We use a variety of IT systems and processes to optimally support our globalization. Trends in information technology offer various opportunities but also harbor risks.
Risks due to cybercrime and the failure of business-critical IT applications
Increasing international networking and the related possibility of IT system abuse are resulting in cybercrime risks for us. Such risks include the failure of central IT systems, the loss of data integrity or the disclosure of confidential data from R&D or business activities, the manipulation of IT systems in process control, and an increased burden or adverse impact on IT systems as a result of virus attacks.
We maintain and operate an information protection management system based on ISO 27001. Our governance framework contains organizational, process-related and technical information security countermeasures based on recognized international standards. In addition, we employ harmonized electronic and physical security controls (e.g. access control and security monitoring) to bolster our ability to handle sensitive data, such as trade secrets.
Cybersecurity is part of our Corporate Security Office. In addition, we have a Group Chief Information Security Officer and a network of Information Security Officers within the business sectors, each supported by dedicated networks. The individual sectors hold risk ownership and act as our first line of cybersecurity defense. Our Corporate Cybersecurity function acts as a second line of defense and has responsibilities regarding cybersecurity risk governance and oversight. Our third line of defense consists of internal audits.
Globally used IT applications form the basis for the contractual delivery of products and solutions. The failure of business-critical IT applications could therefore have a direct influence on our ability to deliver and on the quality of our products. This also applies to the failure of a data center. To achieve the required service quality, we use a quality management system certified in accordance with ISO 9001 that also applies to the provision of IT. In addition, to reduce the risk of failure, we operate several redundantly designed data centers. Furthermore, insurance solutions for cybercrime offenses are in place at Group level.
Likewise, complications with the changeover of IT systems could negatively impact the earnings situation. Close monitoring of critical IT projects serves to mitigate this risk.
The risks of cybercrime or the failure of business-critical IT applications and their influence on EBITDA pre and free cash flow are considered improbable to likely, with a moderate impact, while highly improbable events could lead to significant or critical impacts.
Artificial intelligence risks
We increasingly use artificial intelligence (AI) – including generative AI and machine learning – across our Life Science, Healthcare and Electronics business sectors and the Group functions to streamline operations, accelerate R&D and improve decision-making. As we embrace innovation, we recognize that new technologies come with risks and uncertainties. We proactively manage associated risks through secure-by-design enablement (e.g. our myGPT generative AI companion), clearly defined ethical guardrails (our Group Code of Digital Ethics and the independent Digital Ethics Advisory Panel), robust data and AI quality, governance and security controls, and broad upskilling via our Group Data & Digital Academy.
Nevertheless, potential AI-related risks remain. These include model and data quality issues, bias and limited explainability, evolving regulation across various jurisdictions (e.g. the EU AI Act), and cybersecurity threats. If not appropriately managed, these could lead to operational, legal or reputational impacts or hinder effective scaling of AI. Our mitigation measures are designed to reduce these risks while enabling responsible adoption of AI in our business processes and product offerings. While residual risks remain, we continue to refine our controls and practices as the technology and regulatory landscape evolve. Failure to successfully adopt these technologies into our business processes and product offerings or the inability to scale AI effectively could result in competitive disadvantages.
Based on current risk exposure and mitigations, we assess the probability of an impact on EBITDA pre and free cash flow as highly improbable; however, should the risk materialize, the potential impact could be significant. We therefore maintain disciplined monitoring, regularly reviewing our AI risk and adopting a roadmap to ensure responsible scaling consistent with our vision: “Sparking Discovery, Elevating Humanity”.