OUR RISK MANAGEMENT

In document Reimagine Your Business (Page 97-100)

Risk Management and Risks

Internal Control and Risk Management System

As a global company, SAP is exposed to a broad range of risks across our business operations. As a consequence, our Executive Board has put comprehensive risk management and internal control structures in place that enable SAP to identify and analyze risks early and take appropriate action. Our risk management and internal control system is designed to identify potential events that could negatively impact the Company and to provide reasonable assurance regarding the operating effectiveness of our controls over financial reporting, thereby supporting the achievement of the Company's objectives, specifically our ability to achieve our financial, operational, or strategic goals as planned.

This system comprises numerous control mechanisms and is an important element of our corporate decision-making process; it is therefore implemented as an integral part of SAP’s business processes across the entire Group. To ensure that our global risk management efforts are effective while also enabling us to aggregate risks and report on them transparently, we have adopted an integrated risk management and internal control approach.

Due to our public listings in both Germany and the United States, we are subject to both German and U.S. regulatory requirements that relate to risk management and internal controls over financial reporting, such as the provisions of section 91 (2) of the German Stock Corporation Act and sections 302 and 404 of the U.S. Sarbanes-Oxley Act (SOX) of 2002. Hence, our Executive Board has established an early warning system (risk management system) to ensure compliance with applicable regulations and effective management of risks.

Our risk management system is based on five pillars, which include a dedicated risk management policy and a standardized risk management methodology as well as a global risk management organization. Our internal control system consists of the internal control and risk management system for financial reporting (ICRMSFR) that also covers the broader business environment. In 2015, we adjusted existing control designs to adequately address the changed risk environment and continued to automate our internal control landscape leveraging continuous control monitoring and continuous auditing activities in selected business areas. Using the current Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework of 2013, we define and cover internal controls along the value chain on a process and subprocess level to ensure that sound business objectives are set in line with the organization’s strategic, operational, financial, and compliance goals. In addition, we have a governance model in place across risk management and the internal control system to ensure both systems are effective, as well as a central software solution to store, maintain, and report all risk-relevant information.

Risk Management Policy and Framework

The risk management policy issued by our Executive Board governs how we handle risk in line with the Company’s risk appetite and defines a methodology that is applied uniformly across all parts of the Group. The policy stipulates who is responsible for conducting risk management activities and defines reporting and monitoring structures. In 2015, as part of our regular review, we updated and rolled out this mandatory policy to all employees. Our global corporate audit function conducts regular audits to assess the effectiveness of our risk management system. Every year, SAP’s external auditor assesses if the SAP SE early risk identification system is adequate to identify risks that may endanger our ability to continue as a going concern. SAP’s enterprise risk management covers risks in the areas of strategy, operational business, financial reporting, and compliance. As of today, the risk management system analyzes risks and only assesses or analyzes opportunities where deemed appropriate.

Risk Management Methodology and Reporting

The following sections describe the key elements of the risk management process as part of SAP’s risk management policy: risk planning, identification, analysis, response, and monitoring.

Risk planning and risk identification for both internal and external risks are conducted in cooperation between risk managers and the business units or subsidiaries across the Group. We use various techniques to identify risks. For example, we have identified risk indicators and developed a comprehensive risk catalog that includes risk mitigation strategies for known product and project risks. Risk identification takes place at various levels of our organization to ensure that common risk trends are identified and end-to-end risk management across organizational borders is enabled. We apply both qualitative and quantitative risk analysis as well as other risk analysis methods such as sensitivity analyses and simulation techniques.

To determine which risks pose the highest threat to the viability of the SAP Group, we classify them as “high,” “medium,” or “low” based on the likelihood that a risk will occur within the assessment horizon as well as the impact the risk would have on SAP’s business objectives if it were to occur. The scales for measuring these two indicators are given in the following tables.

Probability/Likelihood of Occurrence   Description
1% to 19%                              Remote
20% to 39%                             Unlikely
40% to 59%                             Likely
60% to 79%                             Highly Likely
80% to 99%                             Near Certainty

In this framework, we define a remote risk as one that will occur only under exceptional circumstances and a near certain risk as one that can be expected to occur within the specified time horizon. The period for analyzing our risks is at least the forecast period used. The period for analyzing risks that could be possible threats to the Group’s ability to continue as a going concern is eight rolling quarters.

