Combined Management Report

8.2.2 Enterprise risk management process

We have implemented and coordinated a set of risk management and control systems which support us in the early recognition of developments that could jeopardize the continuity of our business. The most important of these systems include our enterprise-wide processes for strategic planning and management reporting. Strategic planning is intended to support us in considering potential risks and opportunities well in advance of major business decisions, while management reporting is intended to enable us to monitor such risks more closely as our business progresses. Our risk management and its contributing elements are regularly subject to audit activities by our internal audit function. Accordingly, if deficits are detected, it is possible to adopt appropriate measures for their elimination. This coordination of processes and procedures is intended to help ensure that the Managing Board and the Supervisory Board are fully informed about significant risks in a timely manner. Risk management at Siemens builds on a comprehensive, interactive and management-oriented Enterprise Risk Management (ERM) approach that is integrated into the organization and that addresses both risks and opportunities. Our ERM approach is based on the globally accepted COSO Standard (Committee of Sponsoring Organizations of the Treadway Commission) Enterprise Risk Management – Integrating with Strategy and Performance (2017) and the ISO (International Organization for Standardization) Standard 31000 (2018) and is adapted to Siemens requirements. The frameworks connect the ERM process with our financial reporting process, our internal control system and our compliance management system. They consider a company's strategy, the efficiency and effectiveness of its business operations, the reliability of its financial reporting and compliance with relevant laws and regulations to be equally important.
Our ERM process aims for early identification and evaluation of, and response to, risks and opportunities that could materially affect the achievement of our strategic, operational, financial and compliance objectives. The time horizon is typically three years, and we take a net risk approach, addressing risks and opportunities remaining after the execution of existing and effective measures and controls. If risks have already been considered in plans, budgets, forecasts or the consolidated financial statements (e.g. as a provision or risk contingency), they are to be incorporated with their financial impact in the entity's business objectives. As a consequence, only additional risks arising from the same cause (e.g. deviations from business objectives, different impact perspectives) should be considered. In order to provide a comprehensive view of our business activities, risks and opportunities are identified in a structured way combining elements of both top-down and bottom-up approaches. Reporting generally follows a quarterly cycle; we complement this periodic reporting with an ad-hoc reporting process that aims to escalate critical issues in a timely manner. Relevant risks and opportunities are evaluated in terms of impact and likelihood, considering different impact perspectives, including business objectives, reputation and regulatory requirements. The bottom-up identification and prioritization process is supplemented by workshops with the respective managements of our organizational units. The top-down element ensures that potential new risks and opportunities are discussed at different management levels and are included in the subsequent reporting process if found to be relevant. Reported risks and opportunities are analyzed regarding potential cumulative effects and are aggregated within and for each of the organizational units mentioned above.
Responsibilities are assigned for all relevant risks and opportunities, with the hierarchical level of responsibility depending on the significance of the respective risk or opportunity. In a first step, assuming responsibility for a specific risk or opportunity involves choosing one of our general response strategies. Our general response strategies with respect to risks are avoidance, transfer, reduction or acceptance of the relevant risk. Our general response strategy with respect to opportunities is to "pursue" the relevant opportunity. In a second step, responsibility for a risk or opportunity also involves the development, initiation and monitoring of appropriate response measures corresponding to the chosen response strategy. These response measures have to be specifically tailored to allow for effective risk management. Accordingly, we have developed a variety of response measures with different characteristics. For example, we mitigate the risk of fluctuations in currency and interest rates by engaging in hedging activities. Regarding our projects, systematic and comprehensive project management with standardized project milestones, including provisional acceptances during project execution and complemented by clearly defined approval processes, assists us in identifying and responding to project risks at an early stage, even before the bidding phase. Furthermore, we maintain appropriate insurance levels for potential cases of damage and liability risks in order to reduce our exposure to such risks and to avoid or minimize potential losses. Among other measures, we address the risk of fluctuation in economic activity and customer demand by closely monitoring macroeconomic conditions and developments in relevant industries, and by adjusting capacity and implementing cost-reduction measures in a timely and consistent manner if they are deemed necessary.
Due to regular screening of climate risks and environmental, social and governance (ESG) developments, we can initiate related mitigation actions in a timely manner – also as part of our DEGREE implementation. Worldwide there are risks from the transmission of infectious agents from animals to humans, from humans to humans and in other ways. Epidemic, pandemic or other infectious developments, such as bioterrorism, could cause high disease rates in countries, regions or continents. We constantly check information from the World Health Organization (WHO), the Centers for Disease Control and Prevention in the U.S. and Europe, the Robert Koch Institute in Germany and other institutions in order to identify epidemic or pandemic risks early and to determine and initiate related mitigation actions as early as possible.

8.2.3 Risk management organization and responsibilities

To oversee the ERM process and to further drive the integration and harmonization of existing control activities to align with legal and operational requirements, the Managing Board established a Risk Management and Internal Control Organization, led by the Head of Assurance. In order to allow for a meaningful discussion at the Siemens Group level, this organization aggregates individual risks and opportunities of similar cause-and-effect nature into broader risk and opportunity themes. This aggregation naturally results in a mixture of risks, including those with a primarily qualitative assessment and those with a primarily quantitative assessment; the same applies to opportunities. Accordingly, we do not adopt a purely quantitative assessment of risk and opportunity themes. Thematic risk and opportunity assessments as well as our risk-bearing capacity then form the basis for the evaluation of the company-wide risk and opportunity situation during the quarterly Managing Board meetings.
The Head of Assurance assists the Managing Board with the operation and oversight of the risk and internal control system and with reporting to the Audit Committee of the Supervisory Board.

Siemens Report FY2023