Report on Risks and Opportunities

As a global science and technology company, identifying risks and opportunities is an intrinsic part of making our business sectors resilient and generating value. We operate in a highly complex, global and interconnected business environment that further necessitates the competent management of risks and opportunities. Therefore, managing risks and opportunities is an imperative and a core component of our internal business planning and forecasting. We have processes, tools and responsibilities in place to enable the early identification of risks and to supply effective and efficient mitigation strategies.

In our internal risk reporting framework, we define risks as potential future events or developments that could result in unfavorable deviations from our financial and non-financial targets. Risk parameters in this context are the probability and the financial impact (EBITDA pre/free cash flow) or non-financial impact (e.g. on reputation or environmental, social and governance (ESG) aspects, among other factors).

Opportunities imply favorable deviations from our targets. Future events and expected developments are considered in internal planning if a likely occurrence can be assumed within the planning period. The following section presents the risks and opportunities that could result in favorable and unfavorable deviations from existing plans and targets.

The following report is relevant from the perspective of both Merck KGaA, Darmstadt, Germany, and the overarching Group. For additional information and details regarding the non-financial topics, please refer to the Sustainability Statement.

Three Lines of Defense

To organize risk management and controls, we use the well-established “Three Lines of Defense” model, which was developed by the Federation of European Risk Management Associations (FERMA), the European Confederation of Institutes of Internal Auditing (ECIIA) and the Institute of Internal Auditors (IIA). The model divides our company functions for controlling risks properly and effectively into three areas, referred to as lines of defense:

The first line of defense consists of all functions that are responsible for the operational business and whose day-to-day business risks can have an impact. Risk owners (i.e. the heads of the business units, enabling functions and local management) establish processes in accordance with the requirements set by the second line of defense to identify, assess and monitor risks, and to develop measures for proper risk mitigation. Results of these assessments are regularly communicated to the Executive Board.

The second line of defense includes enabling functions at both Group and local level that control and monitor the operational business (first line of defense). This includes the design and implementation of methods and procedures for risk management and the internal control system (financial and non-financial) as well as their regular monitoring.

The third line of defense is our Internal Auditing function. As an objective and independent auditing body, it examines both the operational business (first line of defense) and the controls and monitoring functions (second line of defense) to ensure that risks are effectively identified, evaluated and controlled vis-à-vis the Executive Board and the Supervisory Board.

Both the second and third line of defense functions regularly report to the Executive Board and the Audit Committee of the Supervisory Board.

Internal control system

The objective of the internal control system for the financial reporting process is to implement controls that provide assurance that the financial statements are prepared in compliance with the relevant accounting laws and standards. This system covers measures designed to ensure the complete, correct and timely reporting and presentation of information that is relevant for the preparation of the Consolidated Financial Statements, Annual Financial Statements of the Merck KGaA, Darmstadt, Germany, and the Combined Management Report.

Our internal control system for financial reporting is based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, a globally recognized standard divided into five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. Each of these components is regularly documented, reviewed and/or assessed. This control system aims to ensure the accuracy of the consolidated accounting process through functioning internal controls with reasonable assurance.

The Group Reporting function centrally steers and monitors the preparation and requirements of the Consolidated Financial Statements of Merck KGaA, Darmstadt, Germany, as the parent company of the Group. This consolidation process ensures the proper elimination of intragroup transactions. Group-wide accounting guidelines defined by Group Reporting form the basis for the preparation of the financial statements. In accordance with the IFRS Accounting Standards, the guidelines are adapted in a timely manner to reflect changes in the financial regulatory environment and are updated to reflect internal reporting requirements. For special issues, such as the accounting treatment of intangible assets within the scope of business combinations in accordance with IFRS 3 or defined benefit obligations, external experts are additionally involved where necessary.

The individual legal entities, including Merck KGaA, Darmstadt, Germany, have a local internal control system within a global framework. Where financial processes are handled by Global Enterprise Solutions, the internal control system of Global Enterprise Solutions is additionally applied. Both ensure that accounting complies with IFRS Accounting Standards and the Group accounting guidelines.

Group Financial Reporting provides support to the local contacts and ensures a consistently high quality of financial reporting throughout the entire process.

