Risk Management and Risks
Our Risk Management
Internal Control and Risk Management System
As a global company, SAP is exposed to a broad range of risks across our business operations. As a consequence, our Executive Board has established comprehensive internal control and risk management structures that enable us to identify and analyze risks early and take appropriate action. Our risk management and internal control system is designed to identify potential events that could negatively impact the Company and to provide reasonable assurance regarding the operating effectiveness over our financial reporting while ensuring the achievement of the Company objectives, specifically our ability to achieve our financial, operational, or strategic goals as planned.
This system comprises numerous control mechanisms and is an important element of our corporate decision-making process; it is therefore implemented as an integral part of SAP’s business processes across the entire Group. We have adopted an integrated risk management and internal control approach to ensure that our global risk management efforts are effective while also enabling us to aggregate risks and report on them transparently,
Due to our public listings in both Germany and the United States, we are subject to both German and U.S. regulatory requirements that relate to risk management and internal controls over financial reporting, such as provisions in the German Stock Corporation Act, section 91 (2) and the U.S. Sarbanes-Oxley Act (SOX) of 2002, specifically sections 302 and 404. Hence, our Executive Board has established an early warning system (risk management system) to ensure compliance with applicable regulations and an effective management of risks.
Our risk management system is based on three pillars, which include a dedicated risk management policy and a standardized risk management methodology as well as a global risk management organization. Our internal control system consists of the internal control and risk management system for financial reporting (ICRMSFR) that also covers the broader business environment. In 2016, we adjusted existing control designs to adequately address the changed risk environment and continued to automate our internal control landscape leveraging continuous control monitoring and continuous auditing activities in selected business areas. Using the current Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework of 2013, we define and implement internal controls along the value chain on a process and subprocess level to ensure that sound business objectives are set in line with the organization’s strategic, operational, financial, and compliance goals. In addition, we have a governance model in place across risk management and the internal control system to ensure both systems are effective, as well as a central software solution to store, maintain, and report all risk-relevant information.
Risk Management Policy and Framework
The risk management policy issued by our Executive Board governs how we handle risk in line with the Company’s risk appetite and defines a methodology that is applied uniformly across all parts of the Group. The policy is regularly updated and stipulates who is responsible for conducting risk management activities and defines reporting and monitoring structures. Our global corporate audit function conducts regular audits to assess the effectiveness of our risk management system. Every year, SAP’s external auditor assesses if the SAP SE early risk identification system is adequate to identify risks that might endanger our ability to continue as a going concern. SAP’s enterprise risk management covers risks in the areas of strategy, operational business, financial reporting, and compliance. As of today, the risk management system analyzes risks and only assesses or analyzes opportunities where it is deemed appropriate.
Risk Management Methodology and Reporting
Risk planning and risk identification for both internal and external risks are conducted in cooperation between risk managers and the business units or subsidiaries across the Group. We use various techniques to identify risks. For example, we have identified risk indicators and developed a comprehensive risk catalog that includes risk mitigation strategies for known product, solution, and project risks. Risk identification takes place at various levels of our organization to ensure that common risk trends are identified and end-to-end risk management across organizational borders is enabled. We apply both a qualitative and quantitative risk analysis as well as other risk analysis methods such as sensitivity analyses and simulation techniques.
To determine which risks pose the highest threat to the viability of the SAP Group, we classify them as “high,” “medium,” or “low” based on the likelihood that a risk will occur within the assessment horizon as well as the impact the risk would have on SAP’s business objectives if it were to occur. The scales for measuring these two indicators are given in the following tables.
|Probability/Likelihood of Occurrence|Description|
|---|---|
|1% to 19%|Remote|
|20% to 39%|Unlikely|
|40% to 59%|Likely|
|60% to 79%|Highly Likely|
|80% to 99%|Near Certainty|
In this framework, we define a remote risk as one that will occur only under exceptional circumstances and a near certain risk as one that can be expected to occur within the specified time horizon. The period for analyzing our risks correlates with the respectively associated business activities considering a relevant forecast horizon of up to one year, and up to 2020 where applicable. The period for analyzing the risks that could be possible threats to the Group’s ability to continue as a going concern is eight rolling quarters.
Based on the combination of the likelihood that a risk will occur and its impact on SAP’s reputation, business, financial position, profit, and cash flow, we classify the risks as “high,” “medium,” or “low.”
L = Low Risk; M = Medium Risk; H = High Risk
Risk analysis is followed by risk response and risk monitoring. The risk exposure and the risk description, as well as the appropriateness of agreed responses, are validated by the accountable management. Our risk managers work in close cooperation with the business owners, ensuring that effective strategies are implemented to address risks. Business owners are responsible for continuously monitoring the risks and the effectiveness of mitigation strategies, with support from the respective risk managers. Risks might be reduced by taking active steps based on risk approval. To provide greater risk transparency and enable appropriate decision-making for business owners, we have established a risk delegation of authority (RDOA) for relevant parts of the organization as deemed appropriate. RDOA is a risk management decision-making hierarchy that helps business owners gain timely insight into projects and processes with the greatest risk, so they are better able to review the relevant information, understand the risk profile and associated mitigation strategies, and determine if their approval is warranted. Depending on the exposure, approval is required at different levels of the Company, up to and including the Executive Board.
All identified and relevant risks are reported at the local, regional, and global levels in accordance with our risk management policy. At local, regional, and global levels, we have established executive risk councils that regularly discuss risks and countermeasures and that monitor the success of risk mitigation. In addition, the Executive Board is informed quarterly about individual risks based on clearly defined qualitative reporting criteria. Newly identified or existing significant risks that are above a defined threshold, meet a qualitative criterion, or have a potentially significant impact are also reported to the chairperson of the Supervisory Board and to the Audit Committee of the Supervisory Board. This includes any risks to the ability to continue as a going concern.
We also have a process in place that analyzes those risks with respect to potential effects on liquidity, excessive indebtedness, and insolvency, which could be possible threats to the Group’s ability to continue as a going concern.
Risk Management Organization
Our global risk management organization (Global GRC) ensures the Group-wide systematic identification, assessment, management, and monitoring of operational, financial, compliance, and strategic risks as well as opportunities. In addition, the Global GRC function is responsible for the standardized internal risk reporting to risk committees on different levels within the Company in line with the internal GRC Risk Reporting Standard, including the Executive Board, the chairperson of the Supervisory Board and the Audit Committee of the Supervisory Board, along with the external risk reporting. Furthermore, Global GRC is responsible for the regular maintenance and implementation of our risk management policy.
Operational, financial, and strategic risk management is uniformly implemented at SAP. Independent GRC risk managers are assigned to each of SAP’s important business units and business activities and to selected strategic initiatives. All GRC risk managers, together with assigned risk contacts in the business units, continuously identify and assess risks associated with material business operations using a uniform approach and monitor the implementation and effectiveness of the measures chosen to mitigate risks. Further financial risk management activities are performed by our global treasury function, and risk management of compliance risks is performed by our Legal Compliance & Integrity Office.
During the merger and acquisition and post-merger integration phase, newly acquired companies are subject to risk management performed by our Corporate Development M&A function. Furthermore, as long as they are not integrated, existing risk management structures are maintained or enhanced within the acquired companies for purposes of compliance with legal requirements.
Risk managers are responsible for supporting and monitoring the implementation of risk management across the Group that is both effective and compliant with regulatory requirements and SAP’s global risk management policy. Based on our risk management policy, all risks and risk-related matters must be reported to the Global GRC organization.
The head of Global GRC, who reports to the Group CFO, is responsible for SAP’s internal control and risk management program, and provides regular updates to the Audit Committee of the Supervisory Board. The overall risk profile of the Group is consolidated by the head of Global GRC,
Internal Control and Risk Management System for Financial Reporting
The purpose of our system of internal control over financial reporting is to provide reasonable assurance that our financial reporting is reliable and in compliance with applicable generally accepted accounting principles. Because of the inherent limitations of internal control over financial reporting, it might not prevent or bring to light all potential misstatements in our financial statements.
SAP’s internal control and risk management system for financial reporting (ICRMSFR) is based on our Group-wide risk management methodology. The ICRMSFR includes organizational, control, and monitoring structures designed to ensure that data and information concerning our business are collected, compiled, and analyzed in accordance with applicable laws and properly reflected in the IFRS Consolidated Financial Statements.
Our ICRMSFR also includes policies, procedures, and measures designed to ensure compliance of SAP’s financial reports with applicable laws and standards. We analyze new statutes, standards, and other pronouncements concerning IFRS accounting and its impact on our financial statements and ICRMSFR. Failure to adhere to these new statutes, standards, and other pronouncements would present a substantial risk to the compliance of our financial reporting. Finally, the ICRMSFR has both preventive and detective controls, including, for example, automated and non-automated reconciliations, segregated duties with two-person responsibility, authorization concepts in our software systems, and corresponding monitoring measures.
Our Corporate Financial Reporting (CFR) department codifies all accounting policies in our global group accounting and revenue recognition guidelines. These policies, the corporate closing schedule, and our process handbooks together define the closing process. Under this closing process, we prepare, predominately through centralized and outsourced services, the financial statements of all SAP legal entities for consolidation by our CFR department. The CFR department and other corporate departments assist in the efforts to comply with Group accounting policies and monitor the accounting work. The department also conducts reviews of our accounting processes and books.
We have outsourced some work, such as valuing projected benefit obligations and share-based payment obligations, quarterly tax calculations for most entities, and purchase price allocations in the context of asset acquisitions and business combinations. We have also outsourced the preparation of the local statutory financial statements for most of our subsidiaries. The employees who work on SAP’s financial reporting receive training in the respective policies and processes.
Based on an analysis of the design and operating effectiveness of our respective internal controls over financial reporting, a committee presents the results of the assessment on the ICRMSFR effectiveness with respect to our IFRS Consolidated Financial Statements as at December 31 each year to the Group CFO. The committee meets regularly to set the annual scope for the test of effectiveness, to evaluate any possible weaknesses in the controls, and to determine measures to address them adequately. During its own meetings, the Audit Committee of the Supervisory Board regularly scrutinizes the resulting assessments of the effectiveness of the internal controls over financial reporting with respect to the IFRS consolidated financial statements.
The assessment of the effectiveness of the ICRMSFR related to our IFRS consolidated financial statements was that on December 31, 2016, the Group had an effective internal control system over financial reporting in place.
Additionally, and in compliance with German commercial law requirements, SAP maintains an effective internal control system beyond financial reporting. This is supported through automated controls (continuous control monitoring) as part of our business processes.
