Material organizational risks
HUGO BOSS considers IT risks, personnel risks, and governance and compliance risks to be among the material organizational risks.
IT risks
Smooth business operations with efficient processes are strongly dependent on a powerful and secure IT infrastructure uniformly implemented throughout the Group. Serious failures of the IT system of the Group can result in significant business interruptions. In addition, cyber attacks can lead to major system interruptions, loss of confidential data and the ensuing loss of reputation and liability claims. In order to reduce these risks, preventative system maintenance and security checks are carried out by the central IT department on a regular basis, multi-level security and anti-virus concepts are implemented and job-related access rights are assigned. In addition to this, access control systems, daily data backups of the Group-wide ERP system, an uninterrupted power supply as well as regular online training sessions for staff should increase IT security in the Group. The internal audit function regularly monitors the security and reliability of the IT systems as well as the effectiveness of the control mechanisms which have been implemented.
HUGO BOSS assumes that global cyber attacks will continue to increase in future, and consequently classes it as an “emerging risk”. The Group implemented a Security Information and Event Management (SIEM) System in fiscal year 2018. This approach to security management makes it possible to take a comprehensive view of the Group’s IT security going forward. The planned construction of a security operation center should further enhance the responsiveness of the Group to potential cyber attacks in this regard. Furthermore, HUGO BOSS also works with external service providers to avert risks. Due to the measures carried out, management currently considers the occurrence of IT risks to be unlikely. The financial impact is assessed as moderate.
Personnel risks
Achieving the Group’s strategic and financial targets is largely dependent on the skills and commitment of its employees and on safeguarding a fair and value-based corporate culture. Personnel risks mainly stem from recruitment bottlenecks, shortages of specialists and excessive employee turnover. HUGO BOSS combats this risk with a forward-looking HR policy, comprehensive development and training measures, the continuous development of its performance-based remuneration system and a variety of measures to support a healthy work-life balance. HUGO BOSS considers itself to be well positioned in the increasing international competition for skilled workers and so classes this risk as unlikely, however at the same time, it would have a significant financial impact. Employees
Governance and compliance risks
All employees of the HUGO BOSS Group are required to comply with the Code of Conduct applicable throughout the Group and the compliance rules applicable in specific areas. All Group companies are subject to regular risk analyses and detailed audits where applicable. Adherence to the compliance rules is monitored by the central compliance division and breaches are reported to the Managing Board and Supervisory Board. Corporate Governance Report including the Corporate Governance Statement Combined Non-Financial Statement, Anti-Corruption and Bribery Matters
Breaches of data protection laws represent an increased compliance risk. The Group aims to counter this risk with a system that complies with data protection laws as well as robust security and data privacy controls. All employees are educated on data protection matters through activity-related training courses and the obligation to adhere to the Code of Conduct. All internal processes and systems for processing personal data are measured on an ongoing basis and continually improved to ensure that they comply with the legal data protection requirements. With the EU General Data Protection Regulation now applicable, there has been more of a focus on data protection, and on the implementation of and compliance with the new changes in the law. Combined Non-Financial Statement, Data Protection
Management classifies risks in the context of governance and compliance as possible and considers the potential financial risk to be significant.