Impact Level       Impact Definition
Insignificant      Negligible negative impact on business, financial position, profit, and cash flows
Minor              Limited negative impact on business, financial position, profit, and cash flows
Moderate           Some potential negative impact on business, financial position, profit, and cash flows
Major              Considerable negative impact on business, financial position, profit, and cash flows
Business-Critical  Detrimental negative impact on business, financial position, profit, and cash flows

Based on the combination of the likelihood that a risk will occur and its impact on SAP’s reputation, business, financial position, profit, and cash flow, we classify the risks as “high,” “medium,” or “low.”

                             Impact
Probability   Insignificant  Minor  Moderate  Major  Business-Critical
80-99%        L              M      H         H      H
60-79%        L              M      M         H      H
40-59%        L              L      M         M      H
20-39%        L              L      L         M      M
1-19%         L              L      L         L      M

L = Low Risk, M = Medium Risk, H = High Risk

Risk analysis is followed by risk response and risk monitoring.

Our risk managers work in close cooperation with the business owners, ensuring that effective strategies are implemented to address risks. Business owners are responsible for continuously monitoring the risks and the effectiveness of mitigation strategies, with support from the respective risk managers.

Risks may be reduced by taking active steps based on risk approval. To provide greater risk transparency and enable appropriate decision making for business owners, we have established a risk delegation of authority (RDOA) for relevant parts of the organization as deemed appropriate. Risk DOA is a risk management decision-making hierarchy that helps business owners gain timely insight into projects and processes with the greatest risk, so they are better able to review the relevant information, understand the risk profile and associated mitigation strategies, and determine if their approval is warranted. Depending on the exposure, approval is required at different levels of the Company, up to and including the Executive Board.

All identified and relevant risks are reported at the local, regional, and global levels in accordance with our risk management policy. At local, regional, and global levels, we have established executive risk councils that regularly discuss risks and countermeasures and that monitor the success of risk mitigation. In addition, the Executive Board is informed quarterly about individual risks based on clearly defined reporting criteria.

Newly identified or existing significant risks that are above a defined threshold or with a potential significant impact are also reported to the chairperson of the Supervisory Board and to the Audit Committee of the Supervisory Board. This includes any risks of potential ongoing concern.

We also have a process in place that analyzes those risks with respect to potential effects on liquidity, excessive indebtedness, and insolvency, which could be possible threats to the Group’s ability to continue as a going concern.

Risk Management Organization

Our risk management organization ensures the coverage of the functions of risk management governance, strategic, operational, financial, and compliance risk management. Our Global Governance, Risk & Compliance (GRC) organization comprises a Group-wide governance function, including regular maintenance and implementation of our risk management policy. The uniform process model comprises all essential elements of risk management: risk planning, risk identification, risk analysis, risk response, and risk monitoring. This function is also responsible for standardized risk reporting to risk committees at different levels of the Company, including the Executive Board as well as the chairperson and the Audit Committee of the Supervisory Board.

Our strategic risk management function resides within our Global Controlling organization and is responsible for enabling early identification and mitigation of risks that could threaten the successful execution of SAP’s strategic priorities and targets. It also supports the successful execution of our corporate strategy by creating transparency regarding risks that could threaten commercial interests or intangible assets such as corporate or product reputation and brand image.

Operational and financial risk management is uniformly implemented at SAP. Independent GRC risk managers are assigned to each of SAP’s important business units and business activities and to selected strategic initiatives. All GRC risk managers, together with assigned risk contacts in the business units, continuously identify and assess risks associated with material business operations using a uniform approach and monitor the implementation and effectiveness of the measures chosen to mitigate risks. Further financial risk management activities are performed by our global treasury function.

During the merger and acquisition and post-merger integration phase, newly acquired companies are subject to risk management performed by our Corporate Development M&A function. Furthermore, as long as they are not integrated, existing risk management structures are maintained or enhanced within the acquired companies to ensure that legal requirements are met.

Risk managers are responsible for supporting and monitoring the implementation of risk management across the Group that is both effective and compliant with regulatory requirements and SAP’s global risk management policy. Based on our risk management policy, all risks and risk-related matters have to be reported to the Global GRC organization.

