Risk and Opportunity Report

In order to remain competitive and ensure sustainable success, adidas consciously takes risks and continuously explores and develops opportunities. Our risk and opportunity management principles and system provide the framework for our company to conduct business in a well-controlled environment.

RISK AND OPPORTUNITY MANAGEMENT PRINCIPLES

We define risk as the potential occurrence of an external or internal event (or series of events) that may negatively impact our ability to achieve the company’s business objectives or financial goals. Opportunity is defined as the potential occurrence of an external or internal event (or series of events) that can positively impact the company’s ability to achieve its business objectives or financial goals.

RISK AND OPPORTUNITY MANAGEMENT SYSTEM

The Executive Board has overall responsibility for establishing an effective risk and opportunity management system that ensures comprehensive and consistent management of all material risks and opportunities. The Risk Management department governs, operates and develops the company’s risk and opportunity management system and is the owner of the centrally managed risk and opportunity management process on behalf of the Executive Board. The Supervisory Board is responsible for monitoring the effectiveness of the risk management system. These duties are undertaken by the Supervisory Board’s Audit Committee. Working independently of all other functions of the organization, the Internal Audit department provides objective assurance to the Executive Board and the Audit Committee regarding the adequacy and effectiveness of the company’s risk and opportunity management system on a regular basis. In addition, the Internal Audit department includes an assessment of the effectiveness of risk management processes and compliance with the company’s Risk Management Policy as part of its regular auditing activities with selected adidas subsidiaries or functions each year.

adidas risk and opportunity management system (Graphic)

Our risk and opportunity management system is based on frameworks for enterprise risk management and internal controls developed and published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Additionally, we have adapted our risk and opportunity management system to more appropriately reflect the structure as well as the culture of the company. This system focuses on the identification, evaluation, handling, monitoring and systematic reporting of risks and opportunities. The key objective of the risk and opportunity management system is to support business success and protect the company as a going concern through an opportunity-focused but risk-aware decision-making framework. Our Risk Management Policy outlines the principles, processes, tools, risk areas, key responsibilities, reporting requirements and communication timelines within our company.

Risk and opportunity management is a company-wide activity which utilizes key insights from the members of the Executive Board as well as from global and local business units and functions.

Our risk and opportunity management process comprises the following steps:

  • Risk and opportunity identification: adidas continuously monitors the macroeconomic environment and developments in the sporting goods industry, as well as internal processes, to identify risks and opportunities as early as possible. Our company-wide network of Risk Owners (at least all leaders reporting directly to the Executive Board, including the Managing Directors of our markets) ensures an effective bottom-up identification of risks and opportunities. Risk Management has defined 25 categories to assist Risk Owners in identifying risks and opportunities. The Risk Owners use various instruments in the risk and opportunity identification process, such as primary qualitative and quantitative research including trend scouting and consumer surveys as well as feedback from our business partners and network. These efforts are supported by global market research and competitor analysis. Through this process, we seek to identify the markets, categories, consumer target groups and product styles which show most potential for future growth at a local and global level. Equally, our analysis focuses on those areas that are at risk of saturation or exposed to increased competition or changing consumer tastes. However, our risk and opportunity identification process is not only limited to external risk factors or opportunities; it also includes an internal perspective that considers company culture, processes, projects, human resources and compliance aspects.
  • Risk and opportunity evaluation: We assess identified risks and opportunities individually according to a systematic evaluation methodology, which allows adequate prioritization as well as allocation of resources. Risk and opportunity evaluation is also part of the Risk Owners’ responsibility. The Risk Management department supports and guides the Risk Owners in the evaluation process. According to our methodology, risks and opportunities are evaluated by looking at two dimensions: the potential impact and the likelihood that this impact materializes. Based on this evaluation, we classify risks and opportunities into three categories: minor, moderate and major.

The potential impact is evaluated using five categories: marginal, low, medium, high and significant. These categories represent financial or equivalent non-financial measurements. The financial measurements are based on the potential effect on the company’s net income. Non-financial measurements used are the degree of media exposure affecting the company’s reputation, brand image and employer value proposition, the degree of damage to people’s health and safety, and the degree of legal and judicial consequences at the corporate and personal level. Likelihood represents the possibility that a given risk or opportunity may materialize with the specific impact. The likelihood of individual risks and opportunities is evaluated on a percentage scale divided into five categories: below 15%, 15% – 30%, 30% – 50%, 50% – 85% and above 85%.