For Group financial reporting purposes, most of our subsidiaries use standard SAP software. SAP software is also used to prepare the Consolidated Financial Statements. A detailed authorization concept ensures the segregation of duties with respect to both single entity reporting and the Consolidated Financial Statements. The accounting process is generally designed to ensure that all units involved adhere to the principle of dual control.

The operational effectiveness of our financial internal control system is regularly tested by our legal entities and enabling functions within the scope of self-assessments. The quality is systematically reviewed by a dedicated enabling function for internal controls and governance. Control deficiencies are properly recorded and, where necessary, adequate countermeasures are taken to remediate them in a timely manner.

In the context of constantly evolving external and internal requirements for the management of non-financial risks, we continued to develop and implement procedural and organizational measures for non-financial risk management. The non-financial risk assessment was further refined in fiscal 2025 as part of the overarching risk management approach.

The non-financial internal control system aligns with the sustainability strategy and is set up in accordance with the requirements of the Corporate Sustainability Reporting Directive (CSRD). The goal is to continuously prepare for and ensure regulatory compliance, pursuant to existing and upcoming regulatory requirements, by implementing organization-wide measures and controls.

The overall effectiveness of our internal control system with regard to accounting and the compliance of the relevant individual companies’ financial reporting is confirmed by both the local Managing Director and the local Chief Financial Officer by signing the single entity reporting and a separate confirmation regarding the effectiveness of the control system. For the accounting treatment of balance sheet items, Group Reporting closely cooperates with Risk Management to reflect potential risks correctly in the balance sheet.

All the structures and processes described in the foregoing relate to the Group Reporting procedures and are subject to regular review by Group Internal Auditing based on an annual audit plan set out by the Executive Board.

The results of the self-assessments, quality reviews and internal audits are dealt with by the Executive Board, the Supervisory Board and the Audit Committee. Our internal control system makes it possible to lower the risk of material misstatements in accounting. However, residual risk cannot be entirely ruled out as no internal control system is infallible, irrespective of its design.

Risk and opportunity management

Group Risk Management provides the organizational framework for risk management and reports to the Group Chief Financial Officer. We have established a holistic risk management system aimed at safeguarding the long-term achievement of our Group’s goals and addressing risks to ensure our continued existence and future success. Within the scope of audits, Group Internal Auditing regularly reviews the performance of risk management processes within the company and, at the same time, the communication of relevant risks from the operating businesses to Group Risk Management. Additionally, the external auditor examines the risk early warning system in accordance with section 317 (4) of the German Commercial Code (HGB) as part of the year-end audit of Merck KGaA, Darmstadt, Germany.

Our risk management activities aim to continuously and promptly identify, assess and manage risks so that appropriate measures can be implemented to mitigate their potential negative impact. The responsibilities, objectives and procedures of risk management are outlined in our internal Group standard for risk management. The designated risk owners, including business heads, Managing Directors of the subsidiaries and heads of Group functions, are responsible for overseeing and running risk management processes. These processes encompass various requirements, such as identifying risks while considering internal and external factors (impacting both financial and non-financial targets), analyzing risks, implementing appropriate mitigation actions, establishing preventive measures and contingency plans if applicable, as well as documenting risks and mitigation efforts.

The risk owners continuously assess the status of risks and report their risk portfolio to Group Risk Management twice per year. To facilitate and support these activities, we employ dedicated risk management tools. Group Risk Management coordinates and supervises the bottom-up risk reporting process. This includes validating the plausibility of the reported risks, assessing the effectiveness of mitigation measures and time frames and determining the residual risk. The net risk is then presented in the internal risk report.

For the internal bottom-up risk reporting process, reporting is based on defined thresholds and a variety of distribution functions are used to reflect scenarios with various probabilities. Risks below the global reporting threshold are managed and monitored at a local level. The time frame applied for internal risk and opportunity reporting is five years. In 2025, the time frame was extended to 2030 in order to align with the financial planning process. It may be extended further in specific cases, such as for regulatory risks related to climate change. The outlined risks and their evaluation are based on respective annual values within the reporting period. The assessment of the risks presented relates to December 31, 2025. No significant changes occurred after the balance sheet date that would necessitate an amended presentation of the Group’s risk situation.

