BMW Group Report 2024, page 253
Internal Control System, Risks and Opportunities, Compliance

Purchasing

The main risk regarding purchasing relates to supply shortages due to disruptions at the supplier level. Production problems at the supplier level could lead to short or long-term increases in costs and even production interruptions, prompting a reduction in sales for the BMW Group. Furthermore, the Group could suffer damage to its reputation if customer demand cannot be adequately met. Potential reasons for the failure of suppliers to deliver include shortages of raw materials, energy and base products, natural disasters and fires, security risks in certain countries, IT problems, and non-compliance with sustainability or quality standards. The BMW Group classifies this risk as high.

During the selection of suppliers, risk criteria such as location or sustainability requirements are assessed as standard practice. The effects of climate change that are already apparent, and short-term future effects such as an increase in natural disasters, are taken into account.

An increasingly complex supplier network, particularly with indirect sub-suppliers, may jeopardise the delivery of supplies to plants. A prevention programme was put in place by the BMW Group in order to identify such developments early on and to take suitable measures. Shifts in sales planning and thus also in the product mix could lead to over- or under-utilisation by suppliers. This in turn could result in subsequent claims due to capacity expansions, or to compensation claims due to residual costs.

Additional risks arise from the high level of inflation in recent years, prompting higher price demands from suppliers.
Furthermore, the number of suppliers at risk of insolvency which the BMW Group supports to maintain supplier operations is increasing.

Cyberattacks along the entire value chain also represent risks to the security of supply and the protection of expertise. The BMW Group actively supports the supplier network by requiring certificates (such as TISAX) when awarding projects and by implementing other preventive measures, in some cases directly at suppliers’ locations.

↗ Purchasing and Supplier Network

The BMW Group sees opportunities in the development of local supplier structures and in innovative manufacturing technologies that could lead to lower material expenses. These opportunities are classed as insignificant.

Sales network

In order to sell its products and services, the BMW Group uses various sales models and operates a global sales network comprising subsidiaries, importers, branches and independent dealerships. The insolvency of major dealerships may have a negative impact on global vehicle sales and the range of services available to our customers. Developments in the dealerships are monitored on an ongoing basis so that measures can be implemented at an early stage if necessary.

Overall, the risks arising from the sales network can be categorised as low.

The BMW Group is aligning its sales organisation with the needs of the future and prioritising the expectations and needs of its customers even more consistently. Additional opportunities arising as a result are classified as insignificant.

Information security, data protection and IT

Digitalisation and automation across all areas of the business and its products offer numerous opportunities for the BMW Group. Potential uses as well as risks are evaluated on a continuous basis, especially in the field of Artificial Intelligence. Any opportunities beyond this are classified as insignificant.

At the same time, information technology (IT) requirements regarding the confidentiality, integrity and availability of information are becoming increasingly strict. The threat level has continued to rise over recent years. Increasing geopolitical conflicts are also contributing to the rise in cyberattacks. Moreover, legal and regulatory requirements are becoming ever stricter worldwide, which could also necessitate higher investments in hardware and software.

Due to the continuing increase in the number of attacks observed, the level of risk – despite extensive security measures – is classified as high.

In order to protect IT systems, we have introduced processes such as standardised safety assessments and regular penetration tests. However, in this environment, risks cannot be fully ruled out due to the high complexity and increasing connectivity. Information and data can also be compromised by a lack of risk awareness and inappropriate behaviour. The main direct consequences would be negative effects on business performance, disruption in production or reputational damage. For this reason, the BMW Group has launched a programme to increase employee awareness of information and IT security through appropriate measures and to establish a lasting security culture. The BMW Group has implemented the known requirements of the EU AI Act and set up corresponding processes.

Protecting information, for example from unauthorised access or misuse, has the highest priority. In conjunction with risk management requirements, risks relating to information security, data protection and IT are systematically documented, provided with measures by internal specialised departments, and continuously monitored with regard to threat level and risk mitigation. Regular analyses and controls as well as tight security management policies ensure an appropriate level of security.
However, despite continuous testing and preventive security measures, it is impossible to completely eliminate risks in this area.

All authorised persons are required to treat information such as confidential business, customer and employee data with great care, use information systems securely and handle risks in a transparent manner. Uniform requirements that apply throughout the Group are documented in a comprehensive set of rules and guidelines. A consistently applied policy of updating such rules and regulations to the current situation, coupled with regular communication, awareness-raising and training measures, forms the basis for a high level of security and risk awareness in general.
