Corporate Governance

At Schaeffler, corporate governance is characterized by responsible and effective corporate management. Management decisions are guided by the goal of long-term value creation.

Targeted cooperation between the Executive Board and the Supervisory Board, together with transparency in corporate and financial communications, strengthens the trust of stakeholders in the management and oversight of the global family company. This structure supports the Schaeffler Group’s corporate values of sustainable, innovative, excellent, and passionate. The company’s manner of conducting business is thereby based on integrity, fairness, and mutual respect. The governance structure is intended to enable early recognition of risks that threaten the Schaeffler Group’s existence or development. To this end, elements of the governance structure are optimized to support efficient, coordinated cooperation in identifying possible risks and in developing appropriate management principles.

Schaeffler Group Corporate Governance Structure

An important component of this governance is the Group Compliance and Risk Committee (GCRC), which is chaired by the Chief Compliance Officer of the Schaeffler Group. It is composed of the heads of the subordinate departments and the persons responsible for other risk and central functions. The GCRC is tasked with supporting the Executive Board in its governance duties regarding compliance and risk management through clearly defined responsibilities and points of interaction. For this purpose, it presents a thorough and complete view of the risk situation in the company’s divisions, functions, and regions based on a standardized method of assessment and prioritization, and develops and oversees measures for risk reduction.

The activities of the subsystems within the governance structure are coordinated on the basis of the internationally recognized Three Lines of Defense model. This model assigns clear responsibility for dealing with risks to the company’s continued existence and development and is based on the principle that primary responsibility for a risk lies with its originator. The business units bear primary responsibility for the risks inherent in their business; hence, the Schaeffler Group’s employees represent the first line of defense against potential risks. The established Code of Conduct of the Schaeffler Group encourages employees to turn to their supervisor or the corresponding control function with any questions or concerns they may have regarding the handling of risks and inappropriate business practices.

With this structure and its Three Lines of Defense model, the Schaeffler Group fulfills its obligation to manage the company responsibly and to maintain effective controls. Comprehensive details on the Schaeffler Group’s corporate governance and on its Three Lines of Defense model can be found in the Annual Report 2017.

Compliance

The management and all employees of the Schaeffler Group are obliged by the Code of Conduct to comply with all local, national, and international laws and regulations applicable in their geographic area of business. The Schaeffler Group’s worldwide compliance organization supports them in doing so. The underlying compliance management system (CMS) of the Schaeffler Group is based on the three pillars of prevention, detection, and response and forms part of the second line of defense in the Schaeffler Group’s governance structure. In its present form, it was initiated by the Executive Board as the result of a fundamental review carried out within the framework of the Compliance Fit & Proper program, which is part of the “ONE Schaeffler” program. After the underlying concept was successfully subjected to a concept review by an independent auditing firm in accordance with the auditing standard for compliance management systems IDW PS 980, the next step will be to have an independent auditing firm assess its implementation.

In particular, the CMS comprises the control and monitoring of the activities necessary to prevent, or detect at an early stage, legal violations relating to corruption, money laundering, competition and antitrust law, and economic crime. It also supports active risk control and has a protective function for both the company and its employees.

The CMS includes seven core elements: compliance culture, compliance goals, risk analysis, compliance program, compliance organization, communication, and oversight and improvement. Based on a regular group-wide risk analysis, the compliance organization develops risk-based precautions against violations of antitrust and competition law, corruption, economic crime, and money laundering. The risk analysis provides information both on the current risks associated with business activities and on the effectiveness of the arrangements already in place.

Management of the compliance organization is the responsibility of the Chief Compliance Officer of the Schaeffler Group, who reports directly to the Chief Executive Officer, the Chairman of the Supervisory Board, and the Chairman of the Audit Committee. The compliance department provides the Chief Compliance Officer with a comprehensive network of experienced compliance specialists in the Europe, Americas, Greater China, and Asia/Pacific regions, who can also rely on an expanded central competence team at the company’s home location in Herzogenaurach consisting of the units “Advisory,” “Risk Analysis & Solutions,” and “Forensics & Investigations.” The tasks of this team of experts include defining and monitoring appropriate group-wide compliance standards and measures, providing compliance advice, and improving procedures and controls. The team is also responsible for independently investigating alleged violations and for enforcing the necessary consequences. The causes of misconduct are analyzed, countermeasures are proposed, and their implementation is monitored. Violations of laws, regulations, and internal rules are not tolerated and result in disciplinary action.

