Within the scope of our activities, we observe the generally recognized principles of responsible corporate governance. For Bilfinger, goodcorporate governancemost importantly means responsible behavior toward shareholders, employees, business partners, society and the environment. It also determines the actions of Bilfinger SE’s executives and management bodies in particular. It is generally understood to refer to the entire management and control system of a company, including its organization, its business management principles and guidelines as well as the internal and external monitoring and control mechanisms.
A comprehensive and transparent corporate governance ensures the responsible, value-oriented and sustainable management and control of the company. It forms the foundation for sustainable business success and fosters trust among our shareholders, employees, and customers as well as our business partners and the financial markets. We view good corporate governance as an all-encompassing topic that is inextricably linked to the other aspects of sustainability.
Management committees and leadership
Bilfinger SE, a European stock corporation headquartered in Germany, has a dual management and control structure consisting of the executive bodies Executive Board and Supervisory Board. While the Executive Board is responsible for managing the business of the company and the Group, the Supervisory Board supervises it and has personnel authority over the members of the Executive Board. The two committees work in close cooperation for the benefit and in the interest of the company. The third corporate body is the Annual General Meeting, which, in accordance with the law, is primarily responsible for fundamental decisions.
In the course of implementing corporate governance, Bilfinger follows the recognized standards of the German Corporate Governance Code (GCGC). The Executive Board and Supervisory Board of Bilfinger issue an annual declaration of compliance with regard to the application of the recommendations of the GCGC.
The declaration of compliance and the GCGC as well as further details on the duties and responsibilities of the boards of the company are provided in the Declaration of corporate governance and corporate governance report of the Annual Report.
The Executive Board conducts the business and manages the company and the Group in the interests of the company on its own responsibility. It also takes into account the sustainability aspects of environment, social and governance (ESG). The Executive Board has established specific committees to implement and ensure corporate governance in the company and the Group. This includes in particular the Group Executive Management, the Bilfinger Risk Committee, the Safety Council, the Compliance Review Board, the Independent Allegation Management Committee and SustaiNet.
This year, the Executive Board created Group Executive Management (GEM), a management team to advise and support the Executive Board on the operational and strategic issues of the Group. The committee discusses and develops relevant topics and, where relevant, prepares them for decision by the Executive Board. The main goal of the GEM is to achieve a reduction in administrative processes, strengthen individual responsibility and allow for faster decision-making. In addition to the Executive Board, the GEM comprises the heads of the three segments (Engineering & Maintenance Europe, Engineering & Maintenance International, Technologies), the Head of Products & Innovation, the Head of Corporate HR & HSEQ and the Head of Corporate Procurement. The GEM meets at least once a month.
The Bilfinger Risk Committee (BRC) meets quarterly at the behest of the Executive Board and advises it on issues related to risk assessment. It consists of the members of the Executive Board and Chief Financial Officer (CFO), the Finance Directors (FDs) of the individual regions / divisions, and selected heads of corporate departments. The BRC supports the design of an effective and pragmatic risk management system, the monitoring of general risk developments and promotes risk awareness and risk culture within the Group. The assessment of non-financial risks to society and the environment that could arise from Bilfinger’s activities is also carried out on an annual basis as part of the BRC. The BRC thus contributes to general quality assurance as well as to the identification, treatment and reporting of significant Group risks.
The Safety Council is the responsibility of the Executive Board member responsible for HSEQ and is the exploratory and decision-making body for Bilfinger HSEQ issues. The Executive Board member responsible for HSEQ chairs the Safety Council. Other members include the Head of Corporate HR & HSEQ as well as the Executive Presidents (EPs) of the individual regions / divisions. The Safety Council meets monthly and decides on all Group-wide HSEQ issues. In this regard, the Safety Council makes a significant contribution to the implementation of HSEQ objectives throughout the Group.
The Compliance Review Board (CRB) manages and monitors the organization and implementation of our compliance management system. It is comprised of the full Executive Board as well as selected heads of the corporate departments and convenes quarterly under the chairmanship of the Chief Compliance Officer. The CRB has a central role in ensuring the effectiveness of our compliance management system.
