The stated revenue, income, and margin targets of SAP for fiscal year 2004 are subject to a number of risks, over which the Company may have no influence or only limited influence. However, SAP implements numerous risk-management measures. These include a comprehensive system for classifying risks relevant to the Company. SAP has identified the following significant business risks.

Economic and regulatory risks

• Although the global economy is improving, it is still uncertain whether this recovery is sustainable. The European economy in particular, SAP’s largest market, is growing slowly. The threat of more geopolitical instability, for example caused by war or terrorism, cannot be excluded in fiscal year 2004. This may reduce or restrain overall economic development. SAP is a global provider of solutions with a diversified portfolio of customers in a number of industries. It can thus maintain its position in a difficult market situation better than many of its competitors. Nevertheless, global and regional economic slumps do have an effect on SAP’s business. Negative economic growth could harm SAP’s revenue and income – not only in individual countries but also across the Group.
• SAP must adapt its software products to a host of national legal requirements to ensure it can sell them in all markets. It cannot be ruled out that amended, potentially stricter legal requirements may temporarily affect SAP’s ability to compete efficiently with local vendors in particular markets.
• The entire IT sector, including the software industry, is experiencing a phase of consolidation. The number of acquisitions, particularly involving the larger companies in the market, is rising. Large companies continue to expand into related industries. Due to its leadership of the enterprise software segment, SAP believes it is very well positioned in this difficult situation and can further strengthen its market position. However, company takeovers and mergers involving competitors could negatively impact how SAP’s business develops. For example, in the short term they could lead to insecurity in the market or, in the long term, stronger competitors to SAP.

Strategic planning risks

• A significant factor in SAP’s success in the dynamic enterprise software segment is the Company’s ability to react quickly to fundamental technological innovations and to integrate them into the SAP product portfolio rapidly and uniformly. SAP has implemented a range of processes as part of its product planning methods to underpin long-term product planning. However, it cannot be ruled out that, in individual cases, competitors will recognize and exploit forward-looking technological developments earlier than SAP. This could impair SAP’s ability to compete and lead to the loss of market share.
• To ensure it can sustain and further improve its competitive position, SAP must recruit and retain ever more highly qualified employees. SAP seeks to strengthen its status as a globally attractive employer and encourage a highly motivated workforce by offering suitable benefits. These include attractive compensation packages, voluntary social insurance benefits, stock-based compensation and benefits, qualification and training programs, and various sporting and cultural activities. In light of the current labor market situation, SAP is confident that it can adequately cover its specialist and management recruitment and retention needs. SAP plans an above-average increase in the number of employees at its locations in India and China. If there is a shortage of personnel resources there – due, for example, to greater competition from other attractive employers in the IT industry – this could increase overall spending on personnel expenses, which may affect the Company’s results.

Governance risks

• In recent years, SAP has implemented an extensive package of measures to counter risks that result from the Company’s internal processes. These include SAP’s Principles of Corporate Governance, which, among other things, regulate the work and cooperation of SAP AG’s governing bodies as described in the SAP AG Articles of Incorporation. The Company also introduced a Code of Business Conduct for Employees in 2003, which defines how employees interact with customers, vendors, competitors, and partners. As part of the implementation of the requirements of the U.S. Sarbanes-Oxley Act, the Company-wide process introduced in 2002 to continually document and assess the effectiveness of the internal controls was extended. For example, in 2002 and 2003, the Company created standard documentation of the key business processes of SAP AG and its largest subsidiaries. This will be extended to all of SAP’s subsidiaries in 2004. This documentation focuses on the processes and their internal control systems. At the same time, SAP implemented Company-wide ongoing assessment of the effectiveness and efficiency of the internal control systems. It intendeds to update the process documentation on an ongoing basis to incorporate, for example, improvements. Despite these measures, it is not always possible to prevent individual breaches – whether committed by accident or design – of legal or internal process requirements, or resultant material or image loss to SAP.
• The integration of new companies into group structures and the embedding of strategic alliances and joint ventures in corporate strategy pose considerable challenges, particularly to IT companies with complex solution offerings. Before concluding such agreements, SAP uses a largely standardized investment evaluation and approval process to examine the associated risks. SAP has an extensive range of measures at its disposal to ensure the integration of human capital, technologies, business processes, and products. The unusual dynamics of the IT market mean acquisitions and other forms of cooperation are always subject to residual risks in terms of future development and the potential for success.

