Opportunities and Risks Report

Group-Wide Opportunities and Risk Management System

Conscientious management of opportunities and risks is part of responsible corporate governance and is the foundation of sustainable growth and financial success. This includes the ability to systematically identify and take advantage of opportunities while managing risks at the same time. The entrepreneurial decisions we make daily in the course of business processes are based on balancing opportunities and risks. We therefore regard the management of our opportunities and risks as an integral part of our business management system rather than as the task of a specific corporate function.

Opportunities and risk management system

Opportunities and risk management system (graphic)

Our opportunity and risk management begins with strategy and planning processes, from which relevant external and internal opportunities and risks of an economic, ecological, or social nature are derived. Opportunities and risks are identified by observing and analyzing trends along with macroeconomic, industry-specific, regional, and local developments. The identified opportunities and risks are subsequently evaluated and incorporated into our strategic and operational processes. We aim to avoid or mitigate risks by taking appropriate countermeasures, or to transfer them to third parties (such as insurers) to the extent possible and economically acceptable. At the same time, we strive to take maximum advantage of opportunities by incorporating them into our entrepreneurial decisions. We consciously accept and bear manageable and controllable risks that are in reasonable proportion to the anticipated opportunities. Covestro regards these as the general risks of doing business. Opportunities and risks are continuously monitored using indicators so that, for example, changes in the economic or legal environment can be identified at an early stage and suitable countermeasures can be initiated, if necessary.

To enable the Board of Management and the Supervisory Board to monitor material business risks as legally required, the following systems are in place: an ensuring proper and effective financial reporting pursuant to Section 289, Paragraph 4 and Section 315, Paragraph 4 of the (HGB); a compliance management system; and a risk early warning system pursuant to Section 91, Paragraph 2 of the (AktG).

The various management systems are based on different risk types, risk characteristics, and timelines. Different processes, methods, and IT systems are therefore applied to identify, evaluate, manage, and monitor risks. The principles underlying the various systems are documented in Group policies that are integrated into our central document control processes and are accessible to all employees via the intranet. Covestro’s Board of Management is primarily responsible for supervising the Group’s risk management. The Chief Financial Officer of Covestro AG is responsible for the effectiveness and appropriateness of the system as a whole in accordance with the areas of responsibilities.

The various systems are described below.

Internal control system for (Group) accounting and financial reporting (Report pursuant to Section 289, Paragraph 4 and Section 315, Paragraph 4 of the German Commercial Code)

The purpose of our internal control system (ICS) is to ensure proper and effective accounting and financial reporting in accordance with Section 289, Paragraph 4 and Section 315, Paragraph 4 of the German Commercial Code.

The ICS is designed to guarantee timely, uniform, and accurate accounting for all business processes and transactions based on applicable statutory regulations, accounting and financial reporting standards, and the internal Group regulations that are binding on all consolidated companies.

The ICS concept is based on two frameworks: the Internal Control – Integrated Framework (2013) of the Committee of the Sponsoring Organizations of the Treadway Commission (COSO) and the Control Objectives for Information and Related Technology (COBIT) framework. It is designed to address the risk of misreporting in the consolidated financial statements. Risks are identified and evaluated, and steps are taken to counter them. standards mandatory throughout the Covestro Group, such as system-based and manual reconciliation processes and functional separation, have been derived from these frameworks and stipulated by Group Accounting.

The management of each Covestro Group company is responsible for implementing the ICS standards at the local level.

The effectiveness of the ICS processes for accounting and financial reporting is evaluated on the basis of a cascaded self-assessment system that starts with the persons directly involved in the processes, then involves the principal managers responsible for accounting and financial reporting, and ends with Covestro AG’s Board of Management. The IT systems in use throughout the Covestro Group ensure the uniform and audit-proof documentation and transparent presentation of the risks, controls, and effectiveness evaluations associated with all ICS-relevant business processes. It should generally be noted that, however carefully designed, an internal control system cannot provide absolute assurance that material misstatements in the accounting will be avoided or identified in a timely manner.

Continually ensuring the effectiveness and suitability of our ICS considering process changes, new business models, and technical specifications requires regular reviews and updating of the controls applied. We identified possible potential for improvement by analyzing our existing ICS from various perspectives in the 2020 fiscal year.

In fulfillment of the Chief Financial Officer’s responsibilities, the CFO of Covestro AG has confirmed the criteria and the effective functioning of the internal control system for accounting and financial reporting for fiscal 2020.

Internal control system to ensure compliance

Compliance risks are systematically identified and assessed as part of Covestro’s Group-wide risk management. Risk owners assess the compliance risks that have been identified. A risk matrix is used to define focal points of compliance tasks at Covestro. The findings of a risk-based analysis enabled Covestro to identify three key topics: antitrust law, corruption, and foreign trade law. The General Counsel/Chief Compliance Officer is the risk owner responsible for breaches of antitrust law and corruption, while the Export Control Officer is responsible for the risk of breaches of foreign trade law. With respect to corruption, areas including gifts and invitations, relationships with government officials, and relationships with certain business partners such as sales agents were identified as being especially risk-relevant. A corruption risk analysis was performed for all Covestro companies. During the reporting period, we specifically worked on implementing in operations the policies governing gifts and invitations that were revised the previous year as well as restructuring the compliance review process with a focus on corruption in the context of business partners.

