SAP AG - Annual Report 2007 - Risk Factors and Risk Management

Risk Factors and Risk Management

Risk Management

As a global enterprise, we are exposed to an extensive variety of risks across our entire range of business operations. In the broadest sense, we define risk as the danger of not achieving our financial, operative, or strategic goals as planned. To ensure our long-term corporate success, it is therefore essential that risks be effectively identified and analyzed and then eliminated or at least limited by means of appropriate control measures. We have a comprehensive risk management system in place, which enables us to recognize and analyze risks early on and to take the appropriate action. This system is implemented as an integral part of our business processes across the entire SAP Group; it comprises multiple control mechanisms and constitutes an important element of the corporate decision-making processes. These mechanisms include recording, monitoring, and controlling internal enterprise processes and business risks, a number of management and controlling systems, a planning process that is uniform throughout the Group, and a comprehensive risk reporting system. To ensure the effectiveness of our risk management efforts, as well as the transparency and aggregation of risks within the framework of reporting, we have opted for an integrated approach to managing corporate risks, to be uniformly implemented throughout the Group by a global GRC organization with a direct reporting line to the chief financial officer of SAP AG. The GRC organization has the following mandate:

To continually identify and assess the risks incurred within all important business operations using a uniform, methodical approach
To monitor implementation of the measures defined to
counteract risks
To report on risks to management and the Executive Board on a regular basis
To develop and continuously maintain a global, risk-oriented insurance strategy as a means of risk mitigation
To ensure compliance with regulations governing the establishment and monitoring of effective internal control over financial reporting in line with the U.S. Sarbanes-Oxley Act, section 404
To ensure information security.

In 2006, we conducted an audit of our internal control structure, as required by the U.S. Sarbanes-Oxley Act, section 404 for the first time. We found that on December 31, 2006, our financial reporting control over the U.S. GAAP consolidated financial statements submitted to the SEC was effective. We are also auditing that control structure as on December 31, 2007. The audit had not found any indication by March 19, 2008, that it was not effective on December 31, 2007. We have documented key business processes of SAP AG and its major subsidiaries, as well as the controls contained in these processes, in accordance with those requirements. Our global internal audit service and dedicated process champions periodically assess these standard processes and their documented procedures and test the design and effectiveness of the process controls. Further elements of the system include a Group-wide corporate Code of Business Conduct for employees and the work of the SAP Supervisory Board in monitoring and controlling the Executive Board.

Our risk management system is based on our global risk management framework, which we developed and implemented in accordance with international recommendations to ensure, among other things, that we comply with Sarbanes-Oxley Act regulations. The Global Risk Management Framework consists of five main components:

A Group-wide risk management policy approved by the Executive Board
A risk management organization that is part of our global GRC organization
A Group-wide, uniform risk management process model
IT tools implemented throughout SAP to support the risk management process
Group-wide cascading risk reporting.

Uniform Risk Analysis Across the Group

Within the scope of risk assessment, we consider the probability of occurrence as well as the loss associated with risks. We employ both qualitative and quantitative assessment methods that are uniformly structured across the Group and thereby foster the comparability of the risk analyses conducted across the various business units. In accordance with the results yielded by analyzing the probability of occurrence and potential loss, we assess a risk as “high,” “medium,” or “low” on the Group-wide uniform risk-assessment matrix. In addition, we apply stochastic risk-analysis methods such as value at risk (VaR) calculations to continuously determine our foreign exchange, litigation, and escalation exposures. Simulation techniques such as Monte Carlo analyses are used within the context of calculating contingencies for the pricing of project proposals.

In other areas where a quantitative assessment is more difficult, we employ qualitative assessment techniques based on the uniform risk-assessment matrix indicated above. We estimate the probability of occurrence and impact of individual risks using a common assessment horizon of three years to give us a risk prioritization. We only use insurance for risk control where the economic benefit appears worthwhile to us.

