As an internationally operating Company, CompuGroup Medical is subject to a variety of different risks. CompuGroup Medical is aware of the necessity to enter into risks, which also enable the Company to capitalize on opportunities.
The risk management system of CompuGroup Medical is implemented in all Group companies and in all the individual business units. A significant component of the risk management system is the Group-wide early warning system, for example in the form of internal benchmarking, cost efficiency nalysis and performance gap analysis related to Key Performance Indicators. An Internal Audit function was created during 2013, of which responsibility includes the review of the adequacy, effectiveness and efficiency of risk management. Within the framework of good corporate governance, the internal control system also operates alongside and in support of the risk management system.
The risk reporting system encompasses the systematic identification, quantification, documentation and communication of risks. Corresponding foundations, processes, and responsibilities within risk management are documented in guidelines distributed and used throughout the Group. New and relevant experience gained during risk management work is being used to update the guidelines and processes to ensure continuous improvement of the risk management system. One of the important objectives of the risk management system is to give management the ability to identify and assess risks that endanger the growth and going concern of CGM at an early stage and to support in the design of corrective measures to minimize the impact of risks.
The deliberate taking of calculated risk positions within our risk management system is an unavoidable part of running our business. Risks that endanger the going concern of the Group may not be taken and the risk management system helps management avoid such risk positions. If this is not possible then such critical risks must be minimized or proactively transferred, for example by obtaining appropriate insurance. Risks are controlled and monitored at the level of individual companies, at business area level and at Group level.
We see potential future developments or events that could lead to a negative impact on the financial results and the current year earnings forecast of CGM as part of our risk picture. The assessment of the identified risks in this area is essential for the one-year forecast horizon of CGM.
The annual risk reporting process begins by using checklists to identify all major risks within defined risk areas. CGM has defined eight risk areas as follows:
- Strategic risks
- Economic and political risk
- Operational risks
- Financial risks
- Regulatory risks
- Personnel risks
- Data processing risks
- Project risks
We evaluate the identified risks in a two stage process according to probability of occurrence and potential loss. Here, the gross loss is initially estimated by the responsible risk manager of individual Group companies. Furthermore, measures for risk prevention and minimization as well ways of risk transfer are proposed by the risk managers. Risk identification and risk assessment is supported by senior management in the relevant company or business area and also by the responsible regional financial officer "Head of Finance". The locally collated risks are then analyzed by the Group-level controlling function. After completion of the analysis of identified, reported and rated risks, risk aggregation and overall assessment is performed by the Group controlling function. The analytical procedures used for the aggregation and analysis of risks are based on a method similar to Monte Carlo simulation and an Operational Value-at -Risk analysis.
The risk aggregation resulting from the Monte-Carlo type simulation provides potential damage value for each risk class, each risk category and for the summary of all risks to the Group. The damage value is understood as the potential expected annual loss (at-risk entry). The Operational Value-at-Risk method provides information on the potential maximum annual loss for each risk class, each risk category and for the summary of all risks to the Group.
The subsequent risk reporting is done directly to the Chief Financial Officer of CGM AG, who again informs the Management Board and the Supervisory Board about the risk situation of the Group. In the event of unforeseen material changes, the CFO will be informed immediately and he in turn has the task to inform the Management Board and the Supervisory Board about such unforeseen developments. The coordination of the whole process and the analysis of the inventoried risks is the responsibility of the Group Controller. A comprehensive risk report is submitted from the Group Controller to the Management Board on a quarterly basis.
For the period from 1 January 2013 to 31 December 2013 the risks within the eight areas were reported to the Management Board. According to the quantity of the reported risks, the following ranking shows the risk areas in order of importance for the Group:
- Operational risks
- Strategic risks
- Regulatory risks
- Financial risks
- Economic and political risk
- Personnel risks
- Project risks
- Data processing risks
The risk reporting process is supported by an intranet-based database which ensures transparent communication throughout the Group. For the 2014 financial year, it is planned that the Internal Audit function periodically will assess the quality and function of our risk management system. As part of the annual audit in 2013, an external audit of the structure and function of our risk management system in accordance with section 317, paragraph 4 German Commercial Code (HGB) was performed, confirming that it is suitable to detect ahead in time developments that threaten the going concern of the Group.