Many controls have been implemented at both the global and local levels to reduce the number of compliance risks. To the extent possible, we integrate the compliance controls into our internal control system (ICS). The effectiveness of the compliance controls is evaluated on the basis of a cascaded self-assessment system, as are the ICS processes for accounting and financial reporting. The results of the effectiveness evaluations are documented in the global system for the ICS processes. Corporate Audit carries out dedicated compliance checks at regular intervals in the larger companies. In the smaller companies, compliance aspects are part of a general review.

Risk early warning system (Report pursuant to Section 91, Paragraph 2 of the German Stock Corporation Act)

Covestro has implemented a structured process for the early identification of any potentially disadvantageous developments that could have a material impact on our business or endanger the continued existence of the company. This process satisfies the legal requirements regarding an early warning system for risks pursuant to Section 91, Paragraph 2 of the German Stock Corporation Act, and is aligned with the international risk management standard COSO II Enterprise Risk Management – Integrated Framework (2004). A central unit defines, coordinates, and monitors the framework and standards for this risk early warning system.

Throughout the year, various global subcommittees provide new and updated information about identified risks. The Covestro Corporate Risk Committee met four times in fiscal 2020 to review the risk landscape as well as the various risk management and monitoring mechanisms that are in place, and to take any necessary measures. Additionally, we conduct an ad-hoc process for newly identified risks throughout the year so that these are immediately incorporated into the risk management system. These ad-hoc risks are identified and their handling is determined based on risk assessments and depending on the defined thresholds.

Risks are evaluated using estimates of the potential impact after taking into account countermeasures (net impact), the likelihood of their occurrence, and their relevance for our external . The potential economic losses are projected using the expected loss. In certain cases, the impact on (FOCF) is used as an alternative. All material risks and the respective countermeasures are documented in a company-wide database. The risk early warning system is reviewed regularly over the course of the year. Significant changes must be promptly entered in the database and reported to the Board of Management. In addition, a report on the risk portfolio is submitted to the Audit Committee several times a year and to the Supervisory Board at least once a year.

Risk management has been assigned a continuously high priority primarily due to the global coronavirus pandemic. For this reason, during the reporting year we revised the criteria for assessing risks at Covestro. This mainly resulted in changes in the likelihood of occurrence of risks and cumulative loss amounts. As a result, in the future all risks with a cumulative loss totaling €50 million or more will be considered material; the previous materiality threshold was €60 million. This modification did not change the estimated weighted risk occurrence of the individual risks.

The following matrix illustrates the direct financial and indirect financial criteria for rating a risk as high, medium or low.

Rating matrix

Rating matrix (graphic)

1 An individual risk that could have both a direct financial and an indirect financial impact of different severities is always classified based on the higher level of risk.

Criteria for the classification of indirect financial impact

Criteria for the classification of indirect financial impact (graphic)

Process-independent monitoring

The effectiveness of our management systems is evaluated at regular intervals by the Corporate Audit corporate function, which performs an independent and objective audit focused on verifying compliance with laws and policies. Corporate Audit also supports the company in achieving its goals by systematically evaluating the efficiency and effectiveness of governance, risk management, and control processes, and helping to improve them. The selection of audit targets follows a risk-based approach. Corporate Audit performs its tasks according to internationally recognized standards and delivers reliable audit services. The Supervisory Board’s Audit Committee is regularly informed about the results of these audits, and receives an annual report on the internal control system and its effectiveness.

Risks in the areas of occupational health and safety, plant safety, environmental protection, and product quality are assessed through specific health, safety, environment, energy, and quality () audits.

The external auditor assesses the early warning system for risks as part of its audit of the annual financial statements, focusing on whether the system is fundamentally suitable for identifying at an early stage any risks that could endanger the company’s continued existence so that suitable countermeasures can be taken. The auditor also reports at regular intervals to Covestro AG’s Board of Management and the Supervisory Board on the results of the audit and any weaknesses identified in the internal control system. Audit outcomes are also taken into account in the continuous improvement of our management processes.

ICS/internal control system
Internal control system to ensure compliance with directives by means of technical and organizational rules
HGB/German Commercial Code
Comprises much of the German accounting legislation
AktG/German Stock Corporation Act
Regulates the legal provisions pertaining to German stock corporations
ICS/internal control system
Internal control system to ensure compliance with directives by means of technical and organizational rules
Stakeholders
Internal and external interest groups which are directly or indirectly impacted by the company’s corporate activities and/or may be so in the future
EBITDA/earnings before interest, taxes, depreciation and amortization
EBIT plus depreciation and amortization of property, plant, equipment, and intangible assets
FOCF/free operating cash flow
Operating cash flows (pursuant to IAS 7) less cash outflows for additions to property, plant, equipment and intangible assets
HSEQ/Health, safety, environment, energy, and quality
Health, safety, environment, energy, and quality