SAP Runs SAP Software

We have developed our own risk management software to create transparency across all risks that exist within our corporate alliance as well as to facilitate risk management and the associated reporting system. We record and address all identified risks in our own operational risk management application. Every quarter, we consolidate, aggregate, and present to the Executive Board the risk management information held in the risk management application. In addition, an ad-hoc risk-reporting requirement to the Executive Board and the chairperson of the Supervisory Board has been established where a risk with an expected loss exceeding €100 million is identified. We define a risk to our ability to continue as a going concern to mean a risk associated with an expected loss exceeding €150 million.

We review our risk management policy and process model annually and revise them if necessary. Our global internal audit service conducts targeted reviews to check compliance with our risk management policy. Our global internal audit service regularly reviews the reliability of the risk management structure and the efficiency of the risk management and reports the results to the Executive Board. Apart from these measures, our auditor performs an annual assessment of the suitability of our risk management structures for the purpose of identifying risks that would threaten our ability to continue as a going concern, as required by the German Stock Corporation Act, section 91 (2). Key risk factors identified and tracked using the enterprise risk management program are summarized below, broken down by the same risk categories as we use in our internal risk management reporting structure.

Economic Risks

The purchase and implementation of our software products constitutes a considerable investment for many of our customers, and is therefore subject to an investment decision-making process. Uncertainties brought about by changes in political, legal, or social situations can have an adverse effect on our business, assets, financial position, and operating results, since they are likely both to reduce customers’ willingness to invest in acquiring and implementing our products and to delay the timing of these investments. In this context, particular risks can emanate from those countries in which, from a historical perspective, a certain legal and political instability prevails. However, our international orientation and the fact that we license our products on all significant world markets give us additional flexibility, because economic difficulties in one region can be balanced by increased business activity on other markets. We believe that a significant adverse impact on our expected business performance due to a decline in the general economic situation is unlikely.
We are dependent on a highly networked global infrastructure. A disruption or failure of our internal systems or the local and regional infrastructures on which they depend could result in a disruption in our services or the sale of our products. Natural disasters, cyber-attacks, terrorism, disease pandemics, and other factors beyond our control may influence our normal business operations. Such conditions can damage the local, regional, and even the world economy, and affect our investment decisions as well as those of our customers. Our corporate headquarters, which includes our executive management offices as well as our main research and development departments and certain other critical business functions, is located in the German state of Baden-Württemberg. A catastrophic event affecting the northern part of Baden-Württemberg could have a highly material impact on our operations. Similar catastrophes impacting other key locations such as Bangalore, India; Ra’anana, Israel; Tokyo, Japan; Newtown Square, Pennsylvania, or Palo Alto, California, in the United States; Shanghai, China; or in Singapore, might also affect our global operations, although less severely. The area where our headquarters is located is generally free of catastrophic natural exposures although the risks of cyber-attacks, terrorism, global pandemic, or an accident involving one of the nearby nuclear power plants does exist. Our other key development and infrastructure locations may have additional regional natural catastrophe exposures. Israel is also subject to risk exposures due to regional political instabilities. A catastrophic event that results in the loss of significant percentages of personnel or the destruction or disruption of operations in our headquarters or other key locations could affect our ability to provide normal business services and generate expected business revenues. However, data redundancies and daily information backup worldwide ensure that our key IT infrastructure and critical business systems should not materially be adversely affected. To minimize possible losses and ensure a coordinated and effective corporate response, our global GRC organization has a worldwide business continuity management program intended to ensure the functionality of our core processes in crisis situations.
Our products and services are currently marketed in over 120 countries worldwide. Sales in these countries are subject to risks inherent in international business operations. Such risks include, in particular, the general economic or political conditions in individual countries, the conflict and overlap of differing tax structures, regulatory constraints such as import and export restrictions, legislation governing the use of the Internet and the development and provision of software and services. In Brazil, Russia, India, and China, certain regulatory constraints in the form of, for example, special levies on cross-border royalty payments and bureaucratic import-control processes still impede international goods traffic and business operations. We address these risks by means of various measures ranging from regular dialog with law firms, tax advisors, and the authorities of the host countries to the initiation of legal proceedings. A moderate impact on our expected business performance in the countries in question induced by such regulatory constraints is nevertheless possible. For the majority of our important target markets, in particular those of the EU and North America, the ever-advancing convergence of legal and tax regulations allows us to assess both the likelihood and impact of these risks as low.