This risk area includes risks associated with research and development, markets and customers. The analysis of expected potential annual loss for all identified operational risks is approximately EUR 7 million (previous year: EUR 14 million). The potential annual maximum damage within this category inside a 95 percent confidence interval amounts to approximately EUR 25 million (previous year: EUR 38 million), with a 5 percent probability that there may be a higher, unexpected damage.
Research and development
Generally, there is always a risk that products and modules will not be able to be realized within the specified time frame as well as the adequate quality and cost budget constraints. To avoid this risk, the Group conducts systematic and regular reviews of project progress and compares the results at hand with the initially set targets. In case of deviations, measures can then be taken to compensate for impending damage. Due to the broad range of our research and development activities, it is not possible to identify a risk concentration on specific products, patents or licenses.
Market and customer risks
Due to the complexity and significant legal requirements of our products, the distribution of sales and service partners entails certain risks. To also ensure that quality requirements are also complied with by the sales and service partner, special trainings will be offered. The selection of the sales and service partners is subject to strict requirements.
The e-health market is characterized through strong competition and extensive saturation of the market. This intensive competition can lead to price erosion for our products and services as well as to increasing expenses to ensure customer loyalty and attraction. In the current financial year, CompuGroup Medical expects, as in the past financial year, consistently good business development with manageable risks which could have an impact on the profit situation.
This risk area includes risks which can endanger the target achievement due to an insufficient orientation of the Company to the respective market environment. The analysis of expected potential annual loss for all identified strategic risks is approximately EUR 6 million (previous year: EUR 10 million). The potential annual maximum damage within this category inside a 95 percent confidence interval amounts to approximately EUR 18 million (previous year: EUR 22 million), with a 5 percent probability that there may be a higher, unexpected damage.
Strategic risks may result from an inadequate strategic decision-making process, from unforeseen market developments or from a faulty implementation of the chosen corporate strategy. For CompuGroup Medical, the strategic direction of the Group is set at board level and subjected to regular reviews.
- Essential for CompuGroup Medical are risks associated with changes in the healthcare market. This mainly concerns the development of new products and services by competitors, the financing of health care systems and reimbursement in the health care sector.
- The e-health market is characterized by rapidly changing technologies, the introduction of new industry standards and new software introductions and new functionalities. This can lead to existing products and services becoming obsolete and therefore losing their competitiveness.
- Regulatory changes or the introduction of new industry standards, could affect the market positioning of CompuGroup Medical to the extent that the offered products and services no longer completely adhere to these new statutory requirements or industry standards.
The future success of CompuGroup Medical will partially depend on the ability to improve existing products and services to respond in a timely manner to the introduction of new products from competitors, and to meet changing customer and market requirements. Furthermore, CompuGroup Medical would be saddled with additional costs for product development as a result of products and services quickly becoming obsolete, which could lead in adverse effects on net results.
This risk area includes risks related to law and politics. The analysis of expected potential annual loss for all identified regulatory risks is approximately EUR 3 million (previous year: EUR 3 million). The potential annual maximum damage within this category inside a 95 percent confidence interval amounts to approximately EUR 19 million (previous year: EUR 16 million), with a 5 percent probability that there may be a higher, unexpected damage.
Risks related to law and politics
CompuGroup Medical’s business activities are strongly influenced by the regulatory environment in the public healthcare systems of the individual national markets and thus also by the market structures that are formed by these regulations. The regulatory structure of the European healthcare sector, which is the Company’s primary market at this time, is based on regulations, such as the laws and directives issued by the respective national states and/or by supra-national structures, the latter primarily enacted by the European Union and/or quashed or amended by court decisions. In particular, CompuGroup Medical hereby faces the risk that amendments to existing or the adoption of new regulations at a national or supra-national level (the latter primarily referring to the EU level) may adversely affect market conditions relevant to CompuGroup Medical and thus have a detrimental impact on the business activities of the Group or its individual subsidiaries. Exact projections with regard to the introduction and extent of potential amendments to national and supra-national regulations or their impact on the markets that are important for CompuGroup cannot be made as the introduction and extent of such regulations depend on the political process in the individual countries, and the subsequent impact of such regulations is strongly influenced by the reaction of the respective, affected market participants.
