The governance systems at Continental comprise the internal control system, the risk management system and – as part of the risk management system – the compliance management system. The risk management system in turn also includes the early risk identification system in accordance with Section 91 (2) of the German Stock Corporation Act (Aktiengesetz – AktG).
The Executive Board is responsible for the governance systems, which include all subsidiaries. The Supervisory Board and its Audit Committee monitor the effectiveness of these systems.
Structure of the internal control system
In order to operate successfully as a company in a complex business environment and to ensure the effectiveness, efficiency and propriety of all processes and compliance with the relevant legal and sub-legislative regulations, Continental has established an internal control system that encompasses all relevant business processes.
Key elements of the corporate-wide internal control system are the clear allocation of responsibilities and system-inherent controls in the respective process flows. The two-person rule and separation of functions are fundamental principles of this organization. Continental’s management also issues guidelines to ensure that all business processes are conducted in an economical, orderly and legally compliant manner.
Based on these fundamental principles and the globally applicable guidelines, the internal control system at Continental follows the Three Lines Model.
In the first line, system-inherent controls are configured in the company’s IT systems to support the orderly and economical execution of all process flow transactions in accordance with the corporate-wide guidelines. At the same time, these transactional controls help to identify risks and deviations that require separate consideration. As the controls and process flows established in the first line apply to Continental’s operating business, they are generally put in place at the level of our operating units, such as our subsidiaries, business areas and group sectors.
In the second line of our internal control system, guidelines for process flows are developed, implemented and updated and compliance with controls and guidelines is monitored. Responsibility for this lies primarily with the group functions, in addition to the business areas and group sectors. The responsibilities include, for example, the risk management system and the compliance management system. In order to perform this supervisory and monitoring function, an integrated reporting system has been established that includes, for example, the financial reporting internal control system (Financial Reporting ICS), the general risk management system, the compliance risk management system and the tax compliance management system. The supervisory and monitoring function is performed on the basis of regular reports and supplemented as needed with effectiveness tests as part of self-audits and regular internal and external reviews.
The compliance management system plays an important role within the second line of defense by helping to prevent, detect and respond to compliance violations. The Group Compliance group function is responsible for the compliance management system. The chief compliance officer reports directly to the chairman of the Executive Board. The work done by Group Compliance focuses mainly on preventing and detecting corruption, fraud and other property offenses, violations of antitrust and competition law and money laundering; implementing data protection; and responding to compliance violations. For other legal areas in which there is a risk of compliance violations, responsibility for appropriate and effective compliance management lies with the respective functions, which are supported in these tasks by Group Compliance.
An effective culture of compliance is the basis for prevention. It begins with setting an appropriate “tone from the top” by the Executive Board and management and, in addition to risk analysis, includes in particular employee training, compliance consulting and the internal publication of guidelines.
In the course of risk analysis, the business activities of Continental are examined for compliance risks within the scope of top-down as well as bottom-up review processes. The risk of compliance violations arises primarily from organizational structures and workflows, the given market situation and activities in certain geographical regions. Furthermore, findings from investigations by the Group Internal Audit group function as well as discussions with management and employees at all hierarchical levels are taken into account. This risk analysis is not a one-off procedure, but is performed annually and continuously updated.
Prevention is also fostered by consultation on specific matters with Group Compliance and by the internal publication of guidelines on topics such as anti-corruption (including giving and receiving gifts as well as donations and sponsoring), antitrust and competition law, anti-money laundering and data protection. In training events, Group Compliance addresses topics directly related to everyday compliance issues and challenges.
Continental introduced the Business Partner Code of Conduct to prevent compliance violations by suppliers, service providers, representatives or similar third parties. This must be recognized as a basic requirement for doing business with Continental.
In the context of detection, Continental has set up an Integrity Hotline to give employees and third parties outside the Continental Group the opportunity to report violations of legal regulations, its fundamental values and ethical standards. Information on any kind of potential violations, including accounting manipulation, can be reported anonymously via this hotline. The hotline is available worldwide in many different languages. The company’s investigating units rigorously pursue any and all substantiated leads.
Detection also includes the support of regular and incident-related audits conducted by Group Internal Audit. Compliance-related issues are regularly the subject of audits by Group Internal Audit.
