Risk management and internal control system
Linde, a technology company with global operations, is exposed to a great variety of risks in the course of its international business. A willingness to take entrepreneurial risks enables the Group to exploit opportunities as they arise. Therefore, Linde deliberately accepts risks, as long as they are reasonable and can be managed and controlled, and bears such risks if they are expected to provide opportunities to create a sustainable increase in shareholder value.
In this context, the purpose of risk management is to make it more certain that growth and earnings targets as well as strategic objectives are met. The Executive Board of the Group has established a risk management system (Enterprise Risk Management System or ERM system), the basic principles of which are laid down in Group guidelines and which is reviewed in terms of effectiveness and efficiency at regular intervals. The ERM system has been tailored to suit Linde’s corporate structure and takes into consideration not only economic risks but also ecological and social risks.
Enterprise Risk Management system
The key elements of the ERM concept are the risk management system and the internal control system, which are interrelated. The design of the systems is based on the Three Lines of Defence Model (TLoD), proposed in the recommendation issued by FERMA and the ECIIA on the implementation of Article 41 of the 8th EU Directive, which seeks to provide a structured account of the interaction between the various actors in risk management and internal control.
The risk management system focuses on the identification and handling of risks. It seeks to address not only those risks that might affect the viability of the Group as a going concern, as required by the German Law on Control and Transparency in Business (KonTraG), but also all significant risks for the Group. The international standard ISO 31000/2009, which sets out best practice for risk management, forms the framework around which Linde’s risk management system is built.
The aim of the internal control system is to prevent risks arising in the course of operations by adopting appropriate controls, especially with regard to conformity with the law, compliance with strategy, the quality of accounting and reporting, the quality of processes and the protection of assets. Linde does not limit itself to risks that might have a direct impact on the net assets, financial position or results of operations of the Group, but also includes risks which might have an indirect impact on key financial figures, such as risks to the Group’s reputation. The internal control system comprises all the controls which are embedded in the Group’s business operations. The structure of the internal control system is based around the globally recognised framework published in 2013 by COSO (the Committee of Sponsoring Organisations of the Treadway Commission) and entitled “Internal Control Integrated Framework”.
Internal control system
The internal control system comprises general principles, procedures and regulations aimed at the organisational implementation of corporate decisions. Linde establishes controls in the form of central guidelines, standards and best practices. These define the overall framework and limits within which operating business activities are to be performed. Guidelines, standards and best practices are based on external requirements and internal corporate targets, as well as risk assessments. They are designed to ensure that corporate decisions are adhered to and that all necessary measures are taken to prevent any risks to the achievement of the corporate objectives in accordance with the corporate strategy set by the management. The following guidelines, standards and best practices are examples of components of the internal control system:
- Compliance Management System (CMS): Linde implements a CMS, the main components of which include the analysis of compliance risks, training sessions on compliance guidelines and the monitoring of adherence to processes and controls.
- Guidelines for antitrust law compliance: The guidelines for antitrust law compliance provide an overview of the main principles of antitrust law. The regulations on how to deal with competitors form a key focal point. These regulations are supplemented and set out in greater detail in Best Practice Guidelines.
- Anti-corruption compliance: To avoid the risk of corruption, Linde has introduced a Group guideline on how employees should deal with gifts, hospitality and invitations. In the Healthcare product area, these rules are set out in greater detail and supplemented by the global Healthcare Compliance Guide.
- Compliance guideline for business partners: The compliance guideline for business partners states that payments to business partners can only be made for lawful activities. So, for example, before a contract is concluded, a review of the business partner must be conducted based on certain criteria.
- Capital expenditure guideline: The decision and allocation process for capital expenditure in the Group is centralised. Each major item of capital expenditure is approved by a central investment committee and/or by the Executive Board of The Linde Group.
- Treasury guideline: The Treasury guideline, which applies worldwide, essentially addresses the financial risks which may be encountered by a group with global operations, such as counterparty risk, liquidity risk and risks arising from changes in interest rates and exchange rates. Clear guidelines are set for the Group to minimise these risks and to manage them actively. A monthly report on these risks is produced by the Treasury Committee, which is chaired by the Chief Financial Officer.
- Purchasing guideline: Global purchasing activities present stringent requirements in terms of business conduct. Linde adheres to the principles of free and fair competition. The Group therefore rejects any illegal business practices when purchasing goods and services. Linde has supplemented its employee code of conduct with a purchasing guideline which applies equally to all Group personnel. In these rules, Linde sets out principles relating to business conduct and the avoidance of conflicts of interest.
- Code of Conduct for Suppliers of The Linde Group: To prevent the occurrence of ecological, social and compliance risks in the supply chain, Linde introduced a global Code of Conduct for Suppliers. This has formed part of new contracts with suppliers since 2013.
