- The Group Compliance & Risk Committee is a central pillar of the governance structure
- No reportable non-financial risks were identified in 2019
Responsible corporate governance
Trusting customer relationships and acting with integrity are an integral part of corporate governance. In principle, business dealings and relationships are only entered into if they are in line with the corporate values “Sustainable”, “Innovative”, “Excellent”, and “Passionate”. The governance structure of the Schaeffler Group promotes transparency, supports the corporate values, and creates the necessary transparency in internal structures, the organization, and responsibilities. It also ensures that these components work together in an organized manner.
The Group Compliance and Risk Committee (GCRC) represents a key governance component in this regard, increasing transparency in internal structures, the organization, and in responsibilities. The GCRC is chaired by the Schaeffler Group’s Group Chief Compliance Officer. It consists of the heads of the relevant governance functions (including Compliance, Legal, Risk Management, Internal Control System, and Controlling). The GCRC is responsible for assisting the Board of Managing Directors with its organizational responsibilities with respect to compliance and risk management. Among the key objectives of the GCRC are defining and delineating responsibilities and interfaces and preventing redundancies in the process. In addition, it is expected to create a consistent and complete view of the risk situation in the divisions, functions, and regions based on a uniform measurement and prioritization methodology. A further objective of the GCRC is developing and monitoring risk mitigation activities. The Compliance & Risk Working Group, consisting of staff representatives from the functions represented on the GCRC, provides operational support to the GCRC.
The elements of the governance structure – the internal control system, the compliance and risk management system, and Internal Audit – work together according to the internally recognized “Three Lines of Defense Model”. It assigns clear responsibility for dealing with risks to Schaeffler’s continued existence and development and is based on the principle that primary responsibility for a risk lies with its originator.
Part of GNFK StartTo achieve its corporate objectives, Schaeffler takes deliberately calculated business risks in order to implement its corporate strategy and realize the associated opportunities. The risk management system aims to identify these risks at an early stage and to manage them in accordance with the risk strategy.
The Schaeffler Group’s opportunity and risk reporting in the group management report provides comprehensive information about the company’s risk management system as well as significant risks that have a medium or high negative impact on assets, finances or income. It also includes risks related to the Schaeffler Group’s business operations, business relationships, or products and services.
More information on the Schaeffler Group’s opportunity and risk reporting can be found in the current Annual Report 2019 starting on page 47 et seq.
With the integration of the non-financial risk assessment into the Schaeffler Group’s risk management system, the assessment of the non-financial risk impact of the five reportable aspects – in addition to the evaluation of their financial risk impact – is carried out using a similar assessment logic.
The risk survey showed that there were no reportable risks in 2019 in accordance with CSR-RUG (Section 289c, paragraph 3 HGB). As proactive risk management, the EnEHS (Energy, Environment, Health and Safety) management system serves to identify and avoid systematic risks and potential negative impacts from Schaeffler on the environment, energy, and occupational health and safety at an early stage. As a further development in the analysis of climate-related risks, the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD) – an expert commission of the G20 Financial Stability Council – are being followed.Part of GNFK End
Part of GNFK StartIntegrity is a significant cornerstone of the Schaeffler Group’s manner of conducting business. Schaeffler adheres to high standards of compliance, especially in preventing corruption. Schaeffler sets high expectations for data protection, information, and IT security.
The compliance management system (CMS) is a part of the Schaeffler Group’s overall corporate governance structure. The management and all employees are obliged by the Schaeffler Group Corporate Code of Conduct (CoC) to comply with all applicable local, national, and international laws and regulations. The entire worldwide compliance organization of the Schaeffler Group provides support in doing this. The Schaeffler Group’s CMS is based on national and international standards. In 2018, an independent auditing company confirmed the appropriateness and implementation of the Schaeffler Group’s compliance management system in accordance with the IDW AsS 980 standard for auditing compliance management systems.
The CMS serves the purpose of:
- The prevention and early detection of legal violations in the areas of corruption, money laundering, competition, and antitrust law as well as economic crime.
- Active risk control and as a protective function for both the company and its employees.
The Schaeffler Group’s Group Chief Compliance Officer heads up the compliance organization and reports directly to the Chief Executive Officer. The Group Chief Compliance Officer also has a reporting line to the Chairman of the Supervisory Board and reports to the chairman of the audit committee on a regular basis.
