In our constant pursuit of making our business resilient and generating value, risks and opportunities are an integral and indispensable part of our activities. We operate in a highly complex, global, and interconnected business environment that further necessitates competent management of risks and opportunities. For us, the management of risks and opportunities is hence imperative and a core component of our internal business planning and forecasting. We have put in place clear processes, appropriate tools, and fixed responsibilities to enable early identification of risks and to derive effective and efficient mitigation strategies. In our internal risk reporting framework, we define risks as potential future events or developments that could result in an unfavorable deviation from our financial and non-financial targets. Risk parameters in this context are the probability of financial (quantitative) impact (EBITDA pre/Operating Cash Flow) or non-financial (qualitative) impact (reputation/brand, Environment, Social, Governance (ESG) including Workforce and Ethics, Strategy, Operations).
Meanwhile, opportunities imply a favorable deviation from targets. Future events and expected developments are considered in internal planning if a likely occurrence can be assumed within the planning period. The following section presents the risks and opportunities that could result in favorable and unfavorable deviations from existing plans and targets.
For additional information and details regarding the non-financial topics, please refer to the Non-Financial Statement.
Risk and opportunity management
Group Controlling & Risk Management forms the organizational framework for risk management and reports to the Group Chief Financial Officer. Within the scope of audits, Group Internal Auditing regularly reviews the performance of risk management processes within the units on local level and, at the same time, the communication of relevant risks from the operating businesses to Group Risk Management. Furthermore, the external auditor reviews the risk early warning system during the annual audit of the financial statements.
The objective of our risk management activities is to identify, assess and manage risks in a timely manner so that appropriate measures can be implemented to mitigate their potential negative impact. Our internal risk management guidelines detail the responsibilities, objectives, and processes of risk management. The business heads, managing directors of Group subsidiaries, and the heads of Group functions are appointed as “risk owners”, who run local risk management processes. Requirements for local risk management are risk identification taking all internal and external influences into consideration (impacting financial or non-financial targets), risk analysis, risk mitigation by appropriate actions, definition of preventive measures and emergency plans if applicable, and documentation of risks and mitigation actions.
The risk owners regularly assess the risk status and report their risk portfolio to Group Risk Management. We use special risk management tools to manage and support these activities. Group Risk Management coordinates and supervises the bottom-up risk reporting, confirms the plausibility of the reported risk, evaluates the mitigation measures and the planned time frames, and determines the residual risk, which is presented as net risk in the internal risk report.
For the internal bottom-up risk reporting process, reporting is based on defined thresholds, and a variety of distribution functions are used to reflect scenarios with varied occurrence probabilities. Risks below the global reporting threshold are managed and monitored locally. The timeframe applied for internal risk reporting is five years. It can go beyond five years in special cases, e.g., for regulatory risks related to climate change. The outlined risks and their evaluation are based on respective annual values in the reporting time frame. The assessment of the risks presented relates to December 31, 2022. There were no relevant changes after the balance sheet date that would have necessitated an amended presentation of the risk situation of the Group.
Group Risk Management uses the information reported to determine the current risk portfolio for the Group, presenting this in a report to the Executive Board, the Supervisory Board, and relevant Committees with detailed explanations twice per year. This also encompasses a quantitative aggregation of risks at Group level, using a Monte Carlo simulation. Furthermore, significant changes in the assessment of the risks already known and new significant risks can be reported at any time and are communicated to the Executive Board on an ad-hoc basis.
The opportunity management process is integrated into our internal controlling processes and is carried out based on the Group strategy in the operating units. The business sectors analyze and assess potential market opportunities as part of the strategy and planning processes. In this context, investment opportunities are examined and prioritized primarily in terms of their potential value proposition, to ensure an effective allocation of resources. We target investment in growth markets to leverage the opportunities of dynamic development and customer proximity at a local level.
If the occurrence of the identified opportunities is rated as likely, they are incorporated into the business plans and forecasts. Trends going beyond this, or events that could lead to a positive development in the net assets, financial position, and results of operations, are presented in the following report as opportunities. These could have a positive effect on our medium-term prospects.
Risk and opportunity assessment
The significance of a risk is determined based on its probability of causing potential unfavorable deviations from our financial and non-financial targets.
The underlying scales for measuring these factors are shown below:
Probability of occurrence | Explanation
---|---
< 1% | Highly improbable
1 – 5% | Improbable
5 – 20% | Possible
20 – 50% | Likely
> 50% | More than likely

Degree of impact | Explanation
---|---
> € 500 million | Critical negative impact on the net asset, financial position, and results of operations
€ 100 – 500 million | Significant negative impact on the net asset, financial position, and results of operations
€ 25 – 100 million | Moderate negative impact on the net asset, financial position, and results of operations
€ 10 – 25 million | Minor negative impact on the net asset, financial position, and results of operations
< € 10 million | Immaterial negative impact on the net asset, financial position, and results of operations

For non-financial risks (such as reputation, Environmental, Social, Governance (ESG)), we introduced a qualitative rating scale as a reference for comprehensive assessment. The evaluation range is from low to critical.