The Independent Allegation Management Committee (IAMC) is composed of heads and representatives of Compliance, Legal & Insurance, Internal Audit & Investigations, Accounting, Controlling & Tax, and HR & HSEQ and meets as often as necessary, but at least once a month. Under the chairmanship of the Chief Compliance Officer (CCO), the committee controls and monitors the conduct of internal investigations into possible serious violations of our Code of Conduct. The IAMC also advises on necessary responses to identified violations including process changes, control activities and disciplinary measures.
The Disciplinary Committee (DC) convenes on an ad-hoc basis – generally when a case has been presented by the Independent Allegation Management Committee – to decide on disciplinary measures for employees in connection with a violation of the Bilfinger Code of Conduct. The DC is chaired by the Head of Corporate HR & HSEQ. The committee also includes the General Counsel / Chief Compliance Officer, the Head of Labor Law / Co-Determination and the direct supervisor of the business unit where the matter under review occurred.
SustaiNet is a sustainability network responsible for coordinating and harmonizing sustainability management at Group level. It is coordinated by Corporate Treasury & Investor Relations in the area of responsibility of member of the Executive Board Matti Jaekel (Chief Financial Officer). Members of Sustainet include heads of selected corporate departments and functional units whose areas of responsibility have a bearing on sustainability issues, as well as the executive management of regional and divisional operations.
SustaiNet meets at least twice a year; in addition, meetings are convened on an ad-hoc and project-related basis.
In accordance with Article 11 of the Articles of Incorporation, the Supervisory Board of Bilfinger SE consists of 12 members, including equal representation of the shareholders and the employees. It advises and monitors the Executive Board and is responsible for the appointment and dismissal of Executive Board members, their employment contracts and remuneration. Monitoring also covers the topics of sustainability environmental, social & governance (ESG) and the corresponding reporting.
In addition to legal provisions and the Articles of Association, the Supervisory Board has adopted Rules of Procedure which set out, among other things, the tasks, items that require approval as well as other requirements for Supervisory Board members, together with the formalities for preparing, convening and holding meetings and adopting resolutions. These were last reviewed and updated in the reporting year and are available on the Bilfinger SE website. The Supervisory Board has established various committees in order to ensure more efficient operations. Details of the committees are explained in Section Declaration of corporate governance and corporate governance report of the Annual Report. The Supervisory Board has, among other things, assigned the supervision and preparation of the topic of sustainability with regard to ESG to the committees responsible for the corresponding (financial) topic areas, with the overall and ultimate responsibility for this remaining unchanged with the Supervisory Board.
Fundamental structure the Bilfinger Group
The Bilfinger Group is hierarchically and decentrally organized. It is managed by Bilfinger SE as the parent company and headquarters.
Headquarters – under the leadership of the Executive Board – is responsible for the fundamental structural and technical management as well as the administration of the Bilfinger Group. It is divided into corporate departments, in some cases with corporate functions as subunits and each of them is assigned to the responsibility of a member of the Executive Board. Operationally, the Group has been divided into two service lines (Engineering & Maintenance and Technologies) and within these into eight regions and two divisions, to which in turn the individual Group companies are allocated. The regions and divisions have a high degree of entrepreneurial autonomy within the framework of the decentralized structure.
Responsibility in each region and division lies with an Executive President who is responsible for operating business and who reports to the Chief Executive Officer (CEO) on the Executive Board, and a Finance Director, who is responsible for commercial matters and reports to the Chief Financial Officer (CFO). There are three Global Excellence Teams (HSEQ, Global Development and Operational Excellence) established in the form of corporate departments that provide targeted support to the regions, divisions and Group companies to develop new areas of business, increase efficiency and, moreover, ensure our HSEQ standards.
This organizational form enables short decision-making paths and lean administration. Governance at Bilfinger is closely aligned with this structure of the Bilfinger Group. The dual control principle generally applies to all actions and measures, especially those with a binding external effect.
Frameworks and regulations
Our frameworks and regulations for the implementation of governance in the Group go beyond statutory requirements for the management of German listed companies. We provide both guidelines and binding regulations for the actions of each individual, oriented on the needs of our business.