Risk Management and Internal Control Governance
Our Executive Board is responsible for ensuring the effectiveness of the risk management and internal control system. The effectiveness of both systems and their implementation in the different Executive Board areas is monitored by each board member. We regularly provide a status on the risk management and the internal control system to the Audit Committee. Key risks are reported quarterly to the chairperson of the Supervisory Board and to the Audit Committee of the Supervisory Board. The Audit Committee of the Supervisory Board regularly monitors the effectiveness of SAP’s risk management and internal control system. At the direction of our Audit Committee, the Corporate Audit department regularly audits various aspects of the risk management system and its effectiveness. Additional reassurance is obtained through the external audit of the effectiveness of our internal control system over financial reporting and the early warning system.
Software Solution Deployed
We use our own risk management software, SAP solutions for GRC powered by SAP HANA, to effectively support the governance process. Risk managers record and address identified risks using our risk management software to help create transparency across all known risks that exist in the Group, as well as to facilitate risk management and the associated risk reporting. Our continuous controls monitoring activities are performed utilizing our GRC software as well. This information is available to managers through a mobile app as well as regularly issued reports, and is consolidated and aggregated for the quarterly risk report to the Executive Board. The solution also supports the risk-based approach of the ICRMSFR.
controlling, but are broken down by the same risk categories we use in our internal risk management system reporting structure. An overview of the risk factors presented below is outlined in the following table. It categorizes the risk factors according to our framework detailed in the Risk Management Methodology and Reporting section.
Overview Risk Factors
|Risk Factor|Probability of Occurrence|Impact|Risk Level|Evolution 1)|
|---|---|---|---|---|
|Economic, Political, Social, and Regulatory Risk| | | | |
|Global Economy|likely|business critical|high|→|
|International Business Activities|unlikely|major|medium|→|
|Environmental, Social, and Political Instability|unlikely|business critical|medium|→|
|Maintenance Business and Support|unlikely|business critical|medium|→|
|Market Development for Cloud|unlikely|business critical|medium|→|
|Market Share and Profit|unlikely|major|medium|→|
|Business Strategy Risks| | | | |
|Demand for New and Existing Solutions|remote|business critical|medium|→|
|Cloud Business Model|remote|business critical|medium|→|
|Relationships with Partners|unlikely|major|medium|→|
|Human Capital Risks| | | | |
|Managing the Geographically Dispersed Workforce|remote|major|low|→|
|Attract, Develop, and Retain People|unlikely|major|medium|→|
|Organizational and Governance-Related Risks| | | | |
|Corporate Governance Laws and Regulations|unlikely|major|medium|→|
|Data Protection and Privacy|unlikely|business critical|medium|→|
|Climate Change, Energy, and Emissions|unlikely|moderate|low|→|
|Communication and Information Risks| | | | |
|Unauthorized Disclosure of Information|remote|business critical|medium|→|
|Quarterly Sales Fluctuations|unlikely|moderate|low|→|
|Management Use of Estimates|unlikely|moderate|low|→|
|Compliance with Accounting Pronouncements|unlikely|major|medium|→|
|Currency, Interest Rate and Share Price Fluctuations|remote|major|low|→|
|Product and Technology Risks| | | | |
|Product Security|unlikely|business critical|medium|→|
|Undetected Defects in Products|unlikely|business critical|medium|→|
|Technology and Product Strategy|unlikely|business critical|medium|→|
|Operation of SAP Cloud Data Centers|unlikely|business critical|medium|→|
|Infringement of Intellectual Property|likely|business critical|high|→|
|Mergers and Acquisitions|unlikely|business critical|medium|→|
|Enforcement of Intellectual Property|likely|business critical|high|→|
1) Evolution: Risk Level compared with previous year.
All described risks are applicable to a different extent to our reportable segments (Applications, Technology & Services and SAP Business Network) unless otherwise noted.
SAP SE is the parent company of the SAP Group. Consequently, the risks described below also apply, directly or indirectly, to SAP SE.
Economic, Political, Social, and Regulatory Risk
Our business is influenced by multiple risk factors that are both difficult to predict and beyond our influence and control. These factors include global economic and business conditions, and fluctuations in national currencies. Other examples are political developments and general regulations as well as budgetary constraints or shifts in spending priorities of national governments.
Macroeconomic developments, such as financial market volatility episodes, global economic crises, chronic fiscal imbalances, slowing economic conditions, or disruptions in emerging markets, could limit our customers’ ability and willingness to invest in our solutions or delay purchases. In addition, changes in the euro conversion rates for particular currencies might have an adverse effect on business activities with local customers and partners. Furthermore, political instability in regions such as Africa and the Middle East, political crises (including Brazil, Great Britain, Greece, Syria, Turkey, Ukraine, or Venezuela), sanctions (such as those placed on Russia), natural disasters, pandemic diseases (such as Ebola in West Africa) and terrorist attacks (including the attacks in Brussels, Belgium, in March 2016, or in Nice, France, in July 2016) could contribute to economic and political uncertainty.
These events could reduce the demand for SAP software and services, and lead to:
- Delays in purchases, decreased deal size, or cancellations of proposed investments
- Potential lawsuits from customers due to denied provision of service as a result of sanctioned-party lists or export control issues
- Higher credit barriers for customers, reducing their ability to finance software purchases
- Increased number of bankruptcies among customers, business partners, and key suppliers
- Increased default risk, which might lead to significant impairment charges in the future
- Market disruption from aggressive competitive behavior, acquisitions, or business practices
- Increased price competition and demand for cheaper products and services
Any one or more of these developments could reduce our ability to sell and deliver our software and services which could have an adverse effect on our business, financial position, profit, and cash flows.
SAP has established measures and conducted scenario analyses to address and mitigate the described risks and adverse effects to the extent possible. We offer our customers standard software and product packages that are fast and easy to install, as well as financially attractive financing, software licensing, and subscription models. Our ongoing shift to a higher share of cloud subscriptions and software support revenue streams will lead to more predictable streams over time providing increased stability against financial volatility. Furthermore, we continue to apply cost discipline internally and have a conservative financial planning policy. Additionally, SAP is continuously reshaping its organizational structure and processes to increase efficiency.
We estimate the probability of occurrence of this risk to be likely. Therefore, we cannot completely exclude the possibility that it will have a business-critical impact on our business, financial position, profit, and cash flows. This could exacerbate the other risks we describe in this report or cause a negative deviation from our revenue and operating profit target. We classify this risk as a high risk.
Our international business activities and processes expose us to numerous, sometimes even conflicting laws and regulations, policies, standards or other requirements, and to risks that could harm our business, financial position, profit, and cash flows.
We are a global company and currently market our products and services in more than 180 countries and territories in the Americas (Latin America and North America); Asia Pacific Japan (APJ); and Europe, Middle East, and Africa (EMEA) regions. Our business in these countries is subject to numerous risks inherent in international business operations. Among others, these risks include:
- Data protection and privacy regulations regarding access by government authorities to customer, partner, or employee data
- Data residency requirements (the requirement to store certain data only in and, in some cases, also to access such data only from within a certain jurisdiction)
- Conflict and overlap among tax regimes
- Possible tax constraints impeding business operations in certain countries
- Expenses associated with the localization of our products and compliance with local regulatory requirements
- Discriminatory or conflicting fiscal policies
- Operational difficulties in countries with a high corruption perception index
- Protectionist trade policies, import and export regulations, and trade sanctions and embargoes
- Works councils, labor unions, and immigration laws in different countries
- Difficulties enforcing intellectual property and contractual rights in certain jurisdictions
- Country-specific software certification requirements
- Challenges with effectively managing a large distribution network of third-party companies
- Compliance with various industry standards (such as Payment Card Industry Data Security Standard)
- Market volatilities or workforce restrictions due to changing laws and regulations resulting from political decisions (e.g. Brexit, government elections)
As we expand into new countries and markets, these risks could intensify. The application of the respective local laws and regulations to our business is sometimes unclear, subject to change over time, and often conflicting among jurisdictions. Additionally, these laws and government approaches to enforcement are continuing to change and evolve, just as our products and services continually evolve. Compliance with these varying laws and regulations could involve significant costs or require changes in products or business practices. Non-compliance could result in the imposition of penalties or cessation of orders due to alleged non-compliant activity. We do not believe we have engaged in any activities sanctionable under these laws and regulations, but governmental authorities could use considerable discretion in applying these statutes and any imposition of sanctions against us could be material. One or more of these factors could have an adverse effect on our operations globally or in one or more countries or regions, which could have an adverse effect on our business, financial position, profit, and cash flows.
We address these risks with various measures depending on the circumstances on which SAP will not compromise, including, for example, a strong legal and compliance office presence in the main countries, compliance safeguards supported and monitored by SAP legal teams and the Legal Compliance & Integrity Office, maintaining an effective data protection and privacy office and associated policy, receiving guidance from external economics consultants, law firms, tax advisors, and authorities in the concerned countries, and taking legal actions when necessary.
Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a major impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
Social and political instability caused by state-based conflicts, terrorist attacks, civil unrest, war, or international hostilities might disrupt SAP’s business operations.
Terrorist attacks (such as in Turkey, in March, June, August, and December 2016) as well as other acts of violence or war, civil, religious, and political unrest (such as in Turkey, Ukraine, and Venezuela; Israel, Libya, Syria, and in other parts of the Middle East; and parts of Africa); natural disasters (such as hurricanes, flooding, or similar events); or pandemic diseases (such as Ebola in West Africa) could have a significant adverse effect on the local economy and beyond. Such an event could lead, for example, to the loss of a significant number of our employees, or to the disruption or disablement of operations at our locations, and could affect our ability to provide business services and maintain effective business operations. Furthermore, this could have a significant adverse effect on our partners as well as our customers and their investment decisions, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.
Our mitigation measures have been designed and implemented to minimize such adverse effects. In an effort to ensure continuous operations of all business processes, we have been implementing and operating a worldwide business continuity management and crisis management system. To enable effective response and minimize possible losses in case of crisis situations, we have installed local crisis management teams at our main locations, supplemented by regional crisis management teams for the Americas (including Latin America and North America), APJ (including Greater China), and EMEA regions, and a global crisis management team.
To protect our key IT infrastructure (especially our data centers), critical business systems, and processes from material adverse effects in crisis situations, disaster recovery and business continuity plans have been developed that include implementation of data redundancies and daily data backup strategies. To verify and improve our approach, our IT-related organizations have been certified to the internationally recognized ISO 22301:2013 (Business Continuity Management) standard with regards to the Applications, Technology & Services segment. In addition, our corporate headquarters, which houses certain critical business functions, is located in the German state of Baden-Württemberg. This area has historically been free of natural disasters.
