Sustainability Report 2023

Risk management

GRI 2-16, 3-3

Risk management regulates the handling of risks and opportunities within a process, project or other company activities. The aim of the risk management process is to support management in its corporate decision-making, to improve corporate management and to provide transparency and certainty to stakeholders. Performance-oriented risk management is geared towards implementing the corporate strategy and is an integral part of corporate management. Risk management includes all measures taken to identify, analyze, evaluate, monitor, and control risks. The primary objective is to identify and reduce risks and to identify opportunities and their subsequent use cases. All SBUs or significant Group companies conduct risk management. Risk management with a focus on accounting and reporting is regulated in the Group Risk Policy, which falls under the remit of Group Controlling.

The Group companies employ an early detection system for risks to ensure that risks are identified at an early stage and countermeasures are initiated. The Group companies and the Risk Panel are responsible for setting up and monitoring the system at a higher level. It determines the risk-bearing capacity of the Zeppelin Group with the help of quarterly risk panel reports.

In addition to the Risk Management System (Group RMS), the Zeppelin Group also has other distinct governance, risk and compliance (GRC) systems, which are used to evaluate risks in the central specialist divisions or sub-divisions. These include the GRC tool “OneTrust” (currently used for IT security, data protection and compliance), the Tax Compliance Management System and the Tax Control Framework (TCF), through which the Group companies and the central divisions can identify, evaluate and deal with their risks. If significant risks are identified in these systems, these must be reported in the Group RMS.


In addition, the Group Management Board, together with the Risk Panel, determines which central divisions of Zeppelin GmbH report additional risks to the Risk Panel. These include IT security, data protection, compliance and corporate social responsibility. A detailed overview of the risks and opportunities of the Zeppelin Group can be found on page 87ff of the Annual Report 2023.

The procedure for determining risks and opportunities for processes and projects is contained in the “Risk Management” procedural instruction. The sponsor and/or the respective project manager are responsible for identifying risks and opportunities within a project. The process owner is responsible for identifying, for their process, the respective risks and opportunities, the persons involved, the necessary knowledge and the necessary tools, as well as other process-specific aspects. Identified opportunities and risks are assessed based on their probability of occurrence, failure rate or extent of damage. Risks and opportunities are assessed and taken into account in the decision-making process in all key decisions taken in the Group Management Board and the management bodies. Suitable measures for risk avoidance or mitigation and the use of identified opportunities are then defined. If the overall risk has decreased or is acceptable on account of the defined measures, key figures will be defined. If the overall risk has not decreased by the required amount, measures will be redefined. The effectiveness of the defined measures and KPIs is regularly reviewed as part of the ongoing improvement process and the management review process with the Group Management Board; changes are made as necessary.

Our business activities also have an impact on the environment and society. The following part of this report describes potential risks and opportunities of our corporate activities that could have a long-term impact on the environment and society, and explains which prevention and remedial measures are available in order to avoid potential risks, for each topic area.

Compliance and data protection

Environmentally and socially responsible corporate governance is not a direct legal requirement, but a matter of course anchored in Zeppelin’s corporate culture. Accordingly, Zeppelin’s Compliance Management System manages compliance risks. The focus in this regard is on the areas of corruption, export controls, and data protection. To this end, the Compliance and Data Protection department carries out appropriate risk assessments in order to identify, document and reduce risks.

Data security

The situation in the virtual space remained critical in 2023 – and the threat from cybercrime is greater than ever. Advancing digitalization and increasing networking are broadening the potential attack vectors, and new, adapted attack methods seek to exploit them. For example, attacks based on artificial intelligence and the increasing level of professionalism with a service approach ("cybercrime-as-a-service") are worrying. In addition, the changing geopolitical security architecture also presents a major challenge for German companies: hacktivism attacks and cyber wars in the context of political crises present risks that are difficult to assess. The main threat, however, remains ransomware as a financially motivated cyber attack. It is not just the professionalization (with "ransomware-as-a-service"), but also the increased pressure on affected organizations that poses additional challenges for victims: the affected systems are no longer ‘just’ encrypted. Ransomware attacks are now associated with data exfiltration. For example, it is common practice for perpetrators to threaten the company concerned with the publication of the data in a second step (double extortion) and in a third step (triple extortion) and to demand payment for non-disclosure in addition to the ransom.

