Governance

The Bilfinger Risk Committee (BRC) meets at the behest of the Executive Board and advises it on issues related to risk assessment. It consists of the Chief Financial Officer (CFO), the Financial Directors of the individual regions / divisions, and selected Heads of Corporate Departments. The BRC supports the organization of an effective and pragmatic risk management system and the monitoring of general risk developments. The assessment of non-financial risks to society and the  environment that could arise from Bilfinger’s activities is also carried out as part of the BRC processes. The BRC thus contributes to general process quality as well as to the identification, treatment and reporting of significant Group risks.   

The Safety Council is the responsibility of the Chief Operating Officer (COO) as a member of the Executive Board and is the exploratory and decision-making body for HSEQ-related issues at Bilfinger. Members of the Safety Council include the COO, the Executive Presidents of the individual regions / divisions and the Head of Corporate HSEQ. The Safety Council is responsible, for example, for the Group-wide, topic-specific minimum HSEQ requirements and determines the annual HSEQ  targets for the Group. The Safety Council thus makes a significant contribution to the implementation of the HSEQ objectives in the Group. 

The Compliance Review Board (CRB) manages and monitors the organization and implementation of our compliance management system. It is comprised of the full Executive Board as well as selected heads of the corporate departments and meets quarterly under the chairmanship of the Chief Compliance Officer. The CRB has a central role in ensuring the ongoing effectiveness of our compliance management system. 

The Independent Allegation Management Committee (IAMC) is comprised of the heads and the representatives of the corporate departments of Legal, Compliance, Internal Audit, Tax and Human  Resources. Under the chairmanship of the Chief Compliance Officer, the committee controls and monitors the conduct of internal investigations into possible serious violations of our Code of Conduct. The IAMC also advises on necessary responses to identified violations, including process changes, control activities and disciplinary measures.

The Disciplinary Committee consists of the Heads of Corporate Compliance and Corporate Human  Resources. The committee is chaired by the Head of Corporate Human Resources and evaluates the severity of any proven misconduct. In the event of a serious violation of the Bilfinger Code of Conduct, the Disciplinary Committee defines disciplinary measures to be taken with respect to the  relevant Bilfinger employee. 

In addition to legal provisions and the Articles of Association, the Supervisory Board has  adopted Rules of Procedure which set out, among other things, the tasks, items that require approval as well as other requirements for Supervisory Board members, together with the formalities for preparing, convening and holding meetings and adopting resolutions. This is reviewed on a regular basis and updated when necessary. It is available on the Bilfinger SE website. The Supervisory Board has established various committees in order to ensure more efficient operations. Information about the committees can be found in the Declaration of corporate governance and corporate governance report of the Annual Report. Among other things, the Supervisory  Board has transferred supervision and preparation of the topics of sustainability and Environmental, Social & Governance (ESG) to the Audit Committee, whereas the overall and final responsibility for this remains with the Supervisory Board.

Headquarters is responsible for the fundamental structural and functional management and administration of the Bilfinger Group. It is divided into corporate departments, in part with corporate functions as sub-units with each assigned to the area of responsibility of a member of the Executive Board. Operationally, the Group is divided into two service lines (Engineering & Maintenance and Technologies) and within these into eight regions and two divisions, to which in turn the individual Group companies are allocated. Within the framework of the decentralized structure, the regions and divisions are granted a high degree of entrepreneurial autonomy.  

Responsibility in each of the regions and divisions lies with an Executive President who is responsible for operating business and who reports to the Chief Operating Officer (COO) on the Executive Board, and a Financial Director, who is responsible for commercial matters and reports to the Chief Financial Officer (CFO). There are three Global Excellence Teams (HSEQ, Global Development and Operational Excellence) established in the form of corporate departments to provide targeted support to the regions, divisions and Group companies to develop new areas of business, increase efficiency and, moreover, ensure our HSEQ standards.  

This organizational form facilitates short decision-making paths and lean administration. Governance at Bilfinger is organized in line with this structure. 