Market Risks

Competitors may gain market share because of acquisitions, the acceptance of new development models such as enterprise service-oriented architecture (enterprise SOA), and the popularity of new delivery models, such as “software as a service” (SaaS). In this context, large corporations such as IBM and Microsoft expand into our core market and compete with us more directly via enterprise SOA. Additionally, emerging SaaS vendors such as Salesforce.com are entering our market. Successful integration of acquired assets by consolidators such as Oracle and Infor may erode SAP’s integrated suite value proposition. SOA may encourage a shift in buying patterns, encouraging increased custom application development to the advantage of tool vendors. Simple Webbased consumption models may encourage increased spending on SaaS to SAP’s disadvantage. This could have a material adverse effect on us in a variety of ways, such as reducing sales due to customer uncertainty and subjecting us to competition from stronger, established companies or new peer-group companies. Additionally, traditional and non-traditional competitors are competing for finite partner wallet share that may make ecosystem revenue targets difficult to achieve. We believe that our strategy of organic growth, fill-in acquisitions, and a competitive SaaS midmarket offering remains valid for this environment. Therefore, we consider it unlikely now that our expected results will be greatly harmed by our direct competitors’ winning significant segment share from us. Rather, we see the current wave of consolidation in the IT sector as an opportunity to strengthen our position. However, we cannot rule out that competitors may offer more extreme discounts to customers, thus significantly limiting our profits.
The continuing trend toward business process outsourcing (BPO) could result in increased competition through the entry of systems integrators, consulting firms, telecommunications companies, computer hardware vendors, and other IT services providers. The perception of value created by SAP’s products among customers could be diminished to the extent that outsourcing providers bundle SAP applications with their services or provide such services using non-SAP applications. While most of our revenue is currently derived from license contracts concluded directly with customers, an increased trend toward outsourcing business processes to external providers could have an adverse impact on our revenue and results. In addition, the distribution of applications through application service providers (ASP) or other SaaS models may reduce the price paid for SAP products or adversely affect other sales of SAP products. We are actively countering these risks with our increasingly successful structured BPO partner program and our own on-demand business models and product ranges. In light of these measures, we still consider the risk of significant impairment to our revenue and results from competing BPO providers and SaaS models as unlikely for the foreseeable future.
Our large installed customer base has traditionally generated a large portion of our revenue. Declining customer satisfaction may lead to their decisions not to renew their maintenance agreements, not to license additional products, or not to contract for additional services, or to reduce the scope of their maintenance agreements. This could have a significant adverse effect on our revenue. We consider this unlikely due to the solid growth of business with our installed base in the past years and our forward-looking technological strategy, which has been acclaimed by both analysts and customers. Furthermore, customer satisfaction is closely monitored on a global basis to identify trends and proactively address them.