In this context, Bilfinger governance is essentially defined and implemented through its various components, including the governance documents and the regulations they contain as well as how they relate to each other. Bilfinger employees are provided with all key governance documents in a combined and transparent form through a governance portal. Updates and changes are administered accordingly in the portal. This is designed to effectively help employees apply and implement Bilfinger governance in their daily work.
Our Mission Statement, our Group Principles and our Code of Conduct, together with the basic structure of the Group, form the framework for governance, with priority given to more general guidelines.
Our corporate values are specified in the Mission Statement and Group Principles. Integrity and security serve as the foundation and are of the utmost priority. The Mission Statement also describes our passion, values and competencies and illustrates the cornerstones of our corporate culture. On this basis, our Group Principles set out behavioral guidelines in abstract form for all employees, in particular for the areas of HSEQ and risk-conscious behavior.
The principles laid out in the Code of Conduct serve as a further benchmark for our actions. The Bilfinger Code of Conduct applies to activities throughout the world and has been translated into a total of 18 languages. It provides specific guidance for responsible, compliant and integrity-oriented behavior in everyday business and is mandatory for all managers and employees – regardless of where they work and what job they do. It is valid throughout the Group and relates to how we deal with each other and how we deal with customers and business partners. In addition to the general principles of behavior in the area of compliance, the Code of Conduct includes, among other things, rules related to integrity as well as the handling of conflicts of interest, and prohibits corruption and discrimination of any kind. The individual topics are specified by associated Group Policies and Group Standard Operating Procedures (Group SOPs). The Code of Conduct as well as the substantiated Group Policies and Group SOPs are regularly reviewed and adjusted for current needs and developments.
The components of Bilfinger governance provide specific guidelines for management and organization within the Group. These requirements can be divided into three pillars – content and process requirements (Group Policies and Group SOPs), requirements for the framework and scope of actions and measures (Rules of Procedure as well as approval and signature requirements) as well as further requirements for responsibility and organization (reporting lines and schedules of responsibility.
In addition to the content of the Group Policies and Group SOPs, the actions of individual Bilfinger employees and managers in the Group are governed by rules of procedure and approval requirements. The regional and divisional heads as well as the managing directors or other board representatives of a Bilfinger company each have rules of procedure that contain, among other things, internal approval requirements for certain actions and measures. Approval requirements exist for each unit and level of the Group and the approval requirements within the regions and divisions are defined by the respective management in its scope of action. Furthermore, binding guidelines and limits exist for each Group unit regarding the signing or other execution or submission of business-relevant documents and declarations by Bilfinger employees. These elements ensure that a clear framework for action is in place for each individual Bilfinger employee and manager. The approval and signature requirements are regularly reviewed to ensure that they are up to date, and adjusted as necessary, as was most recently the case in the reporting year.
In addition to the Group’s specific guidelines on the Code of Conduct, all other subject-related issues and processes classified as requiring regulation throughout the Group are also set out in Group Policies. Special processes are, in turn, regulated in Group SOPs, which are binding for all employees. In each case, local requirements must be taken into account. In certain exceptions, these also allow for specific implementation regulations and deviations in exceptional situations. Responsibility for the Group Policies and SOPs lies with the corporate departments and corporate functions at Group headquarters. Group policies and Group SOPs are regularly reviewed to ensure that they are up to date, and adjusted as necessary.
The rules of procedure also contain the relevant reporting lines and procedural regulations, including the possible allocation of responsibilities and requirements relating to joint decisions in the relevant executive bodies of the Group company or the regional or divisional management. Reporting lines also exist for each Bilfinger employee. The reporting line corresponds in principle to the disciplinary responsibility, but may also be split if there is a different functional allocation.
The provisions in the rules of procedure are supplemented by a mandatory schedule of responsibility, in which the responsibilities for each member of the executive body of a Group company or a region / division head are clearly allocated. The purpose of this approach is to ensure that there is clear accountability and organization for each respective manager.
The implementation of governance at Bilfinger as described serves as a basic structure and framework in the design of the corresponding material factors, which are organized by the relevant specialist departments. Where relevant, the concepts are described in more detail in the chapters that follow.
Bilfinger is committed to the fight against corruption and bribery. Corrupt behavior is contrary to our values. We are also convinced that corruption undermines business relationships, distorts competition and exposes companies and individuals to unnecessary risks.
