
Risk Management and Risks




Our Risk Management


Internal Control and Risk Management System

As a global company, SAP is exposed to a broad range of risks across our business operations. As a consequence, our Executive Board has put comprehensive risk management and internal control structures in place that enable SAP to identify and analyze risks early and take appropriate action. Our risk management and internal control system is designed to identify potential events that could negatively impact the Company and to provide reasonable assurance regarding the operating effectiveness of the controls in place over our financial reporting, ensuring the achievement of the Company objectives, specifically our ability to achieve our financial, operational, or strategic goals as planned.

This system comprises numerous control mechanisms and is an important element of our corporate decision-making process; it is therefore implemented as an integral part of SAP’s business processes across the entire Group. To ensure that our global risk management efforts are effective while also enabling us to aggregate risks and report on them transparently, we have adopted an integrated risk management and internal control approach.

Due to our public listings in both Germany and the United States, we are subject to both German and U.S. regulatory requirements that relate to risk management and internal controls over financial reporting, such as provisions in the German Stock Corporation Act, section 91 (2) and the U.S. Sarbanes-Oxley Act (SOX) of 2002, specifically sections 302 and 404. Hence, our Executive Board has established an early warning system (risk management system) to ensure compliance with applicable regulations and an effective management of risks.

Our risk management system is based on five pillars, which include a dedicated risk management policy and a standardized risk management methodology as well as a global risk management organization. Our internal control system consists of the internal control and risk management system for financial reporting (ICRMSFR) that also covers the broader business environment. In 2015, we adjusted existing control designs to adequately address the changed risk environment and continued to automate our internal control landscape leveraging continuous control monitoring and continuous auditing activities in selected business areas. Using the current Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework of 2013, we define and cover internal controls along the value chain on a process and subprocess level to ensure that sound business objectives are set in line with the organization’s strategic, operational, financial, and compliance goals. In addition, we have a governance model in place across risk management and the internal control system to ensure both systems are effective, as well as a central software solution to store, maintain, and report all risk-relevant information.

Risk Management Policy and Framework

The risk management policy issued by our Executive Board governs how we handle risk in line with the Company’s risk appetite and defines a methodology that is applied uniformly across all parts of the Group. The policy stipulates who is responsible for conducting risk management activities and defines reporting and monitoring structures. In 2015, as part of our regular review, we updated and rolled out this mandatory policy to all employees. Our global corporate audit function conducts regular audits to assess the effectiveness of our risk management system. Every year, SAP’s external auditor assesses if the SAP SE early risk identification system is adequate to identify risks that may endanger our ability to continue as a going concern. SAP’s enterprise risk management covers risks in the areas of strategy, operational business, financial reporting, and compliance. As of today, the risk management system analyzes risks and only assesses or analyzes opportunities where deemed appropriate.

Risk Management Methodology and Reporting

The following sections describe the key elements of the risk management process as part of SAP’s risk management policy: risk planning, identification, analysis, response, and monitoring.

Risk planning and risk identification for both internal and external risks are conducted in cooperation between risk managers and the business units or subsidiaries across the Group. We use various techniques to identify risks. For example, we have identified risk indicators and developed a comprehensive risk catalog that includes risk mitigation strategies for known product and project risks. Risk identification takes place at various levels of our organization to ensure that common risk trends are identified and end-to-end risk management across organizational borders is enabled. We apply both a qualitative and quantitative risk analysis as well as other risk analysis methods such as sensitivity analyses and simulation techniques.

To determine which risks pose the highest threat to the viability of the SAP Group, we classify them as “high,” “medium,” or “low” based on the likelihood that a risk will occur within the assessment horizon as well as the impact the risk would have on SAP’s business objectives if it were to occur. The scales for measuring these two indicators are given in the following tables.

Probability/Likelihood of Occurrence   Description
1% to 19%   Remote
20% to 39%   Unlikely
40% to 59%   Likely
60% to 79%   Highly Likely
80% to 99%   Near Certainty

In this framework, we define a remote risk as one that will occur only under exceptional circumstances and a near certain risk as one that can be expected to occur within the specified time horizon. The period for analyzing our risks is at least the forecast period used. The period for analyzing our risks that could be possible threats to the Group’s ability to continue as a going concern is eight rolling quarters.

Impact Level   Impact Definition
Insignificant   Negligible negative impact on business, financial position, profit, and cash flows
Minor   Limited negative impact on business, financial position, profit, and cash flows
Moderate   Some potential negative impact on business, financial position, profit, and cash flows
Major   Considerable negative impact on business, financial position, profit, and cash flows
Business-Critical   Detrimental negative impact on business, financial position, profit, and cash flows

Based on the combination of the likelihood that a risk will occur and its impact on SAP’s reputation, business, financial position, profit, and cash flow, we classify the risks as “high,” “medium,” or “low.”

Probability (rows) / Impact (columns)   Insignificant   Minor   Moderate   Major   Business Critical
80-99%   L   M   H   H   H
60-79%   L   M   M   H   H
40-59%   L   L   M   M   H
20-39%   L   L   L   M   M
1-19%   L   L   L   L   M

L = Low Risk, M = Medium Risk, H = High Risk

Risk analysis is followed by risk response and risk monitoring. Our risk managers work in close cooperation with the business owners, ensuring that effective strategies are implemented to address risks. Business owners are responsible for continuously monitoring the risks and the effectiveness of mitigation strategies, with support from the respective risk managers. Risks may be reduced by taking active steps based on risk approval. To provide greater risk transparency and enable appropriate decision making for business owners, we have established a risk delegation of authority (RDOA) for relevant parts of the organization as deemed appropriate. Risk DOA is a risk management decision-making hierarchy that helps business owners gain timely insight into projects and processes with the greatest risk, so they are better able to review the relevant information, understand the risk profile and associated mitigation strategies, and determine if their approval is warranted. Depending on the exposure, approval is required at different levels of the Company, up to and including the Executive Board.

All identified and relevant risks are reported at the local, regional, and global levels in accordance with our risk management policy. At local, regional, and global levels, we have established executive risk councils that regularly discuss risks and countermeasures and that monitor the success of risk mitigation. In addition, the Executive Board is informed quarterly about individual risks based on clearly defined reporting criteria. Newly identified or existing significant risks that are above a defined threshold or with a potential significant impact are also reported to the chairperson of the Supervisory Board and to the Audit Committee of the Supervisory Board. This includes any risks of potential ongoing concern.

We also have a process in place that analyzes those risks with respect to potential effects on liquidity, excessive indebtedness, and insolvency, which could be possible threats to the Group’s ability to continue as a going concern.

Risk Management Organization

Our risk management organization ensures the coverage of the functions of risk management governance, strategic, operational, financial, and compliance risk management. Our Global Governance, Risk & Compliance (GRC) organization comprises a Group-wide governance function, including regular maintenance and implementation of our risk management policy. The uniform process model comprises all essential elements of risk management: risk planning, risk identification, risk analysis, risk response, and risk monitoring. This function is also responsible for standardized risk reporting to risk committees at different levels of the Company, including the Executive Board as well as the chairperson and the Audit Committee of the Supervisory Board.

Our strategic risk management function resides within our Global Controlling organization and is responsible for enabling early identification and mitigation of risks that could threaten the successful execution of SAP’s strategic priorities and targets. It also supports the successful execution of our corporate strategy by creating transparency regarding risks that could threaten commercial interests or intangible assets such as corporate or product reputation and brand image.

Operational and financial risk management is uniformly implemented at SAP. Independent GRC risk managers are assigned to each of SAP’s important business units and business activities and to selected strategic initiatives. All GRC risk managers, together with assigned risk contacts in the business units, continuously identify and assess risks associated with material business operations using a uniform approach and monitor the implementation and effectiveness of the measures chosen to mitigate risks. Further financial risk management activities are performed by our global treasury function.

During the merger and acquisition and post-merger integration phase, newly acquired companies are subject to risk management performed by our Corporate Development M&A function. Furthermore, as long as they are not integrated, existing risk management structures are maintained or enhanced within the acquired companies to ensure that legal requirements are met.

Risk managers are responsible for supporting and monitoring the implementation of risk management across the Group that is both effective and compliant with regulatory requirements and SAP’s global risk management policy. Based on our risk management policy, all risks and risk-related matters have to be reported to the Global GRC organization.

The head of Global GRC, together with other key functions (for example, Global Controlling or Global Treasury), is responsible for SAP’s internal control and risk management program, and provides regular updates to the Audit Committee of the Supervisory Board. The overall risk profile of the Group is consolidated by the head of Global GRC, who reports to the Group CFO.

Internal Control and Risk Management System for Financial Reporting

The purpose of our system of internal control over financial reporting is to ensure with sufficient certainty that our financial reporting is reliable and in compliance with applicable generally accepted accounting principles. Because of the inherent limitations of internal control over financial reporting, it may not prevent or bring to light all potential misstatements in our financial statements.

SAP’s internal control and risk management system for financial reporting (ICRMSFR) is based on our Group-wide risk management methodology. The ICRMSFR includes organizational, control, and monitoring structures designed to ensure that data and information concerning our business are collected, compiled, and analyzed in accordance with applicable laws and properly reflected in the IFRS Consolidated Financial Statements.

Our ICRMSFR also includes policies, procedures, and measures designed to ensure compliance of SAP’s financial reports with applicable laws and standards. We analyze new statutes, standards, and other pronouncements concerning IFRS accounting and its impact on our financial statements and ICRMSFR. Failure to adhere to these new statutes, standards, and other pronouncements would present a substantial risk to the compliance of our financial reporting. Finally, the ICRMSFR has both preventive and detective controls, including, for example, automated and non-automated reconciliations, segregated duties with two-person responsibility, authorization concepts in our software systems, and monitoring.

Our Corporate Financial Reporting department codifies all accounting policies in our global Group Accounting and Revenue Recognition Guidelines. These policies, the corporate closing schedule, and our process handbooks together define the closing process. Under this closing process, we prepare, predominately through centralized and outsourced services, the financial statements of all SAP legal entities for consolidation by our Corporate Financial Reporting department. The Corporate Financial Reporting department and other corporate departments assist in the efforts to comply with Group accounting policies and monitor the accounting work. Our Corporate Financial Reporting department conducts reviews of our accounting processes and books.

We have outsourced some work, such as valuing projected benefit obligations and share-based payment obligations, quarterly tax calculations for most entities, and purchase price allocations in the context of asset acquisitions and business combinations. We have also outsourced the preparation of the local statutory financial statements of most of our subsidiaries. The employees who work on SAP’s financial reporting receive training in the respective policies and processes.

