Opportunity and Risk Report Group-wide Opportunity and Risk Management System As a global life science enterprise, the Bayer Group is constantly exposed to a wide range of internal or external developments and events that could significantly impact the achievement of our financial and nonfinancial objectives. Opportunity and risk management is therefore an integral part of corporate management at Bayer. We regard opportunities as positive deviations, and risks as negative deviations, from projected or target values for potential future developments. Following the deconsolidation of Covestro at the end of the third quarter of 2017, the opportunity and risk management of Covestro is no longer analyzed. The operational risks of Covestro are no longer part of Bayer’s risk profile. Opportunity management system We identify opportunities as part of the annual strategic planning cycle, during which the segments analyze internal and external factors that may positively affect the development of our business. These may be factors of a social, economic or environmental nature. The core phase of our strategic planning process normally takes place in the first half of the year and starts with a comprehensive analysis of the markets. The segments build on this by analyzing their respective market environments to identify their opportunities. They base these analyses on different time periods to take into account the fact that trends or developments may impact our business over the short, medium or long term. In addition, opportunities are identified by the management and employees through daily observation of internal processes and markets. We have already taken account in our planning of opportunities that we believe are highly probable to materialize. Risk management system In connection with the reorganization of the Bayer Group initiated at the beginning of 2016, coordination of risk management activities was combined within the Risk Management function, which reports directly to the Chief Financial Officer, and the risk management system was comprehensively and extensively realigned. This realignment involved, among other things, the adjustment of the risk management process – Enterprise Risk Management (ERM) process – to include a revised risk catalogue (Bayer Risk Universe) and a modified assessment system. The Bayer Group has implemented a holistic and integrated risk management system designed to ensure the continued existence and future target attainment of the Group through the early identification, assessment and treatment of risks. The Bayer Group’s risk management system is aligned to internationally recognized standards and principles such as the ISO 31000 risk management standard of the International Organization for Standardization (ISO). Structure of Bayer’s Risk Management System Structure of the Risk Management System Board of Management / Supervisory Board The Board of Management of Bayer AG holds overall responsibility for an effective risk management system. The Audit Committee of the Supervisory Board examines the appropriateness and effectiveness of the risk management system at least once a year. Bayer Risk Committee The Bayer Risk Committee, which is chaired by the Chief Financial Officer, is comprised of representatives from the segments and corporate functions. It ensures that all relevant risks are adequately addressed with risk mitigation measures, and also discusses and regularly evaluates the risk portfolio and the mitigation status. Business operations Responsibility for the identification, assessment, treatment and reporting of risks lies with the operational business units in the segments and corporate functions. Control and monitoring systems To enable the Board of Management and the Supervisory Board to monitor material business risks as required by law, the Bayer Group has implemented a risk early warning system pursuant to Section 91, Paragraph 2 of the German Stock Corporation Act (AktG), an internal control system for (Group) accounting and financial reporting processes and a compliance management system. Various corporate functions are responsible for these systems. As the main corporate function for control and monitoring systems, the Risk Management function assumes governance and coordination responsibilities in relation to the risk management system. It provides overarching standards, methods and tools, is responsible for the risk early warning system, steers the annual ERM process and ensures reporting to the Bayer Risk Committee and the Board of Management. The three systems in place at Bayer are described below. Risk early warning system Our ERM process meets the requirements set out in Section 91, Paragraph 2 of the German Stock Corporation Act. This uses a risk early warning system to identify at an early stage developments that are material and / or could endanger the company’s continued existence. This process establishes a consistent framework and uniform standards for the risk early warning system throughout the Group. Internal control system for (Group) accounting and financial reporting (Report pursuant to Sections 289, Paragraph 4 and 315, Paragraph 4 of the German Commercial Code) As part of the comprehensive risk management system, Bayer has an internal control system (ICS) in place for the (Group) accounting and financial reporting process. This process comprises defined structures and workflows implemented throughout the organization. The purpose of our ICS is to ensure proper and effective accounting and financial reporting in accordance with Section 289, Paragraph 4 and Section 315, Paragraph 4 of the German Commercial Code. The ICS is designed to guarantee timely, uniform and accurate accounting for all business transactions based on applicable statutory regulations, accounting and financial reporting standards and the internal Group policies that are binding upon all consolidated companies. Risks are identified and assessed, and mitigated using suitable countermeasures. Mandatory ICS standards such as system-based and manual reconciliation