Bilfinger is committed to the fight against corruption and bribery. Corrupt behavior is contrary to our values. We are also convinced that corruption undermines business relationships, distorts competition and exposes companies and individuals to unnecessary risks.
Bilfinger's Compliance Management System aims to avoid rule violations through preventive measures, to recognize any misconduct at an early stage and to react quickly and consistently. The Compliance Management Systemmainly consists of the following components:
- Code of Conduct and Declaration of Principles on Respect for Human Rights for all Bilfinger employees worldwide
- Guidelines for compliant behavior, for example when dealing with third parties, accepting or giving gifts and in the event of conflicts of interest
- Training for employees and extensive advice and information on all compliance-related topics and processes, including anti-corruption and anti-trust issues
- Monitoring and verifying sanctions lists, embargoes and export controls
- Support with HR compliance, e.g. conflicts of interest, integrity screening of (potential) employees
- Supplier Code of Conduct and compliance monitoring in purchasing
- Regular risk analysis in the fields of anti-corruption/anti-bribery, competition law as well as sanctions list review, embargoes and export controls
- Uniform Group-wide internal control system
- Operational support of our regions and divisions from on-site compliance employees
- Confidential whistleblower system for Bilfinger employees and external whistleblowers
- Compliance Review Board consisting of Executive Board and department heads. This Board monitors and manages the organization and implementation of the Compliance Management System
Our Compliance Management System does not remain static. We continuously review and optimize its effectiveness and efficiency to meet changing regulatory requirements, market and business changes as well as the demands of our customers.
Our compliance training modules include on-site training and e-learning programs in which knowledge is conveyed and case studies are discussed. The total number of people in the target group of the individual trainings sometimes varies greatly from year to year as a result of a multi-year training concept.
Responsibility for the anti-corruption and anti-bribery framework lies with the corporate function Compliance at Group headquarters.
Bilfinger’s compliance management system covers all areas of the business and pursues the objective of preventing compliance violations through preventive measures, recognizing early any type of misconduct and, in the case of confirmed violations, reacting quickly and consistently punishing misconduct.
The Bilfinger compliance management system is also laid out in the Code of Conduct, which is binding for all those employed at Bilfinger worldwide. Bribery and corruption are prohibited for all employees. They may not hold out the prospect of or grant to our customers, suppliers or other business partners money or anything of value, either directly or indirectly, to influence their decisions or to gain any improper advantage. This principle also applies in reverse: No one acting for or on behalf of Bilfinger can allow him- or herself to be corrupted or bribed through the acceptance of unfair economic advantages from business partners. Accepting small payments to secure or accelerate routine official acts (“acceleration payments”) is also prohibited for employees of the Bilfinger Group.
In our Code of Conduct, we also lay out principles in connection with donations, sponsoring activities, gifts, hospitality and entertainment events as well as dealings with public officials.
The Chief Compliance Officer of the Bilfinger Group reports directly to the Chairman of the Executive Board and has an additional reporting line to the Supervisory Board and its Audit Committee.
Managers have a special role to play in the implementation of the Code of Conduct and the compliance management system: they must act as role models. The annual performance evaluation of managers therefore includes an individual integrity assessment that then forms part of the annual dialog on career development. In addition, variable remuneration for managers at management levels 1 and 2 includes an individual integrity factor. This factor is determined and taken into consideration annually with regard to the extent a manager implements the topics of integrity and compliance into his or her daily actions and how much he or she actively supports and promotes them in his or her environment.
To manage and monitor the design and implementation of our compliance management system, the Executive Board has established a Compliance Review Board (CRB), whose tasks and composition are described in Chapter B.5.4.1 Good corporate governance.
Our subsidiaries are supported by compliance managers and compliance officers at both the regional and divisional levels. In addition, each regional or divisional management, each executive management and each departmental management assume responsibility for the effectiveness of the compliance management system, including the internal control system (ICS).
