Risks arising from information technology

We have taken all the necessary steps to be able to effectively identify and counter IT risks. These risks are monitored across the Group by Risk Management, IT Audit, Data Protection and Corporate Security. The Information Security Committee provides for secure IT in the divisions. At a minimum, we aim to meet the ISO 27002 industrial safety standard.

Our logistics and service processes can only function smoothly if the necessary IT is available. Complete failure of one or more systems could cause a significant disruption to operational processes and lead to loss of data. For this reason we want to avoid malfunctions entirely.

We take the following measures to reduce the probability of IT risk materialising: we have two main data centres, in the Czech Republic and Malaysia. Additional processing capacity is provided by T-Systems, a service provider with which we have agreed on standards for outsourced services and which has likewise distributed its capacity amongst several data centres. In addition, we have established emergency procedures throughout the Group for business-critical applications.

We continuously improve our security mechanisms to protect against unauthorised access to, and manipulation of, data, and this includes mobile devices. Persons with access authorisation are required to encrypt critical data as a standard procedure and to change passwords every eighty to ninety days. Critical data are secured by means of back-ups, either on a case-by-case basis or in real time in several data centres depending on relevance.

Our services require the use of frequently updated and newly developed software. This involves not only a general cost risk in the case of complex IT systems in particular, but also the risk of development delays and functional deficiencies when putting the new software into operation. This risk is reduced by an efficient project management system spanning the entire process from software planning and design to implementation.

The precautions we take lower the probability of occurrence of IT risks having grave consequences. We are prepared to minimise the impact of any risk that does materialise such that customers are not, or only minimally, affected. However, an element of risk involving medium to high financial consequences cannot be fully ruled out.