Bilfinger governance is essentially defined and implemented by its various elements, including the governance documents and the regulations they contain as well as their relationship to each other. This governance structure was further enhanced in the reporting year and a new Governance Portal was implemented. The Governance Portal makes all key governance documents available to Bilfinger employees in a bundled and transparent form. This is designed to effectively help employees use and implement Bilfinger governance in their daily work. 

There is a clear and transparent structuring of Bilfinger governance (as summarized in the illustration below). 

Our Mission Statement, our Group Principles and our Code of Conduct, together with the basic structure of the Group, form the framework for governance, with priority given to more general guidelines.  

Our corporate values are specified in the Mission Statement and Group Principles. Integrity and security serve as the foundation and are of the utmost priority. The Mission Statement also describes our passion, values and competences and illustrates the cornerstones of our corporate culture. On this basis, our Group Principles set out behavioral guidelines in abstract form for all employees, in particular for the areas of HSEQ and risk-conscious behavior.  

The principles laid out in the Code of Conduct serve as a further benchmark for our actions. The Bilfinger Code of Conduct applies to activities throughout the world and has been translated into a total of 18 languages. It provides specific guidance for responsible, compliant and integrity- oriented behavior in everyday business and is mandatory for all managers and employees – regardless of where they work and what job they do. It is valid throughout the Group and relates to how we deal with each other and how we deal with customers and business partners. In addition to the general principles of behavior in the area of compliance, the Code of Conduct includes, among other things, rules related to integrity as well as the handling of conflicts of interest, and prohibits corruption and discrimination of any kind. The individual topics are substantiated by corresponding Group Policies. The Code of Conduct and the substantiated Group Policies are regularly reviewed and adjusted for current needs and developments. 

The elements of Bilfinger governance also lay out specific guidelines for the management and organization of the Group. These can be divided into three pillars – content and process specifications (Group Policies and Standard Operating Procedures), specifications for the framework and limits for actions and measures (rules of procedure as well as approval and signature requirements) and further specifications for responsibility and organization (reporting lines and schedules of responsibility). 

In addition to the Group’s specific guidelines on the Code of Conduct, all other specialized issues and processes classified as requiring regulation throughout the Group are also set out in Group policies. Specific processes are, in turn, regulated in Standard Operating Procedures (SOPs), which are binding for all employees. In each case, local requirements must be taken into account. In individual cases, these permit more specific implementation regulations and, in exceptional cases, deviations. Responsibility for the Group Policies and SOPs lies with the corporate and specialist departments and Group functions at Group headquarters. The review of Group Policies and SOPs begun in the course of the realignment of the Group structure in 2020 was largely completed in the reporting year. In this context, the fundamental Group Policies on governance at Bilfinger were also updated. The Group Policies and SOPs are regularly reviewed to ensure they are up-to-date and adjusted as necessary. 

In addition to the content of the Group Policies and SOPs, the actions of individual Bilfinger employees and managers in the Group are guided by rules of procedure and approval requirements. The regional or division head as well as the managing director or other executive representative  of a Bilfinger company each has Rules of Procedure which define, among other things, the reporting line, internal approval requirements for certain actions and measures. Approval requirements exist for each unit and level of the Group, whereby the approval requirements in the regions and  divisions are determined by the respective management in its framework for action. In addition, binding requirements and limits exist for each Group unit for the signing or other drafting or issuing of business-relevant documents and declarations by Bilfinger employees. These elements ensure a clear framework for action for each individual Bilfinger employee and manager. Approval and signature requirements are regularly reviewed to determine whether they are up-to-date, most recently in the reporting year. They are also adjusted if necessary.  

The Rules of Procedure also contain the respective reporting lines as well as procedural regulations, for example the possible allocation of responsibilities and requirements for joint decisions in the relevant body of the Group company or the regional or divisional management. Reporting lines also exist for each Bilfinger employee. In principle, the reporting line corresponds to the disciplinary responsibility, but it can also be divided if the employee is assigned to a different function.  