Based on an analysis of the design and operating effectiveness of our respective internal controls over financial reporting, a committee presents the results of the assessment on the ICRMSFR effectiveness with respect to our IFRS Consolidated Financial Statements as at December 31 each year to the Group CFO. The committee meets regularly to set the annual scope for the test of effectiveness, to evaluate any possible weaknesses in the controls, and to determine measures to address them adequately. During its own meetings, the Audit Committee of the Supervisory Board regularly scrutinizes the resulting assessments of the effectiveness of the internal controls over financial reporting with respect to the IFRS consolidated financial statements.

The assessment of the effectiveness of the ICRMSFR related to our IFRS consolidated financial statements was that on December 31, 2015, the Group had an effective internal control system over financial reporting in place.

Risk Management and Internal Control Governance

Our Executive Board is responsible for ensuring the effectiveness of the risk management and internal control system. The effectiveness of both systems and their implementation in the different Executive Board areas is monitored by each board member. We regularly provide a status on the risk management and the internal control system to the Audit Committee. Key risks are reported quarterly to the chairperson of the Supervisory Board and to the Audit Committee of the Supervisory Board. The Audit Committee of our Supervisory Board regularly monitors the effectiveness of SAP’s risk management and internal control system. In this regard, our Audit Committee requested the Corporate Audit department to regularly audit various aspects of the risk management system and its effectiveness. Additional reassurance is obtained through the external audit of the effectiveness of our internal control system over financial reporting and the internal warning system.

Software Solution Deployed

We use our own risk management software (SAP solutions for GRC) powered by SAP HANA to effectively support the governance process. Risk managers record and address identified risks using our risk management software to create transparency across all known risks that exist in the Group, as well as to facilitate risk management and the associated risk reporting. This information is available to managers through a mobile app as well as regularly issued reports, and is consolidated and aggregated for the quarterly risk report to the Executive Board. The solution also supports the risk-based approach of SAP’s internal control and risk management system for financial reporting (ICRMSFR).

Risk Factors


The following sections outline risk factors that we identify and track using our risk management software (SAP solutions for GRC) powered by SAP HANA. They are presented below at a more aggregated level as compared to their use in internal controlling, but are broken down by the same risk categories we use in our internal risk management system reporting structure. An overview of the risk factors presented below is outlined in the following table. It shows the classification of the risk factors according to our framework detailed in the Risk Management Methodology and Reporting section.

Overview Risk Factors

Risk Factor   Probability   Impact   Risk Level   Evolution 1)

Economic, Political, Social, and Regulatory Risks
Global Economy   likely   business critical   high
International Business Activities   unlikely   major   medium
Environmental, Social and Political Instability   unlikely   business critical   medium

Market Risks
Demand for New and Existing Solutions   unlikely   business critical   medium
Market Development for Cloud   unlikely   business critical   medium
Market Share and Profit   unlikely   major   medium

Business Strategy Risks
Solution Demand   remote   business critical   medium
Cloud Business Model   remote   business critical   medium
Relationships with Partners   likely   major   medium

Human Capital Risks
Managing the Geographically Dispersed Workforce   remote   major   low
Attracting, Developing, and Retaining People   unlikely   major   medium

Organizational and Governance-Related Risks
Corporate Governance Laws and Regulations   unlikely   major   medium
Data Protection and Privacy   unlikely   business critical   medium
Climate Change, Energy and Emissions   unlikely   moderate   low
Ethical Behavior   remote   major   low

Communication and Information Risks
Unauthorized Disclosure of Information   remote   business critical   medium

Financial Risks
Quarterly Sales Fluctuations   unlikely   moderate   low
Liquidity   remote   business critical   medium
Management Use of Estimates   unlikely   moderate   low
Accounting Pronouncement   unlikely   major   medium
Currency and Interest Rate Fluctuations   remote   major   low
Derivative Instruments for Share-Based Payment Plans   remote   minor   low

Project Risks
Implementation Projects   unlikely   major   medium

Product and Technology Risks
Product Security   unlikely   business critical   medium
Undetected Defects in Products   unlikely   business critical   medium
Third Party Licensing   likely   major   medium
Innovation   remote   business critical   medium
Technology and Product Strategy   unlikely   business critical   medium
Cloud Performance   unlikely   business critical   medium

Operational Risks
Infringement of Intellectual Property   likely   business critical   high
Lawsuits   likely   business critical   high
Mergers and Acquisitions   unlikely   business critical   medium
Enforcement of Intellectual Property   likely   business critical   high
Cybersecurity   unlikely   business critical   medium
Business Operations   unlikely   major   medium
Insurance   remote   business critical   medium
Venture Capital   remote   minor   low

Icon: decreased, unchanged, increased

1) Evolution: Risk Level compared with previous year.

All described risks are applicable to a different extent to our reportable segments (Applications, Technology, and Services and SAP Business Network) unless otherwise noted.

SAP SE is the parent company of the SAP Group. Consequently, the risks described below also apply, directly or indirectly, to SAP SE.

Economic, Political, Social, and Regulatory Risk

Uncertainty in the global economy, financial markets, or political conditions could have a negative impact on our business, financial position, profit, as well as cash flows, and put pressure on our operating profit.

Our business is influenced by multiple risk factors that are both difficult to predict and beyond our influence and control. These factors include global economic and business conditions, and fluctuations in national currencies. Other examples are political developments and general regulations as well as budgetary constraints or shifts in spending priorities of national governments.

Macroeconomic developments, such as financial market volatility episodes, global economic crises, chronic fiscal imbalances, slowing economic conditions, or disruptions in emerging markets, could limit our customers’ ability and willingness to invest in our solutions or delay purchases. In addition, changes in the euro conversion rates for particular currencies might have an adverse effect on business activities with local customers and partners. Furthermore, political instabilities in regions such as the Middle East and Africa, political crises (such as in Greece or Ukraine), natural disasters, pandemic diseases (such as Ebola in West Africa) and terrorist attacks (such as the attacks in Paris, France, in November 2015) could contribute to economic and political uncertainty.

These events could reduce the demand for SAP software and services, and lead to:

  • Delays in purchases, decreased deal size, or cancellations of proposed investments
  • Potential lawsuits from customers due to denied provision of service as a result of sanctioned-party lists or export control issues
  • Higher credit barriers for customers, reducing their ability to finance software purchases
  • Increased number of bankruptcies among customers, business partners, and key suppliers
  • Increased default risk, which may lead to significant impairment charges in the future
  • Market disruption from aggressive competitive behavior, acquisitions, or business practices
  • Increased price competition and demand for cheaper products and services

Any one or more of these developments could reduce our ability to sell and deliver our software and services which could have an adverse effect on our business, financial position, profit, and cash flows.

SAP has established measures and conducted scenario analyses to address and mitigate the described risks and adverse effects to the extent possible. We offer our customers standard software and product packages that are fast and easy to install, as well as financially attractive financing, software licensing, and subscription models. Our ongoing shift to a higher share of cloud subscriptions and software support revenue streams will lead to more predictable streams over time providing increased stability against financial volatilities. Furthermore, we continue to apply cost discipline internally and have a conservative financial planning policy. Additionally, SAP is continuously reshaping its organizational structure and processes to increase efficiency.

We estimate the probability of occurrence of this risk to be likely. Therefore, we cannot completely exclude the possibility that it will have a business-critical impact on our business, financial position, profit, and cash flows. This could exacerbate the other risks we describe in this report or cause a negative deviation from our revenue and operating profit target. We classify this risk as a high risk.

Our international business activities and processes expose us to numerous and often conflicting laws and regulations, policies, standards or other requirements and sometimes even conflicting regulatory requirements, and to risks that could harm our business, financial position, profit, and cash flows.

We are a global company and currently market our products and services in more than 180 countries and territories in the Americas (Latin America and North America); Asia Pacific Japan (APJ); China, Hong Kong, Macau, and Taiwan (Greater China); Europe, Middle East, and Africa (EMEA); and Middle and Eastern Europe (MEE) regions. Our business in these countries is subject to numerous risks inherent in international business operations. Among others, these risks include:

  • Data protection and privacy regulation regarding access by government authorities to customer, partner, or employee data
  • Data residency requirements (the requirement to store certain data only in and, in some cases, also to access such data only from within a certain jurisdiction)
  • Conflict and overlap among tax regimes
  • Possible tax constraints impeding business operations in certain countries
  • Expenses associated with the localization of our products and compliance with local regulatory requirements
  • Discriminatory or conflicting fiscal policies
  • Operational difficulties in countries with a high corruption perceptions index
  • Protectionist trade policies, import and export regulations, and trade sanctions and embargoes
  • Works councils, labor unions, and immigration laws in different countries
  • Difficulties enforcing intellectual property and contractual rights in certain jurisdictions
  • Country-specific software certification requirements
  • Challenges with effectively managing a large distribution network of third-party companies
  • Compliance with various industry standards (such as Payment Card Industry Data Security Standard)

As we expand into new countries and markets, these risks could intensify. The application of these laws and regulations to our business is sometimes unclear, subject to change over time, and often conflicts among jurisdictions. Additionally, these laws and government approaches to enforcement are continuing to change and evolve, just as our products and services continually evolve. Compliance with these varying laws and regulations could involve significant costs or require changes in products or business practices. Non-compliance could result in the imposition of penalties or cessation of orders due to alleged non-compliant activity. One or more of these factors could have an adverse effect on our operations globally or in one or more countries or regions, which could have an adverse effect on our business, financial position, profit, and cash flows.

We address these risks with various measures depending on the circumstances, including, for example, a strong legal and compliance office presence in the main countries, maintaining an effective data protection and privacy office and associated policy, receiving guidance from external economics consultants, law firms, tax advisors, and authorities in the concerned countries, and taking legal actions.

Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a major impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

Social and political instability caused by state-based conflicts, terrorist attacks, civil unrest, war, or international hostilities, as well as pandemic disease outbreaks or natural disasters, may disrupt SAP’s business operations.

Terrorist attacks (such as the attacks in Paris in November 2015) as well as other acts of violence or war, civil, religious, and political unrest (such as in Ukraine, Israel, Syria, and in other parts of the Middle East, Libya, and in other parts of Africa); natural disasters (such as hurricanes, flooding, or similar events); or pandemic diseases (such as Ebola in West Africa) could have a significant adverse effect on the local economy and beyond. Such an event could lead, for example, to the loss of a significant number of our employees, or to the disruption or disablement of operations at our locations, and could affect our ability to provide business services and maintain effective business operations. Furthermore, this could have a significant adverse effect on our partners as well as our customers and their investment decisions, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

Our mitigation measures have been designed and implemented to minimize such adverse effects. To ensure continuous operations of all business processes, we have been implementing and operating a worldwide business continuity management and crisis management system. To enable effective response and minimize possible losses in case of crisis situations, we have installed local crisis management teams at our main locations, supplemented by regional crisis management teams for the Americas (including Latin America and North America), APJ (including Greater China), EMEA, and MEE regions, and a global crisis management team.