Business Strategy Risks

Targeting midsize companies with the aim of building on our leading position in the midmarket is a key part of our strategy. In that context, introducing a new business model, and expanding our partner ecosystem, and creating the infrastructure for volume business are all of great importance. These activities to win new segment share are all associated with risk that could have an adverse effect on our financial position and operating results aside from the risks associated with developing and launching a new product (discussed in the Product Risk section). In previous years, we demonstrated an ability to overcome risks associated with innovative approaches, and consolidated our leading position in this segment. In addition, we are confident we can cover our customers’ requirements with shorter time-to-value, minimum risk, and predictable cost. Therefore, we believe it is unlikely that planned innovations or new business models will significantly impair our planned results.
We have entered into cooperative agreements with a number of leading computer software and hardware suppliers, and technology providers to ensure that selected products produced by such suppliers are compatible with SAP software products. We have also supplemented our consulting and services through alliance partnerships with third-party hardware and software suppliers, systems integrators, and consulting firms. Most of these agreements are of relatively short duration and nonexclusive. In addition, we have established relationships relating to the resale of some of our software products by third parties. Most of these third parties or business partners maintain similar arrangements with our competitors, and some even operate in competition with us. A decision by these partners to cease cooperating with us when such agreements or partnerships expire or come up for renewal could adversely affect the marketing of and demand for our software products. However, this risk has become considerably easier to assess in recent years because of the ongoing consolidation in the enterprise software industry. We assess the occurrence of such a risk event with a significant impact on our expected business performance to be small because leading system integrators and IT infrastructure providers such as IBM and Microsoft, even where in competition with us, see cooperation agreements as an efficient and attractive opportunity to raise their own business performance in the enterprise sector. In our view, this also holds true for our agreement with Oracle, a competitor of ours, governing SAP’s resale of Oracle database licenses, since we are Oracle’s largest database reseller worldwide.

Human Capital Risks

Our highly qualified employees and managers provide the foundation for developing and selling new products, marketing and providing services for existing products, successfully leading and executing SAP’s business processes, and thus for securing its financial success. Ensuring that our workforce feels a long-term commitment to SAP is of utmost importance to us, as is attracting new, highly qualified employees. IT companies are all competing for top talent, so in certain labor markets the competition for top talent is very tight. Further intensification of competition is likely on the labor market because of growing demand for well-qualified and experienced professionals (for example, IT, consulting, and others). Our operations could be adversely affected if a high number of employees were to leave in quick succession and qualified replacements were not available. In light of the ever-increasing competition for highly qualified talents in the IT industry, there can be no absolute assurance that we will continue to be able to attract and retain key performers over the long term, despite the attractive benefits SAP offers. Therefore, we believe SAP’s attractiveness as an employer will again offer excellent opportunities to hire selected top talent worldwide in 2008 with the potential to contribute to SAP’s increased business success in the future. Extra efforts are being undertaken to mitigate the risk through employee qualification and development activities, including but not limited to thorough succession management as well as through employer benefit programs (for example, a performance-oriented remuneration system, employer-financed pension plan, and long-term incentive plan). In addition, efforts to strengthen management capacities through management development programs, mentoring and coaching, and top talent programs have been undertaken. We therefore assess the risk of a tangible adverse effect on our business operations because of the departure of key managers and employees as unlikely now.

Organizational and Governance-Related Risks

As a stock corporation domiciled in Germany issuing securities listed on a U.S. stock exchange, we are subject to both German and U.S. governance-related regulatory requirements. As mentioned earlier, in 2006 and 2007 we assessed our disclosure controls and procedures and determined they were effective. Nonetheless, however great our efforts, there can be no assurance that we will not be held in breach of regulatory requirements if, for example, individual employees behave fraudulently or negligently. We assess the likelihood of a material future occurrence of such a risk event as remote due to a significant number of internal control mechanisms, but we cannot entirely exclude the risk. Any such event may have a material adverse impact on our reputation and may lead to decreased business and stock value performance, although it is difficult to quantify the risk involved exactly due to the large variety of potential noncompliance scenarios. We continually monitor new regulatory requirements and take steps to ensure employee awareness of required standards and our Code of Business Conduct. In 2007, we centralized our policy-related compliance programs into a Global Compliance Office. A Chief Global Compliance Officer was appointed to oversee policy implementation, training, and policy enforcement efforts globally. Enforcement activities are monitored and tracked to allow trending and risk management analysis and to ensure consistent policy application throughout the Group.

Communication and Information Risks

We have undertaken a range of measures in recent years to mitigate the risk that internal, confidential communications and information about sensitive subjects such as future strategies, technologies, and products are improperly or prematurely disclosed to the public. These measures include Group-wide mandatory security standards and guidelines relating to external communications, technical precautions to prevent the transmission of confidential internal communications over external communication networks, and the provision of encrypted hardware equipment to employees who are frequently exposed to sensitive, confidential information. However, there is no guarantee that the protective mechanisms we have established will work in every case. Our competitive position could sustain serious damage if, for example, confidential information about the future direction of our product development became public knowledge. In light of these extensive measures, which we regularly review, we assess the occurrence of such a risk event as unlikely.