The regulations in the Rules of Procedure are supplemented by a mandatory schedule of responsibility, in which the responsibilities for each member of the executive body of a Group company or a regional / divisional head are clearly assigned. This ensures that there is clear accountability and organization for each respective manager.  

The described implementation of governance at Bilfinger serves as a structural guide in the design of the respective key factors that are organized by the corresponding specialist departments. The concepts are described in greater detail in the following chapters. 

Counteracting corruption and bribery is a central component of our compliance management system. For this reason, Corporate Compliance is responsible for the framework to counteract corruption and bribery at Bilfinger. 

Bilfinger’s compliance management system covers all areas of the business and pursues the objective of preventing compliance violations through preventive measures, recognizing early any type of misconduct and, in the case of confirmed violations, reacting quickly and consistently punishing misconduct.  

The Bilfinger compliance management system is illustrated in, among other places, the Code of Conduct, which is binding for all employees worldwide. In the Code of Conduct, we prohibit bribery and corruption among our employees. They may not hold out the prospect of or grant to  our customers, suppliers or other business partners money or anything of value, either directly or indirectly, to influence their decisions or to gain any improper advantage. This principle also applies in reverse: No one acting for or on behalf of Bilfinger can allow him- or herself to be corrupted or bribed through the acceptance of unfair economic advantages from business partners. Accepting  small payments to secure or accelerate routine official acts (acceleration payments) is also prohibited for our employees. 

In our Code of Conduct, we also describe constellations that are often associated with a risk of corruption in business life. These include donations, sponsoring activities, gifts, hospitality and entertainment, dealing with public officials and accounting. 

Corporate Compliance is headed by the Chief Compliance Officer. He reports directly to the Chairman of the Executive Board or, on an interim basis during the reporting period, to the COO and has an additional reporting line to the Supervisory Board and its Audit Committee. Managers have a special role to play in the implementation of our Code of Conduct and the compliance management system: they must act as role models. The annual performance evaluation of managers therefore includes an individual integrity assessment that then forms part of the annual dialogue on career development. In addition, variable remuneration for managers at management levels 1 and 2 includes an individual integrity factor. This factor is determined and taken into consideration annually with regard to the extent a manager implements the topics of integrity and compliance into his daily actions and how much he actively supports and promotes them in his environment. 

To manage and monitor the design and implementation of our compliance management system, the Executive Board has established a Compliance Review Board (CRB), whose tasks and composition are described in Chapter B.5.2.1 Good corporate governance.  

Our subsidiaries are supported by compliance managers and compliance officers at both the regional and divisional levels. In addition, each regional and divisional management, each executive management and each department head at Bilfinger assumes responsibility for the effectiveness of the compliance management system including the Internal Control System (ICS) in their respective area of responsibility.  

The international network of Compliance Representatives ensures that employees in the business units have an additional local compliance contact person. The Compliance Representatives are specially trained employees who, in addition to their primary functions in the company, support their colleagues with compliance and integrity questions and thus strengthen the presence and visibility of the topic of compliance at their locations. The Compliance Representatives maintain a regular exchange of information with Corporate Compliance and contribute experience and challenges of the individual locations to the further development of the respective Compliance program.  

All employees also have access to a central Compliance Help Desk that offers support in all compliance-related questions. 

Number of inquiries to the Compliance Help Desk

In order to deliver our services as a company, we are dependent on cooperation with numerous business partners. Because the compliant behavior of our business partners is an indispensable prerequisite for us, we use a risk-based, IT-supported process to review our potential business partners before entering into a business relationship (so-called third-party due diligence). When carrying out such integrity audits, the business units of Bilfinger are supported by the compliance department in the risk evaluation.  

In addition to prevention, the rapid identification of any misconduct and an appropriate response to such misconduct are essential components of our compliance management system. There is a whistleblower system in place for the receipt, documentation and processing of suspicious cases in connection with possible violations of our Code of Conduct: Our employees and external parties can, on a confidential basis and if desired also anonymously, provide information on potential misconduct on the part of Bilfinger employees. 