There are currently no known or threatened legal disputes in existence that might have a significant impact on the financial situation of the Group.
CompuGroup Medical is greatly dependent on its proprietary information and technology. However, risk that may arise from the illegal use of intellectual property cannot be fully eradicated. CompuGroup believes that the currently available options are sufficient to protect its intellectual property rights in order to prevent illegal use, which could lead to significant quantitative and qualitative damaged.
Although the license agreements with customers prohibit the misuse of the source code or other trade secrets, there is a residual risk that source code or trade secrets could arrive into the possession of third parties so that they benefit from them illegally. It is also conceivable that third parties thereby are able to develop independently similar or superior products, which are corresponding to the technology or design around the proprietary rights of CompuGroup Medical. Considering the present situation, we class this risk as low.
This risk area includes risks associated with liquidity and refinancing risks, currency risks, acquisition risks and control risks. The analysis of expected potential annual loss for all identified financial risks is approximately EUR 3 million (previous year: EUR 4 million). The potential annual maximum damage within this category inside a 95 percent confidence interval amounts to approximately EUR 14 million (previous year: EUR 14 million), with a 5 percent probability that there may be a higher, unexpected damage.
Liquidity and refinancing risks
Business models that are not exclusively financed through equity capital generally face the risk that the leveraged portion of the business is dependent on the given refinancing situation in the capital markets. As a precaution against this specific risk factor, CompuGroup Medical implemented a support structure that is based on credit lines with national and international Company-affiliated banks.
The syndicated loan (EUR 330 million – for details see Group notes) covers the Group’s basic capital requirements. It is composed of a term loan and a revolving loan. CompuGroup Medical has another credit line (current account with a EUR 17,245,800 million limit) as well as bilateral credit lines that are used for covering its short and medium-term liquidity requirements from operating activities and for expenses resulting from the Group restructuring measures, so as to provide additional capital if and when required.
Financial covenants have been agreed for the syndicated loan. If the Group breaches any of these covenants, the loan can be recalled immediately. This creates liquidity and refinancing risks. An additional short-term liquidity risk results from the risk of misjudgments during working capital planning that could mean that trade receivables and liabilities may not be collected or paid on time.
Corporate Treasury prepares a rolling one-week liquidity plan to monitor and manage short-term liquidity risks. Short-term fluctuations in working capital requirements are monitored on a daily basis and can be offset with bilateral credit lines. Short and medium-term structural liquidity requirements can generally be met by drawing on the revolving credit line.
Strict working capital management, whose methods and targets are regularly evaluated and adjusted, if necessary, also serves to manage short-term liquidity risks.
The medium-term liquidity risk is monitored and managed with the help of 12-month liquidity planning. Compliance with the financial covenants is consistently monitored as part of planning and the results are regularly reported to both management and the banks. For details on the financial covenants, please refer to the respective sections in the Group notes.
Essentially, CompuGroup Medical considered changes in interest rates as the primary market risk. The risk management strategy therefore aims to balance out all relevant fair value and cash flow risks. Keeping in mind that most of the long-term financial liabilities of the Company are closed on the basis of variable interest rates, an interest rate risk occurs, especially for cash flows. To hedge this risk, the Company has entered into several swap contracts for part of the variable-interest financial liabilities, and therefore fixed the interest rates, rather than exposing them to market fluctuations. Through the closing of interest rate swaps, a limitation of the interest rate risk on cash flows and steady payments can be ensured.
Despite all the preventive measures taken, it is not possible to entirely prevent certain refinancing interest rates that the Company must pay from undergoing unfavorable developments or refinancing through leverage from being refused in the medium term. Considering our current situation, there is no evidence that future refinancing or, generally, an increase in leverage might be subject to risk out of the ordinary.
Further financial risks refer to the risk of bad debt losses. Due to the diversified markets and customer structure of the Group, no agglomeration risks are evident. Given the high creditworthiness of the majority of our customers, the long-term average of bad debt risk is generally low.
Due to the international focus of the Group, incoming and outgoing payments are performed in various currencies. The Group conducts a comparison and balancing of payment streams in the individual currencies. The Company generally strives to achieve extensive natural hedging by its choice of locations and suppliers. At present, the Company does not use any derivative financial instruments to hedge the foreign currency exposure. The development of the relevant positions is monitored regularly to ensure adequate response to significant changes in the positions.