Group Risk Management analyzes the reported information to determine the current risk portfolio of the Group. This assessment is presented in a comprehensive report, accompanied by detailed explanations, to the Executive Board, the Supervisory Board and relevant committees twice per year. This also encompasses a quantitative aggregation of risks at Group level using a Monte Carlo simulation. Moreover, any notable changes in the assessment of existing risks or the identification of new significant risks can be reported at any time and promptly communicated to the Executive Board.

Our internal controlling processes incorporate the opportunity management process, which is aligned with the Group’s strategy within the business units. As part of the strategy and planning processes, the business sectors analyze and evaluate potential business-related opportunities. In this context, investment opportunities are carefully examined and prioritized primarily in terms of their potential value proposition, ensuring optimal resource allocation. We target investment in growth markets to leverage the opportunities of dynamic development and customer proximity at a local level.

Identified opportunities that are deemed likely to occur are integrated into the business plans and forecasts. Additionally, trends and events that have the potential to positively impact EBITDA pre and/or free cash flow are taken into consideration. These opportunities have the potential to have a positive effect on our medium-term prospects.

Overall evaluation

The aim of our internal control system is to prevent and reduce potential risks and to actively steer existing risks in business processes. In this way, it helps ensure that the company’s activities comply with laws and regulations. The entire internal control system and the methods applied are refined continuously. The respective senior leaders or risk and process owners are responsible for the effectiveness of the internal control system of the accounting processes and the further development of the non-financial key metrics.

Relevant aspects for evaluating the overall effectiveness of the internal control system and risk management were conducted as a single confirmation process in 2025. This process included respective confirmations by the enabling functions, the local Managing Director, the local Chief Financial Officer, and the business functions. The results of this assessment were presented to the Executive Board, taking the recommended opportunities for improvement into consideration where applicable.

The non-financial internal control system was further enhanced and its maturity increased. Based on risk-based assessments of the financial and non-financial internal control system, compliance and risk management, stakeholder confirmations, and regular general audits by Internal Auditing, as of December 31, 2025, the Executive Board was not aware of any material issues that would indicate that this system is not appropriate or effective.

Risk and opportunity assessment

The significance of a risk is evaluated based on its potential unfavorable deviation from our financial and non-financial targets in conjunction with the probability of occurrence of the respective risk. This evaluation focuses on the most likely risk scenarios.

The underlying scales for measuring these factors are shown below:

Probability of occurrence

| Probability of occurrence | Explanation |
| --- | --- |
| ≤ 1% | Highly improbable |
| > 1 – 5% | Improbable |
| > 5 – 20% | Possible |
| > 20 – 50% | Likely |
| > 50% | More likely than not |

Degree of impact

| Degree of impact | Explanation |
| --- | --- |
| ≥ € 500 million | Critical negative impact on EBITDA pre and/or free cash flow |
| € 100 – < 500 million | Significant negative impact on EBITDA pre and/or free cash flow |
| € 25 – < 100 million | Moderate negative impact on EBITDA pre and/or free cash flow |
| € 10 – < 25 million | Minor negative impact on EBITDA pre and/or free cash flow |
| < € 10 million | Immaterial negative impact on EBITDA pre and/or free cash flow |

To enable a thorough evaluation of both financial and non-financial risks, a qualitative rating scale is available to evaluate the indirect financial impact. The scale used includes dimensions such as ESG, reputational, strategic, and/or operational aspects and is mandatory for the assessment of non-quantifiable and qualitative risks. The scale categorizes the risks’ impact as minor, moderate, significant, or critical and provides a comprehensive reference for assessment.

Opportunities are assessed within their respective business environment. General measures of business functions are quantified during short-term and strategic planning, typically in relation to EBITDA pre (earnings before interest, taxes, depreciation, and amortization) and free cash flow. In addition, we identify and leverage opportunities as part of our regular business operations and through our daily observation of internal processes and markets.

Investment opportunities are primarily evaluated and prioritized using metrics such as net present value, internal rate of return, return on capital employed, and the payback period of the investment. These indicators are used to assess the potential of investment projects and to prioritize them accordingly. Similarly, scenarios are used to simulate the impact of potential fluctuations and changes in the respective parameters on results.

* The contents of this chapter or section are voluntary and therefore not audited. However, our auditor has read the text critically.