With regards to the relevance of current and anticipated political crisis situations and acts of violence impacting SAP’s business, we believe that this risk is unlikely to materialize; however, we cannot exclude the possibility of such a risk occurring and having a business-critical impact on our reputation, business, financial position, profit, and cash flows, or causing a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
In 2016, we continued to depend materially on the success of our support portfolio and on our ability to deliver high-quality services. Traditionally, our large installed customer base generates additional new software, maintenance, consulting, and training revenue. Despite the high quality and service level of our transformed and expanded service offering in the area of premium support services, we might be unable to meet customer expectations with regards to delivery and value proposition. This might lead to a potentially adverse impact on customer experience. Existing customers might cancel or not renew their maintenance contracts, decide not to buy additional products and services, not subscribe to our cloud offerings, or accept alternative offerings from other vendors. In addition, the increasing volume in our cloud business as well as the conversion of traditional on-premise licenses to cloud subscriptions licenses and an increased complexity in our maintenance and support cycle across our diverse solutions and offerings could have a potential negative impact on our software and maintenance revenue streams. This could have an adverse effect on our business, financial position, profit, and cash flows.
Working closely with SAP user groups, we continuously demonstrate the business value and the benefits of our solution, service and support portfolio in terms of innovation, quality, and high service level as well as through customer references and success stories. Additionally, we continuously monitor the performance and the perceived value of our services and the satisfaction of our customers. We implement mitigating steps where required and deliberately invest into alignments and improvements in order to benefit our customers.
The SAP Digital Business Services organization is combining responsibility for services and support in regards to the Applications, Technology & Services segment. This organization offers a wide range of support, including premium support services (SAP MaxAttention and SAP ActiveEmbedded), and professional services to increase business benefit for our customers. For the SAP Business Network segment, we continue the established service and support models.
With regards to our volume in cloud business as well as the conversion of traditional on-premise licenses to cloud subscriptions licenses, we estimate the probability of this risk materializing to be unlikely. However, we cannot completely exclude the possibility that it could have a business-critical impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue. We classify this risk as a medium risk.
The success of our cloud computing strategy depends on positive market perception and increasing market adoption of our cloud solutions and managed cloud services. Insufficient adoption of our solutions and services could lead to a loss of SAP’s position as a leading cloud company.
The market for cloud computing is increasing and shows strong growth relative to the market for our on-premise solutions. To offer a broad cloud service portfolio and generate the associated business value for our customers, we continue to invest in innovation and acquisitions. Due to ongoing contracts and previous substantial investments to integrate traditional on-premise enterprise software into their businesses, as well as concerns about data protection, total cost of ownership, functional capacities, migration, security and integration capabilities, and reliability, customers and partners might be reluctant or unwilling to migrate to the cloud.
Other factors that could affect the market acceptance, adoption and extension of cloud solutions and services include:
- Concerns with entrusting a third party to store and manage critical employee or company confidential data
- Customer concerns about security capabilities and reliability
- Customer concerns about the ability to scale operations for large enterprise customers
- Inadequate level of configurability or customizability of the software
- Missing integration scenarios between on-premise products and cloud-to-cloud solutions
- Failure to securely and successfully deliver cloud services by any cloud service provider could have a negative impact on customer trust in cloud solutions
- Strategic alliances among our competitors and/or their growth-related efficiency gains in the cloud area could lead to significantly increased competition in the market with regards to pricing and ability to integrate solutions
- Failure to get the full commitment of our partners might reduce speed and impact in market reach
- Failure to comply with increasing governance on data privacy and data residence
- Challenge in defining adequate solution packages and scope for all customer segments
If organizations do not perceive the benefits of cloud computing, the market for cloud business might not develop further, or it might develop more slowly than we expect, either of which could have an adverse effect on our business, competitiveness, financial position, profit, reputation and cash flows.
In addition to measures to communicate the business value of our cloud solutions to the market, we invest significantly in infrastructure and processes in an effort to ensure secure operations of our cloud solutions including the adaptation of cloud service delivery to local and/or specific market requirements (such as local or regional data centers) and compliance with all local legal regulations regarding data protection and privacy as well as data security.
Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a business-critical impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify the risk as a medium risk.
Our market share and profit could decline due to increased competition, market consolidation and technological innovation as well as new business models in the software industry.
The software industry continues to evolve rapidly and is currently undergoing a significant shift due to innovations in the areas of enterprise mobility, machine learning, augmented and virtual reality, cybersecurity, Big Data, hyperconnectivity, the Internet of Things, digitization, supercomputing, cloud computing, and social media. While smaller innovative companies tend to create new markets organically, large traditional IT vendors tend to enter such markets mostly through acquisitions. SAP faces increased competition in its business environment from traditional, new and in particular cooperating competitors. This competition could cause price pressure, cost increases, and loss of market share, which could have an adverse effect on our business, financial position, profit, and cash flows.
Additionally, related to our Applications, Technology & Services segment, customers could change their buying behavior by accelerating their acceptance of cloud solutions to reduce their investments, which might have a temporary adverse effect on our operating results. Furthermore, the trend in the market to invest more in cloud solutions might lead to a risk of the potential loss of existing on-premise customers. It might also have a temporary adverse effect on our revenue due to the number of conversions from on-premise licenses to cloud subscriptions from existing SAP customers in our installed base, as we recognize cloud subscriptions revenue over the respective service provision, which typically ranges from one to three years, with some up to five years.
We believe we will be able to protect our leadership in the market by continuing to execute successfully on our customer-centric innovation strategy, which is driven by a mix of organic growth, targeted acquisitions, and attractive cloud solution offerings. To compete successfully in the market, we continuously enhance our global processes and adjust our organizational structures. Furthermore, in the Applications, Technology & Services segment, we have policies in place to effectively manage conversions from on-premise software arrangements to cloud arrangements.
Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a major impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
Business Strategy Risks
Our business consists of new software licenses, software license updates, services and maintenance fees as well as cloud subscriptions. Our customers are expecting to take advantage of technological breakthroughs from SAP without compromising their previous IT investments. However, the introduction of new SAP solutions, technologies, and business models as well as delivery and consumption models is subject to uncertainties as to whether customers will be able to perceive the additional value and realize the expected benefits we deliver along our road maps. There is a risk that such uncertainties might lead customers to wait for proofs of concept or holistic integration scenarios through reference customers or more mature versions first, which might result in a lower level of adoption of our new solutions, technologies, business models, and flexible consumption models, or no adoption at all, possibly impacting customer satisfaction and retention. This could have an adverse effect on our business, financial position, profit, and cash flows.
To mitigate this risk, SAP is balancing the distribution of our strategic investments by evolving and protecting our core businesses and simultaneously developing new solutions, technologies, and business models for markets, such as those in analytics, applications, and database and technology. Furthermore, we continuously demonstrate the benefits of our solution and services portfolio through end-to-end integration scenarios, homogeneous and compelling user interfaces, customer references and success stories as well as the provision of support excellence to ensure customer satisfaction with and after the implementation of our solution.
We estimate the probability of occurrence of this risk to be remote, but cannot completely exclude the possibility that this risk could have a business-critical impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. Furthermore, unsuccessful launches of flagship products/offerings could negatively affect market perception. We classify this risk as a medium risk.
Though downturns or upturns in cloud sales might not be immediately reflected in our operating results, any decline in our customer renewals would harm the future operating results of our cloud business.
We recognize cloud subscriptions revenue as we provide the respective services, which typically range from one to three years, with some up to five years. This revenue recognition and our increasing subscription revenues could have a temporary adverse effect on our financial position, profit, and cash flows.
To maintain or improve our operating results in the cloud business, it is important that our customers renew their agreements with us when the initial contract term expires and purchase additional modules or additional capacity. Our customers have no obligation to renew their subscriptions after the initial subscription period, and we cannot assure that customers will renew subscriptions at the same or at a higher level of service, or at all. Our customers’ renewal rates might decline or fluctuate as a result of various factors, including their satisfaction or dissatisfaction with our cloud solution and services portfolio; our ability to efficiently provide cloud services according to customer expectations and meeting the service level agreements, service availability and provisioning, the integration capabilities of our cloud solutions into their existing IT environment (including hybrid solutions combining both cloud and on-premise solutions); our customer support; concerns regarding stable, efficient, and secure cloud operations and compliance with legal and regulatory requirements; our pricing; the pricing of competing products or services; mergers and acquisitions affecting our customer base; global economic conditions; and reductions in our customers’ spending levels.
If our customers do not renew their subscriptions, if they renew on terms less favorable to us, or do not purchase additional modules or users, our revenue and billings might decline, and our operating results could be negatively impacted. This could have an adverse effect on our business, financial position, profit, and cash flows.
We share our overall long-term cloud strategy and our integration road map with our customers and continuously implement improvements to enhance our cloud solutions, including instant provisioning, a consumer-grade user experience, and a fast time to value, among others. To continuously improve our services, we closely monitor all issues and work together with customers to perform a root-cause analysis and provide solutions to identified problems. We have a strong focus on providing our cloud services efficiently and according to customer expectations, including service provisioning, quality, and security as well as data protection and privacy.
Furthermore, we are continuously improving and adapting cloud services delivery and license models to local and/or specific market requirements (such as local or regional data centers, customer expectations, and in accordance with legal and regulatory requirements).
Although we estimate the probability of occurrence of this risk to be remote, we cannot completely exclude the possibility that this risk could have a business-critical impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
If we are unable to scale and enhance an effective partner ecosystem, revenue might not increase as expected.
An open and vibrant partner ecosystem is a fundamental pillar of our success and growth strategy. We have entered into partnership agreements that drive co-innovation on our platforms, profitably expand all our routes to market to optimize market coverage, optimize cloud delivery, and provide high-quality services capacity in all market segments. Partners play a key role in driving market adoption of our entire solutions portfolio, by co-innovating on our platforms, embedding our technology, and reselling and/or implementing our software.
If partners consider our products or services model less strategic and/or financially less attractive compared to our competition and/or less appropriate for their respective channel and target market, if partners fear direct competition by SAP or if SAP fails to establish and enable a network of qualified partners meeting our quality requirements and the requirements of our customers, then, among other things, partners might not:
- Develop a sufficient number of new solutions and content on our platforms
- Provide high-quality products and services to meet customer expectations
- Drive growth of references by creating customer use cases and demo systems
- Embed our solutions sufficiently to profitably drive product adoption, especially with innovations such as SAP S/4HANA and SAP Cloud Platform (formerly called SAP HANA Cloud Platform)
- Enable and train sufficient resources to promote, sell, and support to scale to targeted markets
- Comply with applicable quality requirements expected by our customers, resulting in delayed, disrupted, or terminated sales and services
- Transform their business model in accordance with the transformation of SAP’s business model in a timely manner
- Renew their existing agreements with us or enter into new agreements on terms acceptable to us or at all
- Provide ability and capacity to meet customer expectations regarding service provisioning
If one or more of these risks materialize, this might have an adverse effect on the demand for our products and services as well as the partner’s loyalty and ability to deliver. As a result, we might not be able to scale our business to compete successfully with other software vendors, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.
