In order to operate successfully as a company in a complex business environment and to ensure the effectiveness, efficiency and propriety of accounting and compliance with the relevant legal and sub-legislative regulations, Continental has created a governance system that encompasses all relevant business processes. The governance system comprises the internal control system, the risk management system and the compliance management system, which is described in detail in the Compliance section on page 22. The risk management system in turn also includes the early risk identification system in accordance with Section 91 (2) of the German Stock Corporation Act (Aktiengesetz – AktG).
The Executive Board is responsible for the governance system, which includes all subsidiaries. The Supervisory Board and its Audit Committee monitor its effectiveness.
Pursuant to Sections 289 (4) and 315 (4) of the German Commercial Code (Handelsgesetzbuch – HGB), the main characteristics of the internal control and risk management system with respect to the accounting process must be described. All parts of the risk management system and internal control system that could have a material effect on the annual and consolidated financial statements must be included in the reporting.
Key elements of the corporate-wide control systems are the clear allocation of responsibilities and controls inherent in the system when preparing the financial statements. The two-person rule and separation of functions are fundamental principles of this organization. In addition, Continental’s management ensures accounting that complies with the requirements of law via guidelines on the preparation of financial statements and on accounting, access authorizations for IT systems and regulations on the involvement of internal and external specialists.
The effectiveness of the financial reporting internal control system (Financial Reporting ICS) is evaluated in major areas by testing the effectiveness of the reporting units on a quarterly basis. In addition, Group Audit reviews the efficiency and effectiveness of control processes as well as compliance with internal and external requirements. If any weaknesses are identified, the Continental Group’s management initiates the necessary measures.
As part of our opportunity management activities, we assess market and economic analyses and changes in legal requirements (e.g. with regard to fuel consumption and emission standards as well as safety regulations). In addition, we deal with the corresponding effects on the automotive sector and other relevant markets, our production factors and the composition and further development of our product portfolio.
Governance, risk and compliance (GRC)
In the GRC policy adopted by the Executive Board, Continental defines the general conditions for integrated GRC as a key element of the risk management system; the policy regulates the identification, assessment, reporting and documentation of risks. It also further increases corporate-wide risk awareness and establishes the framework for a uniform risk culture.
In the year under review, Continental systematized the calculation of risk-bearing capacity, among other things, in order to meet the extended requirements of the revised auditing standard IDW PS 340 n. F. However, this did not lead to any significant changes in the general flow of established processes.
The GRC system incorporates all components of risk reporting and the examination of the effectiveness of the Financial Reporting ICS. Risks are identified, assessed and reported at the organizational level that is also responsible for managing the identified risks. A multi-stage assessment process also involves the higher-level organizational units. The GRC system thus includes all reporting levels, from the company level to the top corporate level.
At the corporate level, the responsibilities of the GRC Committee – chaired by the Executive Board member responsible for Finance, Controlling and IT – include identifying material risks for the Continental Group as well as complying with and implementing the GRC policy. The GRC Committee regularly informs the Executive Board and the Audit Committee of the Supervisory Board of the material risks, any weaknesses in the control system and measures taken. Moreover, the auditor is required to report to the Audit Committee of the Supervisory Board regarding any material weaknesses in the Financial Reporting ICS which they have identified as part of their audit activities.
Risk assessment and reporting
A one-year period under consideration is always applied when evaluating risks and opportunities. Risks and their effects are assessed using an end-to-end gross and net assessment methodology that helps to identify the impact of risk-minimizing measures. Risks are assessed primarily according to quantitative criteria in various categories. If a risk cannot be assessed quantitatively, it is assessed qualitatively based on the potential negative effects its occurrence would have on achieving corporate goals and on other qualitative criteria such as the impact on Continental’s reputation. Risks and opportunities are not offset.
Material individual risks for the Continental Group are identified from all the reported risks based on the probability of occurrence and the potential amount of damage that would be caused in the period under consideration. Quantified risks are based on EBIT effect and free cash flow effect.
The individual risks that Continental has classified as material and the aggregated risks that have been assigned to risk categories are all described in the report on risks and opportunities, provided the potential negative effect of an individual risk or the sum of risks included in a category exceeds €100 million in the period under consideration or there is a significant negative impact on the corporate goals.
The aggregated risk inventory is compared with the risk-bearing capacity determined under both the liquidation and going-concern approaches, taking into account possible interactions, and is supplemented by a qualitative assessment by the GRC Committee on non-quantifiable risks in order to derive a statement on the potential risk to the Continental Group.
Local management can utilize various instruments for risk assessment, such as predefined risk categories (e.g. exchange-rate risks, product-liability risks, legal risks) and assessment criteria, centrally developed function-specific questionnaires as well as the Financial Reporting ICS’s process and control descriptions. The key controls in business processes (purchase to pay, order to cash, asset management, HR, IT authorizations, the financial statement closing process and sustainability reporting) are thus tested with respect to their effectiveness.
All major subsidiaries carry out a semiannual assessment of business-related risks and an annual assessment of compliance risks in the GRC system’s IT-aided risk management application. Any quality, legal and compliance cases that have actually occurred are also taken into account when assessing these risks. The quarterly Financial Reporting ICS completes regular GRC reporting.
Furthermore, strategic risks are identified and assessed, for example as part of a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). Any new material risks arising ad hoc between regular reporting dates have to be reported immediately and considered by the GRC Committee. This also includes risks identified in the audits by corporate functions.
In addition to the risk analyses carried out by the reporting units as part of integrated GRC, audits are also performed by the Group Audit department. Furthermore, the central controlling function analyzes the key figures provided as part of this reporting process at corporate and group-sector level in order to assess the effects of potential risks.
Continental has set up the Compliance & Anti-Corruption Hotline to give employees and third parties outside the Continental Group the opportunity to report violations of legal regulations, its fundamental values and ethical standards. Information on any kind of potential violations, such as bribery or antitrust behavior, but also accounting manipulations, can be reported anonymously, where permissible by law, via this hotline. Tips received by the hotline are examined, pursued and dealt with fully by the Group Audit and Compliance departments, as required, with the assistance of other departments. Continental also offers an ombudsman’s office.
Risk management and monitoring
The responsible management initiates suitable countermeasures that are also documented in the GRC system for each risk identified and assessed as material. The GRC Committee monitors and consolidates the identified risks and suitable countermeasures at the corporate level. It regularly reports to the Executive Board and recommends further measures if needed. The Executive Board discusses and resolves the measures, and reports to the Supervisory Board’s Audit Committee. The responsible bodies continually monitor the development of all identified risks and the progress of actions initiated. Group Audit regularly audits the risk management process, thereby continually monitoring its effectiveness and further development.