To protect our key IT infrastructure (especially our data centers), critical business systems, and processes from material adverse effects in crisis situations, disaster recovery and business continuity plans have been developed that include implementation of data redundancies and daily data backup strategies. To verify and improve our approach, our IT-related organizations have been certified to the internationally recognized ISO 22301:2013 (Business Continuity Management) standard with regard to the Applications, Technology, and Services segment. In addition, our corporate headquarters, which houses certain critical business functions, is located in the German state of Baden-Württemberg. This area has historically been free of natural disasters.

With regard to the relevance of current and anticipated political crisis situations and acts of violence as well as pandemic diseases impacting SAP’s business, we believe that this risk is unlikely to materialize; however, we cannot exclude the possibility of such a risk occurring and having a business-critical impact on our reputation, business, financial position, profit, and cash flows, or causing a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

Market Risks

Our established customers might not buy additional software solutions, subscribe to our cloud offerings, renew maintenance agreements, purchase additional professional services, or they might switch to other products or service offerings (including competitive products).

In 2015, we continued to depend materially on the success of our support portfolio and on our ability to deliver high-quality services. Traditionally, our large installed customer base generates additional new software, maintenance, consulting, and training revenue. Despite the high quality and service level of our transformed and expanded service offering in the area of premium support services, we may be unable to meet customer expectations with regards to delivery and value proposition. This may lead to a potentially adverse impact on customer experience. Existing customers might cancel or not renew their maintenance contracts, decide not to buy additional products and services, not subscribe to our cloud offerings, or accept alternative offerings from other vendors. In addition, the increasing volume in our cloud business as well as the conversion of traditional on-premise licenses to cloud subscriptions licenses could have a potential negative impact on our software and maintenance revenue streams. This could have an adverse effect on our business, financial position, profit, and cash flows.

Working closely with SAP user groups, we continuously demonstrate the business value and the benefits of our solution, service and support portfolio in terms of innovation, quality, and high service level as well as through customer references and success stories. Additionally, we continuously monitor the performance and the perceived value of our services and the satisfaction of our customers. We implement mitigating steps where required.

In early 2015, we organizationally combined two main departments responsible for services and support at SAP for the Applications, Technology, and Services segment into one Global Service & Support unit. This combined organization offers a wide range of support, including premium support services (SAP MaxAttention and SAP ActiveEmbedded), and professional services to increase business benefit for our customers. For the SAP Business Network segment, we continue the established service and support models.

With regards to our volume in cloud business as well as the conversion of traditional on-premise licenses to cloud subscriptions licenses, we estimate the probability of this risk materializing to be unlikely. However, we cannot completely exclude the possibility that it could have a business-critical impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. Overall, we classify this risk as medium risk.

The success of our cloud computing strategy depends on market perception and an increasing market adoption of our cloud solutions and managed cloud services. Insufficient adoption of our solutions and services could lead to a loss of SAP’s position as a leading cloud company.

The market for cloud computing is increasing and shows strong growth relative to the market for our on-premise solutions. To offer a broad cloud service portfolio and generate the associated business value for our customers, we have acquired cloud computing companies such as Ariba, Concur, Fieldglass, and SuccessFactors. Due to ongoing contracts and previous substantial investments to integrate traditional on-premise enterprise software into their businesses, as well as concerns about data protection, security capabilities, and reliability, customers and partners might be reluctant or unwilling to migrate to the cloud.

Other factors that could affect the market acceptance of cloud solutions and services include:

  • Concerns with entrusting a third party to store and manage critical employee or company confidential data
  • Customer concerns about security capabilities and reliability
  • Customer concerns about the ability to scale operations for large enterprise customers
  • The level of configurability or customizability of the software
  • Missing integration scenarios between on-premise products and cloud-to-cloud solutions
  • Failure to securely and successfully deliver cloud services by any cloud service provider could have a negative impact on customer trust in cloud solutions
  • Strategic alliances among our competitors in the cloud area could lead to significantly increased competition in the market with regards to pricing and ability to integrate solutions
  • Failure to get the full commitment of our partners might reduce speed and impact in the market reach

If organizations do not perceive the benefits of cloud computing, the market for cloud business might not develop further, or it may develop more slowly than we expect, either of which could have an adverse effect on our business, financial position, profit, reputation and cash flows.

In addition to measures to communicate the business value of our cloud solutions to the market, we invest significantly in infrastructure and processes that ensure secure operations of our cloud solutions, including the adaptation of cloud service delivery to local and/or specific market requirements (such as local or regional data centers) and compliance with all local legal regulations regarding data protection and privacy as well as data security.

Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a business-critical impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify the risk as a medium risk.

Our market share and profit could decline due to increased competition, market consolidation and technological innovation as well as new business models in the software industry.

The software industry continues to evolve rapidly and is currently undergoing a significant shift due to innovations in the areas of enterprise mobility, cybersecurity, Big Data, hyperconnectivity, the Internet of Things, digitization, supercomputing, cloud computing, and social media. While smaller innovative companies tend to create new markets continuously and expand their reach through mergers, large traditional IT vendors tend to enter such markets mostly through acquisitions. SAP faces increased competition in our business environment from traditional as well as new competitors. This competition could cause price pressure, cost increases, and loss of market share, which could have an adverse effect on our business, financial position, profit, and cash flows.

Additionally, related to our Applications, Technology, and Services segment, customers could change their buying behavior by accelerating their acceptance of cloud solutions to reduce their investments, which might have a temporary adverse effect on our operating results. Furthermore, the trend in the market to invest more in cloud solutions might lead to a risk of the potential loss of existing on-premise customers. It may also have a temporary adverse effect on our revenue due to the number of conversions from on-premise licenses to cloud subscriptions from existing SAP customers in our installed base, as we recognize cloud subscriptions revenue over the respective service provision, which typically ranges from one to three years, with some up to five years.

We believe we will be able to protect our leadership in the market by continuing to execute successfully on our customer-centric innovation strategy, which is driven by a mix of organic growth, targeted acquisitions, and attractive cloud solution offerings. To compete successfully in the market, we continuously enhance our global processes and adjust our organizational structures. Furthermore, in the Applications, Technology, and Services segment, we have policies in place to effectively manage conversions from on-premise software arrangements to cloud arrangements.

Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a major impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

Business Strategy Risks

Demand for our new solutions may not develop as planned and our strategy on new business models and flexible consumption models may not be successful.

Our business consists of new software licenses, software license updates, and support and maintenance fees as well as of cloud subscriptions. Our customers are expecting to take advantage of technological breakthroughs from SAP without compromising their previous IT investments. However, the introduction of new SAP solutions, technologies, and business models as well as delivery and consumption models is subject to uncertainties as to whether customers will be able to perceive the additional value and realize the expected benefits we deliver along our road maps. There is a risk that such uncertainties may lead customers to wait for proof of concept through reference customers or more mature versions first, which might result in a lower level of adoption of our new solutions, technologies, business models, and flexible consumption models, or no adoption at all. This could have an adverse effect on our business, financial position, profit, and cash flows.

To mitigate this risk, SAP is balancing the distribution of our strategic investments by evolving and protecting our core businesses and simultaneously developing new solutions, technologies, and business models for markets, such as those in analytics, applications, and database and technology. Furthermore, we continuously demonstrate the benefits of our solution and services portfolio through customer references and success stories as well as the provision of support excellence to ensure customer satisfaction with and after the implementation of our solution.

We estimate the probability of occurrence of this risk to be remote, but cannot completely exclude the possibility that this risk could have a business-critical impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

Though downturns or upturns in cloud sales may not be immediately reflected in our operating results, any decline in our customer renewals would harm the future operating results of our cloud business.

We recognize cloud subscriptions revenue as we provide the respective services, typically over a period of one to three years, with some up to five years. This revenue recognition and our increasing subscription revenues could have a temporary adverse effect on our financial position, profit, and cash flows.

To maintain or improve our operating results in the cloud business, it is important that our customers renew their agreements with us when the initial contract term expires and purchase additional modules or additional capacities. Our customers have no obligation to renew their subscriptions after the initial subscription period, and we cannot assure that customers will renew subscriptions at the same or at a higher level of service, or at all. Our customers’ renewal rates may decline or fluctuate as a result of various factors, including their satisfaction or dissatisfaction with our cloud solution and services portfolio; our ability to efficiently provide cloud services according to customer expectations and meeting the service level agreements, service availability and provisioning, the integration capabilities of our cloud solutions into their existing IT environment (including hybrid solutions combining both cloud and on-premise solutions); our customer support; concerns regarding stable, efficient, and secure cloud operations and compliance with legal and regulatory requirements; our pricing; the pricing of competing products or services; mergers and acquisitions affecting our customer base; global economic conditions; and reductions in our customers’ spending levels.

If our customers do not renew their subscriptions, renew on terms less favorable to us, or fail to purchase additional modules or users, our revenue and billings will decline, and we may not realize significantly improved operating results from our customer base. This could have an adverse effect on our business, financial position, profit, and cash flows.

We share our overall long-term cloud strategy and our integration road map with our customers and continuously implement improvements that enhance our cloud solutions, including instant provisioning, a consumer-grade user experience, and a fast time to value, among others. To continuously improve our services, we closely monitor any issue and work together with customers to perform a root-cause analysis and provide a solution. We have a strong focus on providing our cloud services efficiently and according to customer expectations, including service provisioning, quality, and security as well as data protection and privacy.

Furthermore, we are continuously improving and adapting cloud services delivery to local and/or specific market requirements (such as local or regional data centers, customer expectations, and in accordance with legal and regulatory requirements).

Although we estimate the probability of occurrence of this risk to be remote, we cannot completely exclude the possibility that this risk could have a business-critical impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

If we are unable to scale and enhance an effective partner ecosystem, revenue might not increase as expected.

An open and vibrant partner ecosystem is a fundamental pillar of our success and growth strategy. We have entered into partnership agreements that drive co-innovation on our platforms, profitably expand all our routes-to-market to optimize market coverage, optimize cloud delivery, and provide high-quality services capacity in all market segments. Partners play a key role in driving market adoption of our entire solutions portfolio, by co-innovating on our platforms, embedding our technology, and reselling and/or implementing our software.

