Risk Report

Risk management objectives and methods

Risk management at secunet Security Networks AG is conducted by a risk committee. This committee is composed of the Management Board, the business unit heads and the commercial director, and holds regular, quarterly meetings. Any developments that could jeopardise the fulfilment of objectives or even threaten the survival of the Company are subjected to intense scrutiny by the committee. The aim is to thereby ensure that information about risks and the associated financial implications is detected as early as possible. The existing opportunities and associated potential for results are also to be detected and taken advantage of as part of the planning and controlling process.

Company-specific risks are assessed during the risk committee meetings in reference to their damage extent and probability of occurrence. Proposals for countermeasures are then drawn up. The Management Board examines these measures and implements them promptly.

Individual risks

Competitive environment

Risks relating to the competitive environment arise where secunet’s technological superiority in the market is endangered. The risk committee therefore keeps itself up to date regarding the status of technological development of secunet’s products and asks the opinion of expert employees on whether and to what extent the Company’s technological advantage is threatened by competitors’ product developments.

The competitive environment also means there are risks that rival businesses will attempt to challenge secunet’s market position in terms of business with government agencies. This would expose secunet to much greater competitive pressure in this target customer segment.

Customer structure

Customer structure risk is present to the extent that secunet still conducts the majority of its business with public sector authorities and organisations. The loss of sections of demand from this customer group can have very negative effects on sales and results. This risk has been discussed in depth by the risk committee. Investment in IT, and notably in IT security, is seen as particularly important for the smooth delivery of projects for the public sector, particularly in a world where IT plays an increasingly important role. The risk of a downturn in demand from public sector customers is therefore constantly monitored, although it is currently considered to be relatively low.

In order to be better placed in the medium-term to react to the potential risk of a decline in demand from public-sector customers, and in order to reduce and compensate for any resulting decline in sales and results, secunet is continuing to devote intensive efforts to the development of its activities for the private-sector target group.

Development risks

The risks associated with developing new products that subsequently prove unsuccessful in the market are not regarded as being of primary significance for secunet. Its IT security solutions are tailored precisely to customers’ requirements; secunet products are rarely designed without a specific need in mind. Most of the products developed by secunet are in fact made to order and are financed accordingly by the customer. This is particularly true of the SINA product range from the High Security business unit, but it also applies for example to secunet multisign, the solution for the mass creation of qualified electronic signatures, which arose from the projects based on the construction of different Trustcenters. Even when it comes to biometrics and sovereign documents, product innovations such as the biometric middleware, secunet biomiddle, or the Golden Reader Tool platinum edition were developed as a result of issues raised during consulting activities.

Sales structure risk

Sales are seen as a risk area for secunet, because the business results are still heavily influenced by recently tendered projects and projects to be individually awarded again. To this extent, efficient sales and marketing also represents an opportunity to boost the Company’s performance. At the same time, sales and earnings may be jeopardized if the sales force is too small or does not meet customers’ needs. These risks are assessed regularly.

Public-sector pricing legislation

A large part of the sales of secunet AG is subject to the ordinance on prices for public service contracts (Verordnung über die Preise bei öffentlichen Aufträgen). A price check may result in a retroactive price adjustment, which would then lead to a repayment from profits that have already been collected. However, the price checks carried out to date have only resulted in minor repayments.

Major projects

secunet is active in the project business: many projects relate to infrastructures and solutions that have been designed on an individual basis. In addition, IT security infrastructures are often associated with a large investment volume. Major projects such as these often initially involve a costly and often protracted tendering and decision-making procedure to meet customer requirements. This places great limitations on the ability to plan for sales, leading to an associated volatility in secunet’s business even when the Company is enjoying a long-term growth trend. Once they have been commissioned, major projects are characterised by multiple uncertainties due to the sheer fact of their size. For example, risks may ensue in relation to the maintenance of both schedules and project budgets. secunet takes account of these risks by means of a comprehensive project management system, which is used to regularly generate management reports for project managers, business unit heads and the Management Board.

No risks that threaten the continued existence of the Company have currently been identified.

Description of the key characteristics of the internal control and risk management system in reference to the Group accounting process (HGB Article 289 Para. 5 and Article 315 Para. 2 no. 5)

Elements of the internal control and risk management system

The secunet Group’s internal control system includes all principles, procedures and measures for ensuring the effectiveness, efficiency and correctness of the accounting system and for ensuring compliance with the applicable legal provisions.

The secunet Group’s internal control system consists of an internal control system and an internal monitoring system. The Management Board of secunet Security Networks AG – in its function as the
managing body of the Company – has appointed managers responsible for the secunet Group’s internal control system, in particular in the areas of controlling, finance and human resources that are run by secunet Security Networks AG.

Process-integrated and process-independent monitoring measures are the cornerstone of the secunet Group’s internal monitoring system. In addition to manual process controls – such as the dual-control principle for example – automatic IT process controls also form a key part of the process-integrated measures. Process-integrated monitoring continues to be assured by means of committees such as the risk committee and by specific functions within the Group such as the legal unit.

The Supervisory Board and the Group internal auditors of secunet Security Networks AG are involved in the secunet Group’s internal monitoring system through process-independent auditing functions.

Use of IT systems

At secunet Security Networks AG, accounting processes are mainly recorded by the ERP system provided by the manufacturer SAP.

Specific Group accounting-related risks

Specific Group accounting-related risks may result, for example, from the conclusion of unusual or complex transactions that are not routinely performed.

Key regulatory and controlling activities for ensuring the correctness and reliability of Group accounting

The controlling activities for assuring the correctness and reliability of the accounting system include tasks such as the analysis of circumstances and developments using specific key ratio analyses. The allocation of administrative, management, billing and approval functions and their implementation by separate people reduces the possibility of fraud. The organisational measures are also designed to ensure that restructuring initiatives or changes to the business activities of individual business units are recorded promptly and correctly in the Group accounting. They also ensure, for example, that in the event of changes to the IT systems for the underlying accounting in the affiliated companies, the accounting processes are recorded in their entirety for the relevant periods. The internal control system also ensures the mapping of changes in the economic and legal environment of the secunet Group and ensures that the Group accounting is adjusted in line with new legal provisions or amendments to such provisions.

The secunet Group accounting principles, which include compliance with International Financial Reporting Standards (IFRS), ensure that the companies included in the Consolidated Financial Statements of secunet Security Networks AG follow consistent accounting and measurement policies.

At Group level, the specific controlling activities designed to ensure the correctness and reliability of Group accounting include the analysis and correction, if necessary, of individual financial statements submitted by the Group companies, with due consideration for the reports created by the auditors and the concluding meetings.

Thanks to the internal control system measures aimed at upholding the correctness and reliability of the Group accounting it is ensured that transactions are recorded completely, promptly and in compliance with the legal and statutory provisions. It is also ensured that inventories are carried out correctly and that assets and debts are reported, evaluated and declared appropriately in the Consolidated Financial Statements. Regulatory activities also ensure that reliable and transparent information is made available in the accounting documents.

Restrictive details

Internal control and risk management allows complete recording, preparation and evaluation of Company-related data and the proper representation of that data in the Consolidated Financial Statements through the organisation, control and monitoring structures within the secunet Group.

In particular, individual discretionary decisions, defective controls, criminal actions or other circumstances cannot be ruled out and may lead to limited effectiveness and reliability of the internal control and risk management system used to the extent that the Group-wide application of the system cannot absolutely guarantee the correct, complete and timely recording of facts in the Consolidated Financial Statements.