Corporate governance

Schaeffler is committed to responsible corporate governance. Central to this are efficient cooperation between the Executive Board and the Supervisory Board as well as open and transparent corporate and financial communications. Fundamental corporate management decisions are aimed at long-term value creation.

Responsible corporate governance

The main focus of corporate governance is on trusting customer relationships and acting with integrity. Business dealings and relationships that are not compatible with the company values of “Sustainable”, “Innovative”, “Excellent”, and “Passionate” are rejected. The governance structure of the Schaeffler Group supports this attitude and creates the necessary transparency in internal structures, the organization, and responsibilities. It also ensures that these components work together in an organized manner.

A key organizational pillar of governance in the Schaeffler Group is the “Group Compliance and Risk Committee” (GCRC) chaired by the Group Chief Compliance Officer. The committee is made up of the heads of the relevant governance functions (including compliance, law, internal control systems, internal auditing, and controlling) and has the task of supporting the Executive Board in its organizational duties with regard to compliance and risk management. One of the main tasks of the GCRC is to define interactions and to clearly delineate responsibilities in order to avoid duplication. Furthermore, a consistent and complete picture of the risk situation in all divisions, functions and regions should be created on the basis of a uniform evaluation and prioritization methodology. Another goal is to develop risk reduction measures and monitor their implementation. Operationally, the GCRC is supported by the “Compliance & Risk Working Group”, which is composed of representatives of the working level of the functions represented in the GCRC.

The elements of the governance structure – internal control system and compliance and risk management system – work together according to the internationally recognized “Three Lines of Defense Model”. The model assigns clear responsibilities for managing risks that threaten the company’s existence or development. It is based on the principle that responsibility for a risk lies primarily with its originator.

Compliance

The compliance management system (CMS) is a part of the Schaeffler Group’s overall corporate governance structure. Management and all employees are required by the Schaeffler Code of Conduct (CoC) to comply with all applicable local, national, and international laws and regulations wherever the Schaeffler Group conducts business. The entire worldwide compliance organization of the Schaeffler Group provides support in doing this. The Schaeffler Group’s CMS is based on national and international standards. The concept of the CMS was initially audited successfully by an independent auditing firm in accordance with the IDW PS 980 auditing standard. In 2018, a second independent auditing firm confirmed the adequacy and implementation of the Schaeffler Group’s compliance management system.

The purpose of the CMS is the prevention and early detection of legal violations in the areas of corruption, money laundering, competition, and antitrust law as well as economic crime. It also supports active risk control and has a protective function for both the company and its employees. The Group Chief Compliance Officer manages the compliance organization. He reports directly to the Chief Executive Officer. In addition, he maintains a reporting line to the Chairman of the Supervisory Board and regularly reports to the Chairman of the Audit Committee.

The Schaeffler Group Code of Conduct and corporate policies on competition and antitrust compliance, anticorruption, the protection of confidential information, and against conflicts of interest include requirements to prevent compliance violations. A compliance help desk continues to serve this purpose by providing advice on specific issues. In addition, Schaeffler has taken measures to detect any compliance violations. These include audits and inspections as well as a global whistleblower system that also allows anonymous reporting of alleged violations. As a part of the central competence team at the headquarters in Herzogenaurach, the “Forensics & Investigations” department is responsible for the independent investigation of alleged violations.

Compliance training

With a systematic and target group-specific training program, the company provides its employees with the necessary understanding of compliance issues. In web-based and face-to-face training, employees and executives are informed about the relevant requirements and made aware of risks. Key areas of focus in 2018 included the Code of Conduct, sales compliance, information security, and protection against cybercrime and CEO fraud, a scam that tricks companies into making payments by using false identities. The training courses are developed continuously and adapted to the areas of activity of the employees. 9,578 participants 1) (prior year: 8,160) took part in web-based training on compliance in the reporting period. Furthermore, 8,793 employees (prior year: 8,741) were trained in face-to-face training and workshops.

Further information on the individual subsystems of the governance structure and the compliance management system of the Schaeffler Group can be found in the annual report 2018, page 101 et seq.

Due diligence processes: Systematically ensuring lawful behavior

In order to systematically ensure the avoidance of legal and reputational risks, the Schaeffler Group further strengthened its measures in the 2018 fiscal year. The expansion of a competitor contact register was driven forward. The register is already being used successfully at various pilot sites worldwide. It promotes transparency and supports the pre-approval process for competitor contacts. In 2018, the process was digitalized, which significantly speeds up the further groupwide implementation.

In addition, an IT-based “Business Partner Due Diligence Workflow” was created and integrated into the existing business process. This new process facilitates and improves the business partner review. The workflow has been in use as part of a pilot project since 2018.

Data protection, information, and IT security

Protecting personal rights is a high priority for Schaeffler and is a part of the Code of Conduct. The company handles the processing of data belonging to business partners and employees with the greatest care and sensitivity. The corresponding processes comply with the respective data protection requirements. In 2018, these processes were further improved with regard to the requirements of the EU General Data Protection Regulation (EU GDPR) in particular. The data protection officer at Schaeffler AG plays a central managing role. He is assigned to the “Compliance & Corporate Security” department and thus to the Chief Executive Officer’s division.

Schaeffler Group information security measures are based on the ISO/IEC 27001 standard and take national and industry-specific regulations into account. They are designed to protect Schaeffler’s intellectual property and the business secrets of business partners from theft, loss, unauthorized disclosure, unlawful access or misuse.

Preventative measures to protect against cybercrime in particular will be gradually expanded as part of the “Information & Cyber Security” program, among others, and accompanied by training and information offerings. In addition, a comprehensive “Information Security Training and Awareness Concept” was developed in 2018. It will be introduced globally by 2020.

In 2018, Schaeffler introduced an “IT Security by Design” process which is based on national and international standards. It will ensure that IT security is already taken into account when developing systems and applications. Corresponding protective measures are integrated in the process depending on the protection requirements. The global implementation of the “IT Security by Design” process is planned in the regions for 2019.

In 2018, Schaeffler also dedicated its compliance conference to the topic of information security and cyber security. Compliance officers from Schaeffler regions around the world attended the conference. The conference focused not only on the protection of the company’s own data, but also on the development of an information security management system. This system also covers managing risks in the supply chain and implements customer requirements.

Business continuity and crisis management

In 2018, Schaeffler began combining and coordinating business continuity activities at the Group level. Elements such as effective emergency and crisis management have been established. A unified approach to business impact analysis has been created and will be piloted in a plant in China in 2019. The introduction into the relevant business areas will take place by 2021. Continuous training and practice measures prepare the members of the crisis staff to deal with crisis situations.

1) Employees incl. temporary staff, apprentices, interns, and contract workers.

CMS
Compliance Management System.
CoC
Code of Conduct; a code that defines rules for employees and typically includes directives and prohibitions that companies – in this case the Schaeffler Group – impose on themselves or accept.
EU GDPR
EU General Data Protection Regulation, according to which rules for the processing of personal data by private companies and public entities are being standardized across the EU.