If partners consider our products or services model less strategic and/or financially less attractive compared to our competition and/or less appropriate for their respective channel and target market, if partners fear direct competition by SAP or if SAP fails to establish and enable a network of qualified partners meeting our quality requirements and the requirements of our customers, then, among other things, partners might not:

  • Develop a sufficient number of new solutions and content on our platforms
  • Provide high-quality products and services to meet customer expectations
  • Drive growth of references by creating customer use cases and demo systems
  • Embed our solutions sufficiently to profitably drive product adoption, especially with innovations such as SAP S/4HANA and SAP HANA Cloud Platform
  • Enable and train sufficient resources to promote, sell, and support to scale to targeted markets
  • Comply with applicable laws and regulations, resulting in delayed, disrupted, or terminated sales and services
  • Transform their business model in accordance with the transformation of SAP’s business model in a timely manner
  • Renew their existing agreements with us or enter into new agreements on terms acceptable to us or at all
  • Provide ability and capacity to meet customer expectations regarding service provisioning

If one or more of these risks materialize, this may have an adverse effect on the demand for our products and services as well as the partner’s loyalty and ability to deliver. As a result, we may not be able to scale our business to compete successfully with other software vendors, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

SAP continues to invest in long-term, mutually beneficial relationships and agreements with partners. We continue to develop and enhance a wide range of partner programs to retain existing and attract new partners of all types. We offer training opportunities to a wide range of resources for our partners and additionally provide demo solutions to enable partners to lead business value discussions on cloud and on-premise solutions with customers. A thorough certification process for third-party solutions has been designed and established to ensure consistent high-quality and seamless integration.

With the transformation of SAP’s business model, partners play an increasingly important role in co-locating our cloud solutions as well as operating SAP’s cloud solutions for their customers. Therefore, we estimate the probability of occurrence of this risk to be likely, and we cannot exclude the possibility that this risk could have a major impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target if it were to materialize. We classify this risk as a medium risk.

Human Capital Risks

If we do not effectively manage our geographically dispersed workforce, we may not be able to run our business efficiently and successfully.

Our success is dependent on appropriate alignment of our internal and external workforce planning processes and our location strategy with our general strategy. It is critical that we manage our internationally dispersed workforce effectively, taking short- and long-term workforce and skill requirements into consideration. This applies to the management of our internal as well as our external workforce. Changes in headcount and infrastructure needs as well as local legal or tax regulations could result in a mismatch between our expenses and revenue. Failure to manage our geographically dispersed workforce effectively could hinder our ability to run our business efficiently and successfully and could have an adverse effect on our business, financial position, profit, and cash flows.

We focus on mitigating this risk through a range of activities including succession management; workforce planning (which aims to achieve diversity and the right mix of talent and to take account of demographic changes); outsourcing; external short-term staffing; employer branding; career management (such as offering opportunities for short-term assignments and opportunities to improve skills, competencies, and qualifications); and extended benefit programs – for example, a performance-oriented remuneration system, an employer-financed pension plan in certain countries, and long-term incentive plans.

We estimate this risk to be a remote possibility, but we cannot completely exclude the possibility that this risk could have a major impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a low risk.

If we are unable to attract, develop, and retain leaders and employees with specialized knowledge and technology skills, or are unable to achieve internal diversity and inclusion objectives, we might not be able to manage our operations effectively and successfully, or develop successful new solutions and services.

Our highly qualified workforce is the foundation for our continued success. In certain regions and specific technology and solution areas, we continue to set very high growth targets, specifically in countries and regions such as Africa, China, Latin America, and the Middle East. In the execution of SAP’s strategic priorities, we depend on highly skilled and specialized personnel and leaders, both male and female. Successful maintenance and expansion of our highly skilled and specialized workforce in the area of cloud is a key success factor for our transition to be the leading cloud company. The availability of such personnel is limited and, as a result, competition in our industry is intense and could expose us to claims by other companies seeking to prevent their employees from working for a competitor. If we are unable to identify, attract, develop, motivate, adequately compensate, and retain well-qualified and engaged personnel, or if existing highly skilled and specialized personnel leave SAP and ready successors or adequate replacements are not available, we may not be able to manage our operations effectively, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows. Furthermore, we may not be able to develop, sell, or implement successful new solutions and services as planned. This is particularly true as we continue to introduce new and innovative technology offerings and expand our business in emerging markets. The lack of appropriate or inadequately executed benefit and compensation programs could limit SAP’s ability to attract or retain qualified employees and lead to financial losses. In addition, we might not be able to achieve our internal gender diversity objectives to increase the number of women in management from 18% in 2010 to 25% by 2017.

These risks notwithstanding, we continue to believe our leading market position, employer brand, and extended benefit programs will enable us to hire top talent internationally with the potential to contribute to SAP’s growing business success in the future. We address the risk of an adverse effect on our business operations from a failure to recruit the employees we need or from the loss of leaders and employees by seeking to build employee and leadership strengths through a range of targeted professional development, mentoring, and coaching programs, a gender diversity program, and a special focus on accelerated high-potential employee development that aims to develop talent as well as leadership talent, in particular. A strong focus on succession planning for leadership and key positions seeks to ensure sustainable leadership and to safeguard the business from disruption caused by staff turnover.

Although the risks related to failure to attract, develop, and retain talent could materialize, we believe that this is unlikely and that the impact on our reputation, business, financial position, profit, and cash flows, or potential negative deviation from our revenue and operating profit target would be major. We classify this risk as a medium risk.

Organizational and Governance-Related Risks

Laws and regulatory requirements in Germany, the United States, and elsewhere have become much more stringent.

As a European company domiciled in Germany with securities listed in Germany and the United States, we are subject to European, German, U.S., and other governance-related regulatory requirements. Changes in laws and regulations and related interpretations, including changes in accounting standards and taxation requirements, and increased enforcement actions and penalties may alter the business environment in which we operate. Regulatory requirements have become significantly more stringent in recent years, and some legislation, such as the anticorruption legislation in Germany, the U.S. Foreign Corrupt Practices Act, the UK Bribery Act, and other local laws prohibiting corrupt payments by employees, vendors, distributors, or agents, is being applied more rigorously. Emerging markets are a significant focus of our international growth strategy. The nature of these markets presents a number of inherent risks. A failure by SAP to comply with applicable laws and regulations, or any related allegations of wrongdoing against us, whether merited or not, could have an adverse effect on our business, financial position, profit, cash flows and reputation.

It is difficult to assess the precise potential risk, because there is a wide variety of complex legal and regulatory requirements that apply, and therefore an equally wide variety of potential non-compliance scenarios exist.

However, we continuously monitor new and increased regulatory requirements, updated or new enforcement trends, and publicly available information on compliance issues in the computer software industry, the emerging markets where we invest our resources, and in the business environment in general to cope with an increase in regulation enforcement efforts of certain countries or state-driven protectionism. Based on this information and any other available sources, we continuously update and refresh our compliance programs to achieve the most effective approach possible and to ensure that our employees understand and comply with the SAP Code of Business Conduct. This process is coordinated by our Legal Compliance and Integrity Office, a team of dedicated resources who are tasked with managing our policy-related compliance measures. Our chief compliance officer coordinates policy implementation, training, and enforcement efforts throughout SAP. Those efforts are monitored and tracked to allow trending and risk analysis and to ensure consistent policy application throughout the SAP Group. Despite our comprehensive compliance programs and established internal controls, intentional efforts of individuals to circumvent controls or engage in fraud for personal gains cannot always be prevented.

With regard to the increase of regulation enforcement efforts we have already experienced and continue to expect as well as state-driven protectionism, we estimate this risk to be unlikely. We cannot completely exclude the possibility that this risk could have a major impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

Non-compliance with applicable data protection and privacy laws or failure to adequately meet the requirements of SAP’s customers with respect to our products and services could lead to civil liabilities and fines, as well as loss of customers and damage to SAP’s reputation.

As a global software and service provider, SAP is required to comply with local laws wherever SAP does business. Consequently, we must ensure that any legal requirements in connection with the provision of products and services are properly implemented. With regard to data protection requirements, significant changes are expected subject to the upcoming European Data Protection Regulation. Furthermore, SAP is affected by the consequences of the decision of the European Court of Justice (ECJ), which declared Safe Harbor invalid, so that data transfers from within the European Union (EU) to the United States are no longer permitted based on Safe Harbor. This means that acquired SAP affiliates that have not already implemented the requirements for data transfers based on the Standard Contractual Clauses will have to implement these requirements immediately. However, this will be ensured by the implementation of the new Intra Group Agreement that provides a data protection level at the level of the Standard Contractual Clauses within the SAP Group. These laws and regulations amend and supplement existing requirements regarding the processing of personal data that SAP and SAP customers must fulfill and which we must consequently address with our products and services, including cloud delivery. Failure to comply with applicable laws or to adequately address privacy concerns of customers, even if unfounded, could lead to investigations by supervisory authorities, civil liability, fines (in the future, potentially calculated based on the Company’s annual revenue), loss of customers, and damage to our reputation, and could have an adverse effect on our business, financial position, profit, and cash flows.

Further, recent landmark decisions by the ECJ on data protection matters, as well as official statements made by the European data protection supervisory authorities, require SAP to carefully review our globalized business practices. Most importantly, the ECJ on October 6, 2015, ruled that data transfers by European companies to data processors in the United States can no longer be based on Safe Harbor. While SAP has not widely relied upon Safe Harbor, the data protection supervisory authorities have challenged the legality of other transfer mechanisms, such as the Standard Contractual Clauses used by SAP, on the same grounds by which the ECJ has declared Safe Harbor invalid. The data protection supervisory authorities have threatened to start enforcement activities as early as end of January 2016 against European companies that still transfer data to the United States (or grant U.S. companies remote access to systems containing personal data in the EU) based on a transfer mechanism that the authorities consider invalid. Enforcement activities against SAP or against SAP customers because of services and products that SAP provides with the help of our U.S.-based entities and/or U.S.-based suppliers could lead to fines, civil liability, loss of customers, and damage to our reputation, and could have an adverse effect on our business, financial position, profit, and cash flows.

It is conceivable that data transfers to further countries that do not provide a level of data protection and privacy comparable to the European level may be challenged, too.

To mitigate risks due to legal non-compliance, SAP actively monitors changes to applicable laws and regulations so that we can take adequate measures and certify our existing standards and policies on an ongoing basis. We have implemented a wide range of measures to protect data controlled by SAP and our customers from unauthorized access and processing, as well as from accidental loss or destruction. This includes, among others, a continuous enhancement of our data center operations worldwide, also taking into account local and/or sector-specific market and legal requirements. We have implemented a certified data protection management system in areas critical to data protection, such as global service and support, human resources (HR), marketing, products and innovation, and custom development, whereby implementation is audited internally as well as externally by the British Standards Institution on an annual basis. Furthermore, customers are provided with security certifications (such as ISO/IEC 27001), security white papers, and reports from our independent auditors and certification bodies.

