Opportunity and Risk Report

Group-wide Opportunity and Risk Management System

As a global life science enterprise, the Bayer Group is constantly exposed to a wide range of internal or external developments and events that could significantly impact the achievement of our financial and nonfinancial objectives. Opportunity and risk management is therefore an integral part of corporate management at Bayer. We regard opportunities as positive deviations, and risks as negative deviations, from projected or target values for potential future developments.

In conjunction with the acquisition of Monsanto in the second quarter of 2018 and its subsequent integration into the Crop Science segment, we are in the process of integrating Monsanto’s risk management system into our own. For the first time, Bayer’s risk situation also covers the risk situation of the newly acquired business, which was outlined in a separate chapter in the 2017 Annual Report.

Opportunity management system

We identify opportunities as part of the annual strategic planning cycle, during which we analyze internal and external factors that may affect the development of our business. These may be factors of a social, economic or environmental nature. The core phase of our strategic planning process normally takes place in the first half of the year and starts with a comprehensive analysis of the markets. We build on this by analyzing the respective market environments to identify opportunities. These analyses are based on different time periods since trends or developments may impact our business over the short, medium or long term. In addition, opportunities are identified by the management and employees through daily observation of internal processes and markets. Opportunities that we regard as highly probable to materialize have already been taken into account in our planning.

Risk management system

The Bayer Group has implemented a holistic and integrated risk management system designed to ensure the continued existence and future target attainment of the Group through the early identification, assessment and treatment of risks.

The Bayer Group’s risk management system is aligned to internationally recognized standards and principles such as the ISO 31000 risk management standard of the International Organization for Standardization.

Structure of Bayer’s Risk Management System

Structure of the Risk Management System (chart)

Board of Management / Supervisory Board

The Board of Management of Bayer AG holds overall responsibility for an effective risk management system. The Audit Committee of the Supervisory Board examines the appropriateness and effectiveness of the risk management system at least once a year.

Bayer Risk Committee

The Bayer Risk Committee, which is chaired by the Chief Financial Officer, is a subcommittee of the Board of Management. It ensures that all substantial risks are addressed (through suitable mitigation measures), and also regularly discusses and evaluates the risk portfolio and the mitigation status.

Operational business

Responsibility for the identification, assessment, treatment and reporting of risks lies with the operational business units in the segments and corporate functions.

Control and monitoring systems

To enable the Board of Management and the Supervisory Board to monitor material business risks as required by law, we have implemented a risk early warning system pursuant to Section 91, Paragraph 2 of the German Stock Corporation Act (AktG), an internal control system for (Group) accounting and financial reporting processes, and a compliance management system. Various corporate functions are responsible for these systems.

As the main corporate function for control and monitoring systems, the Risk Management function assumes governance and coordination responsibilities in relation to the risk management system. It provides overarching standards, methods and tools, is responsible for the risk early warning system, steers the annual Enterprise Risk Management (ERM) process, and ensures reporting to the Bayer Risk Committee and the Board of Management. The three systems in place at Bayer are described in the following paragraphs.

Risk early warning system

Our ERM system meets the requirement set out in Section 91, Paragraph 2 of the German Stock Corporation Act that a risk early warning system be implemented and used to identify at an early stage developments that are material and / or could endanger the company’s continued existence. It establishes a consistent framework and uniform standards for the risk early warning system throughout the Bayer Group.

Internal control system for (Group) accounting and financial reporting

(Report pursuant to Sections 289, Paragraph 4 and 315, Paragraph 4 of the German Commercial Code)

As part of the comprehensive risk management system, Bayer has an internal control system (ICS) in place for the (Group) accounting and financial reporting process. This system comprises suitable structures and workflows that are defined and implemented throughout the organization. The purpose of our ICS is to ensure proper and effective accounting and financial reporting in accordance with Section 289, Paragraph 4 and Section 315, Paragraph 4 of the German Commercial Code. The ICS is designed to guarantee timely, uniform and accurate accounting for all business transactions based on applicable statutory regulations, accounting and financial reporting standards and the internal Group policies that are binding upon all consolidated companies. Risks are identified and assessed, and mitigated using suitable countermeasures. Mandatory, Group-wide ICS standards (or standards required by the Sarbanes-Oxley Act [SOX] for the newly acquired Monsanto companies) such as system-based and manual reconciliation processes and functional separation have been derived from these frameworks and promulgated throughout the Bayer Group by the Risk Management function on behalf of the Chief Financial Officer of Bayer AG. The ICS standards (and the SOX standards) are implemented by the Bayer Group companies and their compliance is overseen by the respective management teams. Using Bayer’s shared service centers, these companies prepare their financial statements locally and transmit them with the aid of a standard Bayer Group data model. The former Monsanto companies are using a converter to transfer their financial statements to the Bayer data model. This data model is based on the Group accounting policy and thus ensures the regulatory compliance of the consolidated financial statements. The Board of Management has confirmed the effective functioning of the ICS and the relevant criteria (as well as the SOX standards) for the 2018 fiscal year. 
However, it should be noted that an internal control system, irrespective of its design, cannot provide absolute assurance that material misstatements in the financial reporting will be avoided or identified.