The head of Global GRC, together with other key functions (for example, Global Controlling or Global Treasury), is responsible for SAP’s internal control and risk management program, and provides regular updates to the Audit Committee of the Supervisory Board. The overall risk profile of the Group is consolidated by the head of Global GRC, who reports to the Group CFO.

Internal Control and Risk Management System for Financial Reporting

The purpose of our system of internal control over financial reporting is to ensure with sufficient certainty that SAP’s financial reporting is reliable and in compliance with applicable generally accepted accounting principles. Because of the inherent limitations of internal control over financial reporting, it may not prevent or bring to light all potential misstatements in our financial statements.

SAP’s internal control and risk management system for financial reporting (ICRMSFR) is based on our Group-wide risk management methodology. The ICRMSFR includes organizational, control, and monitoring structures designed to ensure that data and information concerning our business are collected, compiled, and analyzed in accordance with applicable laws and properly reflected in the IFRS Consolidated Financial Statements.

Our ICRMSFR also includes policies, procedures, and measures designed to ensure compliance of SAP’s financial reports with applicable laws and standards. We analyze new statutes, standards, and other pronouncements concerning IFRS accounting and its impact on our financial statements and ICRMSFR. Failure to adhere to these new statutes, standards, and other pronouncements would present a substantial risk to the compliance of our financial reporting. Finally, the ICRMSFR has both preventive and detective controls, including, for example, automated and non-automated reconciliations, segregated duties with two-person responsibility, authorization concepts in our software systems, and monitoring.

Our Corporate Financial Reporting department codifies all accounting policies in our global Group Accounting and Revenue Recognition Guidelines. These policies, the corporate closing schedule, and our process handbooks together define the closing process. Under this closing process, we prepare, predominately through centralized and outsourced services, the financial statements of all SAP legal entities for consolidation by our Corporate Financial Reporting department. The Corporate Financial Reporting department and other corporate departments assist in the efforts to comply with Group accounting policies and monitor the accounting work. Our Corporate Financial Reporting department conducts reviews of our accounting processes and books.

We have outsourced some work, such as valuing projected benefit obligations and share-based payment obligations, quarterly tax calculations for most entities, and purchase price allocations in the context of asset acquisitions and business combinations. We have also outsourced the preparation of the local statutory financial statements of most of our subsidiaries.

The employees who work on SAP’s financial reporting receive training in the respective policies and processes.

Based on an analysis of the design and operating effectiveness of our respective internal controls over financial reporting, a committee presents the results of the assessment on the ICRMSFR effectiveness with respect to our IFRS Consolidated Financial Statements as at December 31 each year to the Group CFO. The committee meets regularly to set the annual scope for the test of effectiveness, to evaluate any possible weaknesses in the controls, and to determine measures to address them adequately. During its own meetings, the Audit Committee of the Supervisory Board regularly scrutinizes the resulting assessments of the effectiveness of the internal controls over financial reporting with respect to the IFRS consolidated financial statements.

The assessment of the effectiveness of the ICRMSFR related to our IFRS consolidated financial statements was that on December 31, 2015, the Group had an effective internal control system over financial reporting in place.

Risk Management and Internal Control Governance

Our Executive Board is responsible for ensuring the effectiveness of the risk management and internal control system. The effectiveness of both systems and their implementation in the different Executive Board areas is monitored by each board member. We regularly provide a status on the risk management and the internal control system to the Audit Committee. Key risks are reported quarterly to the chairperson of the Supervisory Board and to the Audit Committee of the Supervisory Board. The Audit Committee of our Supervisory Board regularly monitors the effectiveness of SAP’s risk management and internal control system. In this regard, our Audit Committee requested the Corporate Audit department to regularly audit various aspects of the risk management system and its effectiveness. Additional reassurance is obtained through the external audit of the effectiveness of our internal control system over financial reporting and the internal warning system.

Software Solution Deployed

We use our own risk management software (SAP solutions for GRC) powered by SAP HANA to effectively support the governance process. Risk managers record and address identified risks using our risk management software to create transparency across all known risks that exist in the Group, as well as to facilitate risk management and the associated risk reporting. This information is available to managers through a mobile app as well as regularly issued reports, and is consolidated and aggregated for the quarterly risk report to the Executive Board. The solution also supports the risk-based approach of SAP’s internal control and risk management system for financial reporting (ICRMSFR).