Financial Risks

Our management and external accounting is in euros. Nevertheless, a significant portion of our business is conducted in currencies other than the euro. Consequently, period-over-period changes in a particular currency can significantly affect our reported revenue and income. In general, appreciation of the euro relative to another currency has a negative effect while depreciation of the euro has a positive effect. Accordingly, the relative rise in the value of the euro against foreign currencies such as the U.S. dollar and the Japanese yen in 2007 had an adverse impact on our financial results. We continually monitor our exposure to currency fluctuation risks based on balance-sheet items and expected cash flows, and pursue a Group-wide foreign exchange risk management strategy using, for example, derivative financial instruments as necessary. As a result of various steps we have taken, management of our foreign currency risk is to a great extent centralized with SAP AG in Germany. Taking into account the risk management instruments mentioned, for SAP AG we regularly quantify the foreign exchange exposure for the most relevant currencies (in particular, the U.S. dollar, pound sterling, Japanese yen, Swiss franc, South African rand, Canadian dollar, and Australian dollar) using the value-at-risk method. We calculate the possible loss of income from foreign currency influences for a holding period of 10 days and a confidence level of 99%. The following table shows the value-at-risk calculated based on exposure figures for our above mentioned main currencies (exposure is defined as the outstanding open items taking into consideration concluded hedging transactions) at the end of the fiscal year and the yearly averages for fiscal years 2006 and 2007. The yearly averages are calculated using the figures at the end of the relevant quarters. Our 2007 average value-at-risk and year-end value-at-risk were significantly higher than in the previous year. This is chiefly due to the expansion of our hedge horizon from 12 to 15 months and the inclusion of the highly volatile South African rand in the ambit of our risk management. In addition, the volatility of almost all of our most relevant foreign currencies has considerably increased. Consequently, our value at risk significantly increased in 2007.

€ millions	Dec. 28 2007	Average for Year 2007	Dec. 29, 2006	Average for Year 2006
Value at risk	12.4	13.6	3.8	8.5

Variances or slowdowns in our licensing activity may negatively affect revenue from services and support, since such revenues typically lag behind license revenue. A significant decrease in the percentage of our total revenue derived from software licensing could thus have an adverse effect on our business, financial position, operating results, and cash flow. In view of the growing importance of support revenue and revenue from subscriptions and other software-related services, we adopted software and software-related service revenue growth as a measure of our performance. In addition to our focus on new license revenue, we have started to tap more continuous product revenue streams such as subscription fees. Software and software-related services are thus at the core of our corporate development strategy, and new offerings support growth in those fields.
SAP’s policy with regard to investment in financial assets is set out in our internal treasury guideline document, which is a collection of the rules that apply globally to all companies in the Group. The weighted average rating of our financial assets is “A.” Predominantly, our financial investments are short term. Because of our cautious investment policy, we believe we are not currently exposed to any negative effects on our assets arising out of the subprime lending crisis, which relates to secured and unsecured housing loans to borrowers with inadequate or poor credit history.
We use derivative instruments to hedge risks resulting from future cash flows associated with SAP’s employee stock appreciation rights (STAR) plan. However, there can be no assurance that the benefits achieved from hedging the STAR plan will exceed the costs of hedging the STAR plan.

