Risk management process

Risk Identification

Fraport defines risks as future developments or events that could have a negative impact on the achievement of operational planning and strategic targets. Opportunities are regarded as future developments or events that can lead to a positive planning or strategic target deviation. Risks are identified using various instruments by the operational business, service, and central units of Fraport AG and the group companies and top-down by the REW-RS department, RMA, and Executive Board. The risk identification methods used are for example market and competition analysis, evaluation of customer surveys, information about suppliers and institutions or monitoring risk indicators from the regulatory, economic, and political environment. The heads of the Fraport AG units and the executives of the Group companies are responsible for the accuracy of the information from their units/companies that is processed in the risk management system. They are obligated to constantly monitor and manage risk areas, and report on all risks in their divisions and their company to the REW-RS department on a quarterly basis. Central risk management can use the risk reports to identify risk trends in the Fraport Group. Outside of regular quarterly reporting, newly identified substantial risks must be reported immediately.

Risk Evaluation

The systematic evaluation of risks determines the impact and probability of occurrence of the identified risks, and makes it possible to estimate the extent to which the individual risks could jeopardize the objectives and strategy of the Fraport Group, or which risks will very likely, due to their nature, jeopardize the company as a going concern. Risk evaluation is always based on a rolling 24-month period. However, this does not mean that risk owners only analyze and evaluate the risks from a short-term perspective; possible infrastructural risks are in particular monitored in accordance with their long-term impact. The evaluation system divides the potential impact (= impact level) into four categories: “low”, “medium”, “high”, and “very high”. It then assesses the impact level based on how the risks affect the relevant detection variable (EBIT, financial result, or liquidity). Furthermore, qualitative factors (media reporting/attention, effect on stakeholders), which could be important for Fraport’s reputation and which also determine the risks, are also included in the analysis. The probability of occurrence for individual risks is also divided into four categories: “unlikely”, “possible”, “likely”, and “very likely”. The risk level (“low,” “moderate,” “considerable” and “substantial”) arises from the combination of impact level and probability of occurrence.

The risk evaluation is conservative, i.e., it reflects the worst-case scenario for Fraport. A distinction is made between gross and net risk. Gross risk is the worst-case (financial) impact before countermeasures. The net risk represents the expected residual (financial) impact after initiation or implementation of countermeasures. The risk assessment in this report only reflects the net risk.

In order to assess possible combination effects between individual risks, the REW-RS department annually prepares a risk aggregation as part of the planning process. The impacts of the risks are aggregated by Monte Carlo simulation and applied to the balance sheet and income statement of Fraport AG in the planning horizon, taking account of planning uncertainties. The resulting impacts on the financial performance indicators of Fraport AG are analyzed and reported to the Executive Board as part of the adoption of the plans resulting from the risk-bearing capacity analysis.

Management of Risks

Risk owners are tasked with developing and implementing suitable countermeasures to minimize and manage risks. In addition, general strategies must be developed to deal with the identified risks. These strategies include risk avoidance, risk reduction with a view to minimizing the (financial) impact or the probability of occurrence, transfer of risk to a third party (for example in purchasing insurance policies), or risk acceptance. The decision regarding the implementation of the relevant strategy and/or measures also considers the costs in relation to the effectiveness of potential countermeasures. Here, the REW-RS department works closely with the risk owners in order to monitor the progress of countermeasures and to evaluate their effectiveness from a Group perspective.

Risk monitoring and reporting

Integrated risk management aims to ensure a transparent presentation of the Fraport Group’s risk situation. Risks are reported to the Executive Board when they are classified as “considerable” or “substantial” based on their net risk according to systematic evaluation standards used Group-wide.

In the event of very significant changes to previously reported risks or newly identified “substantial” risks, ad hoc reports are also issued outside of the regular quarterly reporting schedule.

Twice a year, the Executive Board reports the considerable (amber) and substantial (red) risks, including any changes in the same, to the Supervisory Board’s Finance and Audit Committee. The figure below shows the recipients of the risk reporting, according to the net risk.

This process ensures the early detection of trends that could jeopardize the Fraport Group as a going concern.

An integral component of the risk management system of Fraport is also the assessment of financial risks, whereby the presentation in the accounts of financial instruments overall and hedging transactions in particular is monitored and controlled. This process is described in the financial risks section (“Risk report” in accordance with section 289 (2) no. 1 HGB and section 315 (2) no. 1 HGB). At Fraport, this process represents a subsection of the accounting-related internal control system.