Responses are aimed at implementing measures as a consequence of identified compliance violations. Group Compliance is involved in decision-making on measures that may be required, including thorough analysis to ensure that isolated incidents are not symptoms of failings in the system. In this way, corresponding gaps can be closed preventively and the compliance management system, as well as the internal control system, can be systematically developed.
The third line of our internal control system is our Group Internal Audit group function.
Group Internal Audit serves an independent and objective auditing and advisory function, applying a systematic approach to help review, assess and improve the adequacy and effectiveness of the organization’s governance systems. Continental’s Executive Board authorizes Group Internal Audit to conduct audits in all regions, companies or functions of Continental AG and its affiliated, fully consolidated subsidiaries worldwide.
Group Internal Audit prepares an annual risk-oriented audit plan that is submitted to Continental’s Executive Board for review and approval. In addition to its planned general audits, Group Internal Audit also conducts special investigations. These are based on tips and information about fraudulent acts received from internal or external sources such as the Integrity Hotline or the ombudsman’s office.
Group Internal Audit regularly reports its audit and investigation results to the Executive Board and the Audit Committee. Significant risks and potential improvements to internal controls are presented as part of the reporting to the aforementioned bodies. The implementation by management of the measures recommended in the course of audits is also monitored by Group Internal Audit and reported to the Executive Board and the Audit Committee.
Appropriateness and effectiveness of the internal control system
The three-tier structure of the internal control system at Continental and the associated guidelines and processes introduced worldwide fundamentally ensure that the relevant business processes are performed properly, economically and in compliance with legal regulations. Nevertheless, an internal control system cannot provide complete protection, particularly if internal controls and guidelines are intentionally circumvented. To proactively prevent and detect such circumvention, Continental has established monitoring functions at the various levels of the internal control system. Group Internal Audit assumes a particularly important role in this regard. Internal monitoring of compliance with internal controls is supplemented by information we receive from external audits, for example as part of ISO certifications, customer and supplier audits, company audits, customs audits and IT audits. These findings are taken into account when updating and making necessary adjustments to our internal control system.
Continental’s Executive Board is kept continuously informed of the results of internal audit activities, external audits and governance system reporting, all of which form the basis for the Executive Board’s assessment of the appropriateness and effectiveness of the internal control system.
The increased volatility of our business environment, the transformation of the automotive industry, the ever faster pace of technological development and the necessary consideration of sustainability aspects have shown that an internal control system must be continuously adapted to changing conditions. This increasingly complex environment has made it particularly vital to reassess the individual sub-areas of the internal control system in order to achieve a comprehensive overview and structure defined by uniform specifications. To this end, a comprehensive project to analyze the internal control system has been initiated.
Main characteristics of the internal control and risk management system with respect to the accounting process (Sections 289 (4) and 315 (4) of the German Commercial Code (Handelsgesetzbuch – HGB))
Pursuant to Sections 289 (4) and 315 (4) HGB, the main characteristics of the internal control and risk management system with respect to the accounting process must be described. All parts of the risk management system and internal control system that could have a material effect on the annual and consolidated financial statements must be included in the reporting.
The consolidated financial statements of Continental AG are prepared on the basis of standard reporting by the subsidiaries included in the consolidated financial statements in accordance with International Financial Reporting Standards (IFRS). Reporting is performed in compliance with IFRS and with the accounting manual applicable throughout the Continental Group. The consolidation of subsidiaries, debt, income and expenses, and intercompany profits is performed at corporate level.
The effectiveness of the financial reporting internal control system (Financial Reporting ICS) is evaluated in major areas by carrying out effectiveness tests in the reporting units on a quarterly basis. In addition, Group Internal Audit reviews the efficiency and effectiveness of control processes as well as compliance with internal and external requirements. If any weaknesses are identified, the Continental Group’s management initiates the necessary measures.
Risk management system
In the governance, risk and compliance (GRC) policy adopted by the Executive Board, Continental defines the general conditions for integrated GRC as a key element of the risk management system, which regulates the identification, assessment, reporting and documentation of risks. In addition, this also further increases corporate-wide risk awareness and establishes the framework for a uniform risk culture.
The GRC system incorporates all components of risk reporting and the examination of the effectiveness of the Financial Reporting ICS. Risks are identified, assessed and reported at the organizational level that is also responsible for managing the identified risks. A multi-stage assessment process is used to also involve the higher-level organizational units. The GRC system thus includes all reporting levels, from the company level to the top corporate level.
