Annual Report 2023

Management of risks and opportunities

All commercial activities inevitably entail both risks and opportunities. HHLA believes that the effective management of risks and opportunities is a significant success factor in the sustainable enhancement of enterprise value.

Managing risks and opportunities is a key component of the HHLA Group’s management strategy. The planning and controlling process, the reporting system and the boards of the Group’s affiliates are all cornerstones of this risk and opportunity management system. At regular business development meetings, HHLA’s Executive Board discusses strategy, targets and control measures, with due consideration of the risk and opportunity profile.

HHLA’s risk and opportunity management system fosters a keen awareness of dealing with corporate risks and opportunities. It aims to identify risks in good time and take steps to manage or avert them while exploiting opportunities and preventing situations that could jeopardise the existence of the HHLA Group. An important element of the system is the promotion of entrepreneurial thinking and independent, responsible action.

Risk and opportunity management system

Structure of the system

The risk and opportunity management system is an essential part of HHLA’s corporate governance system. Its structure is based on the international risk management standard “COSO Enterprise Risk Management (2013)”. Key elements of the risk management system are: identifying, assessing, managing, monitoring and reporting risks; clear responsibilities for process participants (Executive Board and managers of affiliates, Internal Audit, Group Controlling); incorporating all majority shareholdings and companies consolidated using the equity method into the risk consolidation group. The Executive Board bears overall responsibility. Its members deal with and assess the risk management reports on a quarterly basis.

Risks are catalogued regularly in the course of the annual planning process. All identified risks are described clearly and classified according to defined risk areas.

Risks are categorised by the likelihood of their occurrence and the scale of the potential damage. This reflects the anticipated reduction of the operating result or cash flow before taxes if the risk were to materialise.

Categorisation of the probability of occurrence







most likely

< 25 %


≥ 25 %


≥ 50 %


≥ 75 %

Categorisation of the damage amount as proportion of Group equity1 (capability)

not significant









< 1 %


< 5 %


< 10 %


< 25 %


≥ 25 %


Status: Planning

Risks are assessed in the context of the actual circumstances or a realistic projection. In addition to estimates and economic or mathematical/statistical inferences, sensitivities derived from planning can be used as a basis for assessment. The Group’s affiliates, divisions and corporate staff departments regularly coordinate with the central Risk Management unit of the holding company to ensure that all identified risks are consistently mapped and assessed throughout the Group.

After identifying and assessing the risk, the company defines control measures aimed at reducing the likelihood of its occurrence and/or the loss or damage. A distinction is made between the gross risk (excluding measures) and the net risk (including measures). Based on the provisions of the German Act to Strengthen Financial Market Integrity (FISG) with regard to the appropriateness and effectiveness of risk management systems, a systematic examination of the effectiveness of risk management measures is underway. In order to determine risks within the Group, a systematic risk aggregation is conducted, thereby taking account of any interdependencies of risks with risk-increasing or risk-decreasing effects.

Risks are monitored continuously and any significant changes are reported and documented on a quarterly basis. Additional ad hoc reports are issued whenever material risks emerge, cease to apply, or change. Risks are reported using standard Group-wide reporting formats in order to ensure a consistent overall picture of current risks.

To supplement the established risk management system, a climate risk and vulnerability assessment was conducted in 2022 in accordance with the requirements of the EU Taxo­nomy and is updated every year. Specific temperature, wind, water and solids-related climate risks for relevant business activities and their locations are assessed in terms of their relevance, potential damage and probability of occurrence. The risk assessment is based on current climate data on the basis of the greenhouse gas concentration pathways RCP 2.6, RCP 4.5, RCP 6.0 and RCP 8.5 for the period up to 2050. Corresponding adaptation plans are defined for significant climate risks. Reporting takes place once a year. Climate risks

Opportunity management is comparable to the risk management process. Opportunities are systematically identified and measures developed as part of an annual planning process. When opportunities are identified, there is no requirement for them to be quantified. Opportunity management focuses on the monitoring and analysis of individual markets and on the early recognition and assessment of trends as a means of identifying opportunities. This includes monitoring developments affecting the overall economy or individual sectors as well as regional and local trends. The affiliates’ responsibilities include identifying strategic opportunities in their core markets. HHLA’s Executive Board defines the strategic framework for this objective, for example in the form of strengthening our core business and tapping additional growth areas. When planning, managing and controlling strategic projects for a specific segment or all segments, the Executive Board of HHLA primarily uses the proprietary resources of the holding company.

The most important elements of the risk and opportunity management system and risk and opportunity reporting are described in a corporate guideline.

Reviewing and monitoring the appropriateness and effectiveness of the risk management system

Internal Audit reviews the risk management processes in the course of its individual audits. Moreover, Internal Audit conducts a review of the appropriateness and effectiveness of the risk management system on a regular basis, but no later than in the event of significant structural changes or material findings coming to light from the individual audits.

HHLA’s Supervisory Board monitors the appropriateness and effectiveness of the risk management system. The external auditors assess the early risk identification and monitoring system in accordance with IDW PS 340 on behalf of the Supervisory Board as part of their audit of the consolidated financial statements.

In addition, the risk management system is regularly audited for adequacy and effectiveness in accordance with IDW PS 981. In 2022, the risk management system was audited in accordance with IDW PS 981. No material findings resulted from the audit work.

