2 Report on Risks and Opportunities

2.1 Risk Management System (RMS)

2.1.1 Features of the RMS

The focus of the RMS that is presented here is on business risks and does not include opportunities. The operating segments, projects, and subsidiaries take opportunities into consideration based on the corporate strategy. Potential market opportunities, associated expenses, and the time horizon until commercial exploitation are evaluated as part of related planning processes.

BRAIN’s RMS includes the systematic identification, documentation, evaluation, management, and reporting as well as constant monitoring of all identified and relevant risks. The management thereby ensures that the targets that are set are not jeopardized by risks, and creates risk awareness within the entire Group in accordance with statutory regulations. The RMS is fully integrated into BRAIN’s corporate processes.

In other words, risks are modelled so that they continue to be monitored following implementation of countermeasures. The focus in this context is on medium and high risks, and on risks that might jeopardize the company as a going concern.

The aim of BRAIN’s RMS is not only to comply with statutory regulations but also to support internal management and business security. Overall, risk awareness should be created on a Group-wide basis in accordance with statutory regulations in order to ensure responsible handling of risks and counterstrategies accordingly.

The RMS focuses on ascertaining risks within BRAIN. Opportunities are weighed and considered based on the corporate strategy, which forms a process that is integrated into planning processes. Potential opportunities are evaluated within strategy and planning processes, and compared with potential risks. Opportunities are categorized and presented based on the probability of occurrence and the contribution to the company’s net present value (rNPV).

The RMS, which undergoes constant further development, has integrated previous years’ experience in its identification and management of risks. The effects of the risks as presented in the following risk and opportunities report are reported as annual risks. The evaluation of the presented risks relates to the 30 September 2023 reporting date, and was prepared from a survey in the relevant areas conducted shortly before the reporting date.

The Management Board conducted a review of risk management in the 2022/23 financial year, in particular in relation to further improvements and to adapt to further legislative developments (see point 5 below). Control self-assessments and the establishment of risk indicators are planned as part of the new RMS.

2.1.2 Risk identification

Risks are surveyed Group-wide as part of risk identification involving all decision-makers and experts with respective responsibilities. This iterative process first surveys all risks before aggregating them within a Group-wide risk inventory and evaluating them.

The Supervisory and Management Boards are in regular contact when new risks are identified or the general risk situation changes. If necessary, external consultants are also involved.

2.1.3 Risk evaluation

Risks identified as part of a risk analysis are evaluated in terms of their likelihood of occurrence (event risk) and impact. They are categorized into risk classes (“high”, “medium” and “low”) by multiplying their individual impact by their respective likelihood of occurrence. The range of both likelihood and impact starts at 1 (“very low”) and ends at 10 (“very high”).

Likelihood of occurring within the next two years

Likelihood score Note
0 – 2 Relatively unlikely (< 15 %)
3 – 5 Possible (15 – 45 %)
6 – 7 Probable (45 – 75 %)
8 – 10 Very probable (> 75 %)

Degree of impact

Likelihood score Note EBITDA impact
0 – 2 Minor negative impact on next two years’ forecast results of operations < € 100 thousand
3 – 5 Moderate negative impact on next two years’ forecast results of operations up to € 500 thousand
6 – 7 Considerable negative impact on next two years’ forecast results of operations up to € 2 million
8 – 10 Critical negative impact on next two years’ forecast results of operations > € 2 million

Impact is defined as the influencing parameter on BRAIN’s forecast EBITDA.

The so-called “risk score” – an individual risk evaluation for each risk for the classification – is calculated by multiplying the likelihood of occurrence by the impact. The range for the risk score consequently starts at 1 and ends at 100.

Risk score Risk class
0 – 10 points Low risks
11 – 40 points Medium risks
41 – 100 points High risks

“High” risk class (risk measure above 40 points)

Risks within this class include a high likelihood of occurrence combined with a major impact on the Group.

“Medium” risk class (risk measure between 11 and 40 points)

Risks within this class include a low likelihood of occurrence combined with a major impact, or a high likelihood of occurrence in combination with a low impact, on the Group.

“Low” risk class (risk measure below 11 points)

Risks within this class include a low likelihood of occurrence combined with a minor impact on the Group.

2.1.4 Risk management and monitoring

BRAIN deploys various measures to manage risks. Active risk measures include strategies such as risk avoidance (e.g. through refraining from engaging in excessively risky activities), risk reduction (e.g. through project controlling) and risk diversification (e.g. research and activities in different areas). Where appropriate, BRAIN also makes recourse to passive measures including either a transfer of risk (e.g. through insurance or risk sharing with partners) or the conscious assumption of risks.

In addition, identified risks are aggregated and extensively reviewed and discussed at BRAIN twice a year, enabling specific countermeasures to be implemented if required.

2.1.5 Reporting

The Management Board is informed at least on a half-yearly basis not only about medium and high opportunities and risks, but also about important changes in relation to their impacts and probabilities of occurrence. The Management Board also receives internal ad-hoc reports on significant risks that unexpectedly arise or are discovered. Information is submitted to the Supervisory Board as required via the Management Board during quarterly meetings or, if necessary, on an ad-hoc basis.