Measures for preventing compliance breaches include, among other things, the Schaeffler Group’s Code of Conduct (CoC), guidelines on compliance with antitrust and competition law and on anti-corruption, guidelines on protecting the confidentiality of information, and web-based and classroom training. A compliance help desk is also available to advise on specific compliance issues. In addition to basic behavioral requirements, the principles and practices described in the Code of Conduct also cover behavior toward business partners and third parties, the handling of sensitive information, conduct toward employees and colleagues, and requirements with regard to environment, safety, and health.

In accordance with its corporate values, Schaeffler tolerates neither bribery nor any other form of corruption. All employees of the Schaeffler Group are expressly prohibited from taking part in any form of bribery or corruption. The same applies to illegal anticompetitive conduct and violations of antitrust law. The Schaeffler Group refrains from business dealings that cannot be entered into or maintained without unacceptable behavior.

8,741 employees were trained in 2017 on the topic of compliance.

Compliance training courses are continuously developed further and adapted to the employees’ areas of activity. For example, the case studies in the “Risk Awareness” training course are drawn from the relevant business units so that potential risks are identified in the most concrete and comprehensible way possible. In the 2017 business year, the Schaeffler Group’s compliance training program included, among other things, courses on risk awareness and on the Code of Conduct. In keeping with the principle of prevention, the training both informs management and employees about such situations and raises their awareness of the risks involved, with the aim of reducing them. In 2017, for example, 8,741 employees received classroom training and workshops on the subject of compliance. The goal is for every new employee to be trained on essential compliance topics by 2020 and for this training to be refreshed regularly. In addition, measures are in place to detect compliance violations. These include audits and controls as well as a worldwide whistle-blower system through which alleged violations can be reported anonymously. All reports submitted are independently investigated. Retaliation against employees who, in good faith, raise concerns about misconduct in the company is prohibited.

Corporate Security

The goal of corporate security is to achieve a high degree of security by protecting the lives, health, and personal rights of all employees, visitors, and business partners at company sites from any kind of harm. For Schaeffler as a technology company, increasing the security, efficiency, and appropriateness with which company-relevant data is handled is a crucial competitive factor. Carefully coordinated components form an information security management system that protects Schaeffler’s intellectual property and the business secrets of its business partners from theft, loss, unauthorized disclosure, illegal access, and misuse. In this way, Schaeffler counters the growing threat to this data with effective methods. Prevention measures aimed especially at protecting against internet crime and CEO fraud have been successively expanded with training and information offerings.

To mitigate the risk of cyberattacks, the Schaeffler Group has introduced an “IT Security by Design” process that is guided by national and international standards. In this process, IT security is considered from the outset in the development of systems and applications, and corresponding protection measures are integrated into the process according to the protection requirements. IT security is thus part of the system solution from the very start. Based on a company guideline that applies worldwide, crisis management has been expanded across divisions and throughout the company. For this purpose, crisis teams were set up and standardized escalation and communication processes were introduced at company headquarters and in the regions. Training and exercises prepare the employees involved in this process to deal with crisis situations.

Schaeffler has further strengthened and intensified its protection of data relating to persons, products, and processes. It handles the processing of data belonging to business partners and employees with the greatest care and sensitivity. These measures comply with the applicable data protection guidelines and other legal requirements. The checks and balances that have been implemented ensure the best possible protection of sensitive data.

In order to identify the requirements of the EU General Data Protection Regulation (EU GDPR) and their effects on the company, and to be able to implement the necessary adjustments to procedures, Schaeffler started a company-wide project early on. In doing so, the company builds on the pillars of its existing data protection management system. The Strategic IT business division defines the IT-wide process model in coordination with the Process Excellence Initiative and is responsible for its rollout in the IT units of Schaeffler’s divisions, functions, and regions. In this context, Strategic IT is also responsible for IT governance activities relating to IT risk, compliance, and security management, among other things.

Glossary

Stakeholders
Groups who are affected by, involved with, or hold an interest in the company.
Corporate Governance
Legal and factual regulatory framework for the management and supervision of a company.
Compliance
Ensuring adherence to all rules and regulations that apply to a process.
Three Lines of Defense Model
Model that assigns clear responsibility for dealing with risks to the company’s continued existence and development and is based on the principle that primary responsibility for a risk lies with its originator.
CoC
Code of Conduct; code that defines rules for employees and typically includes directives and prohibitions that companies – in this case the Schaeffler Group – impose on themselves or accept.
CMS
Compliance Management System.
Compliance Fit & Proper
Initiative of the Schaeffler Group to implement certain compliance requirements and measures as part of the ONE Schaeffler portfolio.
IDW PS 980
Standard for verifying compliance management systems.
EU GDPR
EU General Data Protection Regulation, according to which rules for processing personal data by private companies and public entities are being standardized across the EU.