Corporate and Cyber Security
We aim to avoid safety-related incidents as far as possible with comprehensive preventive measures and clearly defined responsibilities. Should an emergency nevertheless arise, we have established structures and processes that enable effective crisis management.
Strategy and governance
We want to be as prepared as possible for crisis situations at global, regional and local level – from process safety incidents and goods spillages to pandemics and cyber attacks – through extensive emergency preparedness and emergency response regulations and measures. That is why our emergency and crisis management focuses on the protection of our employees, contractors and neighbors, the safety of our plants and sites, and the protection of our intellectual property. To ensure rapid and effective crisis management, we have defined appropriate structures and processes and laid them down in binding Group-wide guidelines. Our sites and Group companies are responsible for implementing and complying with these internal guidelines and the legal requirements. The Environmental Protection, Health, Safety and Quality unit in the Corporate Center conducts regular audits to monitor this.
Unusual incidents are recorded and reported centrally in accordance with a standard Group-wide procedure (e-Rapid Incident Report). This enables us to identify risks at an early stage and, if necessary, initiate appropriate relief and communication measures. All incidents are carefully followed up on to identify potential for improvement, which is integrated into existing concepts as needed.
Incidents are initially handled by the local crisis organization or local emergency response team. We have implemented precautionary organizational measures with clearly defined responsibilities and procedures at all sites for this purpose. The responsible persons receive regular training. This includes safety and emergency drills, which vary in scope and the number of people involved. Depending on the situation, we also involve business partners and our sites’ communities, such as local authorities or neighboring companies, both in drills and in the event of an emergency. Additional teams may be called in for emergencies, depending on the extent of the damage and how it develops.
For example, the Global Crisis Management Support Team (GCMS), led by a member of the Board of Executive Directors, was most recently activated in connection with the coronavirus pandemic. It provides the strategic direction for crisis management and is supported by issue-specific and specialist working groups.
We are actively involved in external networks, which quickly provide information and assistance in emergencies. These include the International Chemical and Environmental (ICE) initiative and the German Transport Accident Information and Emergency Response System (TUIS), in which BASF plays a coordinating role. In 2022, we provided assistance to public emergency response agencies and other companies in 131 cases (2021: 138). This included information on chemicals and their proper disposal, on-site operational support for transportation accidents involving hazardous goods, or information on human biomonitoring. We apply the experience we have gathered to improve our own processes and set up similar systems in other countries.
Corporate and cyber security
We protect our employees, sites, plants and company know-how against third-party interference. Cyber security and information security play an increasingly important role here. BASF applies the “security by design” principle to critically review and optimize IT applications from a cybersecurity perspective as early as the design phase. We are continually improving our ability to prevent, detect and react to security incidents with various measures and training programs. Our global cyber security team is tasked with protecting our IT systems and the data and business processes they handle. We cooperate with experts and partners in a global network to ensure that we can protect ourselves against cyber attacks as far as possible. Our IT security management system is certified according to DIN EN ISO/IEC 27001:2017. It also supports, in particular, our critical infrastructures in meeting additional compliance requirements such as DIN EN ISO/IEC 27019:2020, the IT security catalog and corresponding industry-specific standards (B3S).
Around the world, we work to sensitize our employees to protecting information and know-how. In 2022, we continued to raise employees’ risk awareness with mandatory, regular online training for all employees and complementary offerings such as seminars, case studies and interactive training. These increasingly addressed aspects of working practices that have changed as a result of the coronavirus pandemic, such as cybersecurity when working from home.
Our global network of information protection officers comprises around 600 employees. They support the implementation of our uniform requirements and hold events and seminars on secure behaviors. Around 58,000 employees had been trained on the basics of cyber security and information protection in 2022. Our standardized Group-wide recommendations for the protection of information and knowledge were expanded in 2022 and updated in line with current developments.
Another cornerstone of corporate security is site security. The tasks performed by our security teams range from access controls at our sites to defense against industrial espionage. Aspects of human rights relevant to site security are a component of the global code of conduct and qualification requirements for our internal and external security personnel.
We analyze potential safety and security risks for investment projects and, as part of strategic plans, define appropriate safety and security concepts. Our guiding principle is to identify risks for the company at an early stage, assess them properly and derive appropriate safeguards.
We inform business travelers and transferees about appropriate protection measures prior to and during travel in countries with elevated security risks. We continuously update our travel recommendations, for example, as a result of the coronavirus pandemic. After any major incident, we can use a standardized global travel system to locate and contact employees in the affected regions.