The Company plans to further develop its presence in the national and international market, through such means as the acquisition of companies. In this process, acquisitions are prepared and analyzed with the greatest possible care and diligence. Nonetheless, every acquisition carries its own inherent risk, which, if encountered, may have an impact on the Group’s results.
CGM is planning to grow also in the future in the national and international markets, including growth through acquisitions, Acquisitions are prepared with the greatest possible care and diligence. Nevertheless, a risk is generally associated with any acquisition, which in the case arising, may have impact on the Group's results.
A significant part of assets from a Group perspective are the intangible assets which were purchased by acquisitions. In accordance with mandatory applicable accounting standards, the goodwill is evaluated at least annually, and other assets are also to be evaluated, in the case of so-called “triggering events”. If an impairment of assets results from such a valuation, a corresponding adjustment to the carrying amount of these assets to the determined fair value less cost to sell has to be carried out. Hereby, many different parameters like changes in legislation or the competitive environment can have a significant impact on the value of these intangible assets. If intangible assets are subject to any impairment losses, these have to be recognized, which leads to a corresponding reduction of the net results.
The risk that the tax authorities may carry out an audit and demand backdated tax payments for which the Company has not recognized any or only insufficient provisions cannot be completely excluded. Considering the present situation, CompuGroup Medical has recognized sufficient provisions for general risks from ongoing tax audits.
This risk area includes risks arising from political changes and the influence of macroeconomic developments. The analysis of expected potential annual loss for all identified macroeconomic risks is approximately EUR 3 million (previous year: EUR 3 million). The potential annual maximum damage within this category inside a 95 percent confidence interval amounts to approximately EUR 12 million (previous year: EUR 13 million), with a 5 percent probability that there may be a higher, unexpected damage.
The products and services offered by CompuGroup Medical are currently marketed in 43 countries. Both the development of business relations in these countries as well as the business activity itself is associated with the usual risks for international business dealings. This is in general and in particular related to the existing general economic or political situation of the single countries, the diversity of different tax systems, legal barriers in terms of import and export restrictions, competition regulations and laws for the use of the Internet or restrictions for the development and deployment of software products and services.
CompuGroup Medical counteracts these risks by regularly consulting with local lawyer’s offices and tax advisors in countries where it is entering the market or conducting further business activities and by communicating with local public authorities. In general, risks that may arise from changes in macroeconomic factors can never be excluded completely.
This risk area includes risks arising from the concentration of business-relevant expertise to individual employees, staff turnover, staff over-and-under utilization, poor working environment, etc. The analysis of expected potential annual loss for all identified risks in this area is approximately EUR 2 million (previous year: EUR 6 million). The potential annual maximum damage within this category inside a 95 percent confidence interval amounts to approximately EUR 9 million (previous year: EUR 13 million), with a 5 percent probability that there may be a higher, unexpected damage.
To a large degree, the economic success of the Group is related to the management and strategic leadership of previous and current Management Board members as well as to a few Company employees in key positions. Despite the fact that there are, aside from Management Board members, additional employees who perform management tasks, it can be safely assumed that in the event of individual persons leaving the circle of key position holders, the business activities of the Company as well as the results and financial position would be negatively impacted.
The Group considers the performance of its employees to be essential for its growth and development. Thus, the Group is in competition with other companies for highly qualified specialists and executives. As a result, the Group offers an attractive compensation system as well as individually tailored continuing education to win employees and retain them over the long term. Currently, no significant risks are known that may have an impact on the recruitment of specialists and executive personnel, and that could thus endanger the growth targets we have set.
CompuGroup Medical considers its employees to be an integral part of the Group’s public image. In the event of non-compliance with the ethical principles firmly anchored in CGM’s management culture, risks may arise through possible negative effects on the image and good reputation of the Company. A temporary higher probability of risk by non-compliance with CGM’s principles may arise in the case of newly-acquired companies.
This risk area includes risks arising from non-compliance with agreed timelines, missing or inadequate staff resources, lack of or inadequate material resources, lack of customer acceptance of the project deliverables etc. The analysis of expected potential annual loss for all identified risks in this area is approximately EUR 2 million (previous year: EUR 2 million). The potential annual maximum damage within this category inside a 95 percent confidence interval amounts to approximately EUR 8 million (previous year: EUR 7 million), with a 5 percent probability that there may be a higher, unexpected damage.
