The business decisions we make daily in the course of business processes are based on balancing opportunities and risks. We therefore regard the management of our opportunities and risks as an integral part of our overall business management system rather than as the task of a specific corporate function. Opportunity and risk management at Covestro also includes nonfinancial opportunities and risks.
Our opportunity and risk management begins with strategy and planning processes, from which relevant external and internal opportunities and risks of an economic, ecological, or social nature are derived. Financial and nonfinancial opportunities and risks are identified by observing and analyzing trends along with macroeconomic, industry-specific, regional, and local developments. This contributes to identifying business potential and making decisions.
The identified opportunities and risks are subsequently evaluated and incorporated into our strategic and operational processes. We aim to avoid or mitigate risks by taking appropriate countermeasures, or to transfer them to third parties (such as insurers) to the extent possible and economically acceptable. At the same time, we strive to take maximum advantage of opportunities by incorporating them into our business decisions. We consciously accept and bear manageable and controllable risks that are in reasonable proportion to the anticipated opportunities. Covestro regards these as the general risks of doing business. Where we expect any opportunities and risks to materialize within the next 12 months, they will be included in the statements in the Report on Future Perspectives. Opportunities and risks are continuously monitored so that, for example, changes in the economic or legal environment can be identified at an early stage and suitable countermeasures can be initiated, if necessary.
Under the global transformation program STRONG, short-term opportunities were identified and systematically captured together with various corporate functions in 2025.
We also identify medium- and long-term opportunities in order to stay agile and proactive in a dynamic environment and to respond to increasing regulatory requirements. This is done in close consultation with the corporate Strategy function, which actively monitors innovation streams, long-term market changes, and sustainability trends. The medium- and long-term opportunities identified, which go beyond the short-term opportunities included in the transformation program, relate, among other things, to the focus areas of innovation, customer centricity, optimization of our production processes, and digitalization. In this context, we regard the corporate Human Resources function as a key lever, ensuring a qualified, committed workforce that contributes to realizing the opportunities.
To enable the Board of Management and the Supervisory Board to monitor material business risks as legally required, the following systems are in place:
The various management systems are based on different risk types, risk characteristics, and timelines. Different processes, methods, and IT systems are therefore applied to identify, evaluate, manage, and monitor risks. The principles underlying the various systems are documented in local procedures that are integrated into our central document control processes and are accessible to all employees via the intranet. Covestro’s Board of Management is primarily responsible for supervising the Group’s internal control system, the compliance management system, and risk management.
The effectiveness of the above management systems is evaluated at regular intervals by the Corporate Audit function, which performs an independent and objective audit focused on verifying compliance with laws and policies. In October 2025, the Risk Management department was organizationally integrated into the Corporate Audit function. This allows synergies to be used as part of existing possibilities and in accordance with the Three Lines Model of the Institute of Internal Auditors (IIA). Functionally, the Risk Management department continues to report to the Chief Financial Officer within the Corporate Risk Committee. Corporate Audit systematically evaluates the efficiency and effectiveness of governance, risk management, and control processes in the company and helps to improve them. This includes internal monitoring of the appropriateness and effectiveness of the internal control system and the risk management system. The selection of audit targets follows a risk-based approach. Corporate Audit performs its duties according to internationally recognized standards. The Supervisory Board’s Audit Committee is regularly informed about the results of audits and also receives an annual report on the internal control system and its effectiveness.
Since the Risk Management department reports to the same management as the Corporate Audit function, this circumstance would be highlighted in case of an internal audit of Risk Management. Measures have, moreover, been implemented to ensure independence, avoid conflicts of interest, and enforce self-audit prohibitions. In addition, the two governance areas, Risk Management and Internal Audit, are regularly subjected to external audits independently of each other.
The statement on the appropriateness and effectiveness of the internal control system, the risk management system, and the compliance management system, which is aligned with the company’s risk situation, can be found in the Declaration on Corporate Governance.
For further information, please refer to “Declaration on Corporate Governance.”
»ESRS 2.36 (a), AR11 An appropriate, effective internal control system (ICS) is essential for successfully mitigating risk in business processes. Covestro’s ICS takes account of all business processes with a significant impact on financial and nonfinancial indicators, which also include metrics related to sustainability. The ICS scope is defined by a risk-based control approach that takes account of both materiality and risk aspects.
The implementation of the ICS at Covestro is based on the internationally recognized model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the currently applicable 2013 version, and on the Control Objectives for Information and Related Technology (COBIT) for IT controls.«
»ESRS 2.36 (b) − (d) A network of ICS and process owners has been established in the Group to identify and evaluate risk in a consistent and coordinated way and to develop and implement appropriate countermeasures. Risks are classified into different risk categories: risks of financial and nonfinancial reporting, operating risks, and risks relating to fraud and corruption. Risks of nonfinancial reporting can especially be seen in sustainability reporting, where there are, for example, controls on metrics relating to energy consumption, greenhouse gas emissions, and production waste. Process owners identify risks in their processes in terms of the potential scale of their impact and their likelihood and define appropriate mitigating controls to ensure that the data gathered are complete, correct, available, and timely. The ICS network, which consists of local and regional ICS specialists and process owners from all corporate functions, is managed centrally by a team of global ICS managers. Binding ICS standards have also been established throughout the Group. The management of each Covestro Group company is responsible for implementing these standards at the local level. If any issues such as process or control weaknesses are identified during the ICS cycle, they are discussed with the corporate function/responsible owners so that appropriate measures can be taken to eliminate or safeguard against these weaknesses.«
»ESRS 2.36 (e) In addition to controls that have to be regularly performed, the control environment also includes self-assessments relating to the controls and the underlying process. To ensure the effectiveness of the controls, the self-assessments are conducted at different levels – from the persons directly involved in the processes, through the principal managers responsible for the various operating processes, up to the Board of Management. The CEO, the CFO, and the Audit Committee of the Supervisory Board are kept up to date with the status and results of the self-assessments at least once a year.«
Continuous reviews and, where necessary, adjustments to the control environment ensure in this process that our ICS is consistently effective and appropriate, even when business models change, acquisitions or divestments are made, or technical specifications/IT systems are adapted.
