RISK FACTORS AND RISK MANAGEMENT

Risk Management

As a global enterprise, we are exposed to an extensive variety of risks across our entire range of business operations. In the broadest sense, we define risk as the danger of not achieving our financial, operative, or strategic goals as planned. To ensure our long-term corporate success, it is therefore essential that risks be effectively identified and analyzed and then eliminated or at least limited by means of appropriate control measures. We have a comprehensive risk management system in place, which is intended to enable us to recognize and analyze risks early on and to take the appropriate action. This system is implemented as an integral part of our business processes across the entire SAP Group; it comprises multiple control mechanisms and constitutes an important element of the corporate decision-making processes. These mechanisms include recording, monitoring, and controlling internal enterprise processes and business risks, a number of management and controlling systems, a planning process that is uniform throughout the Group, and a comprehensive risk reporting system. To ensure our corporate risk management efforts are effective and to enable us to aggregate risks and report on them transparently, we have opted for an integrated approach that is uniformly implemented throughout the Group by a global GRC organization with a direct reporting line to the chief financial officer of SAP AG. The risk-management responsibilities of this organization are:

  • To continually identify and assess the risks incurred within all important business operations using a uniform, methodical approach
  • To monitor implementation of the measures defined to counteract risks
  • To report on risks to management and the Executive Board on a regular basis
  • To oversee a global, risk-oriented insurance strategy as a means of risk mitigation 
  • To ensure compliance with regulations governing the establishment and monitoring of effective internal control over financial reporting in line with the U.S. Sarbanes-Oxley Act, section 404

As a stock corporation domiciled in Germany that issues securities listed on a U.S. stock exchange, we are subject to both German and U.S. governance-related regulatory requirements. We have conducted an assessment of the effectiveness of our internal control over financial reporting in accordance with the requirements in the U.S. Sarbanes-Oxley Act, section 404. The assessment determined that our internal control over financial reporting was effective on December 31, 2006 and December 31, 2007. We applied PCAOB Auditing Standard No. 5 to the assessment of the effectiveness of our financial reporting control for the first time in respect of 2008. The audit had not found any indication by March 10, 2009, that our internal control over financial reporting was not effective on December 31, 2008. We have documented key business processes of SAP AG and its major subsidiaries, as well as the controls contained in these processes, in accordance with the requirements mentioned above. Our global internal audit service and dedicated process champions periodically assess these standard processes and their documented procedures and test the design and effectiveness of the process controls. Further elements of the system include a corporate Code of Business Conduct for employees and members of the Executive Board, and the work of the Supervisory Board in monitoring and controlling the Executive Board.