At the corporate level, the responsibilities of the GRC Committee – chaired by the Executive Board member responsible for Finance, Controlling and IT – include identifying material risks for the Continental Group as well as complying with and implementing the GRC policy. The GRC Committee regularly informs the Executive Board and the Audit Committee of the Supervisory Board of the material risks, any weaknesses in the control system and measures taken.
Moreover, the auditor is required to report to the Audit Committee of the Supervisory Board regarding any material weaknesses in the Financial Reporting ICS which they have identified as part of their audit activities.
Risk assessment and reporting
A period under consideration of one year is always applied when evaluating risks and opportunities. Risks and their effects are assessed using an end-to-end gross and net assessment methodology that helps to identify the impact of risk-minimizing measures. Risks are assessed primarily according to quantitative criteria in various categories. If a risk cannot be assessed quantitatively, then it is assessed qualitatively based on the potential negative effects its occurrence would have on achieving corporate goals and based on other qualitative criteria such as the impact on Continental’s reputation. Risks and opportunities are not offset.
Material individual risks for the Continental Group are identified from all the reported risks based on the probability of occurrence and the potential amount of damage that would be caused in the period under consideration. Quantified risks are based on EBIT effect and free cash flow effect.
The individual risks that Continental has classified as material and the aggregated risks that have been assigned to risk categories are all described in the report on risks and opportunities, provided the potential negative effect of an individual risk or the sum of risks included in a category exceeds €100 million in the period under consideration or there is a significant negative impact on the corporate goals.
Continental further developed its procedure for risk aggregation in the year under review. However, this did not lead to any significant changes in the general flow of established processes. The risk inventory, now aggregated using a Monte Carlo simulation, is compared with the risk-bearing capacity determined on the reporting date, taking into account possible interactions, and is supplemented by a qualitative assessment by the GRC Committee on non-quantifiable risks in order to derive a statement on the potential risk to the Continental Group.
Local management can utilize various instruments for risk assessment, such as predefined risk categories (e.g. exchange-rate risks, product-liability risks, legal risks) and assessment criteria, centrally developed function-specific questionnaires as well as the Financial Reporting ICS’s process and control descriptions. The key controls in business processes (purchase to pay, order to cash, asset management, HR, IT authorizations, the financial statement closing process and sustainability reporting) are thus tested with respect to their effectiveness.
All major subsidiaries carry out a semiannual assessment of business-related risks and an annual assessment of compliance risks in the GRC system’s IT-aided risk management application. Any quality, legal and compliance cases that have actually occurred are also taken into account when assessing these risks. In the year under review, the GRC system was expanded to include the tax compliance management system, the customs compliance management system and the export control compliance management system, in order to ensure standard and regular review and reporting of pertinent risks. The quarterly Financial Reporting ICS completes regular GRC reporting.
Furthermore, strategic risks are identified and assessed, for example as part of a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). Any new material risks arising ad hoc between regular reporting dates have to be reported immediately and considered by the GRC Committee. These also include risks identified in the audits by group functions.
In addition to the risk analyses carried out by the reporting units as part of integrated GRC, audits are also performed by Group Internal Audit. Furthermore, the central controlling function analyzes the key figures provided as part of this reporting process at corporate and group-sector level in order to assess the effects of potential risks.
Risk management and monitoring
For each risk identified, the responsible management team initiates appropriate countermeasures which, for material risks, are also documented in the GRC system. The GRC Committee monitors and consolidates the material risks and suitable countermeasures at the corporate level. It regularly reports to the Executive Board and recommends further measures if needed. The Executive Board discusses and resolves the measures and reports to the Supervisory Board’s Audit Committee. The responsible bodies continually monitor the development of all identified risks and the progress of actions initiated. Group Internal Audit regularly audits the risk management process, thereby continually monitoring its effectiveness and further development.
Opportunity management
As part of our opportunity management activities, we assess market and economic analyses and changes in legal requirements (e.g. with regard to fuel consumption and emission standards as well as safety regulations). In addition, we deal with the corresponding effects on the automotive sector and other relevant markets, our production factors and the composition and further development of our product portfolio.