Risk evaluation categories (Graphic)

1 Based on net income.

When evaluating risks and opportunities, we also consider the earliest time period when the company’s target achievement may be impacted, in order to provide a broad perspective and ensure early identification and mitigation. Short-term risks and opportunities may affect the achievement of the company’s objectives already in the current financial year, mid-term risks and opportunities would impact the company’s target achievement in the next financial year, while long-term risks and opportunities might only have an effect on the achievement of the company’s objectives after the next financial year.

We consider both gross and net risks in our risk assessments. While the gross risk reflects the inherent risk before any mitigating action, the net risk reflects the residual risk after all mitigating action. On the one hand, this approach allows for a good understanding of the impact of mitigating action taken; on the other hand, it provides the basis for scenario analysis. Our assessment of risks presented in this report only reflects the net risk perspective. We measure the actual financial impact of the most relevant risks that materialized against the original assessment on a yearly basis. In this way, we ensure continuous monitoring of the accuracy of risk evaluations across the company, which enables us to continuously improve evaluation methodology based on our findings.

In assessing the potential effect from opportunities, each opportunity is appraised with respect to viability, commerciality and potential risks. This approach is applied to longer-term strategic prospects but also to shorter-term tactical and opportunistic initiatives at the corporate level as well as at the market and brand level. In contrast to the risk evaluation, only the net perspective exists for assessing opportunities.

  • Risk and opportunity handling: Risks and opportunities are treated in accordance with the company’s risk and opportunity management principles as described in the Risk Management Policy. Risk Owners are in charge of developing and implementing appropriate risk-mitigating action and exploiting opportunities within their area of responsibility. In addition, the Risk Owners need to determine a general risk-handling strategy for the identified risks, which is either risk avoidance, risk reduction with the objective to minimize impact and/or likelihood, risk transfer to a third party or risk acceptance. The decision on the implementation of the respective risk-handling strategy also takes into account the costs in relation to the effectiveness of any planned mitigating action if applicable. The Risk Management department works closely with the Risk Owners to monitor the continuous progress of planned mitigating action and assess the viability of already implemented mitigating action. In 2019, we introduced a formalized risk acceptance process linked to the risk classification. Depending on the risk class determined by the risk and opportunity evaluation, the authority to make decisions to accept risks resides with the Executive Board, the Risk Owners and operational management. The decision to accept material risks without taking additional mitigating action can only be made by the entire Executive Board.
  • Risk and opportunity monitoring and reporting: Our risk and opportunity management system aims to increase the transparency of risks and opportunities. As both risks and opportunities are subject to constant change, Risk Owners monitor not only developments but also the adequacy and effectiveness of the current risk-handling strategy on an ongoing basis.

Regular risk reporting takes place half-yearly and consists of a five-step reporting stream that is supported and facilitated by a globally used company-wide IT solution:

  1. Risk Owners are required to report to Risk Management risks and opportunities that have a possible net impact of € 1 million and above, regardless of the likelihood of materializing.
  2. Risk Management consolidates and aggregates the reported risks and opportunities and provides a consolidated report based on the Risk Owners’ input to each member of the Executive Board concerning his or her individual area of responsibility. Each report specifically highlights substantial individual risks and opportunities. Each member of the Executive Board reviews the reported risks and opportunities of his or her individual area of responsibility, adding his or her own assessment of risks and opportunities if necessary.
  3. Risk Management provides a consolidated report to all members of the Executive Board that includes both the assessment of each member of the Executive Board and the major risks and opportunities reported by Risk Owners. The Executive Board reviews the report, jointly agrees on a final company assessment of risks and opportunities and decides if Risk Owners are required to take further action.
  4. Based on the Executive Board’s decision, Risk Management creates the final risk and opportunity report that is also shared with the Core Leadership Group (CLG). See People and Culture.
  5. The Executive Board in collaboration with Risk Management presents the final risk and opportunity assessment results to the Audit Committee of the Supervisory Board.

