2023 Annual Report

Continental’s Internal Control System

The governance systems at Continental comprise the internal control system (ICS), the risk management system (RMS) and – as a subcomponent of these systems – the compliance management system. The risk management system in turn also includes the early risk identification system in accordance with Section 91 (2) of the German Stock Corporation Act (Aktiengesetz – AktG).

The Executive Board is responsible for the governance systems, which include all subsidiaries. The Supervisory Board and its Audit Committee monitor the effectiveness of these systems.

Main characteristics of the internal control system

In order to operate successfully as a company in a complex business environment and to ensure the effectiveness, efficiency and propriety of all processes and compliance with the relevant legal and sub-legislative regulations, Continental has established an internal control system that encompasses all relevant business processes. Certain aspects of sustainability are also considered and continuously further developed in compliance with the regulatory framework. The management and monitoring of the internal control system are currently being incorporated into a holistic ICS governance system.

The Governance, Risk and Compliance (GRC) Committee, chaired by the Executive Board member responsible for Integrity and Law and the Executive Board member responsible for Finance, Controlling and IT, is responsible for monitoring the internal control system and the risk management system and – as part of these systems – the compliance management system.

Key elements of the corporate-wide internal control system are the clear allocation of responsibilities and system-inherent controls in the respective process flows. The two-person rule and separation of functions are fundamental principles of this organization. Continental’s management also issues guidelines to ensure that all business processes are conducted in an economical, orderly and legally compliant manner. Guidelines specific to the Continental Group and to its individual group sectors are managed centrally in the “House of Rules” and are thus available to all Continental employees.

Based on these fundamental principles and the globally applicable guidelines, the internal control system at Continental follows the Three Lines Model.

In the first line, system-inherent controls are configured in the company’s IT systems to support the orderly and economical execution of all process flow transactions in accordance with the corporate-wide guidelines. At the same time, these transactional controls help to identify risks and deviations that require separate consideration. As the controls and process flows established in the first line apply to Continental’s operating business, they are generally put in place at the level of our operating units, such as our subsidiaries, business areas and group sectors.

In the second line of our internal control system, guidelines for process flows are developed, implemented and updated and compliance with controls and guidelines is monitored. Responsibility for this lies primarily with the group functions, in addition to the business areas and group sectors. The responsibilities include, for example, the risk management system and the compliance management system. In order to perform this supervisory and monitoring function, an integrated reporting system has been established that includes, for example, the financial reporting internal control system (Financial Reporting ICS), the general risk management system, the compliance risk management system and the tax compliance management system. The supervisory and monitoring function is performed on the basis of regular reports and supplemented as needed with effectiveness tests as part of self-audits and regular internal and external reviews.

The compliance management system plays an important role within the second line of defense by helping to prevent, detect and respond to compliance violations. The Group Compliance group function is responsible for the compliance management system.

The chief compliance officer reports directly to the Executive Board member responsible for Integrity and Law. The work done by Group Compliance focuses mainly on preventing and detecting corruption, fraud and other property offenses, violations of antitrust and competition law and money laundering; implementing data protection; and responding to compliance violations. For other legal areas in which there is a risk of compliance violations – such as taxes, customs, sanctions and export controls, and quality/technical compliance – responsibility for appropriate and effective compliance management lies with the respective functions, which are supported in these tasks by Group Compliance.

An effective culture of compliance is the basis for prevention. It begins with setting an appropriate “tone from the top” by the Executive Board and management and, in addition to risk analysis, includes in particular employee training, compliance consulting and the internal publication of guidelines.

In the course of risk analysis, the business activities of Continental are examined for compliance risks within the scope of top-down as well as bottom-up review processes. The risk of compliance violations arises primarily from organizational structures and workflows, the given market situation, activities in certain geographical regions, inappropriate incentive systems, conflicts of interest, and criminal intent on the part of individual employees. Furthermore, findings from investigations by the Group Internal Audit group function as well as discussions with management and employees at all hierarchical levels are taken into account. This risk analysis is not a one-off procedure, but is performed annually and continuously updated.