Number of notices of compliance violations 

Employees, customers and other stakeholders must be able to rely on the fact that the data entrusted to Bilfinger is protected against abuse and loss. Bilfinger has therefore adopted targeted regulations with regard to information security and data protection and has taken appropriate organizational measures. 

The fundamental regulations for the secure and legally compliant handling and processing of data are summarized in our Group Policy on Information Security. It is binding for all Group employees and for all those working on behalf of Bilfinger. It describes the components of information security, principles for handling and processing data and the obligations of managers, IT specialists, employees and external parties. Violations of the provisions of this Group Policy and its annexes or of existing laws may result in disciplinary, contractual or criminal consequences. 

In addition to the Group Policy on Information Security, various Standard Operating Procedures (SOPs) have been defined with the goal of implementing the Group Policy on Information Security in all Group companies. These include, for example, SOPs on the topics of information management standard, physical protection of data, emergency security and IT audit. 

Technical responsibility for information security lies with the manager responsible for information security at Bilfinger Global IT GmbH, who is supported by the dedicated, central competence center for the topic of information security. The Information Security team checks to ensure that IT services that are planned or in operation are compliant with the Group Policy on Information Security as well as regulatory requirements. In addition, each organizational unit must appoint a person responsible for data protection who works together with the manager responsible for information security as a coordinator.  

We counter the risks in the cyber security environment with a broad package of measures, such as increased monitoring of incoming and outgoing e-mail traffic to prevent malicious e-mails with a cloud-based e-mail gateway. In the event of specific threats, we work together closely with the relevant authorities. The central data centers were migrated to Microsoft Azure in the cloud and will continue to be subject to ISO 27001 certification. In addition, measures to make network access more stringent are checked by means of regular vulnerability analyses, e.g., through so-called friendly hacking. To monitor security-relevant incidents, Bilfinger uses a Security Information and Event Management System (SIEM) which collects all central logs and evaluates them for anomalies. Another focus of our efforts is the swift closure of newly reported weaknesses from software manufacturers, such as the hafnium vulnerability in Microsoft’s Exchange software. In this case, the security vulnerability was closed within a few days and there were no longer any visible indications of a potential breach. In addition, training requirements have been defined for all employees with computer workstations to raise awareness of the increasing risk. 

Every employee or person working on behalf of the Bilfinger Group is obligated to report any possible or actual threat to the information available in the Group as a security incident in a timely manner. In addition, each business unit is obligated to establish and maintain a comprehensive and effective emergency management system in accordance with its business area and area of responsibility. Should there be a security incident, the Independent Allegation Management Committee (IAMC) is, when necessary, commissioned with an investigation into the violation. 

In order to create a uniform standard for handling personal data in accordance with the European General Data Protection Regulation, a standardized Group Privacy Policy applies in our Group. It is based on the provisions of the European General Data Protection Regulation and on globally accepted basic data protection principles for the processing of the personal data of employees, customers, suppliers and other business partners. The policy describes the tasks and responsibilities of the external Data Privacy Officer, the internal Data Privacy Officer as well as the Data Privacy Coordinator. It also outlines the data protection principles, specifications for data transmission and commissioned data processing, the rights of data subjects and the responsibilities of Group companies. 

The policy is binding for all Group companies and is intended to ensure that the data protection standards described in the policy are not undercut. It also applies to Group companies in countries that do not have their own statutory data protection regulations.  

If data protection violations occur or are suspected, the Group Privacy Policy lays out a procedure for the reporting of data protection violations. A reporting form is available for employees as a guideline for this purpose. For further processing and for the purposes of evaluation, the reports are fed into a database in which the (suspected) data protection violation is described. 

The Executive Board is informed about data security and the structure of data protection at least once a year. The Executive Board is informed of any incidents of particular significance.