The Company makes part of its sales in the project business. There are longer time periods between the order assignment and the payment for the order, during which the Company has to take care of advance payments. The risk the Company faces in these periods is specifically the credit risk of its customers. Furthermore, the risk the Company faces in the project business is the continuous need for new orders/projects to be able to generate the necessary sales volume or sales volume growth. Resulting from the extremely high initial implementation costs of software solutions and the resulting long-term product life cycle, the HPS II business segment is especially exposed to the risk that profitable new business may take a long time to materialize. Hence, the Company strives to establish long-term business relationships with its customers, often by taking over software maintenance, in order to be a contact partner and to be able to participate in the bidding process when new orders/ projects are awarded. Risks may also arise when the market is not sufficiently monitored, resulting in an inadequate bidding and order pipeline. In the absence of new business and the expiration of software maintenance contracts, the Company may suffer a loss in sales, which would have a negative impact on the Group’s results.
In the reporting period, CGM has started the largest internal IT and organizational project in the history of the Group. The project is named ‘OneGroup’ and entails the standardization and optimization of roles, structures and processes in all our companies and business areas world-wide based on a centralized SAP IT platform and other integrated IT solutions. All existing internal IT solutions will be migrated to this platform once the new solution is finished and proven. From this project, there are risks of non-compliance with agreed timelines, start-up problems, etc. that can result in corresponding financial risks.
This risk area includes risks arising from a lack of coordination and alignment of IT strategy with corporate objectives, insufficient data in IT systems, inadequate documentation, etc. The analysis of expected potential annual loss for all identified risks in this area is approximately EUR 1 million (previous year: EUR 1 million). The potential annual maximum damage within this category inside a 95 percent confidence interval amounts to approximately EUR 5 million (previous year: EUR 5 million), with a 5 percent probability that there may be a higher, unexpected damage.
CompuGroup Medical’s customers use the Company’s products and services to store, process and transmit highly confidential information about the health of their patients. Due to the sensitivity of this information, security features are very important as an integral part of our products and services. If despite all efforts the security features offered by CompuGroup Medical products do not work in an orderly manner, claims for damages, fines, penalties and other liabilities due to a violation of applicable laws or regulations could arise. Also, extensive costs to rectify any deficiencies and re-engineering to prevent such vulnerabilities in the future could arise. Moreover, the image of CompuGroup Medical as a trustworthy business partner could suffer severe damage.
Adding all risk areas together, the level of potentially expected total annual loss for the Group is EUR 28 million (previous year: EUR 43 million). The potential annual peak damage at Group level within a 95 percent confidence interval is EUR 109 million (previous year: EUR 128 million), with a 5 percent probability that there may be a higher, unexpected damage.
After evaluation of the currently identified existing risk positions, the continued existence of the CGM AG and the Group is not compromised. The resulting accumulated potentially expected annual total damage could be covered by the anticipated operating cash flows of the Group.
Internal control system and risk management system relevant for the consolidated financial reporting process
In our financial reporting, there is a risk that the consolidated annual and interim financial statements contain errors and misrepresentations that may have a significant influence on the decisions of their addressees. Our accounting-related internal control system (ICS) aims to identify possible sources of error and to minimize the resulting risks. It encompasses the financial reporting throughout the Group. In this way, we can provide assurance that the consolidated financial statements are prepared according to statutory rules. The following disclosure of the financial reporting process conforms to Section 289 (5) and Section 315 (2) No. 5 of the Handelsgesetzbuch (HGB – German Commercial Code) in accordance with the German Accounting Modernization Act (BilMoG), effective 29 May 2009. The main features of CompuGroup Medical AG’s existing internal control system and the risk management system in relation to the (Group) financial reporting process can be described as follows:
- Within CompuGroup Medical, a clear management structure and enterprise structure is implemented. Key regional and sector functions are controlled centrally through CompuGroup Medical AG. Operationally active subsidiaries have a high level of individual responsibility. A clear separation of functionalities is ensured in the areas of “Group Accounting”, “Controlling”, “Financial Accounting”, “Human Resources”, “Internal IT”, “Risk Management”, “Procurement” and “Investor Relations”, which are involved in the financial reporting process. Responsibilities are clearly defined.
