Annual Report 2023

Key Aspects of the Internal Control and Risk Management System

The information provided in this section is not part of the management report and is therefore not covered by the audit.

Internal control system (ICS) and risk management system (RMS)

The ICS and RMS of HUGO BOSS are designed in accordance with the principles, guidelines, and measures defined by the Managing Board, aiming to execute the strategic and operational decisions of the Managing Board from an organizational perspective. It includes the management of risks and opportunities with regard to the achievement of business objectives, the correctness and reliability of internal and external accounting, and compliance with the legal provisions and regulations relevant to HUGO BOSS. This also includes sustainability aspects, which are continuously further developed in accordance with regulatory requirements. Our ICS and RMS are based on the globally recognized COSO framework (Committee of Sponsoring Organizations of the Treadway Commission) and are continuously adapted to the specific requirements of HUGO BOSS.

HUGO BOSS has a comprehensive, integrated ICS and RMS methodology (RIC methodology) with a standardized procedure according to which necessary controls are defined, documented according to uniform specifications and regularly reviewed for their appropriateness and effectiveness. Further information on our RMS can be found in the Risk Management System section of this Report on Risks and Opportunities.

Three-lines model

[Figure: Three-lines model. First line: Risk Owner / Business Units / Subsidiaries (risk ownership). Second line: Risk Management & Internal Controls / Compliance (risk control). Third line: Internal Audit (risk assurance). Oversight by the Supervisory Board and the Managing Board; external Group auditor.]

HUGO BOSS has implemented the “Three Lines” model to clearly define and allocate responsibilities and to effectively defend against risks. In the first line of defense, the operating units assume responsibility for defining and implementing appropriate and effective controls to mitigate risks in their respective areas of responsibility in accordance with Group-wide standards. The second line of defense consists of specialized governance functions, in particular the central Risk Management & Internal Controls and Compliance & Human Rights departments. These are responsible for the definition and methodology of the internal control framework as well as the management of the assessment and control process, providing objective monitoring and advice independently of the operating units. The Managing Board, the Audit Committee and the Supervisory Board of HUGO BOSS are informed regularly and on an ad hoc basis about potential material control weaknesses, the appropriateness and effectiveness of the controls in place and the Company’s risk situation. The Audit Committee and the Supervisory Board of HUGO BOSS AG are responsible for monitoring the ICS and RMS, including their appropriateness and effectiveness. As part of its monitoring function, the third line of defense, Internal Audit, reviews compliance with the legal framework and internal Group guidelines for the Group’s ICS and RMS, in particular the design, compliance and effectiveness of the controls defined as part of the ICS and RMS. If necessary, appropriate measures are initiated in cooperation with Risk Management & Internal Controls and the relevant specialist department in order to eliminate the identified weaknesses as part of a defined process. Internal Audit regularly reports the results of its work to the Managing Board and the Audit Committee of HUGO BOSS.

As part of the audit of the consolidated financial statements, the external Group auditor assesses the suitability of the measures implemented in the Company for the early identification of risks that could jeopardize its continued existence. The auditor also reports to the Audit Committee and the Supervisory Board on any material weaknesses in the ICS and the accounting-related RMS identified during the audit of the financial statements. The Company continuously monitors the processes and systems of both the ICS and the RMS in order to eliminate identified weaknesses and ensure continuous improvement. Given the complex process landscape and the rapid pace of change in the legal requirements for non-financial information, the maturity level of the ICS with regard to sustainability-related aspects in particular does not yet match that of the accounting-related ICS.

As of the reporting date, there are no indications in all material respects that the ICS and RMS are inadequate or ineffective as a whole. Notwithstanding this, there are inherent limitations to the effectiveness of any ICS and RMS. Even if a system has been assessed as appropriate and effective, there is no guarantee that all risks that actually arise can be identified in advance or that any breaches of processes can be ruled out under all conceivable circumstances.

Compliance management system (CMS)

The ICS and RMS of HUGO BOSS also include risks and controls from the CMS, which are derived from the close cooperation between Risk Management & Internal Controls and Compliance & Human Rights. The CMS is an integral part of the ICS and RMS and is based on the elements of the IDW PS 980 standard. It covers relevant risk areas such as anti-corruption, antitrust law, data protection, money laundering prevention, sanction prevention and the safeguarding of human rights and is based on a comprehensive set of internal guidelines. The HUGO BOSS Code of Conduct defines the fundamental principles and standards of behavior that must be observed by all employees in the business units and in dealings with external stakeholders. In addition, there are comprehensive internal compliance regulations, including corresponding controls, which oblige all employees to ensure that the CMS is being executed. They contain topic-specific application provisions on compliance processes and tools as well as additional guidelines and information for the individual risk areas.

Compliance risk management and compliance reviews are components of the CMS, aimed at identifying compliance risks at an early stage and thus enabling appropriate and effective measures to avoid or minimize these risks. The results of the CMS are incorporated into the Company-wide RMS. The Compliance department uses various measures to ensure that the CMS and the corresponding processes are executed, adhered to and continuously developed throughout the Group. Taking into account the findings of compliance risk management and compliance controls and audits, the CMS is continuously adapted to Company-specific risks and local legal requirements in particular. The Managing Board and Supervisory Board are regularly informed about key compliance issues.