SAP continues to invest in long-term, mutually beneficial relationships and agreements with partners. We continue to develop and enhance a wide range of partner programs to retain existing and attract new partners of all types. We offer training opportunities to a wide range of resources for our partners and additionally provide demo solutions to enable partners to lead business value discussions on cloud and on-premise solutions with customers. A thorough certification process for third-party solutions has been designed and established to ensure consistent high-quality and seamless integration.
We estimate the probability of occurrence of this risk to be unlikely, and we cannot exclude the possibility that this risk could have a major impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target if it were to materialize. We classify this risk as a medium risk.
Human Capital Risks
Our success is dependent on appropriate alignment of our internal and external workforce planning processes, adequate resource allocation and our location strategy with our general strategy. It is critical that we manage our internationally dispersed workforce effectively, taking short- and long-term workforce and skill requirements into consideration. This applies to the management of our internal as well as our external workforce. Changes in headcount and infrastructure needs as well as local legal or tax regulations could result in a mismatch between our expenses and revenue. Failure to manage our geographically dispersed workforce effectively could hinder our ability to run our business efficiently and successfully and could have an adverse effect on our business, financial position, profit, and cash flows.
We focus on mitigating this risk through a range of activities including succession management; workforce planning (which aims to achieve diversity and the right mix of talent and to take account of demographic changes); outsourcing; external short-term staffing; employer branding; career management (such as offering opportunities for short-term assignments and opportunities to improve skills, competencies, and qualifications); and extended benefit programs – for example, a performance-oriented remuneration system, an employer-financed pension plan in certain countries, and long-term incentive plans.
We estimate this risk to be a remote possibility, but we cannot completely exclude the possibility of this risk to have a major impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a low risk.
If we are unable to attract, develop, and retain leaders and employees with specialized knowledge and technology skills, or are unable to achieve internal diversity and inclusion objectives, we might not be able to manage our operations effectively and successfully, or develop successful new solutions and services.
Our highly qualified workforce is the foundation for our continued success. In certain regions and specific technology and solution areas, we continue to set very high growth targets, specifically in countries and regions such as Africa, China, Latin America, and the Middle East. In the execution of SAP’s strategic priorities, we depend on highly skilled and specialized personnel and leaders, both male and female. Successful maintenance and expansion of our highly skilled and specialized workforce in the area of cloud is a key success factor for our transition to be the leading cloud company. The availability of such personnel as well as business experts is limited and, as a result, competition in our industry is intense and could expose us to claims by other companies seeking to prevent their employees from working for a competitor. If we are unable to identify, attract, develop, motivate, adequately compensate, and retain well-qualified and engaged personnel, or if existing highly skilled and specialized personnel leave SAP and ready successors or adequate replacements are not available or we cannot allocate our workforce as required due to local regulations and associated restrictions, we might not be able to manage our operations effectively, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows. Furthermore, we might not be able to develop, sell, or implement successful new solutions and services as planned. This is particularly true as we continue to introduce new and innovative technology offerings and expand our business in emerging markets. The lack of appropriate or inadequately executed benefit and compensation programs could limit SAP’s ability to attract or retain qualified employees and lead to financial losses. In addition, we might not be able to achieve our internal gender diversity objectives to increase the number of women in management from 18% in 2010 to 25% by end of 2017.
These risks notwithstanding, we continue to believe our leading market position, employer brand, and extended benefit programs will enable us to hire top talent internationally with the potential to contribute to SAP’s growing business success in the future. We address the risk of an adverse effect on our business operations from a failure to recruit the employees we need or from the loss of leaders and employees by seeking to build employee and leadership strengths through a range of targeted professional development, mentoring, and coaching programs; a gender diversity program, which in September 2016 was globally awarded the Economic Dividends for Gender Equality (EDGE) certificate in recognition of commitment to gender equality in the workplace; and a special focus on accelerated high-potential employee development that aims to develop talent as well as leadership talent, in particular. A strong focus on succession planning for leadership and key positions seeks to ensure sustainable leadership and to safeguard the business from disruption caused by staff turnover.
Although the risks related to failure to attract, develop, and retain talent could materialize, we believe that this is unlikely and that the impact on our reputation, business, financial position, profit, and cash flows, or potential negative deviation from our revenue and operating profit target would be major. We classify this risk as a medium risk.
Organizational and Governance-Related Risks
As a European company domiciled in Germany with securities listed in Germany and the United States, we are subject to European, German, U.S., and other governance-related regulatory requirements. Changes in laws and regulations and related interpretations, including changes in accounting standards and taxation requirements, and increased enforcement actions, sanctions, for example United States sanction requirements for Iran, and penalties might alter the business environment in which we operate. Regulatory requirements have become significantly more stringent in recent years, and some legislation, such as the anticorruption legislation in Germany, the U.S. Foreign Corrupt Practices Act, the UK Bribery Act, and other local laws prohibiting corrupt payments by employees, vendors, distributors, or agents, is being applied more rigorously. Emerging markets are a significant focus of our international growth strategy. The nature of these markets presents a number of inherent risks. A failure by SAP to comply with applicable laws and regulations, or any related allegations of wrongdoing against us, whether merited or not, could have an adverse effect on our business, financial position, profit, cash flows and reputation.
It is difficult to assess the precise potential risk, because there is a wide variety of complex legal and regulatory requirements that apply, and therefore an equally wide variety of potential non-compliance scenarios exist.
However, we continuously monitor new and increased regulatory requirements, updated or new enforcement trends, and publicly available information on compliance issues in the computer software industry, the emerging markets where we invest our resources, and in the business environment in general to cope with an increase in regulation enforcement efforts of certain countries or state-driven protectionism. Based on this information and any other available sources, we continuously update and refresh our compliance programs to improve our effectiveness and to ensure that our employees understand and comply with the SAP Code of Business Conduct. This process is coordinated by our Legal Compliance and Integrity Office, a team of dedicated resources who are tasked with managing our policy-related compliance measures. Our chief compliance officer coordinates policy implementation, training, and enforcement efforts throughout SAP. Those efforts are monitored and tracked to allow trending and risk analysis and to ensure consistent policy application throughout the SAP Group. Despite our comprehensive compliance programs and established internal controls, intentional efforts of individuals to circumvent controls or engage in fraud for personal gains cannot always be prevented.
With regards to the increase of regulation enforcement efforts we have already experienced and continue to expect as well as state-driven protectionism, we estimate the likelihood of this risk to be unlikely. We cannot completely exclude the possibility that this risk could have a major impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
Non-compliance with applicable data protection and privacy laws or failure to adequately meet the requirements of SAP’s customers with respect to our products and services could lead to civil liabilities and fines, as well as loss of customers and damage to SAP’s reputation.
As a global software and service provider, SAP is required to comply with local laws wherever SAP does business. Consequently, we must ensure that any legal requirements in connection with the provision of products and services are properly implemented. With regard to data protection requirements, in May 2016, the EU enacted a “General Data Protection Regulation” (GDPR), as a successor to the Data Protection Directive of 1995, with the aim of further harmonizing data protection laws across the EU. The GDPR will be directly applicable law in all EU and EEA member states as of May 25, 2018 after a two-year transition period. Within limits, member states can supplement the GDPR with additional national rules. Overall, the GDPR does not introduce substantial new concepts. It rather focuses on stronger compliance requirements and enforces them vigorously on every business that processes personal data of individuals in the EU/EEA, regardless of where that business is established. Some of the new rules are subject to further definition by the authorities, though, and others leave room for interpretation.
Risks for SAP include:
- Violations of the GDPR might be punished with financial penalties of up to the higher of €20 million or 4% of the responsible company’s annual global turnover. Further administrative measures include mandatory instructions by the data protection supervisory authorities relating to specific processing activities, up to their prohibition. Non-compliance might further lead to legal claims from affected individuals and consumer protection organizations. Where SAP processes data on behalf of its customers, violations might lead to damage claims from customers. Non-compliance further bears the risk of reputational losses if violations become publicly known.
- Where member states can supplement the GDPR with additional national rules, there is a risk that data protection law will not be fully harmonized across Europe. As a consequence, SAP would have to continue to adapt its products and services to the individual national requirements.
- The data protection concepts of the GDPR do not adequately reflect the latest technological developments, such as big data and machine learning. If the GDPR cannot be interpreted in a way that allows for such technologies, or revised as necessary, SAP might not be able to use and offer products and services that implement such technologies in the EU/EEA.
Overall, these laws and regulations amend and supplement existing requirements regarding the processing of personal data that SAP and SAP customers must fulfill and which we must consequently address with our products and services, including cloud delivery. Failure to comply with applicable laws or to adequately address privacy concerns of customers, even if unfounded, could lead to investigations by supervisory authorities, civil liability, fines (in the future, potentially calculated based on the Company’s annual revenue), loss of customers, and damage to our reputation, and could have an adverse effect on our business, financial position, profit, and cash flows.
To mitigate risks due to legal non-compliance, SAP actively monitors changes to applicable laws and regulations so that we can take adequate measures and certify our existing standards and policies on an ongoing basis. We have implemented a wide range of measures to protect data controlled by SAP and our customers from unauthorized access and processing, as well as from accidental loss or destruction. This includes, among others, a continuous enhancement of our data center operations worldwide, also taking into account local and/or sector-specific market and legal requirements. We have implemented a certified data protection management system in areas critical to data protection, such as digital business services, human resources (HR), marketing, products and innovation, and custom development, whereby implementation is audited internally as well as externally by the British Standards Institution on an annual basis. Furthermore, customers are provided with security certifications (such as ISO/IEC 27001), security white papers, and reports from our independent auditors and certification bodies.
With regard to the GDPR, the Data Protection & Privacy (DPP) team initiated a project that established a working group across all board areas. The aim of this project is to constructively assist all SAP business units to ensure compliance with the GDPR. DPP and Government Relations (GR) teams continue to work together and actively voice our opinion through industry-recognized associations. This is in addition to DPP’s direct involvement with the European Commission and data protection authorities of member states. Such actions intend to achieve a use-oriented and forward-looking interpretation of the law while balancing protection of personal privacy as well as aiming to enhance European competitiveness.
We estimate this risk to be unlikely, and cannot rule out the possibility of it having a business-critical impact on our business, financial position, profit, and cash flows, and causing damage to our reputation, or causing a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
Failure to meet customer, partner, or other stakeholder expectations or generally accepted standards on climate change, energy constraints, and our social investment strategy could negatively impact SAP’s business, results of operations, and reputation.