Prevention is also fostered by consultation on specific matters with Group Compliance and by the internal publication of guidelines on topics such as anti-corruption (including giving and receiving gifts as well as donations and sponsoring), antitrust and competition law, anti-money laundering and data protection. In training events, Group Compliance addresses topics directly related to everyday compliance issues and challenges.

Continental introduced the Business Partner Code of Conduct to prevent compliance violations by suppliers, service providers, representatives or similar third parties. This must be recognized as a basic requirement for doing business with Continental.

In the context of detection, Continental has set up an Integrity Hotline to give employees and third parties outside the Continental Group the opportunity to report violations of legal regulations, its fundamental values and ethical standards. Information on any kind of potential violations, including accounting manipulation, can be reported anonymously via this hotline. The hotline is available worldwide in many different languages. The company’s investigating units rigorously pursue any and all substantiated leads.

Detection also includes the support of regular and incident-related audits conducted by Group Internal Audit. Compliance-related issues are regularly the subject of audits by Group Internal Audit.

Responses are aimed at implementing measures as a consequence of identified compliance violations. Group Compliance is involved in decision-making on measures that may be required, including thorough analysis to ensure that isolated incidents are not symptoms of failings in the system. In this way, corresponding gaps can be closed preventively and the compliance management system, as well as the internal control system, can be systematically developed.

When it comes to preventing violations in the area of technical compliance, responsibility lies with the Group Quality, Technical Compliance, CBS and Environment group function, supported by the central functions within the group sectors. The technical compliance policy as well as the technical compliance management system manual and other procedural standards set out how the compliance management system is designed and implemented.

A network of supporting roles in the various functions within the group sectors, business areas, segments and sites is being devised and expanded on an ongoing basis in order to support the identification of risks and other technical compliance considerations.

The third line of our internal control system is our Group Internal Audit group function.

Group Internal Audit serves an independent and objective auditing and advisory function, applying a systematic approach to help review, assess and improve the adequacy and effectiveness of the organization’s governance systems. Continental’s Executive Board authorizes Group Internal Audit to conduct audits in all regions, companies or functions of Continental AG and its affiliated, fully consolidated subsidiaries worldwide.

Group Internal Audit prepares an annual risk-oriented audit plan that is submitted to Continental’s Executive Board for review and approval. In addition to its planned general audits, Group Internal Audit also conducts special investigations. These are based on tips and information about fraudulent acts received from internal or external sources such as the Integrity Hotline or the ombudsman’s office.

Group Internal Audit regularly reports its audit and investigation results to the Executive Board and the Audit Committee. Significant risks and potential improvements to internal controls are presented as part of the reporting to the aforementioned bodies. The implementation by management of the measures recommended in the course of audits is also monitored by Group Internal Audit and reported to the Executive Board and the Audit Committee.

Main characteristics of the internal control and risk management system with respect to the accounting process (Sections 289 (4) and 315 (4) of the German Commercial Code (Handelsgesetzbuch – HGB))

Pursuant to Sections 289 (4) and 315 (4) HGB, the main characteristics of the internal control and risk management system with respect to the accounting process must be described. All parts of the risk management system and internal control system that could have a material effect on the annual and consolidated financial statements must be included in the reporting.

The consolidated financial statements of Continental AG are prepared on the basis of standard reporting by the subsidiaries included in the consolidated financial statements in accordance with International Financial Reporting Standards (IFRS). Reporting is performed in compliance with IFRS and with the accounting manual applicable throughout the Continental Group. The consolidation of subsidiaries, debt, income and expenses, and intercompany profits is performed at corporate level.