Notwithstanding the aforementioned, and to address the potential risks resulting from the ECJ ruling on Safe Harbor in particular, we are analyzing all processes by which personal data is transferred to or remotely accessed by U.S.-based SAP entities or external third parties. Any of these processes that are still based upon Safe Harbor will be amended to address any requirements based upon the Standard Contractual Clauses that are still considered a valid legal basis to transfer personal data from within the EU to the United States. SAP further works on investigating possibilities to host and process all personal data that is in the legal responsibility of EU/European Economic Area (EEA)-based SAP entities in the EU/EEA only. With respect to customers, the EU Access service by which already today many European customers can be supported from within the EU/EEA countries shall be expanded.

We estimate this risk to be unlikely, but cannot rule out the possibility of it having a business-critical impact on our business, financial position, profit, and cash flows, causing damage to our reputation, or causing a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

Failure to meet customer, partner, or other stakeholder expectations or generally accepted standards on climate change, energy constraints, and our social investment strategy could negatively impact SAP’s business, results of operations, and reputation.

Energy and emissions management are an integral component of our holistic management of social, environmental, and economic risks and opportunities. We have identified risks in these major areas:

  • Our solutions
  • Our own operations – energy management and other environmental issues such as carbon management, water use, and waste

Because our customers, employees, and investors expect a reliable energy and carbon strategy, we have reemphasized our previously communicated targets, especially our 2020 target for greenhouse gas emissions. In case these targets cannot be achieved, our customers might no longer recognize SAP for our environmental leadership and might buy other vendors' products and services. Consequently, we could fail to achieve our revenue target. If we do not meet stakeholder expectations in the areas identified, our rating in sustainable investment indexes might decrease, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

In recent years, SAP has shown that it is possible to take a proactive position on social and environmental issues while delivering robust financial growth. As a result, we received great recognition for our sustainability efforts. As a proof point for SAP’s sustainability performance, we continue to be listed in the most prominent and recognized sustainability indexes, such as the Dow Jones Sustainability Indices and the CDP Climate Performance and Disclosure Leadership Indices. In 2015, SAP’s greenhouse gas emissions added up to 455 kilotons CO2, which means we missed our greenhouse gas emissions target of 420 kilotons by 35 kilotons. If we do not meet our greenhouse gas emissions target for 2020, we might fail to meet expectations regarding our energy and emission performance.

However, we believe that the risk of failing to meet expectations regarding our energy and emission strategy is unlikely to occur and that if the risk were to occur, it would only have a moderate impact on our reputation, business, financial position, profit, and cash flows, as well as on the achievement of our revenue and operating profit target. We classify this risk as a low risk.

Unethical behavior and non-compliance with our integrity standards due to intentional and fraudulent employee behavior could seriously harm our business, financial position, profit, and reputation.

SAP’s leadership position in the global market is founded on the long-term and sustainable trust of our stakeholders worldwide. Our heritage is one of corporate transparency, open communication with financial markets, and adherence to recognized standards of business integrity. The SAP Code of Business Conduct, adopted by the Executive Board on January 29, 2003, and updated as necessary since then, memorialized and supplemented the already existing guidelines and expectations for the business behavior practiced at SAP.

However, we may encounter unethical behavior and non-compliance with our integrity standards due to intentional and fraudulent behavior of individual employees, possibly in collusion with external third parties. In addition to intentional behavior, problems could also arise due to negligence in the adherence to rules and regulations. Unethical behavior and misconduct attributable to SAP could not only lead to criminal charges, fines, and claims by injured parties, but also to financial loss, and severe reputational damage. This could have an adverse effect on our business, financial position, profit, and cash flows.

To help prevent this, we instituted a comprehensive compliance management system (CMS), which is based on the three pillars of prevention, detection, and reaction. Our CMS program comprises several educational, counseling, control, and investigative instruments. The objective is to minimize and mitigate the risk of unethical behavior, whether intentional or negligent.

The SAP Code of Business Conduct is mandatory and applies to every SAP employee. It provides legal compliance guidance on how to avoid unethical behavior and solve dilemma situations. On an annual basis, the SAP Code of Business Conduct is re-confirmed by SAP’s workforce (except where disallowed by local legal regulations). We also rolled out and enforced various additional compliance policies aimed at managing third parties and preventing misuse of third-party payments for illegal purposes; ensuring controls around travel, entertainment, gift, and expense policies; and promoting a commitment to business with integrity through our partner and vendor ecosystems. These efforts are flanked by continuous education including e-learning and classroom training to target audiences as identified by compliance risk assessment. The overall CMS approach by SAP is continuously monitored internally and externally, and adapted accordingly, if needed.

Although we estimate the probability of occurrence of intentional or negligent major unethical conduct to be remote, we cannot exclude the possibility that this risk could materialize. In that event, this risk could have a major impact on our reputation, business, financial position, profit, and cash flows and could cause a negative deviation from our operating profit target. We classify this risk as a low risk.

Communication and Information Risks

Our controls and efforts to prevent the unauthorized disclosure of confidential information might not be effective.

Confidential information and internal information related to topics such as our strategy, new technologies, mergers and acquisitions, unpublished financial results, or personal data, could be prematurely or inadvertently disclosed and subsequently lead to market misperception and volatility. This could require us to notify multiple regulatory agencies and comply with applicable regulatory requirements and, where appropriate, the data owner, which could result in a loss of reputation for SAP. For example, leaked information during a merger or acquisition deal could cause the loss of our deal target, or our share price could react significantly in case of prematurely published financial results. This could have an adverse effect on our market position and lead to fines and penalties. In addition, this could have an adverse effect on our business, financial position, profit, and cash flows.

We take a wide range of actions to prevent unauthorized disclosure of information, including procedural and organizational measures. These measures include mandatory security awareness training for all employees, social engineering tests, standards for safe internal and external communication, and technical security features in our IT hardware and communication channels, such as mandatory encryption of sensitive data.

Although we estimate the likelihood of occurrence of this risk to be remote, we cannot completely exclude the possibility that this risk could have a business-critical impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our operating profit target. We classify this risk as a medium risk.

Financial Risks

Our sales are subject to quarterly fluctuations and our sales forecasts may not be accurate.

Our revenue and operating results can vary and have varied in the past, sometimes substantially, from quarter to quarter. Our revenue in general, and our software revenue in particular, is difficult to forecast for a number of reasons, including:

  • The relatively long sales cycles for our products
  • The large size, complexity, and extended timing of individual customer transactions
  • The introduction of licensing and deployment models such as cloud subscription models
  • The timing of the introduction of new products or product enhancements by SAP or our competitors
  • Changes in customer budgets
  • Decreased software sales that could have an adverse effect on related maintenance and services revenue
  • The timing, size, and length of customers' services projects
  • Deployment models that require the recognition of revenue over an extended period of time
  • Adoption of, and conversion to, new business models leading to changed or delayed payment terms
  • Seasonality of customers' technology purchases
  • Limited visibility during the ongoing integration of acquired companies into their ability to accurately predict their sales pipelines and the likelihood that the projected pipeline will convert favorably into sales
  • Other general economic, social, environmental, and market conditions, such as a global economic crisis and difficulties for countries with large debt

Since many of our customers make their IT purchasing decisions near the end of calendar quarters, and with a significant percentage of those decisions being made during our fourth quarter, even a small delay in purchasing decisions for our on-premise software could have an adverse effect on our revenue results for a given year. Our dependence on large transactions has decreased in recent years with a trend towards an increased number of transactions coupled with a decrease in deal size. However, the loss or delay of one or a few large opportunities could have an adverse effect on our business, financial position, profit, and cash flows.

We use a “pipeline” system for forecasting sales and trends in our business. Pipeline analysis informs and guides our business planning, budgeting, and forecasting, but pipeline estimates do not necessarily consistently correlate to revenue in a particular quarter, potentially due to one or more of the reasons outlined above. The reliability of our plans, budgets, and forecasts may therefore be compromised. Because our operating expenses are based upon anticipated revenue levels and a high percentage of our expenses are relatively fixed in the near term, any shortfall in anticipated revenue or delay in revenue recognition could result in significant variations in our operating results from quarter to quarter or year to year. Continued deterioration in global economic conditions would make it increasingly difficult for us to accurately forecast demand for our products and services, and could cause our revenue, operating results, and cash flows to fall short of our expectations and public forecasts. This could have an adverse effect on our stock price. To the extent any future expenditure fails to generate the anticipated increase in revenue, our quarterly or annual operating results may be subject to an adverse effect and may vary significantly compared to preceding or subsequent periods. As we recognize cloud subscriptions and support revenue over the respective service period that typically ranges from one to three years with some up to five years, the relevance and impact of sales fluctuations decrease along with the growing importance of these revenues.

Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a moderate impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a low risk.

External factors could impact our liquidity and increase the default risk associated with, and the valuation of, our financial assets.

Macroeconomic factors such as an economic downturn could have an adverse effect on our future liquidity. We use a globally centralized financial management to control financial risk, such as liquidity, exchange rate, interest rate, counterparty, and equity price risks. The primary aim is to maintain liquidity in the SAP Group at a level that is adequate to meet our obligations at any time. Our total Group liquidity is supported by our strong operating cash flows, of which a large part is recurring, and by credit facilities from which we can draw if necessary. However, adverse macroeconomic factors could increase the default risk associated with the investment of our total Group liquidity including possible liquidity shortages limiting SAP’s ability to repay financial debt. This could have an impact on the value of our financial assets, which could have an adverse effect on our business, financial position, profit, and cash flows.

SAP’s investment policy with regards to total Group liquidity is set out in our internal treasury guideline, which is a collection of uniform rules that apply globally to all companies in the SAP Group. Among others, it requires that we invest, with limited exceptions, only in assets and funds rated BBB flat or better. The weighted average rating of the investments of our total Group liquidity is in the range A to A–. We continue to pursue a policy of cautious investment characterized by wide portfolio diversification with a variety of counterparties, predominantly short-term investments, and standard investment instruments.

Although we estimate the probability of occurrence of this risk to be remote, there can be no assurance that the prescribed measures will be successful or that uncertainty in global economic conditions could not have a business-critical impact on our business, financial position, profit, cash flows, or operating profit target. We classify this risk as a medium risk.

Management use of estimates could negatively affect our business, financial position, profit, and cash flows.

To comply with IFRS, management is required to make numerous judgments, estimates, and assumptions (among others for our major patent disputes) that affect the reported financial figures. The facts and circumstances, as well as assumptions on which management bases these estimates and judgments and management’s judgment regarding the facts and circumstances, may change from time to time and this could result in significant changes in the estimates and judgments and, consequently, in the reported financials. Such changes could have an adverse effect on our business, financial position, profit and cash flows.

We have a number of control procedures in place to make sure that our estimates and judgments are adequate. For example, we apply two-person verification to significant estimating.