Zeppelin therefore regularly reviews its existing information security measures to ensure they are adapted to the current threat level. Ensuring the availability, integrity, and confidentiality of data is an essential requirement for Zeppelin. Likewise, the resilience of the systems used and products provided against the threats described is essential. As part of the Group-wide information security management system, technical and organizational measures were therefore taken last year to counteract risks in a targeted manner. Examples of this are the establishment of Group-wide IT service continuity management to maintain business-critical processes in the event of cyber attacks and IT crises, as well as further awareness training to strengthen the security culture in the Group. The human factor continues to play a key role in many attacks. For this reason, awareness training and regularly simulated phishing attacks are carried out for all Group employees. These campaigns raise staff awareness of these risks and are accompanied by further technical measures. Security monitoring and security analytics ensure that anomalies are detected and attack attempts are prevented. Cyber risks are expected to continue to grow rapidly in the coming years, which means additional risks cannot be ruled out in this volatile environment despite preventive security measures. Legislation at European level in the form of NIS2 (Network and Information Security Directive) contributes to all of this. In particular, the responsible managing directors are made personally liable. New measures and deadlines, such as the obligation to report suspicious incidents to the responsible authorities within 24 hours or applying common industry standards, aim to make companies more resilient. The most common industry standard in Europe, ISO 27001:2022, requires the use of technology such as data loss prevention, third-party management, detective and reactive measures. Some of these new ISO controls, such as Threat Intel and Monitoring Activities, can already be mapped by Zeppelin today.

Quality management

In addition to optimizing internal processes and improving product and service quality, transparent and fair handling of complaints also plays an important role. Standardized processes can achieve lower reject rates, reduce material usage, and thus save resources and energy. Due to Zeppelin’s extensive product and services portfolio, a standardized procedure is crucial to ensure the health and safety of customers and to avoid risks in advance. To ensure high-quality products and services, and to meet our customers’ needs and requirements, we have implemented a uniform management system in accordance with DIN EN ISO 9001:2015 in the German companies. This underscores the quality awareness for internal and external purposes.

Supplier management

The Supply Chain Due Diligence Act gives particular relevance to human rights risks such as child labor, forced labor, and slavery. Failure to properly manage suppliers could result in risks in these areas. On the other hand, companies in Germany will have to ensure that their supply chains comply with the requirements of three international environmental agreements in the future. From 2023, for example, supply chains have also been subject to requirements for the use and handling of mercury, for the production and handling of certain hazardous persistent organic pollutants, and for the import and export of hazardous substances (Minamata Convention, Stockholm Convention and Basel Convention). Moreover, companies have had to prevent or mitigate certain environmental damage if human rights are otherwise violated. This means, for example, that companies must prevent harmful changes in soil, water or air pollution if this would significantly impair the production of food, deny a person access to safe drinking water, or damage a person’s health. In order to take this responsibility into account and operate sustainable supplier management, Zeppelin created a Code of Conduct for Suppliers in the 2023 reporting year. This contains provisions governing Zeppelin’s cooperation with the supplier and forms the basis for all future deliveries and projects. Zeppelin and the supplier undertake to adhere to the principles and requirements of the Code of Conduct and to comply with applicable laws. Zeppelin reserves the right to monitor the obligations to comply with the Code of Conduct as part of regular risk analyses and, among other things, to implement preventive measures with the supplier in accordance with the Supply Chain Due Diligence Act.

Customer health and safety

According to the German statutory accident insurance body, there is a high risk of injury within the construction industry. To prevent accidents and illnesses, it is particularly important for Zeppelin to draw customers’ attention to the risks involved, to encourage correct handling, and to conduct preventive work through training. Due to the company’s wide range of products, different approaches exist within the strategic business units (for further information refer to section 6.2).