- Corporate Responsibility: Linde is committed to responsible behaviour in all its divisions. In key areas such as safety and environmental protection, Linde has devised guidelines and standards which provide concrete examples of how to incorporate the CR guideline into the Group’s daily business.
Structure and responsibilities
At the start of the year under review, the refined organisational model passed by the Executive Board came into force. It is designed to lay the organisational foundation for an improvement in customer focus and competitive standing and to step up the focus on high-growth areas. The organisational changes also provided further details on the interfaces and responsibilities for the internal control system, as provided for by the Three Lines of Defence Model (TLoD).
The Corporate & Support Functions set out company-wide guidelines and standards for the functional management of Linde’s operating segments. They support the operating segments in the introduction and application of the guidelines and standards.
The Global Governance Centres are responsible for defining company-wide standards and best practices for the relevant areas within the Gases Division. Operating Segment Hubs (OS Hubs) at the interface between the Global Governance Centres and the operating segments use initiatives to coordinate and support the implementation of the central requirements within the operating segments of the Gases Division.
The operating segments are responsible for the implementation and ongoing application of control activities. These control activities are designed to ensure the reliable implementation of the central requirements in operating procedures. They must incorporate special regional features, such as local legal requirements, into the internal control system.
The Corporate & Support Functions and Global Governance Centres in turn monitor, from the perspective of the Group/the Gases Division, whether the controls applied in the relevant areas are appropriate and effective in order to sufficiently prevent the identified risks from materialising, or to identify and correct these risks. They are responsible for resolving any weak points identified within the internal control system in a suitable manner.
The Internal Audit department is responsible for reviewing the internal control system from a procedural and functional perspective. The Corporate & Support Functions, the Global Governance Centres and the operating segments have to use regular “self-assessments” to assess and document whether processes in the individual functional areas comply with the rules and with security requirements, and whether the controls implemented have been effective. Internal Audit is responsible for the coordination and evaluation of this process.
Accounting-related internal control system
The procedures for the preparation of the Group financial statements are centrally defined, monitored and implemented.
Accounting and reporting guidelines which apply across the Group set out the minimum requirements for the local units and ensure compliance with legal regulations and the articles of association.
Accounting transactions are recorded by the local subsidiaries of The Linde Group. In the 2010 financial year, Linde started to concentrate some bookkeeping functions in shared service centres in order to centralise and standardise its processes. Shared service centres are now to be found in Europe and Asia/Pacific and provide services for countries in EMEA, Asia/Pacific and North America. The existing controls were transferred at the same time as the functions, while additional controls to ensure proper accounting were also implemented.
This information, recorded either locally or at the shared service centres, is combined with supplementary information into a Group reporting package and submitted by the local units using a standardised Group-wide reporting system.
The reporting and consolidation system is a fully integrated system which not only collects data for the preparation of the quarterly financial statements and Group financial statements on a systematic basis, but also provides data for the monthly management reporting, budget data and data which is relevant to Financial Control and other central departments. All the consolidation procedures are carried out centrally. In particular cases, such as the measurement of pension obligations, external experts are used.
The internal control system procedures, which are geared towards the proper preparation and reliability of the Group accounting records, ensure that business transactions are recorded on a timely basis in accordance with legal regulations and the articles of association and that the records of these transactions are complete. They also ensure that inventories are properly drawn up, and that assets and liabilities are appropriately recognised, measured and disclosed. The separation of administration, implementation, execution and authorisation functions reduces the chance of fraud.
The key controls used to ensure the proper preparation and reliability of the accounting records are:
- automated controls, such as reconciliation routines relating to the figures and systems access controls based on the authorisation concept,
- manual controls, such as variance and trend analyses based on defined key figures and comparisons with budget figures, as well as plausibility checks. The reliability of the accounting procedures is also underpinned by monthly discussions with the operating units about the principal key figures.
The accounting-related internal control system ensures that the accounting and reporting process complies with International Financial Reporting Standards (IFRS) as adopted in the European Union, the German Commercial Code (HGB) and other relevant regulations and laws.
Risk management system
Structure and responsibilities
The central risk management department, a Corporate & Support Function, is responsible for devising a standardised Group-wide risk management process and for risk reporting. Those with local responsibility for risk in the operating units are responsible for the implementation of the centrally devised risk management process.
Linde distinguishes between risks which relate to the entire Group (Group risks and corporate risks) and risks arising from the activities of the operating segments whose impact and risk management is limited to certain operating segments (business risks). Group risks and corporate risks are identified by members of the Executive Board and/or heads of the Corporate & Support Functions and Global Governance Centres, and are managed by the personnel to whom the responsibility for those risks has been allocated. Business risks are managed by those responsible for the operating segments in the divisions. They identify, analyse, manage and monitor their risks on a regular basis.