Although we estimate the probability of occurrence of the risk to be unlikely, we cannot completely exclude the possibility of a moderate impact on our business, financial position, profit, and cash flows, or a negative deviation from our revenue and operating profit target. We classify this risk as a low risk.

Current and future accounting pronouncements and other financial reporting standards, especially but not only concerning revenue recognition, may negatively impact our financial results.

We regularly monitor our compliance with applicable financial reporting standards and review new pronouncements and drafts thereof that are relevant to us. As a result of new standards, changes to existing standards (including the new IFRS 15 on revenue from contracts with customers that we will need to adopt in 2018) and changes in their interpretation, we might be required to change our accounting policies, particularly concerning revenue recognition, to alter our operational policies so that they reflect new or amended financial reporting standards, or to restate our published financial statements. Such changes may have an adverse effect on our reputation, business, financial position, and profit, or cause an adverse deviation from our revenue and operating profit target.

Although we estimate the probability of occurrence of the risk to be unlikely, we cannot completely exclude the possibility of a major impact. We classify this risk as a medium risk.

Because we conduct operations throughout the world, our business, financial position, profit, and cash flows may be affected by currency and interest rate fluctuations.

Our Group-wide management reporting and our external financial reporting are both in euros. Nevertheless, a significant portion of our business is conducted in currencies other than the euro. Approximately 74% of our revenue in 2015 was attributable to operations outside the euro area and was translated into euros. Consequently, period-over-period changes in the euro rates for particular currencies can significantly affect our reported revenues, profits and cash flows. In general, appreciation of the euro relative to another currency has an adverse effect while depreciation of the euro relative to another currency has a positive effect. Variable interest balance-sheet items are also subject to changes in interest rates. Such changes may have an adverse effect on our business, financial position, profit and cash flows or cause an adverse deviation from our revenue and operating profit target.

We continuously monitor our exposure to currency fluctuation risks based on balance-sheet items and expected cash flows, and pursue a Group-wide foreign exchange risk management strategy using, for example, derivative financial instruments as appropriate. With regards to our financial debt, we have a very balanced maturity profile and mixture of fixed and floating interest rate arrangements in place.

We believe that the likelihood of this risk of significant currency and interest rate fluctuations affecting our reported revenue and income materializing is remote and that if the risk were to occur, its impact on our business, financial position, profit, and cash flows could be major, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a low risk.

For more information about risks arising from financial instruments, including our currency and interest rate risks and our related hedging activity, see the Notes to the Consolidated Financial Statements section, Notes (24) to (25).

The cost of using derivative instruments to hedge share-based payments may exceed the benefits of hedging them.

We use derivative instruments to reduce the impact of our share-based payments on our income statement and to limit future expense associated with those plans. Based on a defined hedging strategy, we align the decision of individual hedging transactions with the Group CFO in the Treasury Committee. The expense of hedging the share-based payments could exceed the benefit achieved by hedging them. On the other hand, a decision to leave the plans materially unhedged could prove disadvantageous. This could have an adverse effect on our business, financial position, profit and cash flows or cause an adverse deviation from our revenue and operating profit target.

We believe that the likelihood of this risk materializing is remote and that if the risk were to occur, its potential impact on our business, financial position, profit, cash flows, and operating profit target would be minor. We classify this risk as a low risk.

Project Risks

Implementation of SAP software often involves a significant commitment of resources by our customers and is subject to a number of significant risks over which we often have no control.

A core element of our business is the successful implementation of software solutions to enable our customers to master complexity and help our customers’ business run at their best. The implementation of SAP software is led by SAP, by partners, by customers, or by a combination thereof. Depending on various factors, such as the complexity of solutions, the customer’s implementation, integration and migration needs, or the resources required, SAP faces a number of different risks. For example, functional requirement changes, delays in timeline, or deviation from recommended best practices may occur during the course of a project. These scenarios have a direct impact on the project resource model and on securing adequate internal personnel or consultants in a timely manner and could therefore prove challenging.

As a result of these and other risks, SAP and/or some of our customers have incurred significant implementation costs in connection with the purchase and installation of SAP software products. Some customer implementations have taken longer than planned. We cannot guarantee that we can reduce or eliminate protracted installation or significant third-party consulting costs, for example, that trained consultants will be readily available, that our costs will not exceed the fees agreed in fixed-price contracts, or that customers will be satisfied with the implementation of our software and solutions. Unsuccessful, lengthy, or costly customer implementation and integration projects could result in claims from customers, harm SAP’s reputation, and could have an adverse effect on our business, financial position, profit, and cash flows.

Our customers continue to follow project approaches to optimize their IT solutions in a non-disruptive manner. Our projects also include risk management processes that are integrated into SAP project management methods intended to safeguard implementations with coordinated risk and quality management programs. As part of our processes, we make adequate financial planning provisions for the remaining individual risks.

We estimate the probability of occurrence of this risk to be unlikely, but we cannot completely exclude the possibility that this risk could have a major negative impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

Product and Technology Risks

Undetected security vulnerabilities shipped and deployed within our products might cause damage to SAP and our customers, and partners.

Customer systems or systems operated by SAP itself to provide services could potentially be compromised by vulnerabilities if they are exploited by hackers. This could lead to theft, destruction, or abuse of data, or systems could be rendered unusable (for example, due to distributed denial of service attacks). The detection of security vulnerabilities in our software, our customers’ systems, or SAP systems used in the provision of services, especially in case of exploitation, could prevent us from meeting our contractual obligations and subsequently might lead to customer claims and reputational damage, which might have an adverse effect on our business, financial position, profit, and cash flows.

We have implemented a software security development lifecycle as a mandatory integral part of our software development process. We systematically align our software security development lifecycle to the recommendations of ISO/IEC 27034, applying methods to develop secure software in all development phases starting early in the design phase. This includes industry best practices such as security risk identification, threat modeling, a comprehensive security testing strategy, mandatory security training for all developers, and security validation of our products, patches, and services before shipment.

SAP has a software security response process in place to rapidly react to detected vulnerabilities and provide fixes. We have also improved the roll-out procedures for security-relevant notes, patches, and service packs to ensure easy and fast consumption on the customer side. However, with regards to the Applications, Technology and Services segment, there is a risk that customers do not upgrade or patch their business systems on a timely basis according to SAP’s recommendations. 

We cannot completely exclude the possibility of a negative impact on our customers’ and partners’ or our own operations globally or in one or more countries or regions. We estimate the probability of occurrence of the risk of severe damages to customers and SAP to be unlikely. If such an occurrence happens, it could have a business-critical impact on our reputation, business, financial position, profit, and cash flows as well as on the achievement of our revenue and operating profit target. We classify this risk as a medium risk.

Undetected defects in the introduction of new products and product enhancements could increase our costs, and reduce customer demand.

Our development investment, including new product launches and enhancements, is subject to risks. For example, software products and services might not completely meet our high-quality standards, including security standards; might not fulfill market needs or customer expectations; or might not comply with local standards and requirements. Furthermore, this risk also exists with respect to acquired companies’ technologies and products where we might not be able to manage these as quickly and successfully as expected. Therefore, market launches, entering new markets, or the introduction of new innovations could be delayed or not be successful.

In addition, new products and cloud offerings, including third-party technologies we have licensed and open source software components we use in those products, could contain undetected defects or they might not be mature enough from the customer’s point of view for business-critical solutions. The detection and correction of any defects especially after delivery could be expensive and time-consuming and we might not be able to meet the expectations of customers regarding time and quality in the defect resolution process. In some circumstances, we might not be in a position to rectify such defects or entirely meet the expectations of customers, specifically as we are expanding our product portfolio into additional markets. As a result, we might be faced with customer claims for cash refunds, damages, replacement software, or other concessions. The risk of defects and their adverse consequences could increase as we seek to introduce a variety of new software products and product enhancements at a higher innovation rate. This is especially relevant for cloud products as delivery cycles are even shorter (up to daily deliveries) and our complete cloud product customer base could receive undetected defects simultaneously. Furthermore, for products that use third-party (not SAP) cloud services, we cannot detect defects in advance. Significant undetected defects or delays in introducing new products or product enhancements could affect market acceptance of SAP software products and could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

The use of existing SAP software products by customers in business-critical solutions and processes and the relative complexity and technical interdependency of our software products and services create a risk that customers or third parties may pursue warranty, performance, or other claims against us for actual or alleged defects in SAP software products, in our provision of services, or in our application hosting services. We have in the past been, and may in the future be, subject to warranty, performance, or other similar claims.

Although our contracts generally contain provisions designed to limit our exposure due to actual or alleged defects in SAP software products or in our provision of services, these provisions may not cover every eventuality or be effective under the applicable law. Regardless of its merits, any claim could entail substantial expense and require the devotion of significant time and attention by key management personnel. Publicity surrounding such claims could affect our reputation and the demand for our software.

We counter these risks using a broad range of techniques, including project management, project monitoring, product standards and governance, and rigid and regular quality assurance measures certified to ISO 9001:2008, applicable to the Applications, Technology and Services segment. Additionally, we conduct program risk assessments during product development as well as market introduction phases, and direct customer feedback is considered in the market release decision process. Delivering high-quality software products is a priority and part of our core business. Our strong investment and permanent efforts lead to a generally high level of quality of our products, which is made transparent in the defined quality perception and support index and confirmed by our constantly high customer satisfaction ratings as measured by customer quality perception reporting.

With regard to the increased volume of open source software components used in our software products and services as well as in the products and services of our acquired companies, we see a possibility that this risk will materialize but rate its probability as unlikely. We cannot completely exclude the possibility that this risk, if it were to occur, could have a business-critical impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

Changes in our rights to use software, cloud services, and technologies we license from third parties that are an integral part of SAP’s products could slow down time to market and influence our license pricing and therefore the competitiveness with other software vendors. Furthermore, it could diminish our software’s or cloud functional capabilities and therefore could jeopardize the stability of our solution portfolio offering.

The numerous third-party solutions we have licensed and certain open source software components we use have become an integral part of our product and service portfolio. We depend on those solutions for the functionality of our software and cloud services. Changes to, or the loss of, third-party licenses as well as open source licenses being construed could significantly increase the cost of these licenses and significantly reduce software or cloud functionality and/or usability of SAP’s software or cloud offerings. As a result, we might incur additional development or license costs to ensure the continued functionality of our products, which could have an adverse effect on our business, financial position, profit, and cash flows. This risk increases with each of our acquisitions of a company or a company’s intellectual property assets that had been subject to third-party solution licensing, open source software and product standards less rigorous than our own.

We strive to execute appropriate due diligence and contract management processes and to continuously monitor development projects through our product implementation lifecycle process and monitoring as part of our cloud deployment.

We believe that the probability of occurrence of this risk is likely and we cannot exclude the possibility of a major impact on our business, financial position, profit, and cash flows, or the possibility of a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.