(Group) accounting and financial reporting, which include the preparation of the Financial Statements and Consolidated Financial Statements of Covestro AG, are the responsibility of the corporate Accounting function. This function is also responsible for ensuring that all consolidated subsidiaries apply consistent accounting rules and for creating an ICS.
Accounting and financial reporting are based on a structured process with a corresponding organization and workflows and associated work instructions. In addition to the segregation of functions, the dual control principle and continuous plausibility checks are fundamental control and monitoring measures in the process of preparing financial statements.
The preparation of the Consolidated Financial Statements under the International Financial Reporting Standards (IFRSs) is governed by the Covestro Directive on Consolidated Financial Statements. It specifies how the consolidated companies have to apply accounting policies in accordance with IFRSs and submit the data to the standard consolidation system.
Once submitted, this data runs through various checks to verify plausibility and accuracy. For example, system-integrated validation rules ensure on submission that the companies’ data is consistent.
Appropriate controls have been implemented in the ICS to ensure proper accounting and reporting. The control environment has been designed to ensure that the requirements for reliable reporting can be met, i.e., that all relevant business processes and transactions are recorded in a correct, timely, and consistent manner. It is intended as a way to prevent material misrepresentations with reasonable assurance.
Compliance risks are systematically identified and assessed as part of Covestro’s Group-wide risk management. Risk owners assess the compliance risks that have been identified. A risk matrix is used to define focal points of compliance tasks at Covestro. If the risk profile changes, new controls are implemented if needed.
Many controls have been implemented at both the global and local levels to reduce the number of compliance risks. To the extent possible, we integrate the compliance controls into our internal control system. The effectiveness of the compliance controls is evaluated on the basis of a cascaded self-assessment system, as are the other ICS processes. The results of the effectiveness evaluations are documented in the global system for the ICS processes. The Corporate Audit function regularly reviews the compliance activities in independent, objective audits as part of dedicated compliance checks in the larger companies. In the smaller companies, compliance aspects are part of a general review.
»ESRS 2.36 (a) – (d) Covestro has implemented a structured risk management process for the early identification of any potentially disadvantageous developments that could have a material impact on our business or endanger the continued existence of the company. This process complies with the legal requirements regarding an early warning system for risks pursuant to Section 91, Paragraph 2 of the German Stock Corporation Act, and is aligned with the international risk management standard COSO II Enterprise Risk Management – Integrated Framework (2004).
Corporate Risk Management defines, coordinates, and monitors the framework and standards for this risk management system, ensuring adequate risk communication and reporting to both management and the responsible risk managers. Covestro uses risk management software that simplifies the aggregation of risks, provides displays of various interdependencies, and enables the risk-bearing capacity to be determined.«
»ESRS 2.36 (e) Risks are identified, evaluated, and handled in the operating business entities and corporate functions by the respective risk managers, who are organized in various global sub-committees. The Covestro Corporate Risk Committee met three times in fiscal 2025 to review the risk landscape as well as the various risk management and monitoring mechanisms that are in place, and to take any necessary measures. The opportunities portfolio is, moreover, presented once a year in the Corporate Risk Committee and approved by the Head of the Corporate Risk Committee. Additionally, we conduct an ad-hoc process for newly identified risks throughout the year so that these are immediately integrated into the risk management system. These ad-hoc risks are identified and their handling is determined based on risk assessments and depending on the defined thresholds. In addition, the Corporate Audit function complements the monitoring process with process-independent monitoring.«
»ESRS 2.53 (e) Risks are evaluated using estimates of the potential impact after taking into account countermeasures and the likelihood of their occurrence. The potential economic losses are projected using the expected EBITDA loss and, in some individual cases, the FOCF loss. If the financial impact cannot be estimated, a qualitative assessment is made of the extent of the damage on the basis of criteria such as strategic effect, influence on our reputation, or possible loss of confidence among groups of stakeholders. Opportunities are currently assessed qualitatively, because they are not limited only to direct financial planning metrics, but also reflect the growing importance of innovation, sustainability, and long-term value creation. All material opportunities and risks as well as the respective (counter)measures are documented and regularly updated in the risk management software, which is used throughout the Group. The risk management system is reviewed regularly by Corporate Risk Management over the course of one year. Significant changes are promptly entered in the software and reported to the Board of Management. In addition, a report on the risk portfolio is submitted to the Audit Committee several times a year and to the Supervisory Board at least once a year.«
»ESRS 2.36 (b), ESRS 2.53 (c) iii Risks in connection with material sustainability topics and in relation to our operating activities, business relationships, or products are taken into account as part of our Group-wide risk management with the same care as financial types of risks. We report in our Group Sustainability Statement on how these risks are taken into account during the double materiality assessment.«
For further information, please refer to “Impact, Risk and Opportunity Management.”
The following matrix illustrates the quantitative and qualitative criteria for rating a risk as low, medium, or high. The same applies to the classification of nonfinancial risks.
1 An individual risk that could have both a direct financial and an indirect financial impact of different severities is always classified based on the higher level of risk.