Risk management
The central risk management system of the Carl Zeiss Meditec Group stipulates uniform regulations and processes for the early detection, assessment and management of risks. In the subsidiaries and at Group level, risk management coordinators are responsible for applying the policies and procedures. The management of the subsidiaries identifies and manages operating and strategic risks. Risks from non-controlling interests are also taken into account. Risks and opportunities arising from general social requirements for companies and megatrends such as digitalization, sustainability and demographic change are also regularly examined. Overall responsibility lies with the Management Board, which regularly assesses risks and their management at Group level together with the Group Risk Manager. The Management Board and Supervisory Board review the appropriateness of and monitor the risk management system.
Risk management is an integral part of corporate governance within the Carl Zeiss Meditec Group, and is based on the following key components: a risk reporting system (including an early detection system), an internal control system and a compliance management system.
Risk reporting system
This is a clearly structured, traceable feedback loop that encompasses all of the Company’s activities, is integrated into its organizational structure and its control and reporting processes, and comprises a systematic, ongoing process for the identification, assessment, management and control, documentation and communication of risks. Relevant information can therefore be passed on immediately to the responsible decision-makers. The main features of this system are as follows:
- The risk reporting system records risks only. It covers all fully consolidated subsidiaries. Risks arising from investee companies, including at-equity investments, are recorded by the subsidiary that holds the investment.
- Business risks are assessed and categorized according to their potential implications over the period of their existence, their probability of occurrence and their damage potential. The assessment period is a maximum of three years. Risks are evaluated in terms of their effect on earnings before interest and tax (EBIT).
- Regular risk reports are provided to the Management Board, the management of the subsidiaries and other decision-makers within the Company on the basis of specified thresholds. Significant risks that arise at very short notice are reported to these decision-makers immediately.
- On this basis, the Group takes and evaluates appropriate measures to avoid identified risks, reduce their probability of occurrence or reduce the potential economic damage they could cause. The measures to reduce risks and the residual risks derived from these are regularly updated and documented.
Internal control system
The internal control system of the Carl Zeiss Meditec Group is based on the COSO Enterprise Risk Management Model (COSO ERM model). The Group’s integrated enterprise risk management system covers strategic and operational risks. For central processes, key risks and control mechanisms are defined; the relevant specialist departments assess the effectiveness of these controls annually and adjust them where necessary. The results of the regular evaluation of the controls are reported to the Management Board of the Carl Zeiss Meditec Group, monitored and incorporated into the execution of strategic and operational activities.
Risk assessment within the internal control system goes beyond pure financial risks. Key business processes other than accounting are identified and critical controls are defined for the relevant business processes by the specialist departments. Key business processes in the Carl Zeiss Meditec Group include the areas of organizational structure, human resources, research and development, purchasing, production planning, logistics, export control, complaints management, compliance, IT security, information processing, data protection, risk management and sustainability. The Management Board is confident that the internal control system is appropriate and effective.1
Internal control system relating to the Group accounting process
The accounting-related part of the internal control system ensures that key accounting processes are carried out properly and economically, that business transactions are recorded completely and punctually in accordance with the German Commercial Code (HGB) and the International Financial Reporting Standards (IFRS), thereby establishing a basis for reliable external reporting. The part of the internal control system specifically related to accounting falls under the responsibility and supervision of the Chief Financial Officer of the Carl Zeiss Meditec Group.
The internal control system and, as a consequence, its accounting-related part are supplemented by the risk reporting system, which provides for the systematic early identification of relevant operational and strategic risks. In terms of Company and Group accounting, the risk reporting system helps ensure the completeness and accuracy of the consolidated financial statements and of the reporting issued to external recipients.
The accounting-related part of the internal control system is reviewed by Internal Auditing as part of regular audit procedures. In addition, the Group auditor audits accounting-related processes and financial statements of significant subsidiaries included in the consolidated financial statements and specified in the scope.
Compliance management system
The internal control system and the risk reporting and early warning system are supplemented by a compliance management system which focuses on the Company’s risk situation.
The compliance management system of the Carl Zeiss Meditec Group and its requirements for appropriate conduct are integrated into all major business processes. Its core element is a comprehensive internal Code of Conduct. The Code is built around the three basic functions of compliance (prevention, detection and response) and compiles principles and guidelines for responsible conduct. It applies to all employees and is available for inspection on the Company’s website. In addition to conventional anti-corruption rules to ensure fair competition, prevent the granting and acceptance of advantages and avoid conflicts of interest, it regulates a variety of other principles of conduct, for example fair treatment of employees and business partners, the handling of business secrets and personal data, insider rules, the handling of Company property, occupational health and safety, and protection of the environment.
Compliance managers at the subsidiaries and at Group level are responsible for applying the guidelines and directives and for communicating violations or suspected violations to the management.
Management and further development measures as well as training programs help to ensure that the compliance principles are known and observed throughout the Group and that the compliance management system is aligned with the Company’s current risk situation. We also encourage our employees to take part in discussions with colleagues and managers on the subject of compliance and to raise concerns about specific business processes. These concerns can also be addressed in consultations with internal compliance officers. In addition, there are telephone and web-based whistleblower communication channels that are available not only to all employees worldwide, but also to third parties, and which fulfill the requirements of the German Corporate Governance Code and the German Supply Chain Due Diligence Act.
Further to providing comprehensive advice on the compliance components mentioned above, the work of the compliance function in the past fiscal year focused primarily on the following topics:
- Implementation of non-routine investigations in response to appropriate indications
- Regular liaison between the Segment Compliance Officer and the Local Compliance Officers
The Group Compliance Officer reports to the Management Board regularly and, where necessary, on an ad hoc basis. The Management Board is informed about key issues relating to the compliance function in regular meetings with the Group Compliance Officer and receives a detailed compliance report once a year. This annual compliance report gives the Management Board an overview of the company-wide compliance risk situation and of the development of the compliance modules in relation to the three basic functions of compliance (prevention, detection and response). In the final meeting of the year, the compliance function also reports, on behalf of the Management Board, to the Audit Committee of the Supervisory Board of the Carl Zeiss Meditec Group.
The entire compliance management system is constantly updated to bring it in line with company-specific risks and various local legal requirements. The findings from internal consultations and investigations and the dialogue with the global compliance organization, for example, are used to derive measures for the further development of the system.
The effectiveness of the system is ensured by regular evaluations and inspections. It is also subject to monitoring by Internal Auditing.
Certified quality management
A vital part of early risk detection is the Group’s certified quality management system. Clearly structured and documented quality management processes not only ensure transparency but are now a prerequisite in most markets for obtaining regulatory approval for medical devices. The quality management system employed by the Carl Zeiss Meditec Group was certified by DQS GmbH Deutsche Gesellschaft zur Zertifizierung von Managementsystemen and complies with the US Good Manufacturing Practice (“GMP”) standard for medical devices, the Quality System Regulation in 21 C.F.R. Part 820.
Monitoring system
The Management Board is responsible for ensuring an appropriate and effective internal control system and for continuously improving it. The Audit Committee of the Supervisory Board monitors the effectiveness of risk management, of the internal control system, including the accounting process, and of the compliance management system. It draws on Internal Auditing for this purpose, while at the same time monitoring and overseeing Internal Auditing’s own work.
Risks are managed as effectively as possible through the combination of the internal control system, the risk reporting and early warning system and the compliance management system. Internal Audit prepares an annual risk-oriented audit plan. It conducts spot checks to determine whether the internal guidelines for the Group’s entire control and risk management system are being adhered to. This monitoring function also includes checking the functionality and effectiveness of the defined controls, using standardized risk control matrices that are continuously developed further. For key Group-wide controls, we also use the structured assessments described in the internal control system section; these are verified by Internal Audit as part of its site audits. The Management Board, the Supervisory Board and, above all, the Audit Committee are kept informed about the regular audits carried out by Internal Audit. They receive regular reports on the current status and results of the audits and on progress in remediating the findings. In the 2024/25 fiscal year, Internal Audit conducted audits at selected subsidiaries and of Group functions on the basis of the risk-oriented audit plan. Specific measures for the further development of the control system were agreed with the audited areas, and their implementation is continuously monitored by Internal Audit.
Assessment of risk-bearing capacity
The risk-bearing capacity of the Carl Zeiss Meditec Group is the difference between the risk coverage potential and the aggregated total of all risks. Individual risks are assessed using distribution functions and aggregated using a Monte Carlo simulation. The risk coverage potential is calculated as the sum of the planned earnings before interest and income taxes for the current fiscal year and the lower of equity and current assets. Risk-bearing capacity is considered to be at risk if, in the aggregation of all risks, the risk coverage potential is exceeded with a probability of 5%, i.e. if the 95% quantile of the aggregated loss distribution lies above the risk coverage potential.
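The aggregation described in the paragraph above can be reproduced with a small Monte Carlo simulation. The following is an added example written for this page; it is not the Group’s own model and uses no Group data. The risk register, its probabilities, the loss amounts (EUR million, reducing EBIT), the planned EBIT, equity and current assets are all constructed for illustration, and two modelling choices are assumptions about how the text’s “distribution functions” and 5% threshold are applied: each risk is modelled as an occurrence probability plus a triangular severity distribution, and “exceeded with a probability of 5%” is evaluated as the empirical 95% quantile of the simulated aggregate loss.

```python
# Added example (not the Group's own model or data): Monte Carlo aggregation of a
# constructed risk register and comparison with the risk coverage potential.
import random
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    """One entry of a risk register (constructed for illustration).

    If the risk occurs within the assessment period, its loss is drawn from a
    triangular distribution (assumption; the text only says 'distribution
    functions'). Amounts are in EUR million and reduce EBIT.
    """
    name: str
    probability: float  # probability of occurrence within the assessment period
    low: float          # minimum loss if the risk occurs
    mode: float         # most likely loss if the risk occurs
    high: float         # maximum loss if the risk occurs

    def sample_loss(self, rng: random.Random) -> float:
        # Bernoulli trial for occurrence, then a severity draw only if it occurred.
        if rng.random() >= self.probability:
            return 0.0
        return rng.triangular(self.low, self.high, self.mode)


# Constructed register: names, probabilities and amounts are hypothetical.
CONSTRUCTED_REGISTER: List[Risk] = [
    Risk("IT security incident (ransomware)", 0.15, 2.0, 8.0, 40.0),
    Risk("Delayed regulatory approval", 0.25, 5.0, 15.0, 30.0),
    Risk("Single-source supplier failure", 0.30, 1.0, 4.0, 12.0),
    Risk("Product liability claim", 0.05, 10.0, 25.0, 80.0),
    Risk("Adverse FX movement", 0.60, 0.5, 3.0, 10.0),
]


def risk_coverage_potential(planned_ebit: float, equity: float, current_assets: float) -> float:
    """Planned EBIT for the fiscal year plus the lower of equity and current assets."""
    return planned_ebit + min(equity, current_assets)


def simulate_aggregate_losses(risks: List[Risk], trials: int, seed: int = 2024) -> List[float]:
    """One aggregated loss per trial: the sum of the losses of all risks that occur."""
    rng = random.Random(seed)  # seeded so that the simulation is reproducible
    return [sum(r.sample_loss(rng) for r in risks) for _ in range(trials)]


def quantile(samples: List[float], q: float) -> float:
    """Empirical q-quantile (nearest rank); q=0.95 gives the loss exceeded in 5% of trials."""
    ordered = sorted(samples)
    index = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[index]


def assess_risk_bearing_capacity(risks: List[Risk], planned_ebit: float, equity: float,
                                 current_assets: float, trials: int = 20_000,
                                 seed: int = 2024, exceedance_probability: float = 0.05) -> dict:
    """Compare the aggregated risk at the given exceedance probability with the coverage potential.

    'capacity_at_risk' is True when the simulated aggregate loss exceeds the risk
    coverage potential with a probability of at least exceedance_probability (5%).
    """
    losses = simulate_aggregate_losses(risks, trials, seed)
    coverage = risk_coverage_potential(planned_ebit, equity, current_assets)
    aggregated_risk = quantile(losses, 1.0 - exceedance_probability)
    return {
        "coverage_potential": coverage,
        "aggregated_risk": aggregated_risk,
        "risk_bearing_capacity": coverage - aggregated_risk,
        "capacity_at_risk": aggregated_risk > coverage,
    }


if __name__ == "__main__":
    # Hypothetical figures: planned EBIT 300, equity 1,500, current assets 1,200 (EUR million).
    result = assess_risk_bearing_capacity(CONSTRUCTED_REGISTER, planned_ebit=300.0,
                                          equity=1500.0, current_assets=1200.0)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The simulation is seeded so that a re-run of the assessment reproduces the same figures, which matters when the result is reported to the Management Board and later audited. Replacing the triangular severity with another distribution, or adding correlation between risks, changes only `Risk.sample_loss` and `simulate_aggregate_losses`; the comparison with the coverage potential stays the same.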
1 The Management Board’s assessment of the appropriateness and effectiveness of the internal control and risk management system is based on the German Corporate Governance Code (GCGC) and goes beyond the statutory requirements for the management report. In this respect, the information is excluded from the audit of the management report by the auditor.