In order to operate successfully as a company in a complex business environment and to ensure the effectiveness, efficiency and propriety of accounting and compliance with the relevant legal and sub-legislative regulations, Continental has created a governance system that encompasses all relevant business processes. The governance system comprises the internal control system, the risk management system and the compliance management system, which is described in detail in the corporate governance declaration on page 16. The risk management system in turn also includes the early risk identification system in accordance with Section 91 (2) of the German Stock Corporation Act (Aktiengesetz – AktG).
The Executive Board is responsible for the governance system, which includes all subsidiaries. The Supervisory Board and its Audit Committee monitor its effectiveness.
Pursuant to Sections 289 (4) and 315 (4) of the German Commercial Code (Handelsgesetzbuch – HGB), the main characteristics of the internal control and risk management system with respect to the accounting process must be described. All parts of the risk management system and internal control system that could have a material effect on the annual and consolidated financial statements must be included in the reporting.
Key elements of the corporate-wide control systems are the clear allocation of responsibilities and controls inherent in the system when preparing the financial statements. The two-person rule and separation of functions are fundamental principles of this organization. In addition, Continental’s management ensures accounting that complies with the requirements of law via guidelines on the preparation of financial statements and on accounting, access authorizations for IT systems and regulations on the involvement of internal and external specialists.
The effectiveness of the financial reporting internal control system (Financial Reporting ICS) is evaluated in major areas by testing the effectiveness of the reporting units on a quarterly basis. If any weaknesses are identified, the Continental Group’s management initiates the necessary measures.
As part of our opportunity management activities, we assess market and economic analyses and changes in legal requirements (e.g. with regard to fuel consumption and emission standards as well as safety regulations). In addition, we deal with the corresponding effects on the automotive sector and other relevant markets, our production factors and the composition and further development of our product portfolio.
Governance, risk and compliance (GRC)
In the GRC policy adopted by the Executive Board, Continental defines the general conditions for integrated GRC as a key element of the risk management system, which regulates the identification, assessment, reporting and documentation of risks. In addition, this also further increases corporate-wide risk awareness and establishes the framework for a uniform risk culture.
The GRC Committee ensures that this policy is adhered to and implemented. The GRC system incorporates all components of risk reporting and the examination of the effectiveness of the Financial Reporting ICS. Risks are identified, assessed and reported at the organizational level that is also responsible for managing the identified risks. A multi-stage assessment process is used to also involve the higher-level organizational units. The GRC system thus includes all reporting levels, from the company level to the top corporate level.
At the corporate level, the responsibilities of the GRC Committee – chaired by the Executive Board member responsible for Finance, Controlling, Compliance, Law and IT – include identifying material risks for the Continental Group. The GRC Committee regularly informs the Executive Board and the Audit Committee of the Supervisory Board of the material risks, any weaknesses in the control system and measures taken. Moreover, the auditor is required to report to the Audit Committee of the Supervisory Board regarding any material weaknesses in the Financial Reporting ICS which they identified as part of their audit activities.
Risk assessment and reporting
A period under consideration of one year is always applied when evaluating risks and opportunities. The risks and their effects are assessed primarily according to quantitative criteria and assigned to different categories in line with the net principle, i.e. after risk mitigation measures. If a risk cannot be assessed quantitatively, then it is assessed qualitatively based on the potential negative effects its occurrence would have on achieving corporate goals and based on other qualitative criteria such as the impact on Continental’s reputation.
Material individual risks for the Continental Group are identified from all the reported risks based on the probability of occurrence and the amount of damage that would be caused in the period under consideration.
The individual risks that Continental has classified as material and the aggregated risks that have been assigned to risk categories are all described in the report on risks and opportunities, provided the potential negative EBIT effect of an individual risk or the sum of risks included in a category exceeds €100 million in the period under consideration or there is a significant negative impact on the corporate goals.
Local management can utilize various instruments for risk assessment, such as predefined risk categories (e.g. exchange-rate risks, product-liability risks, legal risks) and assessment criteria, centrally developed function-specific questionnaires as well as the Financial Reporting ICS’s process and control descriptions. The key controls in business processes (purchase to pay, order to cash, asset management, HR, IT authorizations and the financial statement closing process) are thus tested with respect to their effectiveness.
All major subsidiaries carry out a semiannual assessment of business-related risks and an annual assessment of compliance risks in the GRC system’s IT-aided risk management application. Any quality, legal and compliance cases that have actually occurred are also taken into account when assessing these risks. The quarterly Financial Reporting ICS completes regular GRC reporting.
Furthermore, the GRC Committee identifies and assesses strategic risks, for example as part of a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). Any new material risks arising unexpectedly between regular reporting dates have to be reported immediately and considered by the GRC Committee. This also includes risks identified in the audits by corporate functions.
In addition to the risk analyses carried out by the reporting units as part of integrated GRC, audits are also performed by the Group Audit department. Furthermore, the central controlling function analyzes the key figures provided as part of this reporting process at corporate and business-area level in order to assess the effects of potential risks.
Continental has set up the Compliance & Anti-Corruption Hotline to give employees and third parties outside the Continental Group the opportunity to report violations of legal regulations, its fundamental values and ethical standards. Information on any kind of potential violations, such as bribery or antitrust behavior, but also accounting manipulations, can be reported anonymously, where permissible by law, via the hotline. Tips received by the hotline are examined, pursued and dealt with fully by the Group Audit and Compliance departments, as required, with the assistance of other departments.
The responsible management initiates suitable countermeasures that are also documented in the GRC system for each risk identified and assessed as material. The GRC Committee monitors and consolidates the identified risks and suitable countermeasures at the corporate level. It regularly reports to the Executive Board and recommends further measures if needed. The Executive Board discusses and resolves the measures, and reports to the Supervisory Board’s Audit Committee. The responsible bodies continually monitor the development of all identified risks and the progress of actions initiated. Group Audit regularly audits the risk management process, thereby continually monitoring its effectiveness and further development.