Project Risks

Implementation of SAP software is a process that often involves a significant commitment from our customers in terms of resources and is subject to a number of significant risks over which we have little or no control. Additionally, some projects are managed by third parties and we may have limited insight into factors such as implementation schedules, costs, and project issues. We cannot provide absolute assurances that protracted installation times will not continue, that shortages of trained consultants will not occur, or that the costs of installation projects will not exceed the fixed fees we charge in some of our customer projects. Unsuccessful customer implementations projects could result in claims from customers, harm SAP’s image, and cause a loss of future revenues. However, for various reasons we have been trending positively in this risk category for several years. A tangible adverse impact on SAP’s expected business and earnings from customer project risks is unlikely. On the one hand, our customers now increasingly follow modular project approaches to optimize their IT environment. They embark on sequentially integrated individual projects with a comparatively low risk profile to realize specific potential improvement instead of pursuing highly complex resource-intensive projects to implement an all embracing IT landscape. On the other hand, our projects use a risk management system that is seamlessly integrated into SAP project management methods and safeguards successful implementation with coordinated risk and quality management programs. Risk control and minimization in customer projects have thus been optimally integrated into our overall risk management system. Escalation expenses remain very low, although in 2007 they increased slightly when measured in relation to the growth of our business. The number of actions filed against us arising out of our regular operations once again remained unchanged in comparison with the preceding year. In our opinion, the remaining individual risks are adequately considered in our financial planning. In addition, we have provided adequate insurance coverage against a broad range of typical liability scenarios established on the basis of known project risks. In those cases where risks result from partner implementation, we mitigate risks through the sale of safeguarding services, inclusion of subject matter experts on partner-led projects and close relations with the partners in our Global Alliance program.

Product Risks

To achieve full customer acceptance, new products and product enhancements can require long development and testing periods. Such efforts are subject to multiple risks, for example, scheduled market launches can be delayed, market needs and requirements may not be entirely met, or products may not completely satisfy our stringent quality standards. Furthermore, new products and product enhancements may still contain undetected errors when they are first released. Our product innovation life-cycle process, which provides strict quality controls at various defined points, was implemented several years ago to counteract such risks. In addition, we work in close cooperation with early-stage customers to correct such errors in the first year following the introduction of a new software release. There can be no assurance, however, that all such errors can be corrected to customers’ full satisfaction. As a result, it is feasible that certain customers may bring claims in certain cases for cash refunds, damages, replacement software, or other concessions. SAP software products are chiefly used by customers in business-critical applications and processes. This raises the defined risk in the event of actual or alleged failures of our software products and services. Our contractual agreements generally contain provisions designed to limit SAP’s exposure to warranty-related risks. However, these provisions may not cover every eventuality or be entirely effective under applicable law. Such claims could adversely affect our assets, finances, income, and reputation. Nevertheless, we counter these risks with thorough project management, project monitoring, rigid and regular quality assurance measures certified according to ISO 9001, and program risk assessments during product development. The generally high quality of our products is confirmed by our low customer escalation handling expenses (as described in the Project Risks section), the low rate of litigation arising against us out of our regular operations, and our constantly high customer satisfaction ratings as measured by regular customer surveys. Therefore, we believe it is unlikely that our planned results will be significantly impaired by product defect claims from SAP customers.
Our products include security features that are intended to protect the privacy and integrity of customer data. However, information systems and software applications are increasingly coming under attack for reasons ranging from criminal intent to personal financial gain. At the same time, an increasing number of applications are offered and supplied over the Internet to simplify cross company processes. Despite our security features, SAP products may be vulnerable to attacks and similar problems may be caused by attackers such as hackers bypassing the security precautions of our customers and misappropriating confidential information. Attacks by criminally motivated hackers or similar disruptions could jeopardize the security of information stored in and transmitted through the computer systems of our customers and lead to claims for damages against us from customers. We counter this risk with a multilevel approach. First, our development process includes measures for preventing security problems, which are subject to multiple control checks prior to product delivery. Secondly, all our applications are supplied with a security guideline intended to enable optimum integration into our customers’ existing security architecture utilizing the safety functions delivered by SAP with the product. We have a specifically dedicated product security team that is responsible for this. However, in the unlikely event that any security problems are identified in SAP software, customers are provided with help to rectify the situation as quickly as possible. Despite the fact that SAP performs extensive security tests and our products have not been significantly exposed to major security attacks so far, it cannot be ruled out that we are exposed to such attacks.
We have taken numerous third-party technologies under license and incorporated them into our portfolio of products. It cannot be ruled out that the licenses for certain third-party technologies will not be terminated against our interests or that we will not be able to favorably license third-party software for our products. This could lead to short-term replacement problems and to significantly higher development expenses. The risk increases if we acquire a company or a company’s intellectual property assets that have been subject to third-party technology licensing and product standards less rigorous than our own. Overall, in our assessment this risk is low. However, we cannot exclude the possibility that our business performance might be adversely affected specifically by a product from a business we acquire.
A key component of our strategy for a broad adoption of the SAP NetWeaver technology platform is offering it to certified independent software vendors (ISVs) to develop their own business applications. To the extent that SAP cannot attract a sufficient number of capable ISVs delivering high-quality solutions based on the platform, the desired market penetration of SAP NetWeaver may not be achieved. Any ISV-developed solutions displaying significant errors may reflect negatively on our reputation and thus indirectly impede our own business operations. In addition, as with any open platform design, the greater flexibility provided to customers to use data generated by non-SAP software might reduce customer demand to select and use certain SAP software products. To counter this risk, we have established a thorough certification process for all third-party vendors designed to ensure that they deliver consistently high quality. In our current assessment, which is based on our experience of having successfully certified more than 2,000 third-party solutions built on SAP NetWeaver, the risk of an adverse effect on our business is low.

