Risk Management Process and Internal Control System

ESRS 2 GOV-5

The BASF Group’s risk management process is based on the international risk management standard COSO II Enterprise Risk Management – Integrated Framework and comprises the risk management system, the internal control system and compliance management and has the following key features:

Organization and responsibilities

• Risk management and the internal control system are the responsibility of the Board of Executive Directors. It defines the basic requirements and processes as well as the organization of the risk management system. It also determines the processes for approving investments, acquisitions and divestitures.
• The Board of Executive Directors is supported by the Corporate Center. The Corporate Center units Corporate Finance, which reports to the Chief Financial Officer, and Corporate Development, which reports to the Chairman of the Board of Executive Directors, and the Chief Compliance Officer (CCO) coordinate the risk management process at Group level. This involves examining economic and sustainability-related opportunities and risks and providing structures as well as appropriate methodologies. Opportunity and risk management is thus integrated into the strategy, planning and budgeting processes.
• BASF’s risk committee reviews the BASF Group’s risk portfolio at least twice a year to evaluate any adjustments to risk management measures and informs the Board of Executive Directors of these. Members of the risk committee are the president of Corporate Finance (chair), the president of Corporate Development, the president of Corporate Legal, Compliance & Insurance and the heads of the Corporate Audit, Corporate Environmental Protection, Health, Safety & Quality, Corporate Treasury, and Group Reporting & Performance Management departments.
• The management and control of specific opportunities and risks is largely delegated to the divisions, the service and research units and the regions,¹ and is steered at a decentralized level. This also applies to sustainability-related topics relevant to BASF in accordance with ESRS, such as the impact of climate change on BASF. A network of risk managers in the operating divisions, in the service and research units as well as in the regions advances the implementation of appropriate risk management practices in daily operations. Financial risks are an exception. The management of liquidity, currency and interest rate risks is conducted in the Corporate Finance unit. The management of commodity price risks takes place in the Global Procurement unit or in authorized Group companies. As part of the new strategy, the management of opportunities and risks at regional level is being reorganized in 2025.
• In order to ensure the efficacy of risk management in the operating divisions as well as in the service and research units, Corporate Finance performs integrated checks within risk reporting and also regularly reviews compliance with internal risk management guidelines. The BASF Group’s management is informed of short-term operational opportunities and risks that fall within an observation period of up to one year in the monthly Management’s Report produced by Corporate Finance. In addition, Corporate Finance provides information twice a year on the aggregated opportunity/risk exposure of the BASF Group, including information about risk management measures and the corresponding residual net risks. Furthermore, any arising individual risks with a probability of occurrence of at least 10% that have an impact of more than €10 million on earnings or any risks qualitatively evaluated to have a material impact on our sustainability targets as well as on our reputation must be internally reported immediately. The Supervisory Board is informed annually about short-term operational opportunities and risks. The Audit Committee also deals with the internal control system and the risk management system as well as their further development.
• As part of strategy development, the Corporate Development unit conducts strategic opportunity/risk analyses with a five-year medium-term assessment period. These analyses are annually reviewed as part of strategic controlling and are adapted if necessary. Scenarios are also developed to map possible impacts beyond the five-year horizon from a long-term perspective, for example from climate-related developments. The Board of Executive Directors and Supervisory Board are informed annually about strategic opportunities and risks.
• We also regularly consider exceptional situations that can have a fundamental impact at global, regional and local level – from process safety incidents and goods spillages to pandemics and cyberattacks. In addition, there is a crisis management organization that proactively draws up crisis plans where necessary and appropriate and which is activated in the event of a sudden crisis (for more information, please see S1 Own Workforce).
• The Chief Compliance Officer (CCO) manages the implementation of our Compliance Management System, supported by compliance officers worldwide. The CCO reports regularly to the Board of Executive Directors on the status of implementation as well as on any significant results and provides a status report to the Supervisory Board’s Audit Committee at least once a year, including any major developments. The Board of Executive Directors immediately informs the Audit Committee about significant incidents (for more information on compliance, see G1 Business Conduct).