The Schaeffler Group Corporate Code of Conduct and corporate policies on competition and antitrust compliance, fighting corruption, the protection of confidential information, and conflicts of interest include requirements to prevent compliance violations. A compliance helpdesk is available for consultation on specific compliance issues. In addition, Schaeffler has taken measures to detect any compliance violations. These include controls as well as a globally accessible whistleblowing system which allows anonymous reporting of alleged violations. As a part of the central competence team for compliance at the headquarters in Herzogenaurach, the “Forensics & Investigations” department is responsible for the independent investigation of alleged violations.Part of GNFK End
The Schaeffler Group Code of Conduct is available at: www.schaeffler.com/code-of-conduct
Part of GNFK StartOn the basis of web-based and face-to-face trainings, the company provides its employees with a necessary understanding of compliance issues.
Training topics in 2019 were in particular:
- Integrity/Code of Conduct
- Antitrust and competition law
- Conflicts of interest
The training courses are continuously developed to meet best standards. 6,461 participants1) (prior year: 9,578) took part in web-based training on compliance in the reporting period. Furthermore, 8,091 employees (prior year: 8,793) were trained in face-to-face trainings and workshops.
More information on the individual subsystems of the governance structure and the compliance management system of the Schaeffler Group can be found in the current Annual Report 2019 starting on page 76 et seq.
More information on material compliance can be found under Responsibility in the value chain
Due diligence processes: systematically securing lawful behavior
Part of GNFK StartIn order to systematically avoid legal and reputational risks, the Schaeffler Group further strengthened its measures in the fiscal year 2019. The competitor contact register was digitalized. It promotes transparency and supports the pre-approval process for competitor contacts. The IT-based “Business Partner Due Diligence Workflow” that had been integrated was transferred to ongoing operations. In the Automotive Aftermarket, Industrial divisions and in the Purchasing department, the process was already implemented in selected areas and countries. The rollout for the remaining areas and countries will take place in 2020. The process primarily focuses on risks associated with corruption and export control and aims to facilitate and improve business partner reviews.Part of GNFK End
Data protection, information, and IT security
Part of GNFK StartProtecting personal rights is a high priority for Schaeffler and is part of the Group Code of Conduct. It handles the processing of data belonging to business partners and employees with the greatest care and sensitivity. The corresponding processes comply with legal data protection requirements. The data protection officer at Schaeffler AG plays a central managing role. He is assigned to the “Compliance & Corporate Security” department and thus to the Chief Executive Officer’s function.
The Schaeffler Group’s information security measures are based on the ISO/IEC 27001 standard and take national and industry-specific regulations and compliance with the VDA-ISA standard within the framework of TISAX (Trusted Information Security Assessment Exchange) into account where necessary. These measures are designed to protect Schaeffler’s intellectual property and the business secrets of business partners from theft, loss, unauthorized disclosure, unlawful access or misuse. As part of the “Information & Cyber Security Program”, the regulatory framework has been consolidated and prepared for a global rollout in 2019.
Preventive measures to protect against cybercrime in particular will be gradually systematically expanded as part of the “Information & Cyber Security Program”, among others, and accompanied by training and information offerings.
An “IT Security by Design” process based on national and international standards has been introduced at Schaeffler. It will secure that IT security is already taken into account when developing systems and applications. Corresponding protective measures are integrated in the process depending on the protection requirements. The implementation of the “IT Security by Design” process in the regions was started in 2019. The global introduction will be completed in 2020.Part of GNFK End
Business continuity and crisis management
In 2018, Schaeffler has begun to coordinate business continuity activities at the corporate level. Elements such as effective emergency and crisis management have been established. A unified approach to a business impact analysis was created and piloted at a plant in China in 2019. The introduction into relevant business areas will take place by 2021. Different measures prepare the members of the crisis management teams to deal with crisis situations.
Compliance conference on information and cyber security
In 2019, Schaeffler dedicated its compliance conference to the important field of information and cyber security in addition to the topic of optimizing the control landscape. During the conference, senior executives at management level completed an executive education program on information and cyber security in cooperation with the Goethe University Frankfurt and external experts. Business and internal IT experts discussed the topic of cyber security intensively with senior Schaeffler executives and provided valuable insights.
1) Employees incl. temporary staff, apprentices, interns, and contract workers.