Active risk management helps us deliver on our strategy, deliver quality service, and ensure sustainable growth and business continuity. Throughout our long way, we have taken a conservative and consistent approach to risk, which allows us to provide services responsibly. The risk management system in accordance with ISO 31000 is the basis for making informed risk-based business decisions in our company.

Compliance and risk management are important aspects of our business, and over the past years we have put considerable effort into building a strong compliance system. This has helped us demonstrate resilience during the COVID crisis.

At our company, significant attention is paid to creating an environment that encourages our employees to speak up and do the right thing.

Financial and tax risks

Managing financial risks such as market risk, credit risk or liquidity risk is part of our holistic corporate risk management approach and allows you to better identify and assess risks, develop and evaluate appropriate controls and mitigation plans that support a sound risk-based approach to decision making and our overall corporate strategy.

Financial risk management helps us optimize profits and mitigate possible financial and reputational damage. It also ensures the smooth running of day-to-day operations.

The goal of tax risk management as part of our overall business strategy is to avoid unnecessary tax expenditures while ensuring strict compliance with legal requirements. We are working to implement effective tax risk management strategies that align our growth plans with good practices and changing tax laws. We constantly monitor changes in tax legislation.

Information security risks

The enterprise services industry continues to face increasingly sophisticated cybersecurity threats. We continue to protect the interests of our clients by investing in technical controls to prevent, detect and respond to information security risks.

Our Information Security Management System complies with industry leading cybersecurity standards.

We have a robust cybersecurity organizational structure and resource model, with clearly defined roles and responsibilities.

An important part of our risk management strategy is to ensure that our employees are aware of cybersecurity issues and know how to report incidents. We conduct regular information security awareness events and have developed a dedicated training program.

Privacy risks

The trust and confidence our customers and employees in how we collect, use and share their personal information is very important to us. That's why we're constantly working to improve our systems, processes and controls.

Our privacy management principles comply with the requirements of the EU General Data Protection Regulation (GDPR). To date, GDPR regulations are the most stringent in the world. We adhere to these principles at a high level with regard to a consistent global approach to the processing of personal data. We apply these principles around the world as a minimum standard for how we manage the information our customers have entrusted to us, even if this is not required in specific countries.

All of our employees are responsible for ensuring that their activities comply with the principles and laws on the protection of personal data.

Privacy risk governance

We are committed to maintaining a conservative and consistent approach to risk, including privacy risk.

All of our employees are responsible for risk management. We conduct regular audits to ensure that our privacy controls and processes are working effectively. To ensure our employees and management are aware of the risks associated with privacy, we conduct staff training annually to help keep them abreast of key developments and requirements.

As part of the Speak Up! policy, employees are encouraged to report data privacy incidents directly to senior management.

You can read more about our protection of personal data.

Money laundering and corruption risks

A key obligation for our company is to fully understand who we are doing business with. This requires us not only to identify our clients but also to thoroughly verify the accuracy of the information provided to us. It is important to note that all documents provided by clients are properly recorded and stored.

Risk Management

The specific scope of our customer due diligence obligations corresponds to the level of risk associated with a specific counterparty, business relationship, or transaction. Compliance with these obligations can be verified by an authorized supervisory body.

Our company practices active risk management in the field of money laundering prevention and anti-corruption to implement our strategy and ensure sustainable growth and business continuity. We strive to manage risks based on analytical data.

Risk management consists of risk analysis and internal security measures.

If we cannot be assured of the integrity of the counterparty, we are not entitled to establish or continue business relations, and any existing business relationships must be terminated. Non-compliance with these requirements can lead to penal sanctions.

The general due diligence obligations include, in particular:

• Identification of the counterparty and the representative acting on its behalf
• Determination of the identity of the economically interested party if the counterparty is acting on their behalf
• Acquisition and assessment of information about the purpose and intended nature of the business relationship
• Clarification whether the counterparty is a politically exposed person (PEP)
• Continuous monitoring of business relationships

It should be noted that identification is carried out before establishing business relations or before conducting a transaction.

Our policy against money laundering, sanctions, bribery, and corruption is aimed at properly reducing the risks identified by our company.

Legal Framework

The obligations related to the prevention of money laundering and the fight against corruption are based on both European and national regulations. In particular, our company aligns itself with the Directive (EU) 2015/849 – also known as the Fourth Anti-Money Laundering Directive, as well as with the German Money Laundering Act (GwG). These regulations serve as a guiding framework for our company in developing and implementing appropriate measures to ensure legal compliance and responsible business practices.

Risk analysis

Our company conducts ongoing risk analysis to identify money laundering and terrorist financing risks and assess them individually for our business. This is done in four steps:

1. Inventory
2. Definition and identification of risks
3. Categorization of risks
4. Risk assessment

Based on the risk analysis, we develop organizational measures corresponding to the risk level to be able to adequately respond to identified dangers.

We regularly document the results of the risk analysis and update them as necessary. In particular, we document:

• Information on the conduct and results of risk assessments, as well as on the relevant measures that have been taken.
• The results of the investigation of unusual transactions and the basis for decision-making regarding circumstances.
• Measures taken to determine the beneficiary.

The retention period for these documents is five years. It begins at the end of the calendar year in which the business relationship causing the obligations ended. In all other cases, it starts at the end of the calendar year in which the relevant information was established. The term can be extended up to ten years if a longer term is provided by law. After the retention period, the documents are destroyed.

Sustainability risks

We are committed to ensuring that the services we provide to our customers do not have an unacceptable impact on people or the environment.

We take measures concerning our suppliers that allow us to identify and minimize human rights violations and environmental risks, as well as prevent, cease, or minimize the scale of human rights violations and environmental obligations in the supply chain.

When creating and implementing a risk management system, our company takes into account the interests of our employees and those whose interests may be affected through our company's business activities.

We interact with clients, where appropriate, and support them in adopting sustainable development practices. We endeavor not to maintain business relationships with partners when they are unwilling or unable to comply with our principles.

Sustainability risk governance

As part of sustainable development risk management, our company exercises due diligence and regularly conducts risk assessments to identify potential human rights violations and environmental risks, both directly within our company's operations and with our direct suppliers.

Identified human rights and environmental risks are assessed and prioritized appropriately based on the following criteria:

1. The nature and scope of the company's activities;
2. The company's ability to influence the direct perpetrator of human rights or environmental risk or human rights violation or environmental obligation;
3. The anticipated severity of the violation, reversibility of the violation, and likelihood of human rights or environmental obligation violation;
4. And, depending on the nature of the cause-and-effect relationship of the company with human rights or environmental risk or violation of human rights or environmental obligations.

Identified risks of human rights violations or environmental threats, measures taken by our company to fulfill its due diligence obligations and compliance with human rights and environmental protection requirements, as well as the assessment of the impact and effectiveness of the adopted measures, are continuously documented and regularly brought to the attention of the company's senior management.

The company's senior management is directly responsible for sustainable development risk management and ensuring compliance with requirements. We conduct regular internal audits to ensure that our sustainable development risk management tools are working effectively.

To raise awareness, our employees and management undergo annual training to stay informed about key events and requirements.

As part of the Speak Up! policy, employees and suppliers are encouraged to report incidents related to human rights violations and environmental risks directly to our company's senior management.

We regularly review our policies to ensure that they take into account new and emerging risks, as well as stakeholder concerns. We believe that independent certification schemes can play an important role in risk management and ensuring supply chain safety.