Description and Statement Relating to Risk and Compliance Management
The risk management report includes disclosures pursuant to ESRS 2.40 and ESRS 2.42 of the sustainability reporting on strategy, business model and value chain.
Integrated approach to risk and compliance management
Risk and compliance management are an integral part of corporate management at WACKER. As a global company, we are exposed to numerous risks directly attributable to our business activities. Starting from an acceptable overall level of risk, the Executive Board decides which risks we should take to seize the opportunities available to the company. The goal of risk management at WACKER is to identify risks as early as possible, evaluate them adequately, and take appropriate steps to reduce them. We define risks as internal and external events that may have a negative effect on the attainment of our targets and forecasts. In the reporting year, we geared the existing risk and compliance management system even more toward taking ESG (environmental, social, governance) risks into account.
As a chemical company, we have a particular responsibility to ensure plant safety and protect human health and the environment. At all our production sites, there are employees who are responsible for plant and workplace safety and for health and environmental protection. Our risk management system complies with the statutory requirements and is integral to all our decisions and business processes. The Executive and Supervisory Boards are regularly informed about the current risk status in the Group and at each business division.
WACKER follows the Three Lines of Defense model to effectively manage corporate risks and ensure compliance with legal provisions and the ethical principles of corporate management.
Three Lines of Defense model
The first line of defense lies with the managers of operational units. They are responsible for risk management and monitoring, including how risks are handled there. This includes maintaining functioning internal control systems in their operational units.
The second line of defense is formed by the company’s risk and compliance management system, as well as its IT security measures. Risk management involves systematically tracking the main risks facing operational units and reporting on the risks to the Executive Board. Compliance management ensures that the ethical principles of corporate management are observed. The compliance management team identifies the relevant legal requirements and amendments, forwards them to the affected corporate units, and holds compliance courses for employees. These courses are intended to increase the awareness of all employees to ensure that they do not breach the law – particularly with a view to preventing bribery and corruption, competition and antitrust violations, and other forms of economic crime. In addition, all customer-facing employees receive regular and extensive training on competition-law issues and the types of economic crime. The IT Security team develops effective strategies to combat cybercrime, digital industrial espionage and sabotage attacks, making the company more resilient in the face of all kinds of cyberattacks.
Both the Executive Board and the Supervisory Board are informed regularly and, if necessary, on an ad-hoc basis about compliance risks and any compliance incidents that have occurred, as well as any measures initiated. The Executive Board discusses relevant compliance issues on a monthly basis.
The tax compliance management system aims to ensure that Wacker Chemie AG and its subsidiaries comply fully and punctually with their obligations under tax law. Early involvement of the tax department in relevant transactions, coupled with checks that are established components of preliminary tax-related processes, helps minimize the corresponding risks.
The third line of defense is provided by the Corporate Auditing department, which acts as an independent monitoring body for the Executive Board. This department conducts audits at regular intervals to review the risk management activities in place at the various corporate units and to check whether the internal control systems run by the operational units are effective. Corporate Auditing also liaises with the compliance management team if, for example, anti-corruption investigations are undertaken or related measures implemented.
Internal control system (ICS) and internal control system for accounting
The objective of the internal control system for accounting is to ensure consistent and correct application of legal requirements, generally accepted accounting principles and International Financial Reporting Standards (IFRSs), and thus avoid misstatements in Group accounting and external reporting. WACKER’s ICS is based on the internationally recognized COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework. The establishment, maintenance and further development of the ICS is the responsibility of Corporate Accounting, the latter working on behalf of the CFO.
Our internal accounting control system aims to ensure that our accountants process every business transaction promptly, uniformly and correctly, and that reliable data on the Group’s earnings, net assets and financial position are available at all times. Our approach here complies with statutory provisions and accounting standards. One key internal guideline is the accounting manual, which is valid groupwide and available on the WACKER intranet. The manual specifies binding rules for groupwide accounting and measurement and contains stipulations on organizational responsibility for accounting-related topics. We also use organizational safeguards, such as compliance with the dual control principle, the separation of relevant functions and enlisting the support of external experts when addressing complex accounting matters to reduce the risk of accounting misstatements. We deploy user authorization systems, data release policies and access restrictions to protect all financial systems from misuse.
Process risks that impact reporting are identified, and adequate controls defined, at regular intervals. In the reporting year, an extensive process risk analysis for financial reporting, and for key parts of our sustainability reporting, was conducted for the parent company Wacker Chemie AG. The processes were visualized in flow charts, and additional risk-adjusted controls were defined and documented in a risk control matrix.
The subsidiaries are responsible for ensuring that all regulations are implemented in their local regions. Corporate Accounting assists them in this task. Each quarter, managers at our divisions, corporate departments and subsidiaries confirm for their areas that all key issues for the quarterly and annual financial statements have been reported. However, despite taking every possible precaution, we can never guarantee that the internal control system will be 100-percent effective.
Fundamental features of the internal control system (ICS)
Risk management
WACKER focuses on identifying, evaluating, responding to, and monitoring risks as part of a transparent and comprehensive system for all areas of the company. The system is based on a defined risk strategy and an efficient reporting procedure. The Executive Board regularly reviews and enhances the risk strategy.
All corporate areas are integrated into the risk management system. It consists of three intermeshed aspects:
- Division-specific risk management and early-warning systems
- Groupwide risk coverage
- Groupwide risk mapping
The Group’s risk management system draws on existing organizational and reporting structures, supplemented by additional elements:
- The risk management manual: It contains the system’s principles and processes. It explains reportable levels of risks and how risks are to be covered and mapped.