Energy and emissions management are an integral component of our holistic management of social, environmental, and economic risks and opportunities. We have identified risks in these major areas:
- Our solutions
- Our own operations: energy management and other environmental issues such as carbon management, water use, and waste
Because our customers, employees, and investors expect a reliable energy and carbon strategy, we have reemphasized our environmental policy and our previously communicated targets, especially our 2020 target for greenhouse gas emissions. In case these targets cannot be achieved, our customers might no longer recognize SAP for our environmental leadership and might buy other vendors' products and services. Consequently, we could fail to achieve our revenue target. If we do not meet stakeholder expectations in the areas identified, our rating in sustainable investment indexes might decrease, which could have an adverse effect on our reputation, profit, and share price.
In recent years, SAP has shown that it is possible to take a proactive position on social and environmental issues while delivering robust financial growth. As a result, we received great recognition for our sustainability efforts. As a proof point for SAP’s sustainability performance, we continue to be listed in the most prominent and recognized sustainability indexes, such as the Dow Jones Sustainability Indices and the CDP Climate Performance and Disclosure Leadership Indices. In 2016, SAP’s greenhouse gas emissions added up to 380 kilotons CO2, which means we came in 20 kilotons under our greenhouse gas emissions target of 400 kilotons. If we do not meet our greenhouse gas emissions target for 2020, we might fail to meet expectations regarding our energy and emission performance.
We believe that the risk of failing to meet expectations regarding our energy and emission strategy is unlikely to occur and that if the risk were to occur, it would only have a moderate impact on our reputation, business, financial position, profit, and cash flows, as well as on the achievement of our revenue and operating profit target. We classify this risk as a low risk.
Unethical behavior and non-compliance with our integrity standards due to intentional and fraudulent employee behavior could seriously harm our business, financial position, profit, and reputation.
SAP’s leadership position in the global market is founded on the long-term and sustainable trust of our stakeholders worldwide. Our heritage is one of corporate transparency, open communication with financial markets, and adherence to recognized standards of business integrity. The SAP Code of Business Conduct, adopted by the Executive Board on January 29, 2003, and updated as necessary since then, memorialized and supplemented the already existing guidelines and expectations for the business behavior practiced at SAP.
However, we might encounter unethical behavior and non-compliance with our integrity standards due to intentional and fraudulent behavior of individual employees, possibly in collusion with external third parties. In addition to intentional behavior, problems could also arise due to negligence in the adherence to rules and regulations, especially in countries with a high Corruption Perceptions Index and continuously increasing business activities in profoundly regulated industries such as public sector, healthcare, banking or insurance. Unethical behavior and misconduct attributable to SAP could not only lead to criminal charges, fines, and claims by injured parties, but also to financial loss, and severe reputational damage. This could have an adverse effect on our business, financial position, profit, and cash flows.
To help prevent this, we instituted a comprehensive compliance management system (CMS), which is based on the three pillars of prevention, detection, and reaction. Our CMS program comprises several educational, counseling, control, and investigative instruments. The objective is to minimize and mitigate the risk of unethical behavior, whether intentional or negligent.
The SAP Code of Business Conduct is mandatory and applies to every SAP employee. It provides legal compliance guidance on how to avoid unethical behavior and solve dilemma situations. On an annual basis, the SAP Code of Business Conduct is re-confirmed by SAP’s workforce (except where disallowed by local legal regulations). We also rolled out and enforced various additional compliance policies aimed at managing third parties and preventing misuse of third-party payments for illegal purposes; ensuring controls around travel, entertainment, gift, and expense policies; and promoting a commitment to business with integrity through our partner and vendor ecosystems. These efforts are flanked by continuous education including e-learning and classroom training to target audiences as identified by compliance risk assessment. The overall CMS approach by SAP is continuously monitored internally and externally, and adapted accordingly, if needed.
Although we estimate the probability of occurrence of intentional or negligent major unethical conduct to be unlikely, we cannot exclude the possibility that this risk could materialize. In that event, this risk could have a major impact on our reputation, business, financial position, profit, and cash flows and could cause a negative deviation from our operating profit target. We classify this risk as a medium risk.
Communication and Information Risks
Confidential information and internal information related to topics such as our strategy, new technologies, mergers and acquisitions, unpublished financial results, customer data or personal data, could be prematurely or inadvertently disclosed and subsequently lead to market misperception and volatility. This could require us to notify multiple regulatory agencies and comply with applicable regulatory requirements and, where appropriate, the data owner, which could result in a loss of reputation for SAP. For example, leaked information during a merger or acquisition deal could cause the loss of our deal target, or our share price could react significantly in case of prematurely published financial results. This could have an adverse effect on our market position and lead to fines and penalties. In addition, this could have an adverse effect on our business, financial position, profit, and cash flows.
We take a wide range of actions to prevent unauthorized disclosure of information, including procedural and organizational measures. These measures include mandatory compliance baseline training for all employees (including fundamentals of security awareness, data privacy and data protection, compliance, and communication), social engineering tests, standards for safe internal and external communication, and technical security features in our IT hardware and communication channels, such as mandatory encryption of sensitive data.
Additionally, we organizationally combined all security groups into one global security unit. This combined organization strengthens our security capabilities and offers a wide range of policies, guidelines, and support for the successful execution of SAP’s security measures.
With the digital transformation and the increased use of cloud solutions and social media by employees, a continual adoption of internal security measures is important to achieve and maintain an effective and appropriate level of data protection and privacy and to reinforce the position of SAP as a trusted partner for its customers.
Although we estimate the likelihood of occurrence of this risk to be remote, we cannot completely exclude the possibility that this risk could have a business-critical impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our operating profit target. We classify this risk as a medium risk.
Our revenue and operating results can vary and have varied in the past, sometimes substantially, from quarter to quarter. Our revenue in general, and our software revenue in particular, is difficult to forecast for a number of reasons, including:
- The relatively long sales cycles for our products
- The large size, complexity, and extended timing of individual customer transactions
- The introduction of licensing and deployment models such as cloud subscription models
- The timing of the introduction of new products and services or product and service enhancements by SAP or our competitors
- Changes in customer budgets
- Decreased software sales that could have an adverse effect on related maintenance and services revenue
- The timing, size, and length of customers' services projects
- Deployment models that require the recognition of revenue over an extended period of time
- Adoption of, and conversion to, new business models leading to changed or delayed payment terms
- Seasonality of customers' technology purchases
- Limited visibility during the ongoing integration of acquired companies into their ability to accurately predict their sales pipelines and the likelihood that the projected pipeline will convert favorably into sales
- Other general economic, social, environmental, and market conditions, such as a global economic crisis and difficulties for countries with large debt
Since many of our customers make their IT purchasing decisions near the end of calendar quarters, and with a significant percentage of those decisions being made during our fourth quarter, even a small delay in purchasing decisions for our on-premise software could have an adverse effect on our revenue results for a given year. Our dependence on large transactions has decreased in recent years with a trend towards an increased number of transactions while the average deal size is more or less constant.
However, the loss or delay of one or a few large opportunities could have an adverse effect on our business, financial position, profit, and cash flows.
We use a “pipeline” system for forecasting sales and trends in our business. Pipeline analysis informs and guides our business planning, budgeting, and forecasting, but pipeline estimates do not necessarily consistently correlate to revenue in a particular quarter, potentially due to one or more of the reasons outlined above. The reliability of our plans, budgets, and forecasts might therefore be compromised. Because our operating expenses are based upon anticipated revenue levels and a high percentage of our expenses are relatively fixed in the near term, any shortfall in anticipated revenue or delay in revenue recognition could result in significant variations in our operating results from quarter to quarter or year to year. Continued deterioration in global economic conditions would make it increasingly difficult for us to accurately forecast demand for our products and services, and could cause our revenue, operating results, and cash flows to fall short of our expectations and public forecasts. This could have an adverse effect on our stock price. To the extent any future expenditure fails to generate the anticipated increase in revenue, our quarterly or annual operating results might be subject to an adverse effect and might vary significantly compared to preceding or subsequent periods. As we recognize cloud subscriptions and support revenue over the respective service period that typically ranges from one-to-three years with some up to five years, the relevance and impact of sales fluctuations decrease along with the growing importance of these revenues.
Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a moderate impact on our business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a low risk.
External factors could impact our liquidity and increase the default risk associated with, and the valuation of, our financial assets.
Macroeconomic factors such as an economic downturn could have an adverse effect on our future liquidity. We use a globally centralized financial management to control financial risk, such as liquidity, exchange rate, interest rate, counterparty, and equity price risks. The primary aim is to maintain liquidity in the SAP Group at a level that is adequate to meet our obligations at any time. Our total Group liquidity is supported by our strong operating cash flows, of which a large part is recurring, and by credit facilities from which we can draw if necessary. However, adverse macroeconomic factors could increase the default risk associated with the investment of our total Group liquidity including possible liquidity shortages limiting SAP’s ability to repay financial debt. This could have an impact on the value of our financial assets, which could have an adverse effect on our business, financial position, profit, and cash flows.
SAP’s investment policy with regards to total Group liquidity is set out in our internal treasury guideline, which is a collection of uniform rules that apply globally to all companies in the SAP Group. Amongst others, it requires that we invest, with limited exceptions, only in assets and funds rated BBB flat or better. The weighted average rating of the investments of our total Group liquidity is in the area of A–. We continue to pursue a policy of cautious investment characterized by wide portfolio diversification with a variety of counterparties, predominantly short-term investments, and standard investment instruments.
Although we estimate the probability of occurrence of this risk to be remote, there can be no assurance that the prescribed measures will be successful or that uncertainty in global economic conditions could not have a major impact on our business, financial position, profit, cash flows, or operating profit target. We classify this decreased risk as a low risk.
Management use of estimates could negatively affect our business, financial position, profit, and cash flows.
To comply with IFRS, management is required to make numerous judgments, estimates, and assumptions that affect the reported financial figures. The facts and circumstances, as well as assumptions on which management bases these estimates and judgments and management’s judgment regarding the facts and circumstances, might change over time and this could result in significant changes in the estimates and judgments and, consequently, in the reported financials. There is a risk that such changes could have an adverse effect on our business, financial position, profit and cash flows.
We have a number of control procedures in place to make sure that our estimates and judgments are adequate. For example, we apply two-person verification to significant estimating.
Although we estimate the probability of occurrence of the risk to be unlikely, we cannot completely exclude the possibility of a moderate impact on our business, financial position, profit, and cash flows, or a negative deviation from our revenue and operating profit target. We classify this risk as a low risk.
Current and future accounting pronouncements and other financial reporting standards, especially but not only concerning revenue recognition, might negatively impact our financial results.