- The departments involved in the financial reporting process are in line with the quantitative and qualitative requirements defined by the Group.
- Financial accounting, with the exception of the majority of German and French subsidiaries, which are centrally managed via the CGM AG, is decentralized. The local subsidiaries sometimes in turn provide bookkeeping and other financial functions for its subsidiaries or affiliates. As the parent company of the Group, CGM AG performs key tasks in the field of accounting and finance, e.g. the Group consolidation, the accounting treatment of pension provisions in Germany, accounting for business combinations and the impairment tests of recognized goodwill. CGM AG furthermore performs the administration, accounting and monitoring of financial instruments, transaction banking, cash management and the calculations and disclosures related to the German tax group. External service providers and advisors are consulted in this respect.
- An internal directive written according to Company requirements is implemented (among other things a Group-wide accounting directive, risk management directive and research and development directive). The financial systems used are protected against unauthorized access by adequate security mechanisms. The financial systems used are mostly standard software.
- To ensure a Group-wide analysis and control of income relevant risk factors and risks that endanger the continuing operations of the Company, the Group uses standardized planning, reporting, control and early warning systems and processes.
- Group Accounting, in particular, is centrally organized and pools the Group’s (global) information in one place. The subsidiaries’ segment managers/company managers, and ultimately the Management Board, continuously monitor Group Accounting’s reporting activities.
- CGM AG uses a Group-wide reporting system for the preparation of financial statements. This system is also used for the preparation of budgets and forecasts. All consolidated subsidiaries use this system which forms the basis for a standardized data reporting process in the Group
- The members of the Board of CGM AG take an internal balance-sheet oath for the external full-year reporting and sign the Responsibility Statement. They thus confirm that the prescribed accounting standards have been complied with and that the figures give a true and fair view of the assets, financial and earnings position.
- A review of the financial reporting process is performed. An internal audit department was established during the reporting period to perform such reviews
- Required financial reporting processes are subject to regulated analytical tests. The Group-wide risk management system is regularly updated in line with current developments and its adequacy reviewed in terms of quantity and quality. To comply with the standards for the Group financial reporting processes, the function of regional responsibility through the position "Head of Finance" is implemented Group-wide. These regional financial managers report in all finance-related and accounting-related areas directly to the Chief Financial Officer of CGM AG. The Chief Financial Officer shall inform the Management Board and the Supervisory Board on critical or high-risk subjects and advises on corrective measures as needed. Other special departments involved in the financial reporting process to implement the activities and / or tracking of actions involved are "Group Accounting", "Group Controlling", "Financial Accounting", "Human Resources", "Internal IT”, "Risk Management", "Procurement " and " Investor Relations ". Furthermore, a regular review of complex and significant changes in underlying accounting-related topics (e.g. receivables management, impairment test, balance sheet analysis for compliance with the financial covenants and the sustainability of further acquisitions and initial consolidation of subsidiaries). The impact of accounting-related risks is evaluated for their influence on financial reporting by means of impact analysis (e.g. forward-looking balance sheet simulation). This also includes the analysis of the measures introduced to limit identified risks, including the effectiveness of the measures.
- For key issues in accounting, risk management and the audit mandate of the auditor, the Supervisory Board has established an Audit Committee.
For all main financial reporting processes, a “four-eye principle” is applied.
The accounting-related internal control and risk management system, whose main features have been described earlier, ensures that corporate balance sheet issues are properly recorded, processed, assessed and incorporated in the external accounts. Group Accounting is a central function and as such monitors all these processes. It is monitored in turn by the CFO and Audit Committee.
A strict organization, Company, control and monitoring structure forms the basis for efficient work processes. The staffing and equipment of the accounting-related areas in accordance with the requirements of the Group ensure effective and accurate work, in terms of both personnel and material. Legal and corporate directives and guidelines ensure that a unified and proper financial reporting process is implemented within the accounting-related areas. The clear delineation of responsibilities and various control and verification mechanisms ensure correct accounting and reliable handling of potential Company risks. Here, the task of the Group-wide risk management system, which is in accordance with the statutory requirements, is to identify risks at an early stage and to assess and communicate them appropriately.