Employee satisfaction and diversity

Societal trends such as demographic change and the shortage of skilled workers increase the risk of bottlenecks. Zeppelin’s long-term success is based on attracting and retaining qualified employees. For this purpose, Zeppelin relies on work-life balance, health initiatives such as Z FIT, flexible working hours and employee networks to take into account the different needs of a diverse workforce. Strategic employer branding strengthens attractiveness as an employer. Leadership plays a decisive role in employee motivation, supported by modern principles and feedback from the global Z VOICE employee opinion survey. Further training opportunities are used to reduce the risk of employees leaving the company. Change management measures with targeted training for the workforce are also intended to facilitate adaptation to market trends and digitalization in order to reduce the adaptation risk.

Occupational health and safety

At Zeppelin, the health and safety of employees are paramount. Particularly in field service, hazardous situations can arise in which employees have to react independently and flexibly. With the help of our Vision Zero and our occupational health and safety measures, we want to prevent accidents to the fullest extent possible. The occupational health and safety management system in accordance with DIN ISO 45001 in all German companies helps us to be legally compliant and to continuously improve our processes.

Donations & sponsorship

For Zeppelin as a foundation-owned company, business and corporate social responsibility are inseparable. Charitable organizations and charitable projects can be supported through targeted funding. This establishes a better understanding and better cooperation within the company in the long term. To ensure that no preference is given to specific stakeholders, it is important to be careful when selecting donation and sponsorship activities and to ensure that they are in line with the company’s values and beliefs. For this reason, Zeppelin has developed a donation and sponsoring policy as well as internal review processes (see the “Donations & sponsorship” section for more details).

Environmental risks

Significant environmental risks may arise as a result of the company’s activities. Some examples of these risks are the release of harmful chemicals or waste, the use of fresh water within water stress areas, and the impact of climate change on greenhouse gas emissions. These risks may not only harm the environment, but also have a negative impact on people’s health and on the economy. Zeppelin actively counteracts these risks through regular official audits, the energy and environmental management system, and many site-specific measures. An in-depth context analysis with regard to environmental conditions along with the assessment of environmental aspects help to assess risks and opportunities in detail.

Climate risks

Various climate risks have the potential to affect Zeppelin’s business activities.

Transitory climate risks can be associated with the transition to an environmentally friendly, carbon-free economy. Zeppelin has identified regulatory adjustments due to new or stricter laws and requirements as a risk and field of action in this regard, for example. In addition, there are higher operating and investment costs, which arise, among other things, from the technical need to convert systems and devices or to renovate existing properties to be more energy efficient. Furthermore, it is expected that current sales markets will change because of the transformation of the economy, and that the demand for products that use fossil energy sources will decrease in the long term, and the need for environmentally friendly, low-emission products and services will rise significantly. As a sustainable company, Zeppelin reacts in good time to the changes that the transformation to a more environmentally friendly economy entails. We also anticipate opportunities that arise as a result, such as tapping into new sales markets, generating new business models, improving competitiveness by changing the product and services portfolio, or increased resilience.

Physical climate risks can arise from the direct consequences of climate change, for example from an increase in extreme weather events, floods, forest fires, and periods of drought. Depending on the respective macro and micro situation, these environmental events can potentially affect each of Zeppelin’s locations with varying severity, probability, and extent of damage. Long-term changes, such as the increase in average temperatures, as well as indirect risks, such as restricted functionality of international supply chains due to local environmental damage, are also considered. At the same time, physical climate risks offer opportunities for Zeppelin, as these risks must be countered by appropriate structural measures such as the expansion of flood protection, irrigation and drainage systems and energy-efficient building refurbishment. Caterpillar, as Zeppelin’s most important business partner and supplier, is also committed to sustainability and thus contributes to a lower carbon future. Caterpillar demonstrates this, e.g. through progress in reducing greenhouse gas (GHG) emissions from its own operations, and its ongoing investments in new products, technologies, and services to help customers meet their climate-related goals. Caterpillar is developing a range of alternative power and propulsion solutions to support a lower-carbon future, including battery-powered construction machinery. Zeppelin counteracts potential climate risks at an early stage through sustainable corporate governance and its voluntary commitment to achieving its own sustainability goals. In particular, this includes the goal of becoming a carbon-neutral company in ongoing business operations by 2030. As in previous years, further climate risks and possible fields of action will be identified and prioritized in the coming years, and measures to reduce risks and identify opportunities will be defined as required.