Other Operational Risks

We use many different measures to protect our intellectual property. For example, we apply for patents, we register trade, service, and other marks, we register copyright, and we implement procedures and processes to protect our trade secrets. We are also willing to enforce our intellectual property rights against third parties who we believe infringe our intellectual property rights. We impose appropriate provisions in our license and nondisclosure agreements. However, it cannot be ruled out that all measures to protect our innovations will be sufficient to prevent a third party from infringing SAP’s intellectual property rights. We could suffer damage caused by an infringement of our intellectual property rights that cannot be pursued effectively in the courts. For example, in some countries in which we market our software products the local laws and courts do not offer effective means to enforce our intellectual property rights.
Software in general includes many components or modules that provide different features and perform different functions. Some of these features or functions may have valid intellectual property rights attached to them. SAP respects the valid intellectual property rights of third parties. We have been issued patents under our patent program and have a number of patent applications pending for our innovations. Nevertheless, there can be no assurance that, in the future, patents of third parties will not preclude us from utilizing certain technologies in our products, or require us to enter into royalty and licensing arrangements on terms that are not favorable to SAP. Third parties have claimed, and may claim in the future, that we have infringed their intellectual property rights.
In 2007, a number of lawsuits were filed against SAP for alleged patent infringement. For more information about actions before the Court and claims brought against us, see Note 24 in the Notes to the Consolidated Financial Statements section. We do not believe they will have any material adverse effect on our business, finances, income, or cash flow. However, any trial involves risk and potentially substantial legal costs. It is therefore impossible to exclude for certain the possibility that these cases could have a material adverse effect on our business, finances, income, or cash flow. The outcome of these actions currently before the courts cannot be predicted to any degree of certainty. We think it likely that SAP will increasingly be subject to such claims. The legal wrangling involved with a claim, with or without merit, can be time-consuming and often results in costly litigation. Moreover, such actions could result in product shipment delays, injunctions against the sale of our products or services, necessitate a complete or partial redesign of important products, and/or require us to enter into royalty or licensing agreements, which would significantly impair our results. Royalty or licensing agreements, if required, may not be available on terms acceptable to us.
As a software company, we attach great importance to protecting confidential information and intellectual property. There is a danger that someone might gain unauthorized access to our facilities and to sensitive material, and might use such material to SAP’s detriment. We have several physical and organizational barriers to such unauthorized access, such as multilevel access control, video surveillance at all key locations, and security personnel contractors. In our assessment, the risk of material impact on our business performance from compromised confidentiality arising out of unauthorized access is therefore low.
Our core processes (for example, application development, sales, customer support, and financial operations) are highly dependent on IT infrastructure (like networks and operating systems) and applications (such as SAP ERP or SAP Customer Relationship Management). Therefore, a secure and reliable IT operation is important for SAP’s business success. Outage of critical infrastructure can be triggered by problems like malware or virus attacks, sabotage by hackers, failures during change management (for example, operating system or application upgrade), serious natural disasters, or failure of underlying technology (such as the Internet). This could disrupt our systems/network or make it inaccessible to customers or suppliers. These incidents could lead to a substantial denial of service (unavailability), change (breach of integrity), or disclosure (breach of confidentiality) of SAP’s, our customers’, or our partners’ services or data, causing production downtime, recovery costs, and customer claims. Such incidents would significantly harm our business. However, a variety of defense mechanisms is in place that safeguard our IT infrastructure. Examples are state-of-the-art firewalls, anti-virus software, intrusion detection technology, and high availability landscapes – including the development and quality infrastructures. The IT processes are audited and successfully certified according to ISO 9001 (Quality System) and ISO 27001 (Information Security Management System). As a result, our main IT system enjoyed an average availability of 99.83% in 2007.
In the past, we have acquired companies, products, and technologies to expand our business. Such acquisitions are also planned for the future. In particular, our strategy for growth includes acquiring enterprises to specifically expand our product portfolio, such as the acquisition of OutlookSoft and Business Objects. In addition to risks in the categories already discussed, the risks commonly encountered in such transactions include the inability to successfully integrate the acquired business and the acquired technologies or products with our current products and technologies; a potential disruption of our ongoing business; the inability to retain key technical and managerial personnel; the assumption of material unknown liabilities of the acquired companies; the incurrence of debt or significant cash expenditure; a potential adverse impact on our relationships with partner companies, third-party providers of technology or products, or customers; and regulatory constraints. They could adversely affect our revenue and income. We counter these acquisition-related risks by means of many different methodological and organizational measures. These range from thorough technical, operational, financial, and legal due diligence checks on the company or assets to be acquired and a holistic evaluation of material transaction and integration risks before conclusion of any transaction to detailed, standardized integration planning and its execution by a dedicated integration team.
As a venture capital investor, in the past we acquired and expect in the future to continue to acquire equity interests in technology-related companies. Many of these enterprises currently generate net losses and require additional capital outlay from their investors. Changes to planned business operations may possibly affect the performance of companies in which SAP holds investments, and that could negatively affect the value of our investments. Moreover, under German tax law, capital losses and impairments of equity securities are not tax-deductible, which may negatively affect our effective tax rate. However, this risk is restricted due to the limited scope of our venture-capital activities, making a significant effect on planned results unlikely. This risk is mitigated through diversification of our portfolio and through active management of our investments.