schließen Reconciliation The reconciliation records, on the one hand, those business activities not assigned to any other segment (“All Other Segments”), including particularly the services provided by Business Services and Currenta. It also includes “Corporate Functions and Consolidation,” which largely comprises Bayer holding companies and Leaps by Bayer (formerly the Bayer Lifescience Center). processes and functional separation have been derived from these frameworks and promulgated throughout the Group by the Risk Management function on behalf of the Chief Financial Officer of Bayer AG. The ICS standards are implemented by the Group companies and their compliance overseen by the respective management. Using Bayer’s shared service centers, these companies prepare their financial statements locally and transmit them with the aid of a standard Group data model. This data model is based on the Group accounting policy and thus ensures the regulatory compliance of the consolidated financial statements. The Board of Management has confirmed the effective functioning of the ICS and the relevant criteria for the 2017 fiscal year. However, it should be noted that an internal control system, irrespective of its design, cannot provide absolute assurance that material misstatements in the financial reporting will be avoided or identified. Compliance management system Our compliance management system is aimed at ensuring lawful and responsible conduct by our employees. It is designed to identify potential violations in advance and systematically prevent their occurrence. The compliance management system thus contributes significantly to the integration of compliance into our operating units and their processes. Details on compliance management can be found under A 4.2 “Compliance.” This section describes in particular the process used to identify risks and measures taken to mitigate them. Process-independent monitoring Among other tasks, the Internal Audit function supports the Board of Management in the independent monitoring of the risk management system. It examines individual risk areas and the measures undertaken. In addition, the external auditor, as an independent external body, assesses the fundamental suitability of the early warning system as part of its audit of the annual financial statements. Basic Elements of the Risk Management System Basic Elements of the Risk Management System The basic elements of the risk management system are described below and established in binding documents. Risk culture and objectives of the risk management system The principles of the risk management system are based on the strategic objectives of the Bayer Group as a whole and its individual segments, and establish the foundation for proper and responsible risk management. The incorporation of all levels of the company into this process heightens awareness about and understanding of risks, which is essential for creating a risk culture. Furthermore, the clearly defined roles and responsibilities, principles, standards, methods, tools and training measures create the foundation for the independent, proactive and systematic management of risks. Risk management process Identification: Risks are identified by risk owners in the operational companies and functions. To support the most complete possible identification of risks, the Bayer Group maintains a Risk Universe that reflects the potential risk categories of Bayer as a life science company. The Bayer Risk Universe also expressly accounts for risks of a nonfinancial nature that are linked with our business activity or business relationships, products and services. Pursuant to the CSR Directive Implementation Act, such risks can include environmental, employee and social issues, as well as human rights, and corruption and bribery (compliance). The Bayer Risk Universe is regularly examined and updated if necessary. Assessment: As set out in the following matrix, the identified risks are evaluated according to their potential impact and likelihood of occurrence, taking into account mitigation measures. Beginning this year, risks are classified in a 5x5 matrix; previously a 3x3 matrix was used. Risk Assessment Matrix The extent of the impact is rated according to quantity and / or quality. The quantitative assessment reflects the possible loss of cash flows, whereas an earnings parameter was previously used. A qualitative assessment of damages is based on criteria such as the impact on our strategy or reputation, the potential loss of stakeholder confidence, and the potential violation of sustainability principles (e.g. in the area of safety, environmental protection or human rights). The highest rating – qualitatively or quantitatively – determines the overall assessment. The likelihood of occurrence is calculated based on a period of ten years. Risks are classified as high, medium or low to assess their materiality regarding the overall risk portfolio. Risks with a potential impact of over €4,000 million are separately examined by the Bayer Risk Committee to determine their potential to endanger the company’s continued existence. Treatment: The risk owners decide on a targeted risk level based on a cost-benefit analysis and define a risk management strategy as well as risk management measures. These include risk avoidance, risk reduction, risk transfer and risk acceptance. Reporting: The results are reported to the Bayer Risk Committee by the Risk Management function. In addition, new risks above a defined threshold are reported to the Risk Management function on an ad-hoc basis and, if relevant, to the Bayer Risk Committee and the Chief Financial Officer. A report on the risk portfolio is submitted to the Board of Management and the Audit Committee of the Supervisory Board once a year. Monitoring and improvement The appropriateness and timeliness of the principles, standards, methods and tools are continuously evaluated by those responsible for ERM. Should the targets and / or the Bayer Risk Universe change, for example, this leads to an adjustment.