Communication and information risks

• SAP has established a range of security standards with technical and organizational security standards. This helps stop external hackers and viruses from attacking SAP’s IT systems and information stores. The measures also help ensure that internal, confidential communications are not improperly disclosed. However, there is no guarantee that the established protective mechanisms will work in every case. A successful attack on SAP’s own IT systems, which would, for example, lead to prolonged downtime, could significantly reduce SAP’s income. SAP’s competitive position would also be considerably compromised if, for example, confidential information about the future direction of product development at SAP became public knowledge.

Financial risks

• SAP uses active foreign exchange management and derivative financial instruments to protect itself against currency risks to which it is exposed as a global player. SAP has defined the strategies for these measures in a streamlined, transparent inspection process that it validates regularly. This ensures continuous effectiveness and prevents the use of derivative financial instruments for speculative purposes. Despite these precautions, if the value of the euro fluctuates considerably against local currencies in SAP’s key markets, the SAP Group’s business and thus its results, which are recorded in euros, could be negatively affected. Exchange-rate fluctuations unavoidably impact SAP’s financial numbers where the financial statements of subsidiaries are expressed in other currencies and require translation into euros for SAP’s consolidated financial statements.

Product and project risks

• The shipment within planned development schedules of high quality software products and releases that are free of defects is a key requirement on SAP’s product development organization. SAP has established extensive measures and processes to fulfill this requirement, which are subject to regular internal and external quality assurance measures and inspections. The risk of product delivery being late or containing defects cannot however be fully excluded in individual cases. This could lead to claims for damages, higher production costs, delayed market launches, and, consequently, reduced revenue.
• SAP is involved in a large number of complex IT projects. As part of its overall solution offering, SAP implements SAP standard products in close cooperation with its customers and partners and develops these standard products further. The solutions developed as part of these projects are either customer-specific or become part of SAP’s standard product portfolio. Although SAP has unique experience and proven methods for carrying out IT projects, there is a possibility that individual projects may not come to a successful conclusion. This could result in claims for damages and loss of reputation.

Intellectual property risks

• SAP takes numerous measures to protect its intellectual property. These include written notification of copyright infringements, registration of patents, trademarks, and other marks, conclusion of licensing and confidentiality agreements, and technical precautions against infringement. However, there can be no guarantee that these measures will be completely effective. Moreover, in some countries in which SAP markets its software products, the law offers less protection for SAP’s intellectual property than in the United States or Germany.

SAP operates many controls throughout the Group. They enable SAP’s management to recognize and control the entire range of risks affecting the Company in good time, and to develop effective measures to minimize risk from the sources described above. This includes detailed, Group-wide reporting of the Company’s key figures. Structured management and control systems ensure SAP can measure, monitor, and control these key financial figures. The Company’s internal audit service is active at all of SAP’s locations and the Supervisory Board is also intensively engaged in risk management.

Moreover, SAP has developed a risk management methodology tailored to its own needs. It is laid out in Group-wide risk management guidelines and a standard risk management model for all parts of SAP. The methodology covers, among other things, a specific system for classifying and evaluating risks. The model defines activity-dependent cycles for the risk reports of the individual business areas to management. The methodology is implemented in all business areas and is supported by organizational measures. These include, for example, a central risk management department as well as risk management functions for all operational areas of the SAP Group. SAP is also implementing a software application that it has developed itself for risk management across the Company. This ensures that the risk reports sent to the Company’s management are always up-to-date.

The internal audit department regularly evaluates the effectiveness of SAP’s risk management system. Risk management is thus subject to continuous development and improvement aligned to best practices.

The activities of SAP’s central risk management department include the ongoing definition, adaptation, and realization of Company-wide insurance strategy. Its goal is to safeguard SAP against a range of insurable risks and liabilities.

As a listed company, SAP is subject – both in its German home market and in the United States – to some of the most stringent legislative requirements on risk management systems in the world. These include, for example, the Sarbanes-Oxley Act in the United States and the German Supervision and Transparency in the Area of Enterprise Act. SAP has taken wide-ranging measures to fulfill its responsibilities under the legislation. That is why the Company is confident that it can effectively combat the risks related to achieving its revenue and income targets for fiscal year 2004. This confidence is based on SAP’s strong market position and its highly motivated and qualified employees.