The international network of Compliance Representatives ensures that employees in the Group’s business units have an additional local compliance contact person. The Compliance Representatives are specially trained experts who, in addition to their primary functions in the company, support their colleagues with compliance and integrity questions and thus strengthen the presence and visibility of the topic of compliance at their locations. The Compliance Representatives maintain a regular exchange of information with compliance managers and compliance officers and contribute experience and challenges of the individual locations to the further development of the respective compliance program.
To prevent future misconduct, we rely on measures such as practical advice from compliance managers and officers as well as the Compliance Help Desk, guidelines, supporting IT tools, training and communication measures.
Compliance is a key component of our company's business. We therefore use a variety of formats to train and raise awareness among employees. The Virtual Compliance Week is an excellent forum to reach many of our employees within a short period of time and in an efficient manner. "
All Bilfinger employees also have access to a central Compliance Help Desk that offers support in all compliance-related questions. The Compliance Help Desk is a long-established point of contact within the Group for initial information on how to proceed in the event of any compliance-related issues. In the year under review, 441 (previous year: 296) Compliance Help Desk requests were documented.
In order to deliver our services to the market, we depend on cooperation with numerous business partners. Because the compliant behavior of our business partners is an indispensable prerequisite for us, we use a risk-based, IT-supported process to review our potential business partners before entering into a business relationship (so-called third-party due diligence). When carrying out such integrity audits, Bilfinger business units are supported by the Compliance department in the risk evaluation.
In addition to prevention, the rapid identification of any misconduct and an appropriate response to such misconduct are essential components of our compliance management system. There has been a whistleblower system in place for many years to manage the receipt, documentation and processing of suspicious cases in connection with possible violations of our Code of Conduct. It is available to our employees as well as to outside individuals and entities. The contact details are available on the Bilfinger Group’s website as well as on the Group intranet. Indications of any misconduct can be given on a confidential basis with this system – anonymously if desired.
A department at Group headquarters specializing in internal investigations deals with all notifications related to suspicious cases from internal and external sources and, in cooperation with the compliance organization, conducts a preliminary review of the notifications received. If the suspicions of a violation are confirmed, an internal investigation is initiated. Particularly serious allegations are forwarded to the Independent Allegation Management Committee for assessment and for a decision on further action. The composition and duties of this body, which is appointed by the Executive Board, are described in Good corporate governance.
In the extremely rare event that an employee is found to have been involved in serious misconduct, the Disciplinary Committee headed by Corporate Human Resources at Group headquarters takes any decisions on disciplinary measures and sanctions that are to be initiated. These range from informal warnings through to immediate termination including negative financial consequences. If misconduct on the part of a business partner is identified, the Independent Allegation Management Committee decides on necessary measures. These measures can include, among other things, termination of the business relationship, assertion of civil claims or the filing of an official complaint.
REPORTING VIOLATIONS OR CONCERNS
Are you aware of any violations or concerns about known or suspected violations of the Bilfinger Code of Conduct? Bilfinger applies a zero-tolerance policy to any violations of the Code of Conduct and as such, encourages employyes and other stakeholder to raise any concerns you may have.
In such a situation please contact your supervisor or colleagues from other departments such as the Human Resources, Corporate Comliance or any other person of trust within Bilfinger.
CONFIDENTIAL REPORTING LINE
If you are uncomfortable with any of these channels, or if you are not a Bilfinger employee, you may use our Confidential Reporting Line, consisting of an elextronic postbox and teleohone-hotline, 24 hours a day, 365 days a year, operating in multiple languages.
The Confidential Reporting Line is managed by an idependent services provider.
00800 – B-I-L-F-I-N-G-E-R
(00800 - 245 34 64 37)
If you cannot reach the hotline, please check here, wether a different number applies in your country. If this is not the case, please click on the link above to access our electronic postbox.
In 2022, the Executive Board of Bilfinger SE adopted a Statement of Principles on Human Rights, which is binding throughout the Group. The declaration governs the human rights-related principles applicable to all employees and suppliers at Bilfinger. It defines the human rights and environmental expectations of the Group’s employees and suppliers, describes the human rights and environmental risks that are a priority for the company and the procedures Bilfinger uses to fulfill its obligations under the German Act on Corporate Due Diligence to Prevent Human Rights Violations in Supply Chains (Supply Chain Due Diligence Act – LkSG).
