Corporate governance

Responsible corporate governance

Part of GNFK StartTrusting customer relationships and acting with integrity are an integral part of corporate governance. In principle, business dealings and relationships are only entered into if they are in line with the corporate values Sustainable, Innovative, Excellent, and Passionate. The Schaeffler Group’s governance structure supports this approach, creates the necessary transparency within the organization and with regards to responsibilities, and thus ensures coordinated collaboration.

Schaeffler Group governance structure

The Group Compliance & Risk Committee (GCRC) represents the most important governance component, and is chaired by the Schaeffler Group’s Group Chief Compliance Officer. The committee is made up of each of the heads of the relevant governance functions – including compliance, internal control system, internal audit, and risk management – and is responsible for supporting the Executive Board in its organizational duties with regard to compliance and risk management. One of the main tasks of the GCRC is to define interfaces and to clearly delineate responsibilities. In addition, it is expected to create a consistent and complete view of the risk situation in all of the divisions, functions, and regions based on a uniform measurement and prioritization methodology. A further objective of the GCRC is developing and monitoring risk mitigation activities. The “Compliance & Risk Working Group”, consisting of employees from the functions represented on the GCRC, provides operational support to the GCRC.

The elements of the governance structure work together in accordance with the internationally recognized three-lines model (previously known as the “Three Lines of Defense Model”). The model assigns clear responsibilities to manage risks that threaten the company’s existence or development. It is based on the principle that the responsibility for a risk lies primarily with its originator. The governance structure was expanded to include the Global Risks & International Affairs function in 2020.Part of GNFK End

Transparent risk reporting

Part of GNFK StartThe Schaeffler Group deliberately takes calculated business risks in order to achieve its corporate objectives and thus implement its corporate strategy and exploit the associated opportunities. The risk management system aims to identify these risks at an early stage and to manage them in accordance with the risk strategy.

The Schaeffler Group’s opportunity and risk reporting in the group management report provides comprehensive information about the company’s risk management system as well as significant risks that have a medium or high negative impact on assets, finances, or income. It also includes risks related to the Schaeffler Group’s business operations, business relationships, or products and services.

With the integration of the non-financial risk assessment into the Schaeffler Group’s risk management system, the assessment of the non-financial risk impact of the five reportable aspects – in addition to the evaluation of their financial risk impact – is carried out using a similar assessment logic.

The risk survey showed that there were no reportable risks in 2020 in accordance with CSR-RUG (Section 289c, paragraph 3 HGB). As proactive risk management, the EnEHS (Energy, Environment, Health and Safety) management system serves to identify and avoid systematic risks and potential negative impacts from the Schaeffler Group on the environment and occupational health and safety at an early stage. The recommendations of the Task Force on Climate-related Financial Disclosures (TCFD) provide guidance and represent a further development in the analysis of climate-related risks.Part of GNFK End

More information on the Schaeffler Group’s opportunity and risk reporting can be found in the current Annual Report on page 47 et seq.

More information on the TCFD.

Due diligence processes: systematically ensuring lawful behavior

Part of GNFK StartIn order to systematically ensure the avoidance of legal and reputational risks, the Schaeffler Group further strengthened its measures in the reporting period. The digitalized Competitor Contacts and Associations Register (CARe), which promotes transparency and supports the pre-approval process for competitor contacts, was rolled out worldwide, as was the IT-supported workflow for assessing business contacts, “Know Your Business Partner”, which is integrated into the existing business processes. The process primarily addresses risks associated with corruption and export control and aims to facilitate and improve assessment. A new process for assessing the reliability of candidates applying for sensitive positions at the company was also implemented. With new, special company guidelines for preventing money laundering and the financing of terrorism, steps were taken to further improve management of the corresponding risks and the approach to informing employees about these topics. Guidance for identifying and addressing conflicts of interest was also revised and further defined to increase confidence in recognizing and responding to conflicts of interest.Part of GNFK End

Compliance management

Part of GNFK StartIntegrity and compliance are fundamental values of the Schaeffler Group’s business conduct. Accordingly, the company pursues stringent standards – particularly when it comes to preventing corruption, money laundering, and economic crime. Additional areas of focus include data protection and information and IT security.