We regularly monitor our compliance with applicable financial reporting standards and review new pronouncements and drafts thereof that are relevant to us. As a result of new standards, changes to existing standards (including the new IFRS 15 on revenue from contracts with customers that we will need to adopt in 2018) and changes in their interpretation, we might be required to change our accounting policies, particularly concerning revenue recognition, to alter our operational policies so that they reflect new or amended financial reporting standards, or to restate our published financial statements. Such changes might have an adverse effect on our reputation, business, financial position, and profit, or cause an adverse deviation from our revenue and operating profit target.
Although we estimate the probability of occurrence of the risk to be unlikely, we cannot completely exclude the possibility of a major impact. We classify this risk as a medium risk.
As a globally operating company, SAP is subject to various financial risks, which could negatively impact our business, financial position, profit, and cash flows.
Because we are operating throughout the world, a significant portion of our business is conducted in foreign currencies. In 2016, approximately 73% of our revenue was attributable to operations in foreign currencies and therefore gets translated into our reporting currency, the euro. Consequently, period-over-period fluctuations can significantly impact our financial results. In general, an appreciation of the euro has an adverse effect while a depreciation has a positive effect. In addition to exchange rate risks, we are exposed to interest rate and share price fluctuations due to variable interest bearing assets and liabilities and share-based compensation plans for our employees and executives.
We continuously monitor our exposure to all of these financial risks and have implemented adequate procedures to mitigate them. For example, we pursue a group-wide foreign exchange risk management strategy to hedge balance sheet items and expected cash flows in foreign currencies by using derivative financial instruments as appropriate. We have a balanced maturity profile and mixture of fixed and floating interest rate arrangements in place to hedge against interest rate risk and use derivative instruments to reduce the impact of our share-based compensation plans on our income statement and cash flow.
Nevertheless, financial risks could negatively impact our business, financial position, profit, and cash flows. We believe the likelihood of such a risk with a material adverse effect on our financial results is remote and if the risk were to occur, its impact on our business, financial position, profit, and cash flows could be major. We classify this risk as a low risk.
For more information about risks arising from financial instruments, including our currency and interest rate risks and our related hedging activity, see the Notes to the Consolidated Financial Statements section, Notes (24) to (25).
A core element of our business is the successful implementation of software and service solutions to enable our customers to master complexity and help our customers’ business run at their best. The implementation of SAP software and cloud-based service deliveries is led by SAP, by partners, by customers, or by a combination thereof. Depending on various factors, such as the complexity of solutions, the customer’s implementation, integration and migration needs, or the resources required, SAP faces a number of different risks. For example, functional requirement changes, delays in timeline, or deviation from recommended best practices might occur during the course of a project. These scenarios have a direct impact on the project resource model and on securing adequate internal personnel or consultants in a timely manner and could therefore prove challenging.
Other aspects that could potentially affect our projects and deliveries, especially during the transition to the cloud, are security breaches or unauthorized access to confidential data, operational data center and infrastructure disruptions, and local legislation with regard to data privacy.
As a result of these and other risks, SAP and/or some of our customers have incurred significant implementation costs in connection with the purchase and installation of SAP software products and solutions. Some customer implementations have taken longer than planned and failed to generate the profit originally expected. We cannot guarantee that we can reduce or eliminate protracted installation or significant third-party consulting costs, for example, that trained consultants will be readily available, that our costs will not exceed the fees agreed in fixed-price contracts, or that customers will be satisfied with the implementation of our software and solutions. Unsuccessful, lengthy, or costly customer implementation and integration projects could result in claims from customers, harm SAP’s reputation, and could have an adverse effect on our business, financial position, profit, and cash flows. Additionally, potentially new contracting models based on subscription models for services, support, and application management might lead to challenges from a financial position perspective including profit and cash flow.
Our customers continue to follow project approaches to optimize their IT solutions in a non-disruptive manner. Our projects also include risk management processes that are integrated into SAP project management methods intended to safeguard implementations with coordinated risk and quality management programs. As part of our processes, we make adequate financial planning provisions for the remaining individual risks.
We estimate the probability of this risk to be unlikely, but we cannot completely exclude the possibility that this risk could have a major negative impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
Product and Technology Risks
Customer systems or systems operated by SAP itself to provide services could potentially be compromised by vulnerabilities if they are exploited by hackers. This could lead to theft, destruction, or abuse of data, or systems could be rendered unusable (for example, due to distributed denial of service attacks). The detection of security vulnerabilities in our software, our customers’ systems, or SAP systems used in the provision of services, especially in case of exploitation, could prevent us from meeting our contractual obligations and subsequently might lead to customer claims and reputational damage, which might have an adverse effect on our business, financial position, profit, and cash flows.
We have implemented a software security development lifecycle as a mandatory integral part of our software development process. For the Applications, Technology & Services segment we systematically align our software security development lifecycle to the recommendations of ISO/IEC 27034, applying methods to develop secure software in all development phases starting early in the design phase. This includes industry best practices such as security risk identification, threat modeling, a comprehensive security testing strategy, mandatory security training for all developers, and security validation of our products, patches, and services before shipment.
SAP has a software security response process in place to rapidly react to detected vulnerabilities and provide fixes. We have also improved the roll-out procedures for security-relevant notes, patches, and service packs to ensure easy and fast consumption on the customer side. However, with regards to the Applications, Technology & Services segment, there is a risk that customers do not upgrade or patch their business systems on a timely basis according to SAP’s recommendations.
We cannot completely exclude the possibility of a negative impact on our customers’ and partners’ or our own operations globally or in one or more countries or regions. We estimate the probability of occurrence of the risk of severe damages to customers and SAP to be unlikely. If such an occurrence happens, it could have a business-critical impact on our reputation, business, financial position, profit, and cash flows as well as on the achievement of our revenue and operating profit target. We classify this risk as a medium risk.
Undetected defects in the introduction of new products, product enhancements and cloud offerings could increase our costs, and reduce customer demand.
Our development investment, including new product launches and enhancements, is subject to risks. For example, software products and services might not completely meet our high-quality standards, including security standards; might not fulfill market needs or customer expectations; or might not comply with local standards and requirements. Furthermore, this risk also exists with respect to acquired companies’ technologies and products where we might not be able to manage these as quickly and successfully as expected. Therefore, market launches, entering new markets, or the introduction of new innovations could be delayed or not be successful.
In addition, new products and cloud offerings, including third-party technologies we have licensed and open source software components we use in those products, could contain defects that go undetected or are detected only after shipment, or might not be mature enough from the customer’s point of view for business-critical solutions, in spite of all the due diligence SAP puts into quality and security. The detection and correction of any defects, especially after delivery, could be expensive and time-consuming, and in some cases we might not be able to meet the expectations of customers regarding time and quality in the defect resolution process. In some circumstances, we might not be in a position to rectify such defects or entirely meet the expectations of customers, specifically as we are expanding our product portfolio into additional markets. As a result, we might have to fix defects in our software after shipment (so-called security response) or in some cases even face customer claims for cash refunds, damages, replacement software, or other concessions. The risk of defects and their adverse consequences could increase as we seek to introduce a variety of new software products and product enhancements at a higher innovation rate. This is especially relevant for cloud products as delivery cycles are even shorter (up to daily deliveries) and our complete cloud product customer base could receive undetected defects simultaneously. Furthermore, for products that use third-party (not SAP) cloud services, we might not always be able to detect defects in advance. Significant undetected defects or delays in introducing new products or product enhancements could affect market acceptance of SAP software products and could have an adverse effect on our reputation, business, financial position, profit, and cash flows.
The use of existing SAP software products by customers in business-critical solutions and processes and the relative complexity and technical interdependency of our software products and services create a risk that customers or third parties might pursue warranty, performance, or other claims against us for actual or alleged defects in SAP software products, in our provision of services, or in our application hosting services. We have in the past been, and might in the future be, subject to warranty, performance, or other similar claims.
Although our contracts generally contain provisions designed to limit our exposure due to actual or alleged defects in SAP software products or in our provision of services, these provisions might not cover every eventuality or be effective under the applicable law. Regardless of its merits, any claim could entail substantial expense and require the devotion of significant time and attention by key management personnel. Publicity surrounding such claims could affect our reputation and the demand for our software.
We counter these risks using a broad range of techniques, including project management, project monitoring, product standards and governance, and rigid and regular quality assurance measures certified to ISO 9001:2008, applicable to the Applications, Technology & Services segment. Additionally, we are introducing a new and improved risk-based secure software development lifecycle with all the training, tools, and processes in place to develop secure software. This ranges from specific security training curricula for our developers and threat modeling at the beginning of every development project (to identify potential risks early on) to centrally provided security tools (for example, static and dynamic analysis tools) and a holistic security testing strategy to validate the state of security for every product before market introduction. In addition, direct customer feedback is considered in the market release decision process. Delivering high-quality software products is a priority and part of our core business. Our strong investment and permanent efforts lead to a generally high level of quality of our products, which is made transparent in the defined quality perception and support index and confirmed by our constantly high customer satisfaction ratings as measured by customer quality perception reporting.
With regard to the increased volume of open source software components used in our software products and services as well as in the products and services of our acquired companies, we see a possibility that this risk could materialize but rate the probability as unlikely. We cannot completely exclude the possibility that this risk, if it were to occur, could have a business-critical impact on our reputation, business, financial position, profit, and cash flows, or cause a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
Changes in our rights to use software, cloud services, and technologies we license from third parties that are an integral part of SAP’s products and services could slow down time to market and influence our license pricing and therefore the competitiveness with other software vendors. Furthermore, it could diminish our software’s or cloud functional capabilities and therefore could jeopardize the stability of our solution portfolio offering.
The numerous third-party solutions we have licensed and certain open source software components we use have become an integral part of our product and service portfolio. We depend on those solutions for the functionality of our software and cloud services. Changes to, or the loss of, third-party licenses as well as open source licenses being construed could significantly increase the cost of these licenses and significantly reduce software or cloud functionality and/or usability or availability of SAP’s software or cloud offerings. As a result, we might incur additional development or license costs to ensure the continued functionality of our products, experience delays in our ability to offer or have to stop offering our products for sale, which could have an adverse effect on our business, financial position, profit, and cash flows. This risk increases with each of our acquisitions of a company or a company’s intellectual property assets that had been subject to third-party solution licensing, open source software and product standards less rigorous than our own.
We strive to execute appropriate due diligence and contract management processes and to continuously monitor development projects through our product implementation lifecycle process and monitoring as part of our cloud deployment.
We believe that the probability of occurrence of this risk is likely and we cannot exclude the possibility of a major impact on our business, financial position, profit, and cash flows, or the possibility of a negative deviation from our revenue and operating profit target. We classify this risk as a medium risk.
If we are unable to keep up with rapid technological, process and service innovations, and new business models as well as changing market expectations, we might not be able to compete effectively.