- The risk management regulation: It stipulates groupwide reporting requirements, including when a specific committee must be informed.
- Role of risk management coordinator: This coordinator is responsible for the risk management system and is supported by local risk coordinators.
- Risk list: In this list, we record each specific risk facing our divisions and other corporate sectors. Reporting is mandatory for individual risks where the effect on earnings would exceed €5 million.
WACKER identifies risk on two levels: divisional and Group. We employ various instruments to detect and recognize risk. These include monitoring order-intake trends, market and competition analyses, customer talks, and ongoing observation and analysis of the economic environment.
Risk management system
Assessment, quantification and management of risks
We analyze each identified risk’s probability of occurrence and potential effect on earnings. Corporate Controlling compiles a monthly report to inform the Executive Board of current and expected business developments and their associated risks. We evaluate risks and opportunities at regular meetings with our divisions and weigh them up against each other.
Corporate Controlling’s task is to ensure that our risk management standards are implemented and our risk management process enhanced. It not only records every substantial risk groupwide, but also evaluates them systematically. Significant risks and those endangering the company’s continued existence are reported as soon as they are identified. As WACKER’s business divisions are responsible for their own results, this process is closely interwoven with operational controlling. Individual divisional risks are identified and evaluated on a monthly basis.
The Corporate Finance and Insurance department is responsible for managing financial risks and customer receivables.
Compliance Management (unaudited)
WACKER’s ethical principles of corporate management exceed the statutory requirements. The Compliance Management department is responsible for ensuring that these principles and all related legislation are observed groupwide. Training courses on compliance raise employees’ awareness of the relevant risks and convey binding rules of behavior for daily work routines. These aspects are covered by WACKER’s compliance regulation, by the Group’s corporate rules and by our code of conduct. Eight groupwide values underpin our code of conduct. They guide us in meeting the ethical behavior expectations that are fundamental to our global business activities. In the reporting year, we accompanied the introduction of our code of conduct (published in 2023) with communication measures and workshops, which also addressed the importance of the code’s four pairs of values.
For more information on our code of conduct, see the “Principles of corporate ethics” section in the Declaration on corporate management.
Employees are instructed to inform their supervisors, the compliance officers, the employee council or their designated HR contacts of any violations that come to their attention. Any reported or known breach of the law is investigated and punished accordingly. Employees have the option of reporting suspected violations within the company anonymously via a protected channel. We have a groupwide whistleblower system in place, in line with European Union requirements. It enables WACKER’s employees, business partners and stakeholders who detect any potential violations of rules and regulations to report them to the company – directly, confidentially and anonymously. In our global communication concept for the whistleblower system, we describe the internal processes initiated by each reporting channel. We transparently explain to whistleblowers how we handle the reports submitted.
The Group’s compliance officers are responsible for ensuring that the compliance system is observed and are on hand to advise employees on all compliance-related matters.
Prevention is a key aspect of the compliance officers’ work. They train, inform and advise employees and management about the strategies and actions, for example, that prevent corruption and economic crime of any kind. In the reporting period, we expanded the face-to-face compliance courses that are conducted worldwide by our global compliance organization. We initiated comprehensive compliance-management measures for evaluating distributors. To this end, we specified global compliance safeguards and carried out compliance training measures tailored to our target groups.
WACKER has a compliance management system in place worldwide that is continuously reviewed and enhanced in accordance with internationally recognized auditing standards. We carry out ongoing compliance risk assessments throughout the Group, with Global Compliance collaborating with the relevant corporate functions. Targeted investigations are carried out in the event of suspected compliance violations. In addition, ad hoc audit procedures are carried out as a matter of routine.
In 2025, no major compliance infringements were identified that are subject to the above-mentioned reporting threshold of an earnings impact exceeding €5 million.
Corporate Auditing
The third line of defense is provided by the Corporate Auditing department, which acts as an independent monitoring body for the Executive Board. It monitors the effectiveness of the groupwide internal control and risk management system, compliance with internal and external requirements and efficacy across various operational processes and systems.
On behalf of the Executive Board, Corporate Auditing performs regular, mainly process-specific reviews of all relevant functions and corporate units, focusing on internal control systems. Audit topics are selected using a risk-driven approach. The audit universe, which covers all the Group’s main functions, sites and companies, is the basis of Corporate Auditing’s topics. It also includes risk-management reporting, as well as the reports and information provided by the corporate departments, business divisions and major joint ventures/associates. The audit plan is supplemented and adopted by the Executive Board and discussed with the Audit Committee. If necessary, there is flexibility to modify the plan during the year to reflect changes in underlying conditions.
Any measures derived from the audits for optimization of processes and the internal control and risk management system are implemented and systematically monitored by the Corporate Auditing department. The latter provides the Executive Board and Audit Committee with regular reports on the results and implementation status of the various measures.
The audits conducted in the fiscal year under review did not reveal any major findings that would pose a threat to the proper functioning of the internal control and risk management systems.
Executive Board (unaudited)
The Executive Board has overall responsibility for implementing suitable governance systems. It provides the Supervisory Board’s Audit Committee with regular updates on current issues related to these systems so that the Audit Committee can monitor their effectiveness.
The Executive Board declares that at the time this report was prepared, there had been no issues that would give rise to the assumption that the established internal control system, the risk management system or the compliance management system were not appropriate or effective in all material respects.
External auditor
The auditor adopts a risk-driven approach to examining the structure and effectiveness of the internal control system for accounting. In the course of auditing as per Section 317 (4) HGB, the auditor also examines the early warning system for detecting risks. The auditor’s findings are communicated to management and the Supervisory Board.