Compliance management system

Our compliance management system is aimed at ensuring lawful and responsible conduct by our employees. It is designed to identify potential violations in advance and systematically prevent their occurrence. The compliance management system thus contributes significantly to the integration of compliance into our operating units and their processes. Details of compliance management can be found in Chapter “Compliance,” which describes in particular the process used to identify risks and measures taken to mitigate them. Monsanto had its own compliance management system prior to the start of the integration process. This system, which mitigates compliance risks and addresses largely the same risk areas as Bayer, will remain in place until full integration into Bayer’s compliance processes and systems has been achieved. The integration process has already begun and is scheduled to be completed in 2019.

Process-independent monitoring

Internal Audit supports Bayer’s attainment of the Group targets by employing a systematic and targeted approach in order to assess and help improve the effectiveness of corporate management, risk management and monitoring processes.

In addition, the external auditor, as an independent external body, assesses the fundamental suitability of the early warning system as part of its audit of the annual financial statements.

Basic Elements of the Bayer Risk Management System

Basic Elements of the Bayer Risk Management System (chart)

The basic elements of the risk management system are described below and established in binding documents.

Risk culture and objectives of the risk management system

The incorporation of all levels of the company into this process heightens the awareness and understanding of risks, which is essential for creating a risk culture. Furthermore, the clearly defined roles and responsibilities, principles, standards, methods, tools and training measures create the foundation for the independent, proactive and systematic management of risks.

The aims of the risk management system are to achieve risk transparency, support risk-based (treatment) decisions and ensure compliance with legal requirements. This establishes a basis for the proper and responsible management of risks.

Risk management process

Identification: Risks are identified by risk owners in the segments and functions. To support the fullest possible identification of risks, the Bayer Group maintains a Risk Universe that reflects the potential risk categories of Bayer as a life science company. The Bayer Risk Universe also expressly accounts for risks of a nonfinancial nature that are linked to our business activity or to our business relationships, products and services. These may include risks pursuant to the CSR Directive Implementation Act that relate to environmental, employee and social issues, as well as human rights, and corruption and bribery (compliance). The Bayer Risk Universe is regularly examined and updated if necessary, as was the case in 2018.

See Chapter “About this Report” for more information on the implementation of the CSR Directive Implementation Act

Assessment: Where possible, the identified risks are evaluated with regard to their potential impact and likelihood of occurrence in line with the following matrix, taking into account established mitigation measures.

Risk Assessment Matrix

Risk Assessment Matrix (chart)

Risks are classified as high, medium or low to assess their materiality regarding the overall risk portfolio. The extent of the impact is rated according to quantity and / or quality. A quantitative assessment reflects the possible loss of cash flows. A qualitative assessment of damage is based on criteria such as the impact on our strategy or reputation, the potential loss of stakeholder confidence, and potential incomplete compliance with sustainability principles (e.g. in the area of safety, environmental protection or human rights). The higher rating – qualitatively or quantitatively – determines the overall assessment. The likelihood of occurrence is calculated based on a maximum period of 10 years. Risk categories may potentially influence the materialization of risks in other categories, a factor that we take into account when assessing the likelihood of occurrence. For example, developments in the “Social and macroeconomic trends” risk category may have an influence on the “Regulatory changes,” “Legal / compliance” and “Product safety and stewardship” categories.

Risks with a potential impact of over €4,000 million are examined separately by the Bayer Risk Committee to determine their potential to endanger the company’s continued existence.

Treatment: The risk owners decide on a targeted risk level based on a cost-benefit analysis and define a risk management strategy as well as risk management measures. These include risk avoidance, risk reduction, risk transfer and risk acceptance.

Reporting: The results are reported to the Bayer Risk Committee by the Risk Management function. In addition, new risks above a defined threshold are reported to the Risk Management function on an ad-hoc basis and, if relevant, to the Bayer Risk Committee and the Chief Financial Officer. A report on the risk portfolio is submitted to the Board of Management and the Audit Committee of the Supervisory Board at least once a year.

Monitoring and improvement

The Group Risk Management function continuously evaluates the appropriateness and timeliness of the principles, standards, methods and tools.