Consolidated Risk Profile

In 2007, the categories with the highest percentage scores in our overall risk distribution profile were project risks, product risks, and other operational risks – all with similar scores. Next came market risks, strategic planning risks, and human capital risks – also all with similar scores. All of those categories together account for 82% as a portion of all risks in the consolidated profile. All of the other categories of risk are relatively insignificant to SAP.

None of the quantifiable risks identified by our risk management system exceeded the threshold we set (€150 million expected loss) defining a risk to our ability to continue as a going concern. The risks identified and quantified by our continuous operative risk management process continue the positive trend recorded in the preceding year. The proportion of “high” and “medium” risks in the risk-level matrix we use once again decreased in 2007. At the end of the fourth quarter, the risks categorized as “high” accounted for 2% (2006: 5%), while the proportion of “medium” level risks declined over the course of the year to 13% (2006: 21%). As a result, the proportion of risks categorized as “low” rose to 84% (2006: 74%). In our view, the risks identified above do not individually or cumulatively threaten our ability to continue as a going concern. On the contrary, the consolidated risk profile developed favorably during the course of 2007, and we believe our business opportunities, described below, will be of far more significance. In view of our risk profile, we are confident that we can continue in 2008 to successfully counter the challenges arising from those risks thanks to our strong position in the market, our technological leadership, our highly motivated employees, and our structured processes for early risk identification.