The issue of compliance in our supply chains is of fundamental importance to us at Bilfinger. In order to ensure the high quality of our services over the long term, our purchasing department is guided by a defined set of criteria when selecting new suppliers. Human rights, environmental and occupational safety standards play an important role in this context. Bilfinger has an important competitive advantage with these quality features. "
In this context, the Policy Statement forms the basis of governance for Human Rights Risk Management, which is fully integrated into Bilfinger’s compliance management system (CMS).
Respect for human rights is closely linked to the principles for acting with integrity that have been established at Bilfinger for many years and are set out in the Group’s Code of Conduct. The Code of Conduct defines principles of acting with integrity both toward other employees and toward external persons and organizations. It is aimed at all employees throughout the Group – regardless of where they work and what they do. Our managers and employees are obligated to adhere to the principles formulated in the Code of Conduct and to confirm in writing that they have received and familiarized themselves with it. The Code of Conduct is explained in detail in Counteracting bribery and corruption.
The Code of Conduct, together with the Statement of Principles on Human Rights, establishes a framework for exercising responsibility for society and the environment. Violations of the Code of Conduct or the Declaration of Principles on Respect for Human Rights are not tolerated; the handling of indications or suspected cases and the sanctioning of potential violations are governed by the compliance management system that has been in place throughout the Group for many years.
In its Statement of Principles on Human Rights Bilfinger commits itself to the Universal Declaration of Human Rights of the United Nations. Furthermore, the principles of the UN Global Compact initiative apply, which Bilfinger has committed to uphold as a member. Because human rights can also be impacted by environmental damage, Bilfinger clearly acknowledges its responsibility to protect the environment.
Bilfinger expects its employees and its suppliers in the supply chain to fully commit to the following core principles:
- All people have the right to be treated with dignity, fairness and respect.
- We respect the fundamental freedoms and human rights of our employees, business partners and the communities in which we live and work.
- We do not tolerate any form of discrimination, harassment or physical violence, nor do we tolerate any form of child, forced or compulsory labor.
- We provide an environment that promotes diversity and inclusion, and monitor and enforce compliance with human rights throughout the value chain.
- We protect the environment by ensuring sustainable business practices.
- We do not make any compromises when it comes to integrity, human rights or health and safety.
Bilfinger expects all employees and suppliers in the supply chain to assume responsibility for the values and measures listed below and to consistently align their actions with these measures:
- No use of or contribution to slavery, servitude, forced or compulsory labor or human trafficking.
- No employment for workers under the age of 15.
- For heavy labor in accordance with the ILO Agreement 182, no workers under the age of 18 may be employed.
Respect and non-discrimination
- Promote equal opportunity and treatment of employees regardless of origin, religion, marital status, abilities and personality and education, skin color, nationality, ethnicity, political affiliation, social background, disability, sexual identity and orientation, marital status or age.
- No tolerance for psychological abuse, sexual harassment or discrimination through gestures, language and physical contact that is sexual, coercive, threatening, abusive or exploitative.
Health and safety
- Maintaining safe working conditions.
- Provide training on health and safety issues.
- Conduct and document audits as part of occupational health and safety management systems.
- For us, respect for employee rights is an important component of human rights. This position is based in particular on our commitment to Principles 3 to 6 of the UN Global Compact Initiative, which apply throughout the Group. They relate to employees’ rights to freedom of association and collective bargaining, the elimination of all forms of forced labor and child labor, and the elimination of discrimination with respect to employment and occupation. The rights of employees to freedom of association and collective bargaining are expressed – depending on local legislation – in the company’s employee representative bodies or the trade union. These bodies endeavor to uphold employee rights, including through the application of collective bargaining agreements. Bilfinger’s management maintains a regular and constructive dialog with employee representatives.
- Compliance with global working time regulations.
- Compliance with all wage and compensation laws worldwide, meaning fair compensation for workers.
- Acting in accordance with applicable legal requirements when assigning personnel across borders, particularly with regard to minimum wages.
Freedom of association
- The rights of employees to freedom of association and collective bargaining are expressed – depending on local laws – in the company’s employee representative bodies or the trade union. These bodies endeavor to uphold employee rights, including through the application of collective bargaining agreements. Bilfinger’s management maintains a regular and constructive dialog with employee representatives.