If we are unable to keep up with rapid technological, process and service innovations, and new business models as well as changing market expectations, we might not be able to compete effectively.

Our future success depends upon our ability to keep pace with technological and process innovations and new business models, as well as our ability to develop new products and services, enhance and expand our existing products and services portfolio, and integrate products and services we obtain through acquisitions. To be successful, we are required to adapt our products and our go-to-market approach to a cloud-based delivery model to satisfy changing customer demand.

We might not be successful in bringing new business models, solutions, solution enhancements, and/or services to market before our competitors. We may also face increasing competition from open source software initiatives in which competitors may provide software and intellectual property free and/or under terms and conditions unfavorable for SAP. In addition, we might not be able to generate enough revenue to offset the significant research and development costs we incur to deliver technological innovations or to offset the required infrastructure costs to deliver our solutions and services as part of our new business models. Moreover, we might not anticipate and develop technological improvements or succeed in adapting our products, services, processes, and business models to technological change, changing regulatory requirements, emerging industry standards, and changing requirements of our customers and partners. Finally, we might not succeed in producing high-quality products, enhancements, and releases in a timely and cost-effective manner to compete with products, solutions, and other technologies offered by our competitors, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

We will continue to align our organization, processes, products, delivery models, and services to changing markets and customer and partner demands. We develop new technology and new solutions such as the next-generation suite SAP S/4HANA or adopt the latest technology if there is a clear business opportunity for SAP and if it provides value to our customers. To ensure that we remain competitive in the future, we still conduct wide-ranging market and technology analyses and research projects, often in close cooperation with our customers and partners. We strive for strategic acquisitions with the potential to drive innovation and contribute to achieving our growth target.

We believe that the likelihood of this risk materializing is remote; however, we cannot exclude the business-critical impact this risk would have on our reputation, business, financial position, profit, and cash flows, or the potential negative deviation from our revenue and operating profit target if it were to materialize. We classify this risk as a medium risk.

Our technology and/or product strategy may not be successful or our customers and partners might not adopt our technology platforms and other innovations accordingly.

We offer customers a broad portfolio of products, solutions, and services. Our technology strategy centers on SAP HANA as a real-time in-memory computing platform for analytics and applications, the SAP S/4HANA suite as the digital core, the business network, and SAP HANA Cloud Platform as our platform-as-a-service offering. The success of our technology strategy depends on the delivery of the new digital framework, as our technology continues to deliver business value to meet changing customer expectations. Our technology strategy also relies on our ability to maintain a dynamic network of partner organizations developing their own business applications using our technology platforms.

We might not be successful in integrating our platforms, enabling the complete product and cloud service portfolio, harmonizing our user interface design and technology, integrating acquired technologies, or bringing new solutions based on the SAP HANA platform as well as SAP HANA Cloud Platform to the market as fast as expected, in particular, innovative applications such as SAP S/4HANA. In addition, we may not be able to compete effectively in the area of cloud services and our new applications and services might not meet customer expectations. As a result, our partner organizations and customers might not adopt our technology platforms, applications, or cloud services quickly enough or they might consider competitive solutions. This could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

We believe that we will be able to deliver additional business value with minimum disruption to our customers if we can successfully drive the integration and convergence of our technology platform offerings, SAP S/4HANA, as well as acquired technologies, enable our current product portfolio for SAP HANA, develop new solutions based on SAP HANA, and offer comprehensive cloud-based services, extendable with SAP HANA Cloud Platform. We enable and encourage partners to leverage SAP technology by providing guidance about business opportunities, architecture, and technology, as well as a comprehensive certification program designed to ensure that relevant third-party solutions are of consistently high quality.

We believe that the likelihood of this risk materializing is unlikely. If this risk were to occur, its impact on our reputation, business, financial position, profit, cash flows, and revenue and operating profit target would be business-critical. We classify this risk as a medium risk.

Our cloud offerings might be subject to a security attack, become unavailable, or fail to perform properly.

The software used in our cloud portfolio is inherently complex and any defects in product functionality, data center operations, or system stability that cause interruptions in the availability of our application portfolio could result in the following:

  • Lost or delayed market acceptance and sales
  • Breach of warranty or other contract breach or misrepresentation claims
  • Sales credits or refunds to our customers or partners
  • Loss of customers and/or partners
  • Diversion of development and customer service resources
  • Breach of data protection and privacy laws and regulations
  • Customers considering competitive cloud offerings
  • Loss of customer satisfaction and brand reputation

The costs incurred in correcting any defects or errors might be substantial and could have an adverse effect on our reputation, business, financial position, profit, and cash flows. The availability of our cloud applications could be interrupted by a number of factors, resulting in customers’ inability to access their cloud applications, system outages, the failure of our network due to human or other errors, security breaches, or variability in user traffic for our cloud applications. Because of the large amount of data that we collect and manage, hardware failures, defects in our software, or errors in our systems could result in data loss or corruption, or cause the information that we collect to be incomplete or contain inaccuracies that our customers regard as significant. Additionally, any loss of the right to use hardware purchased or leased from third parties could result in delays in our ability to provide our cloud applications until equivalent technology is either developed by us or, if available, identified. Furthermore, our cooperation with partners in the area of cloud includes the co-location of data centers that might expose SAP to additional risks in the area of security and data protection, as well as the potential for breached service-level agreements by partners.

We have administrative, technical, and physical security measures in place as well as contracts that require third-party data centers to have appropriate security and data protection and privacy measures in place. In this context, customers might demand to use only specific and/or local data centers. However, if these security measures are breached as a result of third-party action, employee error or malfeasance, or otherwise, and if, as a result, someone obtains unauthorized access to our customers' data, which may include personally identifiable information regarding users, our reputation could be damaged, our business may suffer, local data protection and privacy laws or regulations might be breached, and we could incur significant liability.

In addition, our insurance coverage might not cover claims against us for loss or security breach of data or other indirect or consequential damages. Moreover, defending a suit, regardless of its merit, could be costly and time-consuming. In addition to potential liability, if we experience interruptions in the availability of our cloud applications, our reputation could be harmed and we could lose customers.

Our mitigation measures have been designed and implemented to minimize such adverse effects. We continuously invest in protecting the integrity and security of our products and services as well as internal and external data that is managed within our data centers. We are consolidating and harmonizing our data centers and our data protection measures, including implementing security information and event management solutions as well as network access control enforcement, to run a homogeneous landscape that supports the complex infrastructure, application, and security requirements so that we can deliver the required service level for cloud services.

Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that any disruption of our cloud operations could result in a business-critical impact on our reputation, business, financial position, profit, cash flows, and revenue and operating profit target. We classify this risk as a medium risk.

Operational Risks

Third parties have claimed, and might claim in the future, that we infringe their intellectual property rights, which could lead to damages being awarded against us and limit our ability to use certain technologies in the future.

We believe that we will increasingly be subject to intellectual property infringement claims as our solution portfolio grows; as we acquire companies with increased use of third-party code including open source code; as we expand into new industries with our offerings, resulting in greater overlap in the functional scope of offerings; and as non-practicing entities that do not design, manufacture, or distribute products increasingly assert intellectual property infringement claims. 

Any claims, with or without merit, and negotiations or litigation relating to such claims, could preclude us from utilizing certain technologies in our products, be time-consuming, result in costly litigation, and require us to pay damages to third parties, stop selling or reconfigure our products and, under certain circumstances, pay fines and indemnify our customers, which could have an adverse effect on our business, financial profile, profit, cash flows, and reputation. They could also require us to enter into royalty and licensing arrangements on terms that are not favorable to us, cause product shipment delays, subject our products to injunctions, require a complete or partial redesign of products, result in delays to our customers’ investment decisions, and damage our reputation.

Software includes many components or modules that provide different features and perform different functions. Some of these features or functions may be subject to third-party intellectual property rights. The rights of another party could encompass technical aspects that are similar to one or more technologies in one or more of our products. Intellectual property rights of third parties could preclude us from using certain technologies in our products or require us to enter into royalty and licensing arrangements on unfavorable or expensive terms.

The software industry is making increasing use of open source software in its development work on solutions. We also integrate certain open source software components from third parties into our software. Open source licenses may require that the software code in those components or the software into which they are integrated be freely accessible under open source terms. Third-party claims may require us to make freely accessible under open source terms one of our products or third-party (not SAP) software upon which we depend.

SAP continues to expand our participation in standards organizations and increase the use of such standards in our products. Participation in standards organizations might require the licensing of SAP’s intellectual property to contributors to the standard and to all standards implementers, including competitors, on a non-discriminatory basis in accordance with licensing terms defined by standards organizations. Within the software-related standards field, there is a trend toward expanding the scope of licensing obligations and narrowing an intellectual property owner’s right to revoke a license if sued by a licensee. In certain situations, limitations on SAP’s rights to revoke a license could reduce SAP’s ability to assert a patent infringement claim against a third party. Assertion of patents inadvertently licensed through standards could expose SAP to third-party claims.

Our Legal Compliance and Integrity Office is responsible for constantly assessing and managing risks associated with third-party intellectual property. It works closely with our Global GRC organization. The Legal Compliance and Integrity Office investigates the way we handle intellectual property, sets internal policies, and monitors compliance with these policies.

We consider the probability of this risk materializing to be likely, and that any claims concerning intellectual property rights of third parties, open source requirements, or certain standards could have a business-critical impact on our business, financial position, profit, cash flows and reputation, as well as on the achievement of our revenue and operating profit target, and could also exacerbate the other risks we describe in this report. We classify this risk as a high risk.

We are named as a defendant in various legal proceedings for alleged intellectual property infringements. For more information and a more detailed report relating to certain of these legal proceedings, see the Notes to the Consolidated Financial Statements, Note (23).

Claims and lawsuits against us could have an adverse effect on our business, financial position, profit, cash flows, and reputation.

Claims and lawsuits are brought against us, including claims and lawsuits involving businesses we have acquired. Adverse outcomes to some or all of the claims and lawsuits pending against us might result in the award of significant damages or injunctive relief against us that could hinder our ability to conduct our business and could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

The outcome of litigation and other claims or lawsuits is intrinsically uncertain. Management’s view of the litigation may also change in the future. Actual outcomes of litigation and other claims or lawsuits could differ from the assessments made by management in prior periods, which are the basis for our accounting for these litigations and claims under IFRS.

We consider the probability of occurrence of this risk to be likely, and cannot exclude its business-critical impact on our reputation, business, financial position, profit, cash flows, and revenue and operating profit target if it were to materialize. We classify this risk as a high risk.

For more information and a more detailed report relating to certain of these legal proceedings, see the Notes to the Consolidated Financial Statements, Note (23).