As defined in the Schaeffler Group’s Code of Conduct, all employees, managers and Executive Board members are to comply with the applicable local, national and international laws and guidelines down to the letter. The Schaeffler Group’s Code of Conduct and compliance guidelines, which address behavior in accordance with antitrust and competition law, conflicts of interest, the fight against corruption, as well as the prevention of money laundering and the financing of terrorism, take laws and additional internal requirements into account. As required, all employees and managers can take part in a consultation on concrete issues via the compliance helpdesk.

The Schaeffler Group’s Code of Conduct is available at: Code of Conduct Schaeffler Group

To uphold its values and standards, the company maintains a compliance management system (CMS) within the framework of the overarching corporate governance structure, as well as a compliance organization that incorporates the entire Schaeffler Group. The head of this organization is the Group Chief Compliance Officer, who regularly reports to the Chief Executive Officer, the Chairman of the Supervisory Board, and the Chairman of the Audit Committee.

Based on national and international standards, the CMS was last audited in 2018 by an independent auditing company in accordance with the IDW AsS 980 standard for auditing compliance management systems. The Schaeffler Group’s CMS has a protective function for both the company and its employees. The aim is to prevent and detect any legal violations in the areas of corruption, money laundering, competition and antitrust law, or economic crime (compliance violations) at an early stage. It also serves as a form of active risk control.

As a part of the central competence team for compliance, the “Forensics & Investigations” department is responsible for the independent investigation of alleged violations. Business processes and locations are routinely audited to identify and uncover such violations. Another component of this approach is a globally accessible whistleblowing system that enables anonymous reporting. Potential compliance violations are resolved independently and in full. In the event of violations, all appropriate and legally permissible measures up to the extraordinary termination of employment relationships are taken.Part of GNFK End

The Schaeffler Group’s whistleblowing system is available at: Whistleblowing system Schaeffler Group

More information on the topic can be found in chapter Material Compliance.

Compliance training

Part of GNFK StartTo ensure the necessary understanding of compliance among its employees and managers, the company employs face-to-face trainings and e-learnings.

In 2020, the usual face-to-face compliance training courses were carried out as topic-based video conferences in accordance with the risk-based approach due to the coronavirus pandemic. Topics included the Schaeffler Group’s Code of Conduct, competition and antitrust law, and fighting corruption.

Online training courses ensure a consistent level of knowledge on the topic of compliance across all company levels and are continuously developed and tailored to the workforce’s tasks. The mandatory basic training was revised in 2020. In addition to well-known compliance topics such as anti-corruption and antitrust and competition law, the “Integrity & Security@Schaeffler” e-learning course covers other topics related to the Code of Conduct, including data protection, information security, cybersecurity, and human rights. The mandatory training also contains information on new and updated compliance measures such as “Know Your Business Partner” and “CARe”¹⁾. To establish the “Know Your Business Partner” process in practice, many virtual face-to-face training courses were offered around the world, and a specific online training course was rolled out. Additional online advanced courses will be offered in 2021 on the topics of preventing corruption and observing antitrust and competition law.

Participants¹⁾ in compliance training

34,879 people²⁾ (prior year: 6,461) took part in online compliance trainings within the reporting period. The global rollout of the new, mandatory “Integrity & Security@Schaeffler” online course, in particular, is responsible for the significant increase compared to the prior year. Around 95 % (prior year: 98 %) of the invitations to the mandatory online compliance training courses were accepted in 2020.³⁾ The compliance rate in the reporting period therefore corresponds to the targeted level of 95 %. Furthermore, 3,277 employees (prior year: 8,091) were trained in face-to-face training sessions and workshops. The significant drop is primarily the result of increased use of digital formats due to the coronavirus pandemic.Part of GNFK End

More information on the individual subsystems of the governance structure and the compliance management system of the Schaeffler Group can be found in the current Annual Report on page 78 et seq.