Opportunities are assessed in their respective specific business environment. General measures of the business functions are quantified during forecasting and strategic planning usually in relation to sales, EBITDA pre, and operating cash flow. Net present value, internal rate of return, the return on capital employed (ROCE), and the payback period of the investment are primarily used to assess and prioritize investment opportunities. We use these indicators to assess the opportunities arising from the investment projects. Similarly, scenarios are used to simulate the influence of possible fluctuations and changes in the respective parameters on results.
Internal control system for the (Group) accounting process
The objective of the internal control system for the accounting process is to implement controls that provide assurance that the financial statements are prepared in compliance with the relevant accounting laws and standards. This system covers measures designed to ensure the complete, correct, and timely reporting and presentation of information that is relevant for the preparation of the Consolidated Financial Statements and the Combined Management Report.
Our internal control system for financial reporting is based on the COSO framework, a globally recognized standard divided into five components: control environment, risk assessment, control activities, information and communication, as well as monitoring activities. Each of these components is regularly documented, tested and/or assessed.
The internal control system aims to ensure the accuracy of the consolidated accounting process through functioning internal controls with reasonable assurance. The Group Accounting function centrally steers the preparation of the Consolidated Financial Statements of Merck KGaA, Darmstadt, Germany, as the parent company of the Group. This Group function defines the reporting requirements that all Group subsidiaries must meet. At the same time, this function steers and monitors the scheduling and process-related requirements of the Consolidated Financial Statements. Group Accounting centrally manages all changes to the equity holding structure and correspondingly adapts the Group’s scope of consolidation. The proper elimination of intragroup transactions within the scope of the consolidation process is ensured. Group-wide accounting guidelines form the basis for the preparation of the statutory financial statements of the parent company and of the subsidiaries, which are reported to Group Accounting; the guidelines are adapted in a timely manner to reflect changes in the financial regulatory environment and are updated in accordance with internal reporting requirements. For special issues, such as the accounting treatment of intangible assets within the scope of company acquisitions or pension obligations, external experts are additionally involved where necessary.
The individual companies have a local internal control system within a global framework. Where financial processes are handled by a Shared Service Center, the internal control system of the Shared Service Center is additionally applied. Both ensure that accounting complies with IFRS (International Financial Reporting Standards) and with the Group accounting guidelines.
Group Accounting provides support to the local contacts and ensures a consistently high quality of reporting throughout the entire reporting process.
For Group financial reporting purposes, most of our subsidiaries use standard SAP software. Consolidation software from SAP is also used for the elimination of intragroup transactions. A detailed authorization concept ensures the separation of duties with respect to both single-entity reporting and the Consolidated Financial Statements. The accounting process is generally designed to ensure that all units involved adhere to the principle of dual control.
The operational effectiveness of our internal control system is regularly tested in the format of self-assessments by our legal entities, group functions, and shared services. The quality is systematically reviewed by a dedicated global financial control and governance team. Control deficiencies are properly recorded and, wherever necessary, adequate countermeasures are taken to remediate control deficiencies in a timely manner.
The overall effectiveness of our internal control system with regard to accounting and compliance with financial reporting on the part of the individual companies is confirmed by both the local Managing Director and the local Chief Financial Officer by signing the single-entity reporting and a separate confirmation regarding the effectiveness of the financial control system (internal control system sign-off letter). For the accounting treatment of balance sheet items, Group Accounting closely cooperates with Group Risk Management to correctly present potential risks in the balance sheet.
All structures and processes described above related to the Group Accounting procedures are subject to regular review by Group Internal Auditing based on an annual audit plan set out by the Executive Board.
The results of the self-assessments, quality reviews, and internal audits are dealt with by the Executive Board, the Supervisory Board, and the Audit Committee. The internal control system within the Group makes it possible to lower the risk of material misstatements in accounting to a minimum. However, residual risk cannot be entirely ruled out as no internal control system is infallible, irrespective of its design.
The Internal Control System of the Group, as the entirety of all controls, is intended to avoid risks and reduce the probability of their occurrence, as well as to actively steer risks in business processes. It thereby helps to ensure the compliance of the company’s activities with laws and regulations. The Internal Control System in its entirety and the applied methods are continuously developed further. The responsibility for the effectiveness of the Internal Control System and the further development of the non-financial key metrics lies with the respective responsible senior leaders/risk and process owners.