Review of Operations
Review of SAP's Group Operations
Risk Factors and Risk Management
Risk Management
As a global enterprise, we are exposed to an extensive variety of risks across our entire range of business operations. In the broadest sense, we define risk as being the danger of not achieving our financial, operative, or strategic goals as planned. In order to ensure our long-term corporate success it is therefore essential that risks be effectively identified and assessed and then either eliminated or at least limited by means of appropriate control measures.
We have a comprehensive risk management system in place, which enables us to recognize and analyze risks early on and to take the appropriate action. This system is implemented across the entire SAP Group as an integral part of our business processes, comprises multiple control mechanisms, and constitutes an important element of the corporate decision-making processes. These mechanisms include recording, monitoring, and controlling internal enterprise processes and business risks, a number of management and controlling systems, a planning process that is uniform throughout the Group and a comprehensive risk reporting system. So as to ensure the effectiveness of our risk management efforts as well as the transparency and aggregation of risks within the framework of reporting, we have opted for an integrated approach to managing corporate risks, to be uniformly implemented throughout the Group, and have established a dedicated global risk management organization with a direct reporting line to the Chief Financial Officer of SAP AG. This global risk management organization is tasked as follows:
Based on its assessment work, our management believes SAP has an internal control structure that meets the requirements of the Sarbanes-Oxley Act. At the time this SAP Review of Group Operations was written, the assessment had not been completed, so no final conclusion was possible. We have documented key business processes of SAP AG and its major subsidiaries, as well as the controls contained in these processes, in accordance with those requirements. Our global internal audit service and dedicated process champions periodically assess these standard processes and their documented procedures and test the design and effectiveness of the process controls. Further elements of the system include a Group-wide corporate Code of Business Conduct for employees and the work of the Supervisory Board in monitoring and controlling the Executive Board.
Our risk management system is based on our global risk management framework, which we developed and implemented in accordance with international recommendations to ensure we comply with Sarbanes-Oxley Act regulations. The Global Risk Management Framework consists of five main components:
ORGANIZATIONAL AND GOVERNANCE-RELATED RISKS
COMMUNICATION AND INFORMATION RISKS