Material changes in previously reported risks and opportunities and/or newly identified risks and opportunities that are classified as moderate or major as well as any issues identified which, due to their material nature, require immediate reporting, are also reported outside the regular half-yearly reporting stream on an ad hoc basis to the Risk Management department and the Executive Board.

COMPLIANCE MANAGEMENT SYSTEM (ADIDAS FAIR PLAY COMPLIANCE FRAMEWORK)

We consider compliance with the law as well as with external and internal regulations to be imperative. The Executive Board sets the tone right from the top – every employee is required to act ethically and in compliance with the law as well as with external and internal regulations while executing the company’s business. Violations must be avoided under all circumstances. However, we realize that it will never be possible to exclude compliance violations with absolute certainty.

The adidas Fair Play Compliance Framework is overseen by the company’s Chief Compliance Officer. We see compliance as all-encompassing, spanning all business functions throughout the entire value chain. Our central Compliance team works closely with Regional Compliance Managers and Local Compliance Officers to conduct a systematic assessment of key compliance risks on a yearly basis. In addition, the central Compliance team regularly conducts compliance reviews within selected entities.

The company’s Compliance Management System (CMS) is based on the OECD Principles of Corporate Governance. It refers to the OECD Guidelines for Multinational Enterprises, and is designed to:

  • support the achievement of qualitative and sustainable growth through good corporate governance;
  • reduce and mitigate the risk of financial losses or damage caused by non-compliant conduct;
  • protect and further enhance the value and reputation of the company and its brands through compliant conduct; and
  • preserve diversity by fighting harassment and discrimination.

The adidas Fair Play Code of Conduct stipulates guidelines for behavior in everyday work, which all employees are obliged to comply with. It is applicable globally and for all business areas, accessible on our website and on our intranet. In 2019, we revised the Code of Conduct to ensure it remains up-to-date and reflects our business environment.

The Code of Conduct and our CMS are organized around three pillars: prevent, detect and respond.

  • Prevention: The foundation of our CMS is the adoption and implementation of our Fair Play Code of Conduct, the Compliance Policy, and the Privacy Policy. adidas issues targeted compliance-related communication by management and the Compliance department and provides mandatory training to all employees globally during onboarding and in regular, repeated cycles. In 2019, more than 3,500 employees completed online compliance training. Furthermore, we conducted targeted in-person compliance training as appropriate with senior management and newly promoted or hired senior executives across the globe in order to further enhance the compliance ‘tone from the top’, as well as the ‘tone from the middle’. We closely monitor the completion rates for these training measures and continuously update our web-based training.
  • Detection: adidas has whistleblowing procedures to ensure timely detection of potential infringements of statutory regulations or internal guidelines. Employees can report compliance concerns internally to their supervisor, the Chief Compliance Officer, Regional Compliance Managers or Local Compliance Officers, the relevant HR manager or the Works Council. Employees can also report externally via an independent, confidential reporting hotline and website, and can choose to do so anonymously through the Fair Play hotline. The hotline is available at all times worldwide.
  • Response: Appropriate and timely response to compliance violations is essential. The Chief Compliance Officer leads all investigations in cooperation with an established team of Regional Compliance Managers and a global network of Local Compliance Officers. We track, monitor, and report potential incidents of non-compliance worldwide. In 2019, we recorded 514 potential compliance violations (2018: 410). Most importantly, insights gained from the investigation of past violations are used to continuously improve the CMS. Where necessary, we react promptly to confirmed compliance violations, through appropriate and effective sanctions ranging from warnings to termination of employment contracts.

In 2019, we continued to reinforce the adidas compliance organization and activities and enhance cooperation with other governance functions, e.g. Internal Audit, Internal Controls, and Risk Management.

Potential compliance violations (Bar chart)

1 Includes payroll issues, intellectual property and leaks of confidential information, inter alia.

Reporting of potential compliance violations in % (Pie chart)

The company’s Chief Compliance Officer regularly reports to the Executive Board on the further development of the compliance program and on major compliance cases. In addition, the Chief Compliance Officer reports to the Audit Committee on a regular basis. In 2019, the Chief Compliance Officer attended five meetings of the Audit Committee of the Supervisory Board to report on the further development of the compliance program, major compliance cases and other relevant compliance topics.