We might not acquire and integrate companies effectively or successfully and our strategic alliances might not be successful.

To expand our business, we acquire businesses, products, and technologies, and we expect to continue to make acquisitions in the future. Over time certain of these acquisitions have increased in size and in strategic importance for SAP. Management negotiation of potential acquisitions and alliances and integration of acquired businesses, products, or technologies demands time, focus, and resources of management and of the workforce. Acquisitions of companies, businesses, and technology expose us to unpredictable operational difficulties, expenditures, and risks. These risks include, among others:

  • Selection of the wrong integration model for the acquired company and/or technology
  • Failure to properly evaluate the acquired business and its different business and licensing models
  • Failure to successfully integrate acquired technologies or solutions into SAP’s solution portfolio and strategy in a timely and profitable manner
  • Failure to integrate the acquired company’s operations across SAP’s different cultures, languages, and local protocols, all within the constraints of applicable local laws
  • Failure to meet the needs of the acquired company’s customers and partners in the combined company
  • The diversion of management’s time and attention from daily operations
  • Loss of key personnel of the acquired business
  • Material unknown liabilities and contingent liabilities of acquired companies, including legal, tax, accounting, intellectual property, or other significant liabilities that may not be detected through the acquisition due diligence process
  • Legal and regulatory constraints (such as contract obligations, privacy frameworks, and agreements)
  • Difficulties in implementing, restoring, or maintaining internal controls, procedures, and policies
  • Practices or policies of the acquired company that may be incompatible with our compliance requirements
  • An adverse effect on relationships with existing customers, partners, or third-party providers of technology or products
  • Difficulties in integrating the acquired company’s accounting, HR, and other administrative systems and coordination of the acquired company’s research and development (R&D), sales, and marketing functions
  • Debt incurrence or significant cash expenditures
  • Constraints in enforcing acquired companies’ compliance with existing SAP security standards in a timely manner
  • Difficulties in customer implementation projects combining technologies and solutions from both SAP and the acquired company

In addition, acquired businesses might not perform as anticipated, resulting in charges for the impairment of goodwill and other intangible assets on our statements of financial position. Such charges may have an adverse effect on our business, financial position, profit, and cash flows. We have entered into, and expect to continue to enter into, alliance arrangements for a variety of purposes, including the development of new products and services. There can be no assurance that any such products or services will be successfully developed or that we will not incur significant unanticipated liabilities in connection with such arrangements. We may not be successful in overcoming these risks and we may therefore not benefit as anticipated from acquisitions or alliances.

We counter these acquisition-related risks with many different methodological and organizational measures. These include technical, operational, financial, and legal due diligence on the company or assets to be acquired and a holistic evaluation of material transaction and integration risks. The methods we use depend on the integration scenario. Our integration planning is detailed and standardized, and carried out by a dedicated integration team. We therefore believe we have minimized this risk.

Although we estimate this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a business-critical impact on our business, financial position, profit, cash flows, and revenue and operating profit target. We classify this risk as a medium risk.

We may not be able to obtain adequate title to, or licenses in, or to enforce, intellectual property.

Protecting and defending our intellectual property is crucial to our success. We use a variety of means to identify and monitor potential risks and to protect our intellectual property. These include applying for patents, registering trademarks and other marks and copyrights, implementing measures to stop copyright and trademark infringement, entering into licensing, confidentiality, and non-disclosure agreements, and deploying protection technology. Despite our efforts, we might not be able to prevent third parties from obtaining, using, or selling without authorization what we regard as our proprietary technology and information. All of these measures afford only limited protection, and our proprietary rights could be challenged, invalidated, held unenforceable, or otherwise affected. Some intellectual property might be vulnerable to disclosure or misappropriation by employees, partners, or other third parties. Third parties might independently develop technologies that are substantially equivalent or superior to our technology. Finally, third parties might reverse-engineer or otherwise obtain and use technology and information that we regard as proprietary. Accordingly, we might not be able to protect our proprietary rights against unauthorized third-party copying or utilization, which could have an adverse effect on our competitive and financial positions, and result in reduced sales. Any legal action we bring to enforce our proprietary rights could also involve enforcement against a partner or other third party, which may have an adverse effect on our ability, and our customers’ ability, to use that partner’s or other third parties’ products. In addition, the laws and courts of certain countries may not offer effective means to enforce our intellectual property rights. This could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

We rely on a combination of the protections provided by applicable statutory and common law rights, including trade secret, copyright, patent, and trademark laws, license and non-disclosure agreements, and technical measures to establish and protect our proprietary rights in our products. We have established various internal programs, such as internal policies, processes, and monitoring, to assess and manage the risks associated with standards organizations, open source, and third-party intellectual property.

We may be dependent in the aggregate on technology that we license from third parties that is embedded in our products or that we resell to our customers. We have licensed and will continue to license numerous third-party software products that we incorporate into and/or distribute with our existing products. We endeavor to protect ourselves in the respective agreements by obtaining certain rights in case such agreements are terminated.

We are party to certain patent cross-license agreements with third parties.

We estimate the probability of this risk occurring as likely, and that it could have a business-critical impact on our reputation, business, financial position, profit, cash flows, and revenue and operating profit target. We classify this risk as a high risk.

SAP’s business strategy focuses on certain business models that are highly dependent on a working cyberspace. A cybersecurity breach could have an adverse effect on our customers, our reputation, and our business.

The key cybersecurity risks currently applicable to us include state-driven economic espionage as well as competitor-driven industrial espionage, and criminal activities including, but not limited to, cyberattacks and “mega breaches” against cloud services and hosted on-premise software. This might result in, for example, disclosure of confidential information and intellectual property, defective products, production downtimes, supply shortages, and compromised data (including personal data). A failure of our cybersecurity measures could impact our compliance with legal demands (for example, Sarbanes-Oxley Act, Payment Card Industry Data Security Standard, data privacy) and expose our business operations as well as service delivery to the described risks, for example, virtual attack, disruption, damage, and/or unauthorized access. Additionally, we could be subject to recovery costs, for example, as well as significant contractual and legal claims by customers, partners, authorities, and third-party service providers for damages against us, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.

To address the increasing cybersecurity threats, we are continuously adapting and modifying our security procedures. We have multiple security measures in place, such as technical IT security measures, identity and access management, and mandatory security and compliance trainings. In addition, our security governance model clearly defines security management accountabilities for all security areas regarding product security and corporate security, which enables us to respond quickly to identified cybersecurity risks. In 2015, we established a global security function as well as an independent security audit department within the Corporate Audit organization to appropriately address potential security threats.

Although we still consider the occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a business-critical impact on our business, financial position, profit, cash flows, and reputation as well as revenue and operating profit target. We classify this risk as a medium risk.

We may not be able to protect our critical information and assets or to safeguard our business operations against disruption.

SAP is highly dependent on the exchange of a wide range of information across our global operations and on the availability of our infrastructure. With regard to our physical environment, we face several key security risks such as industrial and/or economic espionage, serious and organized crime, and other illegal activities, as well as violent extremism and terrorism. We might be endangered by threats including, but not limited to, social engineering, misuse, or theft of information or assets, or damage to assets by trespassers in our facilities or by people who have gained unauthorized physical access to our facilities, systems, or information. These could have an adverse effect on our business, financial profile, profit, and cash flows.

To minimize these risks, we have implemented several technical and organizational measures designed to safeguard our information, IT and facility infrastructure, and other assets. These measures include, for example, physical access control systems at facilities, multilevel access controls, closed-circuit television surveillance, security personnel in all critical areas, and recurring social engineering tests for SAP premises and data centers. Access to information and information systems is controlled using authorization concepts. Managers and employees are regularly sensitized to the issues and given mandatory security and compliance training. We keep these measures under continuous review to mitigate current threats.

Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that any misuse, theft, or breach of security could have a major impact on our business, financial position, profit, and cash flows as well as on our revenue and operating profit target. Due to our strategic transition into cloud business operations, we classify this increased risk as a medium risk.

Our insurance coverage might not be sufficient and we might be subject to uninsured losses.

We maintain insurance coverage to protect us against a broad range of risks, at levels we believe are appropriate and consistent with current industry practice. Our objective is to exclude or minimize risk of financial loss at reasonable cost. However, we may incur losses that may be beyond the limits, or outside the scope, of coverage of our insurance and that may limit or prevent indemnification under our insurance policies. In addition, we might not be able to maintain adequate insurance coverage on commercially reasonable terms in the future. Further, certain categories of risks are currently not insurable at reasonable cost, which could have an adverse effect on our business, financial position, profit, and cash flows. Finally, there can be no assurance of the financial ability of the insurance companies to meet their claim payment obligations.

In view of the scope of our insurance coverage and our selection of insurers, and because we keep our insurance programs under constant review, we believe that the likelihood of this risk materializing is remote.

However, we cannot exclude the possibility of a business-critical impact on our business, financial position, profit, cash flows, and operating profit target if the risk were to occur. We classify this risk as a medium risk.

We could incur significant losses in connection with venture capital investments.

Through Sapphire Ventures (formerly SAP Ventures), our consolidated venture investment funds, we plan to continue investing in new and promising technology businesses. Many such investments initially generate net losses and require additional expenditures from their investors. Changes to planned business operations have in the past affected, and may in the future affect, the performance of companies in which Sapphire Ventures holds investments, and that could have an adverse effect on the value of our investments in Sapphire Ventures, which could have an adverse effect on our business, financial position, profit, and cash flows. Furthermore, tax deductibility of capital losses and impairment in connection with equity securities are often restricted and could therefore have an adverse effect on our effective tax rate.

To address this risk, Sapphire Ventures diversifies its portfolio and manages our investments actively. In addition, our venture capital activities have a limited scope.

We believe that the likelihood of this risk materializing is remote and that if the risk were to occur, its potential impact on our business, financial position, profit, cash flows, and operating profit target would be minor. We classify this risk as a low risk. 

Consolidated Risk Profile

SAP consolidates and aggregates all risks reported by the different business units and functions following our risk management policy, monitored by a Group-wide risk management governance function.

In 2015, we recognized only minor changes in the percentages of all reported risks categorized as “high” or “medium” in our risk-level matrix. The number of risks categorized as “high” accounted for 11% of all reported risks, while the risks categorized as “medium” accounted for 68% of all risks reported in the Risk Factors section.

In our view, considering their likelihood of occurrence and impact level, the risks described in our aggregated risk report do not individually or cumulatively threaten our ability to continue as a going concern. Management remains confident that the Group’s earnings strength forms a solid basis for our future business development and provides the necessary resource to pursue the opportunities available to the Group. Because of our strong position in the market, our technological leadership, our highly motivated employees, and our structured processes for early risk identification, we are confident that we can continue to successfully counter the challenges arising from the risks in our risk profile in 2016.