Organization of the BASF Group’s risk management

• Risk-specific monitoring and control systems, some of which are decentralized, have been set up for each area identified in the risk portfolio. The results of the monitoring processes are incorporated into regular risk reporting to the risk committee and the Board of Executive Directors. Compared with internal control systems in financial reporting, these monitoring and control systems in other subject areas have a lower degree of formalization. As a rule, however, they also include organizational security precautions such as compliance with the basic principles of transparency, dual control, segregation of duties and least privilege, deployment of sufficiently qualified employees and adequate IT systems. The design of internal controls depends on the subject area. It ranges from monitoring the development of specific key indicators and evaluating internal and external reports or benchmarking analyses to formalized committee meetings in which decisions are made on applications for investments or research projects, for example. In addition, the appropriateness and effectiveness of the topic-specific internal control systems is monitored by the Corporate Center units responsible for the respective topics. To this end, the individual Corporate Center units choose different approaches depending on the subject area, such as the evaluation of questionnaires for self-assessment of the effectiveness of the internal control system, sample tests to validate the implementation and effectiveness of internal controls or the monitoring of compliance-related key indicators.
• The Corporate Audit department is responsible for regularly auditing the effectiveness and appropriateness of the risk management system, internal control system and the compliance management system.
• In addition, the Audit Committee addresses the effectiveness and appropriateness of these systems as part of its monitoring activities. The suitability of the early risk detection system set up by the Board of Executive Directors in accordance with section 91(2) of the German Stock Corporation Act (AktG) is assessed and evaluated by the auditors.

Tools

• The Governance, Risk Management, Compliance (GRC) Policy, applicable throughout the Group, forms the framework for risk management and is implemented by the operating divisions, the service and research units and the regions according to their specific business conditions.
• A catalog of opportunity and risk categories helps identify all relevant economic and sustainability-related opportunities and risks relating to our targets as comprehensively as possible. We derive the sustainability-related opportunities and risks from the double materiality analysis, in accordance with ESRS requirements.
• The positive contributions and negative impacts of our business activities on sustainability topics along the value chain, and the impact of sustainability topics on our business, are assessed in a materiality analysis. Opportunities and risks for our business activities that could arise from material sustainability topics, or for sustainability topics that could arise from our business activities, can only rarely be measured in specific financial terms and mainly have a medium- to long-term impact. Relevant sustainability topics are systematically considered in our strategic and operational risk management through our integrated risk catalog. The results are presented in the respective chapters (for more information, see Double Materiality Assessment).
• We also systematically assess opportunities and risks with effects that cannot yet be measured in monetary terms, such as climate and reputational risks. To reflect these, risks for companies in connection with the transition to a low-emission economy (transition risks) as well as physical risks as defined by the Task Force on Climate-related Financial Disclosures (TCFD), among others, were added to this catalog.
• Because global climate policy ambitions and the implementation of the relevant measures play a decisive role in the ongoing growth of the chemical industry and its customer industries, we defined and quantified global long-term scenarios (up to 2050) with various global warming paths. To assess the impact of different global climate policy approaches on our business units, the scenarios were discussed with the business units in workshops. The feedback was incorporated into the ongoing development of the scenarios. A dataset of scenario-specific macroeconomic parameters is provided to test the economic feasibility of investments and business strategies. We use the results of the double materiality analysis to document reportable sustainability risks within the meaning of section 289b et seq. of the German Commercial Code. No reportable residual net risks within the meaning of section 289b et seq. of the German Commercial Code were identified for 2024 (for more information, see General Disclosures).
• We use standardized evaluation and reporting tools for the identification and assessment of risks. The aggregation of opportunities, risks and sensitivities at division and Group level using a Monte Carlo simulation helps us to identify effects and trends across the Group. We base our sensitivities to oil and gas prices and currency developments on forward-looking assumptions in order to reflect specific market expectations and improve the quality of our forecasts. We also aggregate qualitatively assessed risks at Group level using a risk portfolio.
• Our Group-wide Compliance Program aims to ensure adherence to legal regulations and the company’s internal guidelines. Our global employee Code of Conduct firmly embeds these mandatory standards into everyday business. Members of the Board of Executive Directors are also expressly obligated to follow these principles (for more information, see G1 Business Conduct).
• Based on the reviews and findings of the risk management process, the Board of Executive Directors has no indication that BASF’s risk management system and the internal control system are not adequate or effective in all material respects.