- Recognition of the right of workers to form or join trade unions and to bargain collectively.
- No discrimination against or preferential treatment of members of employee organizations or trade unions.
- Putting particular importance on climate protection and contribution to the reduction of greenhouse gases.
- Strengthening environmentally sustainable economic activities.
- Raising awareness of climate change and the need to accelerate the launch of global energy transition initiatives.
- Establishing a protected procedure for reporting possible violations of human rights principles.
- Identification and management of risks.
- Active reduction of negative impacts.
- Providing a structured incident response with structured processes to resolve these issues when they occur.
Bilfinger has integrated the measures with which the company upholds its human rights-related due diligence obligations into its compliance management system, which has been an established part of the company for many years. The system follows a risk-based approach and is based in its design and operationalization on the prevent-detect-respond model, which has proven itself in Group practice. The model is explained in detail in the Bilfinger Group’s Statement of Principles on Human Rights. It covers all areas of business activity and is designed in such a way that compliance violations are prevented through precautionary measures, misconduct of all kinds is recognized at an early stage and, in the case of confirmed violations, remedial measures are taken quickly and applied consistently.
The institutional basis for upholding human rights and environmental due diligence obligations is the Group’s governance system, which is explained in detail in Good corporate governance.
To monitor compliance with the due diligence obligations of the company, its employees and its suppliers, as well as for the ongoing development of human rights risk management, Bilfinger also appointed the Group’s Chief Human Resources Officer as Human Rights Officer at the end of 2022. Together with a compliance officer as deputy, he is responsible for human rights risk management. Both report regularly to the Executive Board and to the Group Executive Management.
To effectively meet our due diligence obligations in the Group’s supply chain, we have set the goal of conducting at least 600 internal supplier audits per year in accordance with defined standards beginning in financial year 2023.
For us, the satisfaction of our customers is directly linked to the quality of our services. This link is also part of the DIN EN ISO 9001 standard. This standard is applied centrally as a benchmark for our quality management system. The expectation in the Group is that operating units will meet the criteria defined in DIN EN ISO 9001, even if they do not pursue external certification.
In order to be able to provide the quality required by our customers, we have established an extensive quality and process management system. It starts with the operating units, which are responsible for the quality of their products and services and for their monitoring. They are supported by the quality management of the regions and / or divisions as well as by the corporate function HSEQ. System requirements, internal audits as well as training and education measures for quality assurance are intended to ensure that our standards of quality are maintained at all possible times and continuously developed.
For the project business, we have established a Group-wide process that is oriented toward different risk classes. The so-called stage-gate process is used to standardize and ensure the quality of business processes in the operating companies when it comes to offers and orders. This process begins in the business development phase and ends with the expiration of the warranty period. The stage gates are predefined points (decisions and reviews) in the life cycle of an offer or order, the successful completion of which is determined by a stage-gate certificate.
In addition, Bilfinger has had a cross-regional matrix certificate since 2015 which helps ensure uniform quality standards in the Group and which, by the end of 2022, already included 150 locations in 41 Bilfinger companies. Our Health, Safety, Environment and Quality (HSEQ) processes and their implementation in the operating units are audited and certified by external companies.
Data security and data protection
To be able to provide our services, we collect, store and process a range of data. On the one hand, this relates to personal data of our employees and of our suppliers, but also to data about plants, processes and people at our customers’ sites, because we are providing an increasing number of services for the digitalization of plants. Information is therefore an integral part of our business processes and thus represents an important corporate asset that must be protected in an appropriate manner against unauthorized access. In the context of an ever-increasing global networking of computer systems, protection against abuse, manipulation, espionage or theft requires increasingly complex procedures.
Data leaks or issues related to accessing data could have a serious impact on the relationship to employees or business partners. For this reason, our processes and activities for data security and data protection are important prerequisites for the acceptance of our business model by our stakeholders.
Bilfinger takes the protection of personal data very seriously. With a strong global network and our adherence to Group-wide standards on data protection, we take into account not only compliance with applicable data protection laws, but also the very personal interest of our employees, customers and business partners."