The effectiveness of the financial reporting internal control system (Financial Reporting ICS) is evaluated in major areas by carrying out effectiveness tests in the reporting units on a quarterly basis. In addition, Group Internal Audit reviews the efficiency and effectiveness of control processes as well as compliance with internal and external requirements. If any weaknesses are identified, the Continental Group’s management initiates the necessary measures.

Main characteristics of the risk management system

In the GRC policy adopted by the Executive Board, Continental defines the general conditions for integrated GRC as a key element of the risk management system that regulates the identification, assessment, reporting and documentation of risks. The policy also increases corporate-wide risk awareness and establishes the framework for a uniform risk culture.

The GRC system incorporates all components of risk reporting and the examination of the effectiveness of the Financial Reporting ICS. Risks are identified, assessed and reported at the organizational level that is also responsible for managing the identified risks. A multi-stage assessment process also involves the higher-level organizational units. The GRC system thus includes all reporting levels, from the company level to the top corporate level.

At the corporate level, the responsibilities of the GRC Committee include identifying material risks for the Continental Group, based on a multi-stage reporting process, as well as complying with and implementing the GRC policy. The GRC Committee regularly informs the Executive Board and the Audit Committee of the Supervisory Board of the material risks, any weaknesses in the control system and measures taken. Moreover, the auditor is required to report to the Audit Committee of the Supervisory Board regarding any material weaknesses in the Financial Reporting ICS which they have identified as part of their audit activities.

A period under consideration of one year is always applied when evaluating risks and opportunities. Risks and their effects are assessed using an end-to-end gross and net assessment methodology that helps to identify the impact of risk mitigation measures. Risks are assessed primarily according to quantitative criteria in various categories. If a risk cannot be assessed quantitatively, then it is assessed qualitatively based on the potential negative effects its occurrence would have on achieving corporate goals and based on other qualitative criteria such as the impact on Continental’s reputation. Risks and opportunities are not offset.

Material individual risks for the Continental Group are identified from all the reported risks based on the probability of occurrence and the potential amount of damage that would be caused in the period under consideration. Quantified risks are based on EBIT effect and free cash flow effect.

The individual risks that Continental has classified as material and the aggregated risks that have been assigned to risk categories are all described in the report on risks and opportunities, provided the potential negative effect of an individual risk or the sum of risks included in a category exceeds €100 million in the period under consideration or there is a significant negative impact on the corporate goals.

The risk inventory, aggregated using a Monte Carlo simulation, is compared with the risk-bearing capacity determined on the reporting date, taking into account possible interactions and quantitative assumptions on qualitatively assessed risks, and is supplemented by a qualitative assessment by the GRC Committee on overarching non-quantifiable risks in order to derive a statement on the potential risk to the Continental Group.

Risk reporting

Local management can utilize various instruments for risk assessment, such as predefined risk categories (e.g. exchange-rate risks, product-liability risks, legal risks) and assessment criteria, centrally developed function-specific questionnaires as well as the Financial Reporting ICS’s process and control descriptions. The key controls in business processes (purchase to pay, order to cash, asset management, HR, IT authorizations, the financial statement closing process and sustainability reporting) are thus tested with respect to their effectiveness.

All major subsidiaries carry out a semiannual assessment of business-related risks and an annual assessment of compliance risks in the GRC system’s IT-aided risk management application. Any quality, legal and compliance cases that have actually occurred are also taken into account when assessing these risks. The GRC system likewise encompasses the tax compliance management system, the customs compliance management system and the export control compliance management system in order to ensure standard and regular review and reporting of pertinent risks. The quarterly Financial Reporting ICS completes regular GRC reporting.

In the reporting year, Continental redesigned its process for identifying and reporting strategic risks and began implementing these procedures in the established GRC process. Any new material risks arising ad hoc between regular reporting dates have to be reported immediately and considered by the GRC Committee. These also include risks identified in the audits performed by group functions.