Our future success depends upon our ability to keep pace with technological and process innovations and new business models, as well as our ability to develop new products and services, enhance and expand our existing products and services portfolio, and integrate products and services we obtain through acquisitions. To be successful, we are required to adapt our products and our go-to-market approach to a cloud-based delivery and consumption model to satisfy changing customer demand and to ensure an appropriate level of adoption, customer satisfaction and retention.
We might not be successful in bringing new business models, solutions, solution enhancements, and/or services to market before our competitors or at equally favorable conditions. We might also face increasing competition from open source software initiatives, or comparable models in which competitors might provide software and intellectual property free and/or under terms and conditions unfavorable for SAP. In addition, we might not be able to generate enough revenue to offset the significant research and development costs we incur to deliver technological innovations or to offset the required infrastructure costs to deliver our solutions and services as part of our new business models. Moreover, we might not anticipate and develop technological improvements or succeed in adapting our products, services, processes, and business models to technological change, changing regulatory requirements, emerging industry standards, and changing requirements of our customers and partners. Finally, we might not succeed in producing high-quality products, enhancements, and releases in a timely and cost-effective manner to compete with our competitors, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.
We will continue to align our organization, processes, products, delivery and consumption models, and services to changing markets and customer and partner demands. We develop new technology and new solutions such as the next-generation suite SAP S/4HANA or the next-generation business warehouse BW/4HANA. Furthermore, we explore future trends as well as the latest technologies, for example, through our network of innovation centers under the leadership of our chief innovation officer, and adopt them if there is a clear business opportunity for SAP and if they provide value to our customers. To ensure that we remain competitive in the future, we conduct wide-ranging market and technology analyses and research projects, often in close cooperation with our customers and partners. We strive for strategic acquisitions with the potential to drive innovation and contribute to achieving our growth target.
We believe that the likelihood of this risk materializing is remote; however, we cannot exclude the business-critical impact this risk would have on our reputation, business, financial position, profit, and cash flows, or the potential negative deviation from our revenue and operating profit target if it were to materialize. We classify this risk as a medium risk.
Our technology and/or product strategy might not be successful or our customers and partners might not adopt our technology platforms and other innovations as expected.
We might not be successful in integrating our platforms and solutions, enabling the complete product and cloud service portfolio, harmonizing our user interface design and technology, integrating acquired technologies, or bringing new solutions based on the SAP HANA platform as well as SAP HANA Cloud Platform to the market as fast as expected, in particular, innovative applications such as SAP S/4HANA or new technologies such as Internet of Things or machine learning. In addition, we might not be able to compete or partner effectively in the area of cloud services, and our new applications and services might not meet customer expectations, possibly impacting customer satisfaction and retention. As a result, our partner organizations and customers might not adopt our technology platforms, applications, or cloud services quickly enough or they might consider other competitive solutions in the market. This could have an adverse effect on our reputation, business, financial position, profit, and cash flows.
We believe that we will be able to deliver additional business value with minimum disruption to our customers if we can successfully drive the integration and convergence of our technology platform offerings, SAP S/4HANA, as well as acquired technologies, enable our current product portfolio for SAP HANA, develop new solutions based on SAP HANA, and offer comprehensive cloud-based services, extendable with SAP HANA Cloud Platform. We enable and encourage partners to leverage SAP technology by providing guidance about business opportunities, architecture, and technology, as well as a comprehensive certification program designed to ensure that relevant third-party solutions are of consistently high quality.
We believe that the likelihood of this risk materializing is unlikely. If this risk were to occur, its impact on our reputation, business, financial position, profit, cash flows, and revenue and operating profit target would be business-critical. We classify this risk as a medium risk.
Our cloud offerings and related infrastructure might be subject to a security attack, become unavailable, or fail to perform properly.
The software used in our cloud portfolio is inherently complex and any defects in product functionality, data center operations, or system stability that cause interruptions in the availability of our application portfolio could result in the following:
- Lost or delayed market acceptance and sales
- Breach of warranty or other contract breach or misrepresentation claims
- Sales credits or refunds to our customers or partners
- Loss of customers and/or partners
- Diversion of development and customer service resources
- Breach of data protection and privacy laws and regulations
- Customers considering competitive cloud offerings
- Loss of customer satisfaction and brand reputation
The costs incurred in correcting any defects or errors might be substantial and could have an adverse effect on our reputation, business, financial position, profit, and cash flows. The availability of our cloud applications could be interrupted by a number of factors, resulting in customers’ inability to access their cloud applications or receive their service level, system outages or downtimes, failure of our network due to human or other errors, security breaches, or variability in user traffic for our cloud applications. Because of the large amount of data that we collect and manage, hardware failures, defects in our software, or errors in our systems could result in data loss or corruption, or cause the information that we collect to be incomplete or contain inaccuracies that our customers regard as significant. Additionally, any loss of the right to use hardware purchased or leased from third parties could result in delays in our ability to provide our cloud applications until equivalent technology is either developed by us or, if available, identified. Furthermore, our cooperation with partners in the area of cloud includes the co-location of data centers that might expose SAP to additional risks in the area of security and data protection, as well as the potential for breached service-level agreements by partners.
We have administrative, technical, and physical security measures in place as well as contracts that require third-party data centers to have appropriate security and data protection and privacy measures in place. In this context, customers might demand to use only specific and/or local data centers. However, if these security measures are breached as a result of third-party action, employee error or malfeasance, or otherwise, and if, as a result, someone obtains unauthorized access to our customers' data, which might include personally identifiable information regarding users, our reputation could be damaged, our business might suffer, local data protection and privacy laws or regulations might be breached, and we could incur significant liability.
In addition, our insurance coverage might not cover claims against us for loss or security breach of data or other indirect or consequential damages. Moreover, defending a suit, regardless of its merit, could be costly and time-consuming. In addition to potential liability, if we experience interruptions in the availability of our cloud applications, our reputation could be harmed and we could lose customers.
Our mitigation measures have been designed and implemented to minimize such adverse effects. We continuously invest in protecting the integrity and security of our products and services as well as internal and external data that is managed within our data centers. We are consolidating and harmonizing our data centers and our data protection measures, including implementing security information and event management solutions as well as network access control enforcement, and we monitor and invest to continuously improve our disaster recovery and business continuity capabilities, to run a homogeneous landscape that supports the complex infrastructure, application, and security requirements so that we can deliver the required service level for cloud services.
Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that any disruption of our cloud operations could result in a business-critical impact on our reputation, business, financial position, profit, cash flows, and revenue and operating profit target. We classify this risk as a medium risk.
We believe that we will continuously be subject to intellectual property infringement claims as our solution portfolio grows; as we acquire companies with increased use of third-party code including open source code; as we expand into new industries with our offerings, resulting in greater overlap in the functional scope of offerings; and as non-practicing entities that do not design, manufacture, or distribute products increasingly assert intellectual property infringement claims.
Any claims, with or without merit, and negotiations or litigation relating to such claims, could preclude us from utilizing certain technologies in our products, be time-consuming, result in costly litigation, and require us to pay damages to third parties, stop selling or reconfigure our products and, under certain circumstances, pay fines and indemnify our customers, which could have an adverse effect on our business, financial profile, profit, cash flows, and reputation. They could also require us to enter into royalty and licensing arrangements on terms that are not favorable to us, cause product shipment delays, subject our products to injunctions, require a complete or partial redesign of products, result in delays to our customers’ investment decisions, and damage our reputation.
Software includes many components or modules that provide different features and perform different functions. Some of these features or functions might be subject to third-party intellectual property rights. The rights of another party could encompass technical aspects that are similar to one or more technologies in one or more of our products. Intellectual property rights of third parties could preclude us from using certain technologies in our products or require us to enter into royalty and licensing arrangements on unfavorable or expensive terms.
The software industry is making increasing use of open source software in its development work on solutions. We also integrate certain open source software components from third parties into our software. Open source licenses might require that the software code in those components or the software into which they are integrated be freely accessible under open source terms. Third-party claims might require us to make freely accessible under open source terms one of our products or third-party (not SAP) software upon which we depend.
SAP continues to participate in standards organizations and increases the use of such standards in its products. Participation in standards organizations might require the licensing of SAP’s intellectual property to contributors to the standard and to all standards implementers, including competitors, on a non-discriminatory basis in accordance with licensing terms defined by standards organizations. Within the software-related standards field, there is a trend toward expanding the scope of licensing obligations and narrowing an intellectual property owner’s right to revoke a license if sued by a licensee. In certain situations, limitations on SAP’s rights to revoke a license could reduce SAP’s ability to assert a patent infringement claim against a third party. Assertion of patents inadvertently licensed through standards could expose SAP to third-party claims.
Our Legal Compliance & Integrity Office sets and manages internal policies related to our Code of Business Conduct including the handling of third-party intellectual property. Corporate Audit monitors compliance with these policies through various investigations. Our Global GRC organization works closely with both the Legal Compliance & Integrity Office and Corporate Audit and is responsible for the management and reporting of potential risks associated with third-party intellectual property.
We consider the probability of this risk materializing to be likely, and that any claims concerning intellectual property rights of third parties, open source requirements, or certain standards could have a business-critical impact on our business, financial position, profit, cash flows and reputation, as well as on the achievement of our revenue and operating profit target, and could also exacerbate the other risks we describe in this report. We classify this risk as a high risk.
We are named as a defendant in various legal proceedings for alleged intellectual property infringements. For more information and a more detailed report relating to certain of these legal proceedings, see the Notes to the Consolidated Financial Statements, Note (23).
Claims and lawsuits against us could have an adverse effect on our business, financial position, profit, cash flows, and reputation.
Claims and lawsuits are brought against us, including claims and lawsuits involving businesses we have acquired. Adverse outcomes to some or all of the claims and lawsuits pending against us might result in the award of significant damages or injunctive relief against us that could hinder our ability to conduct our business and could have an adverse effect on our reputation, business, financial position, profit, and cash flows.
The outcome of litigation and other claims or lawsuits is intrinsically uncertain. Management’s view of the litigation might also change in the future. Actual outcomes of litigation and other claims or lawsuits could differ from the assessments made by management in prior periods, which are the basis for our accounting for these litigations and claims under IFRS.
We consider the probability of occurrence of this risk to be likely, and cannot exclude its business-critical impact on our reputation, business, financial position, profit, cash flows, and revenue and operating profit target if it were to materialize. We classify this risk as a high risk.
For more information and a more detailed report relating to certain of these legal proceedings, see the Notes to the Consolidated Financial Statements, Note (23).
We might not acquire and integrate companies effectively or successfully and our strategic alliances might not be successful.