Digitalization runs through all areas of life and work. Data leaks, cyber attacks or unprotected access to information can have a serious negative impact on the relationships with our employees or business partners. That's why we have established a broad range of processes that enable the security and protection of our information."
Bilfinger has therefore adopted targeted regulations with regard to information security and data protection and has taken appropriate organizational measures.
The fundamental regulations for the secure and legally compliant handling and processing of data are summarized in our Group Policy on Information Security. It is binding for all those employed by the Group and for all those working on behalf of Bilfinger. It describes the components of information security, principles for handling of data, the processing of data and the obligations of managers, IT specialists, employees and external parties. Violations of the provisions of this Group Policy and its annexes or of existing laws may result in disciplinary, contractual or criminal consequences.
In addition to the Group Policy for Data Security, various Standard Operating Procedures (SOP) have been defined with the goal of implementing the Group Policies on information security in all Group companies. These include, for example, SOPs on the topics of information management standards, ERP, web and cloud services, emergency security as well as ethics and IT practice.
Technical responsibility for information security lies with the manager responsible for information security at Bilfinger Global IT GmbH, who is supported by the dedicated, central competence center for the topic of information security. The Information Security team checks to ensure that IT services that are planned or in operation are compliant with the Group Policy on Information Security as well as regulatory requirements. In addition, each organizational unit must appoint a person responsible for data protection who works together with the manager responsible for information security as a coordinator.
We counter the risks in the cyber security environment with a broad package of measures, such as systematic monitoring of incoming and outgoing e-mail traffic to prevent malicious e-mails with a cloud-based e-mail gateway. In the event of specific threats, we work together closely with the relevant authorities. The central data centers have been migrated to Microsoft Azure in the cloud and are subject to ISO 27001 certification, which lays out the requirements for establishing, implementing, maintaining and continuously improving an information security management system. In addition, measures to make network access more stringent are checked by means of regular vulnerability analyses, e.g., through so-called friendly hacking. To monitor security-relevant events, Bilfinger uses a Security Information and Event Management System (SIEM) which collects all central logs and evaluates them for anomalies. A further focus of activities is the timely elimination of newly reported vulnerabilities of software manufacturers. In addition to the immediate elimination of security vulnerabilities that have become known, training requirements are also defined in such cases for all those employed in the Group with computer workstations in order to raise awareness of the increasing risk.
Every employee or person working on behalf of the Bilfinger Group is obligated to report any possible or actual threat to the information available in the Group as a security incident in a timely manner. In addition, each business unit is obligated to establish and maintain a comprehensive and effective emergency management system in accordance with its business area and area of responsibility. If there is a security incident, the Group-internal Independent Allegation Management Committee (IAMC) is, when necessary, commissioned with an investigation into the violation.
A uniform Group Policy on Data Protection applies in the Bilfinger Group, defining a uniform standard for the handling of personal data. It is based on the provisions of the European General Data Protection Regulation and on globally accepted basic data protection principles for the processing of the personal data of employees, customers, suppliers and other business partners. The policy is binding for all Group companies and is intended to ensure that the data protection standards described in the policy are not undercut. It also applies to Group companies in countries that do not have their own statutory data protection regulations.
The policy describes the tasks and responsibilities of the external Data Privacy Officer, the internal Data Privacy Officer as well as the Data Privacy Coordinator. It also outlines the data protection principles, specifications for data transmission and commissioned data processing, the rights of data subjects and the responsibilities of Group companies.
If data protection violations occur or are suspected, the Group Policy on Data Protection lays out a procedure for the reporting of data protection violations. A reporting form is available to all those employed by the Bilfinger Group as a guideline for this purpose. The reports flow for further processing and for the purposes of evaluation into a database in which the (suspected) data protection violation is described.
The Executive Board is informed about data security and the structure of data protection at least once a year. The Executive Board is immediately informed of any serious incidents at work.
In financial year 2022, 16 (previous year: 4) data protection incidents were identified, 1 of which was classified as a reportable data protection breach (previous year: 1). The main reason for the increase in data breaches are the numerous conversions from on-premise to cloud-based solutions and the associated new analysis options in the IT landscape, which can be used to uncover vulnerabilities.