
Risk Factors and Risk Management

Risk Management

As a global enterprise, we are exposed to an extensive variety of risks across our entire range of business operations. In the broadest sense, we define risk as the danger of not achieving our financial, operational, or strategic goals as planned. To ensure our long-term corporate success, it is therefore essential that risks be identified and analyzed effectively and then eliminated or at least limited by means of appropriate control measures. We have a comprehensive risk management system in place that enables us to recognize and analyze risks early on and to take appropriate action. This system is implemented as an integral part of our business processes across the entire SAP Group; it comprises multiple control mechanisms and constitutes an important element of the corporate decision-making processes. These mechanisms include recording, monitoring, and controlling internal enterprise processes and business risks, a number of management and controlling systems, a planning process that is uniform throughout the Group, and a comprehensive risk reporting system. To ensure the effectiveness of our risk management efforts, as well as the transparency and aggregation of risks within the framework of reporting, we have opted for an integrated approach to managing corporate risks, implemented uniformly throughout the Group by a global GRC organization with a direct reporting line to the chief financial officer of SAP AG. The GRC organization has the following mandate:

  • To continually identify and assess the risks incurred within all important business operations using a uniform, methodical approach
  • To monitor implementation of the measures defined to counteract risks
  • To report on risks to management and the Executive Board on a regular basis
  • To develop and continuously maintain a global, risk-oriented insurance strategy as a means of risk mitigation
  • To ensure compliance with regulations governing the establishment and monitoring of effective internal control over financial reporting in line with the U.S. Sarbanes-Oxley Act, section 404
  • To ensure information security.
In 2006, we conducted, for the first time, an audit of our internal control structure as required by section 404 of the U.S. Sarbanes-Oxley Act. We found that on December 31, 2006, our internal control over financial reporting for the U.S. GAAP consolidated financial statements submitted to the SEC was effective. We are also auditing that control structure as of December 31, 2007; as of March 19, 2008, the audit had found no indication that it was not effective on December 31, 2007. In accordance with those requirements, we have documented the key business processes of SAP AG and its major subsidiaries, as well as the controls contained in these processes. Our global internal audit service and dedicated process champions periodically assess these standard processes and their documented procedures and test the design and effectiveness of the process controls. Further elements of the system include a Group-wide corporate Code of Business Conduct for employees and the work of the SAP Supervisory Board in monitoring and controlling the Executive Board.

Our risk management system is based on our global risk management framework, which we developed and implemented in accordance with international recommendations to ensure, among other things, that we comply with Sarbanes-Oxley Act regulations. The Global Risk Management Framework consists of five main components:

  • A Group-wide risk management policy approved by the Executive Board
  • A risk management organization that is part of our global GRC organization
  • A Group-wide, uniform risk management process model
  • IT tools implemented throughout SAP to support the risk management process
  • Group-wide cascading risk reporting.