DESCRIPTION OF THE MAIN FEATURES OF THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM RELATING TO THE CONSOLIDATED FINANCIAL REPORTING PROCESS PURSUANT TO § 315 SECTION 4 GERMAN COMMERCIAL CODE (HANDELSGESETZBUCH – HGB)

The internal control and risk management system relating to the consolidated financial reporting process of the company represents a process embedded within the company-wide corporate governance system. It aims to provide reasonable assurance regarding the reliability of the company’s external financial reporting by ensuring company-wide compliance with statutory accounting regulations, in particular the International Financial Reporting Standards (IFRS) and internal consolidated financial reporting policies (Finance Manual). We regard the internal control and risk management system as a process based on the principle of segregation of duties, encompassing various sub-processes in the areas of Accounting, Controlling, Taxes, Treasury, Planning, Reporting and Legal, focusing on the identification, assessment, mitigation, monitoring and reporting of financial reporting risks. Clearly defined responsibilities are assigned to each distinct sub-process. In a first step, the internal control and risk management system serves to identify, assess, limit and control risks identified in the consolidated financial reporting process which might result in the consolidated financial statements not being compliant with internal and external regulations.

Internal Control over Financial Reporting (ICoFR) serves to provide reasonable assurance regarding the reliability of financial reporting and compliance with applicable laws and regulations. To monitor the effectiveness of ICoFR, the Policies and Internal Controls department and the Internal Audit department regularly review accounting-related processes. Additionally, as part of the year-end audit, the external auditor assesses the effectiveness of selected internal controls, including IT controls. The Audit Committee of the Supervisory Board also monitors the effectiveness of ICoFR. However, due to the limitations of ICoFR, even with appropriate and functional systems absolute certainty about the effectiveness of ICoFR cannot be guaranteed.

All adidas companies are required to comply with the consolidated financial reporting policies (Finance Manual), which are available to all employees involved in the financial reporting process through the company-wide intranet. We update the Finance Manual on a regular basis, dependent on regulatory changes and internal developments. Changes to the Finance Manual are promptly communicated to all adidas companies. Clear policies serve to limit employees’ scope of discretion with regard to recognition and valuation of assets and liabilities, thus reducing the risk of inconsistent accounting practices within the company. We aim to ensure compliance with the Finance Manual through continuous adherence to the four-eyes principle in accounting-related processes. In addition, the local manager responsible for the accounting process within the respective company and the respective local Managing Director confirm adherence to the Finance Manual and to IFRS in a signed representation letter to the Accounting department semi-annually.

The accounting for adidas companies is conducted either locally or by our Global Business Services. Virtually all of the IT Enterprise Resource Planning (ERP) systems used are based on a company-wide standardized SAP system. Following approval by the Finance Director of the respective adidas company, the local financial statements are transferred to a central consolidation system based on SAP SEM-BCS. At the corporate level, the regularity and reliability of the financial statements prepared by adidas companies are reviewed by the Accounting and Controlling departments. These reviews include automated validations in the system as well as the creation of reports and analyses to ensure data integrity and adherence to the reporting logic. In addition, differences between current-year and prior-year financial data as well as budget figures are analyzed on a market level. If necessary, adidas seeks the opinion of independent experts to review business transactions that occur infrequently and on a non-routine basis. After ensuring data plausibility, the centrally coordinated and monitored consolidation process begins, running automatically on SAP SEM-BCS. Controls within the individual consolidation steps, such as those relating to the consolidation of debt or of income and expenses, are conducted both manually and system-based, using automatically created consolidation logs. Any inadequacies are remedied manually by systematically processing the individual errors as well as differences and are reported back to the adidas companies. After finalization of all consolidation steps, all items in the consolidated income statement and in the consolidated statement of financial position are analyzed with respect to trends and variances. Unless already otherwise clarified, the adidas companies are asked to explain any identified material deviations.

All financial systems used are protected against malpractice by means of appropriate authorization concepts, approval concepts and access restrictions. Access authorizations are reviewed on a regular basis and updated if required. The risk of data loss or outage of accounting-related IT systems is minimized through central control and monitoring of virtually all IT systems, centralized management of change processes and regular data backups.