2.2 Internal control system (“ICS”)

All units of the BRAIN Biotech Group are included in our ICS. The level of maturity of the ICS depends on the size and materiality of the units for the Group.

In addition to the accounting-related internal control system, the following controls should be emphasized:

  • Decisions that originate obligations for BRAIN are executed on a binding basis in accordance with the four-eye principle. This principle is only waived if the business units are too small.
  • Quality controls are applied continuously in production operations in order to ensure compliance with production processes. Where necessary, this is realized within the framework of internationally recognized quality systems and quality standards.

The reorganization into One-BioProducts leads to a larger, cohesive business unit, which favors the formalization and professionalization of processes and controls.

The instruments for managing the Group, the subsidiaries, and the projects were developed further and expanded on a business-related basis. With an optimized internal control and risk management system, we are taking account of the expanding revenue level and the increasing complexity of exogenous factors.

As part of the management-based control system, the company’s Management Board and Head of Group Finance discuss identified control weaknesses and inefficiencies in the monthly meetings with the managing directors. If action is required as a consequence, measures are developed and taken together with the Management Board and Head of Group Finance to mitigate existing control weaknesses.

2.3 Accounting-related internal control system and RMS

The overriding objective of our accounting-related ICS and RMS is to ensure the correctness of financial reporting in terms of compliance of the consolidated financial statements and the management report with all relevant regulations.

Accounting-related risk identification is also conducted by means of a survey of Group-wide risks, whereby all relevant decision-makers and experts are involved. This iterative process first surveys all risks before aggregating them within a Groupwide risk inventory and evaluating them.

Similar to the procedure for general risks, the identified accounting-related risks are also assessed based on their likelihood of occurrence and their impact. They are categorized into risk classes (“high”, “medium” and “low”) by multiplying their individual impact by their respective likelihood of occurrence. The range of both likelihood and impact starts at 1 (“very low”) and ends at 10 (“very high”). Details of the risk classification are explained in section 2.1.3.

Please refer to the general procedure in sections 2.1.4 and 2.1.5 for information on risk management and monitoring of accounting-related risks and their reporting.

The accounting-related internal control system aims to appraise appropriately in financial accounting terms, and to report in full, Group business transactions in accordance with respective applicable accounting regulations. The system consists of fundamental rules and procedures, as well as a clear functional separation through the four-eye principle. Especially when preparing separate financial statements, when performing the reconciliation to IFRS, as well as when performing consolidation and related standard measurement and reporting, controls exist in the form of the four-eye principle. The clear separation between preparation and internal review enables BRAIN to identify deviations and errors, and ensures that information is complete.

The accounting-related appraisal and recording of business transactions is implemented by the respective Group companies where such transactions occur, as a matter of principle. As an exception to this principle, BRAIN Biotech AG evaluates and records the transactions of the subsidiaries Mekon Science Networks GmbH (Zwingenberg, Germany), BRAIN US LLC (Rockville, Maryland, USA), BRAIN UK Ltd. (Cardiff, UK), BRAIN UK II Ltd. (Cardiff, UK), and BRAIN Capital GmbH (Zwingenberg, Germany). The subsidiaries’ annual financial statements are prepared by the respective subsidiary’s management. External service providers assist in the preparation of monthly and annual financial statements based on commercial law. Amendments to acts, accounting standards, and other publications are monitored regularly in relation to relevance and their effect on the separate and consolidated financial statements.

Business transactions within the Group are appraised in accounting terms based on standard Group accounting guidelines. The finance department of BRAIN Biotech AG with the support of external service providers converts financial statements prepared according to commercial-law accounting standards to IFRS financial reporting standards (quarterly) and prepares the separate annual financial statements of BRAIN Biotech AG as well as the consolidated financial statements. The independent auditor appointed by the AGM audits both the separate and the consolidated annual financial statements. Significant risks for the financial accounting process are monitored and evaluated based on the risk classes specified below and applying their individual risk classification. Requisite controls are defined and subsequently implemented.

Each corporate activity reports personally to the Management Board and to the company’s central finance department on a monthly basis. Current business performance, adherence to budgets, and changes to the risk profile are reviewed. In addition to risks, we also identify opportunities for the company.

The separate annual financial statements and the consolidated financial statements of BRAIN Biotech AG are submitted to the Supervisory Board of BRAIN Biotech AG for approval. At least one Supervisory Board member is an independent financial expert in the meaning of Section 100 (5) of the German Stock Corporation Act (AktG). The Supervisory Board’s Audit Committee monitors the financial accounting process and the auditing of financial statements.

The accounting-related internal control system ensures that the financial accounting process complies with German commercial-law (HGB) regulations and International Financial Reporting Standards (IFRS).

2.4 Overall assessment of the risk management system and internal control system

At the time of this report, in all material respects no indications existed that the internal control and risk management system as a whole was inadequate or ineffective.