Data protection, information security, and cybersecurity

Part of GNFK StartProtecting personal rights is a high priority for the Schaeffler Group and is therefore part of the Code of Conduct. It handles the processing of data belonging to business partners and employees with the greatest care and sensitivity. The corresponding processes comply with legal data protection requirements. The Data Protection Officer at Schaeffler AG plays a central managing role. He is assigned to the “Compliance & Corporate Security” department and thus to the Chief Executive Officer’s function.

There is an “IT Security by Design” process within the Schaeffler Group that is based on national and international standards. This process takes IT security into account even during the early phase of system and application development. Protective measures are integrated and monitored on the basis of the protection requirements associated with the process.

The Schaeffler Group’s information security and cybersecurity measures are designed to protect the intellectual property and business secrets of business partners from theft, loss, unauthorized disclosure, unlawful access, and misuse. Protective measures were introduced to prevent, detect, and correct and are continuously optimized. The measures are based on the ISO/IEC 27001 standard and take national and industry-specific regulations and compliance with the VDA-ISA standard within the framework of Trusted Information Security Assessment Exchange (TISAX) into account where necessary.

A variety of rules were standardized through the “Information & Cyber Security” program in 2019 and have been gradually rolled out since 2020. The following represents a selection of targets that have been achieved through the program:

• Reinforced activities related to security awareness, such as the publication of the golden rules of information security
• Continuous expansion of operation technology (OT) security of the production facilities
• Modernization of the information security management system (ISMS)

Preventive measures and training, as well as information offerings, particularly those with a focus on cybercrime protection, are being expanded. Three Schaeffler locations successfully underwent a TISAX audit in 2020.Part of GNFK End

Business continuity and crisis management

The Schaeffler Group has been bundling and coordinating activities designed to ensure business continuity on a Group level since 2018. Elements such as effective emergency and crisis management have been established.

Crisis management has proven its value during the global coronavirus pandemic. The company was able to detect risks associated with the coronavirus at an early stage and initiated crisis management measures to protect the workforce’s health, secure customer supply, and minimize the financial impact. All locations implemented strict measures to reduce the risk of infection and thus played a valuable role in curbing the rate of infection. Early collaboration across divisions and between central, regional and local units and functions proved to be of vital importance.

The central crisis management team and various task forces had already been active since January 2020 due to the increasing spread of the coronavirus. A travel ban between Germany and China was introduced in response to the outbreak in Wuhan. The Executive Board also set up the following centrally managed crisis response teams to address the associated tasks:

• Health, safety, and employees
• Customers, operations, and suppliers
• Finance and liquidity

The teams reported on their activities directly to the corresponding Member of the Executive Board.

The “Coronavirus Contingency Plan”, which proved to be an effective instrument of global crisis management, defines standardized measures to be prepared and implemented at the affected locations once a certain level of risk has been reached. In addition to distancing and hygiene rules, these measures also address the areas of crisis management, occupational health and safety, working from home and in the office, as well as travel and mobility. The level of risk is categorized based on clear criteria such as the presence of the virus in the region, government-instituted lockdown measures, and, most importantly, infections within the workforce. Thanks to the comprehensive bundle of measures and consistent, risk-oriented implementation, the company was able to protect its employees and minimize the negative impact on business.

1) The Competitor Contacts and Associations Register, CARe, is a database containing information on trade associations and their potential competition law risks.

2) Employees, including temporary office staff, apprentices, interns, and people working on a thesis.

3) Does not include those employees who were absent over a longer period of time during the year or for whom the deadline to complete the mandatory training courses had not yet passed by the end of the year. Employees were invited to participate, including temporary staff, apprentices, and interns. As of 12/31/2020. Figure first calculated for 2019. As of 1/7/2020.