Risk and opportunity management

Risk and opportunity management and the internal control system for accounting (diagram)

Internal control system (ICS)

Structure of the system

HHLA’s internal control system is designed to ensure that the strategic, operational and financial reporting processes used throughout the company are consistent, transparent and reliable. It also ensures they comply with legal standards and the company’s own guidelines and requirements. It comprises principles, procedures and methods designed to reduce risk and ensure the effectiveness and propriety of HHLA’s processes.

The internal control system is regularly monitored and assessed according to documented processes, risks and controls. In this way, transparency of its structure and functionality are assured for the purposes of internal and external reporting.

HHLA’s internal control system is based on the criteria laid out in the “Internal Control – Integrated Framework” working paper published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The internal control system is regularly monitored on the basis of control documentation and assessed with regard to its structure and functionality for the operating activities.

Accounting processes are assessed to determine whether the existence, completeness, accuracy, valuation, ownership and reporting of transactions are at risk. The company also conducts a risk assessment regarding the possibility of fraud. Concluding unusual or complex transactions can lead to specific accounting risks. There is also a latent risk of error when processing non-routine transactions. Out of necessity, employees are given a certain amount of leeway when recognising and measuring balance sheet items, which can give rise to further risks.

Those parts of the internal control system that focus on compliance with other legal requirements are significant for the audit of the financial statements insofar as they can typically have repercussions on the audited financial statements and management report.

Appropriate and effective controls aim to ensure that Group-wide risks are reduced and business transactions are handled properly. Transactions must be documented, recorded, processed and assessed correctly in the balance sheet, as well as being quickly and correctly adopted in financial reporting. Controls are in place for all relevant business processes.

The internal control system is monitored by Internal Audit, which reports on its status to the Executive Board and the Supervisory Board. The external auditor also assesses the effectiveness of the accounting-related internal control system, primarily by carrying out spot checks.

The internal control system will always have certain limitations, regardless of how carefully it may be designed. For this reason, it is impossible to fully guarantee that corporate objectives will always be met or that every incorrect statement will always be avoided or identified.

Significant regulations and controls

Tasks and functions relating to business processes are clearly defined within the Group. Separating execution, settlement and authorisation functions and giving these responsibilities to different members of staff reduces the risk of errors and fraud. Multi-stage approval and authorisation thresholds for ordering, payment transactions and accounting are employed across the Group. These include using the double-checking principle. A single accounting manual covers the consistent application and documentation of accounting rules for the entire Group. Other strategic and operational guidelines are also in place. Like the accounting manual, they are reviewed regularly and updated if necessary.

Business transactions are generally recorded by ERP systems developed by SAP. For the purpose of preparing HHLA’s consolidated financial statements, affiliates add more information to their separate financial statements to form standardised report packages. These are then fed into the SAP ECCS consolidation module for all Group companies.

The IT systems are protected against unauthorised access. The principles for assigning function-related authorisations are set out in the HHLA SAP authorisation guidelines. These form part of a comprehensive IT security guideline that regulates general access to the IT systems.

The specific formal requirements for the consolidation process as pertaining to the consolidated financial statements are clearly defined. In addition to a definition of the consolidated group, there are detailed rules requiring affiliates to use a standardised and complete report package. There are also specific provisions regarding the recording and handling of Group clearing transactions and subsequent balance reconciliations, and the determination of the fair value of shareholdings. As part of the consolidation process, the Group accounting team analyses the separate financial statements submitted by affiliates and corrects them if necessary. Incorrect information is identified and rectified as necessary using control mechanisms defined in the SAP ECCS system, or by means of system-based plausibility checks.

Monitoring the internal control system

The efficacy of the internal control system is assessed systematically. A risk analysis is first conducted to identify and assess significant risks to material corporate processes within the companies, organisational units and Group functions, and to establish and implement suitable controls for processes identified as being at-risk. The necessary controls are documented and monitored in accordance with Group-wide guidelines.

On the basis of the risk inventory – which is conducted regularly and if necessary on an event-driven basis – the ICS is assessed at least once annually by the respective managing directors or divisional managers. The results are documented consistently throughout the Group, and include statements on the up-to-dateness and completeness of the documentation, as well as the appropriateness and efficacy of the ICS during the current business year.

The managing directors of Group companies report on the results of the self-assessment to their relevant supervisory boards. For holding company functions, the discussion is based on the reporting of the central ICS officer and is led by the Executive Board.

The results of the ICS efficacy review are reported by the member of the Executive Board on the HHLA Audit Committee. The Audit Committee also reports its findings to the Supervisory Board.

Review of the appropriateness and effectiveness of the ICS

A system-independent assessment of the adequacy and effectiveness of the ICS is carried out by Internal Audit in the course of its audit assignments. As part of its risk-oriented audit approach, Internal Audit examines the appropriateness of the internal control system as standard in each audit. The effectiveness of the individual internal controls is also assessed by means of suitable audit procedures.

Based on the knowledge gained in this process, Internal Audit develops future-oriented measures to eliminate any weaknesses, or to optimise processes in cooperation with the relevant departments.

As part of the audit of the annual financial statements, the auditor conducts audit procedures to verify the effectiveness of the accounting-related ICS, mainly on the basis of random samples, taking into account the revised version of IDW PS 261 and IDW PS 330, which are specialised for this purpose.

EU Taxonomy
The EU taxonomy is a legally binding classification system that defines which economic activities of a company are considered sustainable. This is linked to specific requirements for the performance of business activities and the calculation methods of various key figures. The aim is to channel more investment into sustainable companies and technologies and thus support the European Union's 2050 climate neutrality target.

Topic filter