are documented in Group directives that are contained in our Management Regulations (Margo) database and are accessible to all employees via the Bayer intranet. System owners and coordinators are named at the management level in the divisions, service companies, country companies and central functions of the Bayer Group. The overall responsibility for the effectiveness and appropriateness of the systems lies with the Chief Financial Officer.

The different systems are described below.

Internal control system for (Group) accounting and financial reporting

(Report pursuant to Sections 289, Paragraph 5 and 315, Paragraph 2, No. 5 of the German Commercial Code)

Bayer has an internal control system (ICS) in place for the (Group) accounting and financial reporting process. This process comprises defined structures and workflows implemented throughout the organization. The purpose of our ICS is to ensure proper and effective accounting and financial reporting in accordance with Section 289, Paragraph 5 and Section 315, Paragraph 2, No. 5 of the German Commercial Code.

The ICS is designed to guarantee timely, uniform and accurate accounting for all business processes and transactions based on applicable statutory regulations, accounting and financial reporting standards and the internal Group directives that are binding upon all consolidated companies.

The ICS is based on the COSO I (Committee of the Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and Related Technology) frameworks and addresses misreporting risks in the consolidated financial statements. Risks are identified and evaluated, and steps are taken to counter them. Mandatory ICS standards such as system-based and manual reconciliation processes and functional separation have been derived from these frameworks and promulgated throughout the Group by the Accounting unit of Bayer AG.

The management of each Group company holds responsibility for implementing the ICS standards at the local level. Using Bayer’s shared service centers, the Group companies prepare their financial statements locally and transmit them with the aid of a standard Group data model that is based on the Group accounting directive. This ensures the regulatory compliance of the consolidated financial statements.

The effectiveness of the ICS processes for accounting and financial reporting is evaluated on the basis of a cascaded self-assessment system that starts with the persons directly involved in the processes, then involves the principal responsible managers and ends with the Board of Management. The system also makes use of internal and external audits. An IT application in use throughout the Bayer Group ensures uniform and audit-proof documentation and transparent presentation of all ICS-relevant business processes, focusing especially on the relevant risks, controls and effectiveness evaluations.

The Board of Management has confirmed the effective functioning of the internal control system for accounting and financial reporting and the relevant criteria for the 2015 fiscal year. However, it should be noted that an internal control system, irrespective of its design, cannot provide absolute assurance that material misstatements in the accounting will be avoided or identified.

Compliance management system

Our compliance management system is aimed at ensuring lawful, responsible and sustainable conduct by our employees. It is designed to identify potential violations in advance and systematically prevent their occurrence. The compliance management system thus contributes significantly to the integration of compliance into our operating units and their processes.

In light of the Bayer Group’s diversified structure and international focus, we are active in different industry sectors, markets and geographical regions worldwide, each of which has its own local legislation and industry codes. Compliance risks are identified by performing a trend analysis based on cases reported from around the world. We embarked on the global implementation of an integrated compliance management system in 2014. This system enhances the systematic and preventive identification and assessment of risks. Risk identification is carried out both from the bottom up via the country organizations and from the top down via the global functions, taking global, local and business-specific aspects into account. In addition, compliance program audits are performed by Internal Audit. These audits proactively evaluate the implementation of the Corporate Compliance Policy in the country organizations. ((Corporate) compliance comprises the observance of statutory and company regulations on lawful and responsible conduct.) All the results are discussed by the local business units, the local compliance officers and representatives of the headquarters functions at a round table and are entered into a risk database.

Risk early warning system pursuant to Section 91, Paragraph 2 of the German Stock Corporation Act

A process known as BayRisk has been established to enable the early identification of any adverse developments that are material and/or could endanger the company’s continued existence, thus satisfying the legal requirements regarding an early warning system for corporate risks pursuant to Section 91, Paragraph 2 of the German Stock Corporation Act. This process is steered by a central unit within the Corporate Center to ensure the implementation of a consistent framework and standards for Bayer’s risk early warning system.

The BayRisk process follows a bottom-up approach in order to identify corporate risks as fully as possible. The early identification, evaluation, management and reporting of risks is the responsibility of the respective divisions, service companies and central functions. The process takes into account not only risks that could directly impact our financial targets, but also those that could affect the achievement of qualitative objectives such as the preservation of our reputation. Evaluation is based on both financial and nonfinancial criteria. Risk coordinators are appointed to evaluate, manage and monitor the identified risks.

This results in a multidimensional evaluation which estimates the probability of occurrence, potential damage and relevance for our external stakeholders. The following matrix illustrates the financial criteria for rating a risk as high, medium or low.

Risk Rating Matrix According to Financial Criteria

[Matrix: accumulated impact (€ million) in the bands > 1,250, 500 – 1,250 and < 500, plotted against likelihood of occurrence. H = high risk, M = medium risk, L = low risk.]

All risks that exceed defined and annually updated value thresholds, together with the respective countermeasures, are entered in a Group-wide database. The risk portfolio is reviewed three times a year. Significant changes are documented and reported to the Board of Management. The risk portfolio is also documented in a management information system and is thus accessible to the members of the Group Leadership Circle at all times. A report on the risk portfolio is submitted to the Audit Committee of the Supervisory Board once a year.

Process-independent monitoring

The effectiveness of our management systems is audited and evaluated at regular intervals by Internal Audit, which performs an independent and objective audit function focused on verifying compliance with laws and directives. Internal Audit also supports the company in achieving its goals by systematically evaluating the efficiency and effectiveness of governance, risk management and control processes and helping to improve them. The selection of audit targets follows a risk- and cycle-based approach. Internal Audit applies internationally recognized standards and performs reliable audit services. This is confirmed by a quality assessment undertaken in 2012 by the American Institute of Internal Auditors (IIA). A report on the internal control system and its effectiveness is presented annually to the Audit Committee of the Supervisory Board.

Risks in the areas of occupational health and safety, plant safety, environmental protection and product quality are assessed through specific HSEQ (health, safety, environment and quality) audits.

In addition, the external auditor, as part of its audit of the annual financial statements, assesses the basic suitability of the early warning system for identifying at an early stage any risks that could endanger the company’s continued existence. The auditor regularly reports to the Board of Management and the Supervisory Board on the identification of any weaknesses in the internal control system.

Audit outcomes are taken into account in the continuous enhancement of our management processes.