To expand our business, we acquire businesses, products, and technologies, and we expect to continue to make acquisitions in the future. Over time certain of these acquisitions have increased in size and in strategic importance for SAP. Management negotiation of potential acquisitions and alliances and integration of acquired businesses, products, or technologies demand time, focus, and resources of management and of the workforce. Acquisitions of companies, businesses, and technology expose us to unpredictable operational difficulties, expenditures, and risks. These risks include, among others:
- Selection of the wrong integration model for the acquired company and/or technology
- Failure to properly evaluate the acquired business and its different business and licensing models
- Incorrect assumptions during the due diligence process leading to negative contribution with regard to an acquired company
- Failure to successfully integrate acquired technologies or solutions into SAP’s solution portfolio and strategy in a timely and profitable manner
- Failure to integrate the acquired company’s operations across SAP’s different cultures, languages, and local protocols, all within the constraints of applicable local laws
- Failure to meet the needs of the acquired company’s customers and partners in the combined company
- The diversion of management’s time and attention from daily operations
- Loss of key personnel of the acquired business
- Material unknown liabilities and contingent liabilities of acquired companies, including legal, tax, accounting, intellectual property, or other significant liabilities that might not be detected through the acquisition due diligence process
- Legal and regulatory constraints (such as contract obligations, privacy frameworks, and agreements)
- Difficulties in implementing, restoring, or maintaining internal controls, procedures, and policies
- Practices or policies of the acquired company that might be incompatible with our compliance requirements
- An adverse effect on relationships with existing customers, partners, or third-party providers of technology or products
- Difficulties in integrating the acquired company’s accounting, HR, and other administrative systems and coordination of the acquired company’s research and development (R&D), sales, and marketing functions
- Debt incurrence or significant cash expenditures
- Constraints in enforcing acquired companies’ compliance with existing SAP security standards in a timely manner
- Difficulties in customer implementation projects combining technologies and solutions from both SAP and the acquired company
In addition, acquired businesses might not perform as anticipated, resulting in charges for the impairment of goodwill and other intangible assets on our statements of financial position. Such charges might have an adverse effect on our business, financial position, profit, and cash flows. We have entered into, and expect to continue to enter into, alliance arrangements for a variety of purposes, including the development of new products and services. There can be no assurance that any such products or services will be successfully developed or that we will not incur significant unanticipated liabilities in connection with such arrangements. We might not be successful in overcoming these risks and we might therefore not benefit as anticipated from acquisitions or alliances.
We counter these acquisition-related risks with many different methodological and organizational measures. These include technical, operational, financial, and legal due diligence on the company or assets to be acquired and a holistic evaluation of material transaction and integration risks. The methods we use depend on the integration scenario. Our integration planning is detailed and standardized, and carried out by a dedicated integration team. We therefore believe we have minimized this risk.
Although we estimate this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a business-critical impact on our business, financial position, profit, cash flows, and revenue and operating profit target. We classify this risk as a medium risk.
We might not be able to obtain adequate title to, or licenses in, or to enforce, intellectual property.
Protecting and defending our intellectual property is crucial to our success. We use a variety of means to identify and monitor potential risks and to protect our intellectual property. These include applying for patents, registering trademarks and other marks and copyrights, implementing measures to stop copyright and trademark infringement, entering into licensing, confidentiality, and non-disclosure agreements, and deploying protection technology. Despite our efforts, we might not be able to prevent third parties from obtaining, using, or selling without authorization what we regard as our proprietary technology and information. All of these measures afford only limited protection, and our proprietary rights could be challenged, invalidated, held unenforceable, or otherwise affected. Some intellectual property might be vulnerable to disclosure or misappropriation by employees, partners, or other third parties. Third parties might develop technologies that are substantially equivalent or superior to our technology. Finally, third parties might reverse-engineer or otherwise obtain and use technology and information that we regard as proprietary. Accordingly, we might not be able to protect our proprietary rights against unauthorized third-party copying or utilization, which could have an adverse effect on our competitive and financial positions, and result in reduced sales. Any legal action we bring to enforce our proprietary rights could also involve enforcement against a partner or other third party, which might have an adverse effect on our ability, and our customers’ ability, to use that partner’s or other third parties’ products. In addition, the laws and courts of certain countries might not offer effective means to enforce our intellectual property rights. This could have an adverse effect on our reputation, business, financial position, profit, and cash flows.
We rely on a combination of the protections provided by applicable statutory and common law rights, including trade secret, copyright, patent, and trademark laws, license and non-disclosure agreements, and technical measures to establish and protect our proprietary rights in our products. We have established various internal programs, such as internal policies, processes, and monitoring, to assess and manage the risks associated with standards organizations, open source, and third-party intellectual property.
We might be dependent in the aggregate on technology that we license from third parties that is embedded in our products or that we resell to our customers. We have licensed and will continue to license numerous third-party software products that we incorporate into and/or distribute with our existing products. We endeavor to protect ourselves in the respective agreements by obtaining certain rights in case such agreements are terminated.
We are party to certain patent cross-license agreements with third parties.
We estimate the probability of this risk occurring as likely, and that it could have a business-critical impact on our reputation, business, financial position, profit, cash flows, and revenue and operating profit target. We classify this risk as a high risk.
SAP’s business strategy focuses on certain business models that are highly dependent on a working cyberspace. A cybersecurity breach could have an adverse effect on our customers, our reputation, and our business.
The key cybersecurity risks currently applicable to us include state-driven economic espionage as well as competitor-driven industrial espionage, and criminal activities including, but not limited to, cyberattacks and “mega breaches” against cloud services and hosted on-premise software. This might result in, for example, disclosure of confidential information and intellectual property, defective products, production downtimes, supply shortages, and compromised data (including personal data). A failure of our cybersecurity measures could impact our compliance with legal demands (for example, Sarbanes-Oxley Act, Payment Card Industry Data Security Standard, data privacy) and expose our business operations as well as service delivery to the described risks, for example, virtual attack, disruption, damage, and/or unauthorized access. Additionally, we could be subject to recovery costs, for example, as well as significant contractual and legal claims by customers, partners, authorities, and third-party service providers for damages against us, which could have an adverse effect on our reputation, business, financial position, profit, and cash flows.
To address the increasing cybersecurity threats, we are continuously adapting and modifying our security procedures. We have multiple security measures in place, such as technical IT security measures, identity and access management, and mandatory security and compliance training. In addition, our security governance model clearly defines security management accountabilities for all security areas regarding product security and corporate security, which enables us to respond quickly to identified cybersecurity risks. We have a global security function as well as an independent security audit department within the Corporate Audit organization in place that appropriately address potential security threats.
Although we still consider the occurrence of this risk to be unlikely, we cannot completely exclude the possibility that this risk could have a business-critical impact on our business, financial position, profit, cash flows, and reputation as well as revenue and operating profit target. We classify this risk as a medium risk.
We might not be able to protect our critical information and assets or to safeguard our business operations against disruption.
SAP is highly dependent on the exchange of a wide range of information across our global operations and on the availability of our infrastructure. With regard to our physical environment, we face several key security risks such as industrial and/or economic espionage, serious and organized crime, and other illegal activities, as well as violent extremism and terrorism. We might be endangered by threats including, but not limited to, social engineering, misuse, or theft of information or assets, or damage to assets by trespassers in our facilities or by people who have gained unauthorized physical access to our facilities, systems, or information. These could have an adverse effect on our business, financial profile, profit, and cash flows.
To minimize these risks, we have implemented several technical and organizational measures designed to safeguard our information, IT and facility infrastructure, and other assets. These measures include, for example, physical access control systems at facilities, multilevel access controls, closed-circuit television surveillance, security personnel in all critical areas, and recurring social engineering tests for SAP premises and data centers. Access to information and information systems is controlled using authorization concepts. Managers and employees are regularly sensitized to the issues and given mandatory security and compliance training. We keep these measures under continuous review to mitigate current threats.
Although we estimate the probability of occurrence of this risk to be unlikely, we cannot completely exclude the possibility that any misuse, theft, or breach of security could have a major impact on our business, financial position, profit, and cash flows as well as on our revenue and operating profit target. Due to our strategic transformation into cloud business operations, we classify this risk as a medium risk.
Our insurance coverage might not be sufficient and we might be subject to uninsured losses.
We maintain insurance coverage to protect us against a broad range of risks, at levels we believe are appropriate and consistent with current industry practice. Our objective is to exclude or minimize risk of financial loss at reasonable cost. However, we might incur losses that might be beyond the limits, or outside the scope, of coverage of our insurance and that might limit or prevent indemnification under our insurance policies. In addition, we might not be able to maintain adequate insurance coverage on commercially reasonable terms in the future. Further, certain categories of risks are currently not insurable at reasonable cost, which could have an adverse effect on our business, financial position, profit, and cash flows. Finally, there can be no assurance of the financial ability of the insurance companies to meet their claim payment obligations.
In view of the scope of our insurance coverage and our selection of insurers, and because we keep our insurance programs under constant review, we believe that the likelihood of this risk materializing is remote.
However, we cannot exclude the possibility of a business-critical impact on our business, financial position, profit, cash flows, and operating profit target if the risk were to occur. We classify this risk as a medium risk.
We could incur significant losses in connection with venture capital investments.
Through Sapphire Ventures (formerly SAP Ventures), our consolidated venture investment funds, we plan to continue investing in new and promising technology businesses. Many such investments initially generate net losses and require additional expenditures from their investors. Changes to planned business operations have in the past affected, and might in the future affect, the performance of companies in which Sapphire Ventures holds investments, and that could have an adverse effect on the value of our investments in Sapphire Ventures, which could have an adverse effect on our business, financial position, profit, and cash flows. Furthermore, tax deductibility of capital losses and impairment in connection with equity securities are often restricted and could therefore have an adverse effect on our effective tax rate.
To address this risk, Sapphire Ventures diversifies its portfolio and manages our investments actively. In addition, our venture capital activities have a limited scope.
We believe that the likelihood of this risk materializing is remote and that if the risk were to occur, its potential impact on our business, financial position, profit, cash flows, and operating profit target would be minor. We classify this risk as a low risk.
Consolidated Risk Profile
SAP consolidates and aggregates all risks reported by the different business units and functions following our risk management policy, monitored by a Group-wide risk management governance function.
In 2016, we recognized only minor changes in the percentages of all reported risks categorized as “high” or “medium” in our risk-level matrix. The number of risks categorized as “high” accounted for 11% (2015: 11%) of all reported risks, while the risks categorized as “medium” accounted for 67% (2015: 68%) of all risks reported in the Risk Factors section.
In our view, considering their likelihood of occurrence and impact level, the risks described in our aggregated Risk Report do not individually or cumulatively threaten our ability to continue as a going concern. Management remains confident that the Group’s earnings strength forms a solid basis for our future business development and provides the necessary resource to pursue the opportunities available to the Group. Because of our strong position in the market, our technological leadership, our highly motivated employees, and our structured processes for early risk identification, we are confident that we can continue to successfully counter the challenges arising from the risks in our risk profile in 2017.