To ensure that standard procedures are applied to the identification and evaluation of business risks in the operating segments, the central risk management department provides those responsible with the risk management tools and methods they require. It also coordinates the Group-wide recording of all significant risks for the Group and continues to develop the tools and methods required to identify and evaluate risks.
Risk identification, evaluation and management
At the very heart of all risk management is a cyclical risk management process, involving a series of steps from the identification of a risk, to the analysis, evaluation and management of the risk.
The management team of each operating unit within the Group identifies the main risks affecting that unit. The executives in the various units categorise each risk they have identified and evaluate it in terms of criteria determined centrally, including the potential impact of the risk on the Group and the expected probability of its occurrence. When analysing the impact of the risk, Linde considers not only the impact on the results of operations, but also the impact on non-monetary aspects such as safety, reputation and strategy. When evaluating the potential impact of risks and the expected probability of their occurrence, the operating units use a standard scale devised by the central risk management department. This scale has four different risk ratings ranging from low risk to very high risk. Each risk is awarded a risk rating on this standard scale based on its potential impact and a risk rating based on the expected probability of its occurrence.
For each risk, the next step for those in charge is to plan the measures which can be taken to manage the risk, so that the risk may be reduced to an acceptable level. The management of the risk comprises a selection or a combination of measures to avoid risk, transfer risk, reduce risk and control risk. For each risk, responsibility for the risk is assumed by an individual appointed by management. This person then assesses the risk on a regular basis and monitors any measures taken to manage the risk.
The operating units record the information gathered by the risk management process in risk registers. These registers are updated at least every quarter. Risk workshops involving the management teams of the operating units are an important tool for Linde when identifying and evaluating risks and determining the measures to be taken to manage those risks. When identifying risks, a great variety of areas which might entail risk, both within and outside the Group, are taken into consideration. The areas covered by the risk assessments include not only internal processes and resources as well as the economic, financial, legal and regulatory environment, but also social and ecological aspects.
One particular tool which is designed to transfer risk is insurance. Linde has taken out appropriate insurance against potential losses and liability risks to ensure that the potential financial consequences of any risks which have arisen are eliminated or limited. The Group constantly ensures that its insurance is at the optimum level, based on the specific requirements of the business units.
Risk reporting is managed by the central risk management department. The units included in the risk reporting process differ from those included in the consolidation for accounting purposes in accordance with the IFRS to the extent that risk reporting applies to all operating units which are either fully consolidated or included in the Group financial statements on a line-by-line basis, and for which the annual revenue exceeds a certain figure determined internally. In addition, other operating units which do not meet the aforementioned criteria may be included in the risk reporting process on the basis of specific risk assessments. Uniform standards apply throughout the Group to the reporting of the status of any significant risks and any changes in those risks. Local units make their risk reports using Group-wide web-based reporting tools. Moreover, any risks which arise unexpectedly or which have repercussions for the whole Group are communicated directly to the appropriate Group personnel, irrespective of the normal reporting channels.
Every quarter, the Executive Board is presented with a risk report prepared by the central risk management department, which is then discussed at an Executive Board meeting. The Executive Board presents a report on the risk situation of the Group at the quarterly meetings of the Audit Committee.
The risk report submitted to the Executive Board comprises a description of the significant Group, corporate and business risks, as well as the corresponding risk assessments and the main measures taken to manage the risks. It also includes a description of the activities of the central risk management department.
In order to assess the risks, the ratings regarding the potential impact of the risk and the expected probability of its occurrence are reported. These ratings are selected by the employees responsible for risk in line with the standard scale of four ratings devised by the central risk management department.
The internal audit department performs reviews at regular intervals of the efficiency and effectiveness of the risk management system and the internal control system. Independent external auditors (KPMG AG Wirtschaftsprüfungsgesellschaft) also assess the effectiveness of the early recognition system for risks and submit regular reports about the outcome of their reviews to the Group Executive Board and Supervisory Board.
KPMG AG Wirtschaftsprüfungsgesellschaft also audits the Group financial statements and performs a review of the interim and half-year financial reports. Operating units which are material to the Group are also reviewed or audited by companies in the KPMG AG Wirtschaftsprüfungsgesellschaft network. In the course of the audit of the Group financial statements, key audit issues are also regularly identified and reported.
Both the external auditors and the internal auditors are involved in the testing of subsystems which are relevant to accounting and reporting, such as the Treasury system and the bookkeeping systems of the operating units.
Linde’s risk management system is forward-looking. It is continuously being improved in order to enhance its effectiveness.
The company reviews all internal controls as and when required, thus ensuring that processes are constantly enhanced. The accounting-related internal controls are reviewed and optimised on a regular basis to ensure an efficient, functional process. The chart of accounts used throughout the Group, for instance, is adapted regularly to meet new internal or external requirements.