In addition to the risk analyses carried out by the reporting units as part of integrated GRC, audits are also performed by Group Internal Audit. Furthermore, the various controlling functions analyze the key figures provided as part of this reporting process at corporate and group-sector level in order to assess the effects of potential risks.

For each risk identified, the responsible management team initiates appropriate countermeasures which, for material risks, are also documented in the GRC system. The GRC Committee monitors and consolidates the material risks and suitable countermeasures at the corporate level. It regularly reports to the Executive Board and recommends further measures if needed. The Executive Board discusses and resolves the measures and reports to the Supervisory Board’s Audit Committee. The responsible bodies continually monitor the development of all identified risks and the progress of actions initiated. Group Internal Audit regularly audits the risk management process, thereby continually monitoring its effectiveness and further development.

Appropriateness and effectiveness of the internal control and risk management system

The Executive Board based its assessment of the appropriateness and effectiveness of the internal control and risk management system on the findings from routine internal reporting, but in particular also on function-specific statements on the internal control and risk management system as well as an assessment of these by Group Internal Audit, which were consolidated into an overall statement by the GRC Committee. These statements, together with the overall statement by the GRC Committee, are intended to offer an overview of key activities and controls that have been implemented, summarize measures for reviewing appropriateness and effectiveness, and indicate critical weaknesses in the control system as well as any related improvement measures.

The function-specific statements, collected on the basis of a risk-oriented selection process, included various aspects in accordance with the implemented Three Lines Model.

In the first line, documented processes and controls were checked with respect to whether these were in place and had been implemented, as was any communication relating to these elements.

Responsibility for guidelines and process flows lies in particular with the second line, which – within the scope of the review of the appropriateness and effectiveness of the internal control and risk management system, including the compliance management system – also generally satisfies itself as to the status of implementation of the regulations, based on random checks as well as the processing of external supporting documentation such as certification in line with the International Organization for Standardization (ISO), the Trusted Information Security Assessment Exchange (TISAX) and the International Automotive Task Force (IATF). These certifications not only reinforce compliance with regulatory provisions, but also underscore the appropriate and effective operation of systems implemented at Continental in accordance with industry standards.

Monitoring the internal control system and risk management system is one of the core tasks of Group Internal Audit, the third line. As part of its audits, Group Internal Audit assesses the implementation of risk-control measures and internal controls, using recognized standards and methods. Deviations and weaknesses noted are summarized in a report for the relevant persons responsible, and any improvement measures are initiated. Significant risks and potential improvements to internal controls are presented as part of the reporting to the Executive Board and the Audit Committee. The implementation by management of the measures recommended in the course of audits is also monitored by Group Internal Audit and reported to the Executive Board and the Audit Committee.

The internal control and risk management system, including the compliance management system, of Continental AG is undergoing a continuous process of improvement in order to expand existing processes and controls and meet new regulatory challenges. Currently, this mainly includes implementing a technical compliance management system and improving IT governance and data compliance. In addition, the global reorganization of the customs and export control functions is currently being driven forward and transferred to a comprehensive compliance management system. In a cross-domain project, work is also being done on a reinforced integrative approach and expansion of the governance functions.

Based on the statements from the respective functional areas, the assessment of these by Group Internal Audit and the consolidated overall statement by the GRC Committee, no matters have come to the Executive Board’s attention that would suggest that the internal control and risk management system, including the compliance management system, was inappropriate or ineffective in all material respects in fiscal 2023.

Nevertheless, there are inherent limitations to any internal control or risk management system, including the compliance management system. Even a system considered appropriate and effective does not offer any guarantee that all risks or violations that have actually occurred will be uncovered in advance or that any process disruptions can be entirely ruled out.

Opportunity management

As part of our opportunity management activities, we assess market and economic analyses and changes in legal requirements (e.g. with regard to fuel consumption and emission standards as well as safety regulations). In addition, we deal with the corresponding effects on the sectors and markets relevant to us, our production factors and the composition and further development of our product portfolio.