Governance, risk & compliance

GRI 102-16, GRI 415-1

Because legislative activities have a major impact on the business activities of 50Hertz, the company represents its positions transparently and publicly as part of the political process. This is the responsibility of the Communications and Public Affairs department. This political communication is conducted responsibly and without donations to political parties. Ethical principles for political lobbying were set out. The guidelines on conduct in the political arena, which apply for the whole company and are agreed with the management, define these principles. They stipulate that 50Hertz makes no donations to politicians, parties, or political institutions, and when providing sponsorship ensures appropriate consideration and proper balance. Responsibility for contributions to party-affiliated foundations and associations is embedded centrally in the Communications and Public Affairs department. In this way, together with specific training programmes, 50Hertz ensures that employees who are active in terms of social and energy policy are guided in their communications and their actions by clearly defined principles. Furthermore, 50Hertz is entered in the EU Transparency Register and is committed to its Code of Conduct. In 2018, 50Hertz did not make any contributions to politicians or political parties.

GRI 205-1, GRI 205-2

The Company Charter and guidelines on preventing corruption set out 50Hertz’s understanding of correct ethical conduct and make it clear that the Company complies with the law and does not tolerate corruption. These principles flow into organisational measures that are binding for the whole Company.

Since 2010, 50Hertz has had a policy in place that regulates the whistleblower system and prescribes the establishment of an internal Compliance Committee and an external ombudsman. The Compliance Committee comprises one member from Legal Affairs, one member from Human Resources and a compliance coordinator. The ombudsman reports to the Compliance Committee once a year in writing about how it has been used and the number of tip-offs received. If the ombudsman passes on a justified tip-off to 50Hertz, the Compliance Committee is convened immediately to deal with the case in hand and take further internal action if necessary. The Committee reports to the management of 50Hertz annually and on an ad hoc basis as required. In 2018, the ombudsman did not receive any tip-offs about corruption. No significant fines were imposed on 50Hertz in the fiscal year 2018 in connection with general business activities, power line construction projects or operations. The reporting threshold for administrative offences was set at EUR 25,000.

50Hertz also regularly provides all employees involved in the procurement process with training on the basics of procurement, anti-corruption and compliant behaviour. Since 2016, 19 training sessions have been held across different sites for 200 employees from throughout the Company. For 2019, 4 training sessions are planned for an expected 50 participants.

GRI 102-30, GRI 102-11

As part of its systematic risk management, 50Hertz regularly surveys and assesses the following risk areas:

50Hertz aims to avoid risks to the Company’s continued existence,to reduce risk positions as much as possible where feasible and to optimise the opportunity/risk profile. Risk guidelines set down how risks are systematically identified, recorded, assessed and monitored on a quarterly basis. A risk conference is held once a year in which all department heads (secondmanagement level), as risk owners, and the risk manager meet with the management to discuss the most significant risks and risk-related issues. In the area of CSR, for example, these are occupational safety and new requirements from environmental legislation. In the upcoming months the risks assessed and monitored will be extended related to risk based on climate change.

In the sense of a holistic approach to risk management and the principle of precaution, 50Hertz involves suppliers and the associated processes. The company has anchored requirements regarding occupational safety and environmental protection inits purchasing and procurement policy, which are binding for all suppliers. In the future 50Hertz will analyse its influence on the structure of the sustainable supply chain in detail, expand upon documents relevant to its suppliers on sustainability related aspects and make its business partners even more aware of occupational safety, health protection and environmental protection topics.

G4-EUS-DMA Disaster/Emergency Planning and Response

As an operator of critical infrastructure, 50Hertz isrequired to ensure information security under the IT-SiG [“IT-Sicherheitsgesetz”: IT Security Act]. Information must be processed, stored and communicated such that the availability, confidentiality and integrity of the information and the systems are adequately ensured.

To this end, an information security management system was introduced in 2017 and certified in 2018 in accordance with ISO27001. This established security process ensures that IT risks are systematically identified and addressed. In particular, security alerts and warnings that are issued by the German Federal Office for Security Technology (BSI) are recorded and evaluated as part of this process. If required, necessary protective measures are derived and implemented. In the reporting year, no targeted cyberattacks on 50Hertz were registered and no damage from information security incidents was recorded. 50Hertz employees, as well as temporary and external employees, participated in an online training session on information security in2018.

In January 2018, 50Hertz received the ISO 27001 information security management system certification, as a result of which 50Hertz has to fulfil its obligation as an operator of critical infrastructure on the basis of the IT security catalogue of the Federal Network Agency. In November 2018, the repeat audit was performed.

For 50Hertz, security goes beyond its corporate boundaries. Therefore, both internal and external stakeholders receive training in crisis management and communication in the form of regular crisis team exercises, among other things. As a result of this, not only existing structures, processes and reporting channels are evaluated and continuously improved, but the crisis team participants and employees also receive intensive training on how to deal with unexpected events under special stresses and quickly make appropriate decisions to manage crises. These and further measures aim to continuously and holistically increase the resilience of 50Hertz.