Integrated risk management
Sanitas has taken measures to ensure an appropriate risk management strategy is in place with regard to all material risks, and has documented this strategy accordingly.
Risk management as the key to corporate governance
Risk management comprises the methods and processes used to identify and assess risks, implement risk strategies and risk management measures, and monitor and report on risks. These measures are implemented based on Art. 22 of VAG/ISA and Art. 96 and 97 of AVO/ISO. In accordance with the regulations governing Sanitas Beteiligungen AG, the board of directors is responsible for risk management policy. The executive board issues the necessary directives.
In strategic terms, risk management helps improve the company’s corporate value by ensuring an appropriate balance between risk and profit, which in turn guarantees long-term financial stability.
With this in mind, integrated risk management:
- is integrated into the strategic planning process;
- is adapted to the specific needs of the Sanitas Group; and
- acts as a management and monitoring tool, whereby the goal is to create and enhance risk awareness in daily operational business.
Integrated risk management is therefore a fundamental part of corporate governance.
Key elements of integrated risk management
Integrated risk management comprises the following elements:
- All these measures help to identify, assess and control risks. The risk management process comprises the tools used during the process as well as the principles and guidelines upon which it is based. Controlling and regulatory processes are also associated with the risk management process (e.g. risk control).
- The most significant risks are monitored constantly. Existing measures and processes that are already operational, as well as new measures and projects, must be assigned annually to the highest-priority risks and assessed periodically (risk reporting).
- The processes of risk identification, risk assessment and monitoring of any implemented measures (control activities) are supported electronically.
The four phases of the risk management process
Sanitas’ risk management process is aligned with the ISO 31000 standard and is divided into the following four methodical phases (risk management control system):
01 Risk identification
The systematic process of identifying risks and documenting their characteristics. This is the first phase of risk management (risk management control system). Level 1 and 2 risk drivers are also identified for each risk as part of the Sanitas Group’s integrated risk management process in order to identify the cause and effect of risks and any cross-sectional risks.
02 Risk assessment
Risk assessment involves the analysis and classification of risks in order to quantify the probability of occurrence and the extent of a potential loss. The probability of occurrence is determined for a period of three years (the planning period for strategic corporate goals), and the extent of a potential loss is determined with regard to its impact on the Sanitas Group’s invested capital.
03 Risk navigation
This includes the definition of risk navigation measures. These are measures to accept, avoid, control and transfer specific risks and risk segments.
04 Risk monitoring/reporting/early warning
In addition to compulsory regulatory guidelines, a bottom-up reporting structure should be implemented to form the basis for the enactment of top-down directives (board of directors) and objectives in line with the Sanitas Group’s risk appetite. As part of the risk reporting process, an early warning system should also be implemented to enable the Sanitas Group to make risk information available promptly in an appropriate form where necessary (adverse event reports).