NORMA Group defines opportunities and risks as possible future developments or events that could have a positive or negative impact on the Group’s forecasts or targets. The focus with regard to possible deviations is on a period of three years for concrete opportunities and risks. Opportunities and risks that could have an impact on the company’s success beyond this period of time are recorded and managed at the Group management level and taken into consideration in the corporate strategy. The assessment of the individual opportunity and risk categories takes a period of up to three years into account, unless a different period is specified in the individual categories. NORMA Group assesses the opportunities and risks it identifies using systematic evaluation procedures and quantifies them in terms of both their financial impact – i.e. gross and net impact on the planned earnings figures – and their probability of occurrence. NORMA Group's risk management system is based on the regulatory requirements of the new version of "Auditing Standard 340" issued by the Institute of Public Auditors in Germany (IDW PS 340 n. F.). Opportunities are considered and documented in a process that is separate from NORMA Group's risk management system.

The Management Board of NORMA Group is responsible for maintaining an effective risk and opportunity management system. The Supervisory Board is responsible for monitoring the effectiveness of the Group’s risk management system. Compliance with the Group’s risk management policy in the individual companies and functional areas is subject to the internal audit department’s periodic reviews. The Management Board is not aware of any circumstances from dealing with the risk management system that speak against the appropriateness and effectiveness of the implemented risk management system.⁴

Risk management process

The risk management process at NORMA Group includes the core elements of risk identification, risk assessment and controlling and monitoring risks and is coordinated by the Risk Management department at Group level. The risk management process is fully depicted in an integrated software solution. The risk managers at all organizational levels of NORMA Group record the risks that are identified and assessed in this software. For all risks, a review and approval of the respective risks is carried out by the risk or functional managers at Group level.

⁴ The Executive Board's assessment of the appropriateness and effectiveness of the internal control and risk management system is made in accordance with the German Corporate Governance Code ("GCGC") and goes beyond the legal requirements for the management report. In this respect, the disclosure is excluded from the auditor's examination of the content of the management report.

The process of identifying, evaluating and controlling risks is accompanied by continuous monitoring and communication of the reported risks by the respective risk managers.

Risk identification is carried out bottom-up by the individual companies as well as top-down by the individuals responsible for functions at the regional and Group levels. Various methods that correspond to the structure of the organization are used to identify risks. Such methods include interdisciplinary workshops, interviews and checklists, but also market and competitive analyses. In certain cases, analyses of the process workflows as well as results from internal and external audit reports are used. NORMA Group’s risk managers are responsible for verifying on a regular basis whether all material risks have been recorded.

As part of the risk assessment process, the risks identified are evaluated using systematic assessment procedures and quantified in terms of both their financial impact (on earnings and liquidity) and their probability of occurrence. This involves recording those risks that can be specified and substantiated and that exceed a defined threshold in terms of the potential amount of damage. Risks are generally assessed taking possible scenarios into account in order to be able to present a risk assessment that is as realistic as possible.

As part of risk controlling, the appropriate risk mitigating measures are developed and implemented, and their implementation is monitored. These include, in particular, strategies to avoid, reduce and hedge against risks. Risks are managed in accordance with the principles of the risk management system as described in the Group risk management policy.

Risk reporting

Group-wide recording and assessment of risks as well as their reporting to the functional managers and individual companies by functional areas, the management of the segments, the Management Board and the Supervisory Board take place on a quarterly basis. In addition, risks that are identified within a quarter and whose expected value could have a significant impact on the results of the Group are reported ad hoc to the Management Board and, if necessary, to the Supervisory Board.

In order to analyze NORMA Group’s overall risk situation and initiate appropriate countermeasures, all recorded and assessed risks are aggregated into a risk portfolio. For this purpose, statistically reliable methods are applied in the newly implemented risk management software. Here, the scope of consolidation for risk management corresponds to the scope of consolidation in the Consolidated Financial Statements. In this context, the overall risk position determined in relation to NORMA Group’s risk-bearing capacity for the period under review is monitored regularly by the Management Board for developments that could potentially jeopardize the company’s continued existence. In addition, NORMA Group categorizes risks according to type and the functional area they affect. This makes it possible to aggregate individual risks into risk groups in a structured manner. This aggregation enables NORMA Group to identify and manage not only individual risks, but also trends, and thus sustainably influence and reduce the risk factors with certain types of risks. If not indicated otherwise, the risk assessment applies for all regional segments.

Opportunity management process

Operational opportunities are identified, documented and analyzed in monthly meetings at the local and regional level and by the Management Board. In addition, measures aimed at capitalizing on strategic and operational opportunities through local and regional projects are approved at these meetings. The identification and success of the implementation of potential opportunities are tracked and reviewed by producing regular forecasts as part of periodic reporting. Strategic opportunities are recorded and evaluated as part of annual planning. Significant opportunities are presented in NORMA Group’s Annual Report after the fiscal year has ended.

Internal control system of NORMA Group

The internal control system as the totality of all systematically defined controls and monitoring activities aims to ensure the security and efficiency of business processes, the reliability of financial reporting and the compliance of all activities with laws and guidelines. An effective and efficient internal control system is crucial to successfully manage risks in our business processes. In its design, NORMA Group's internal control system therefore fundamentally considers all material business processes of Group-wide activities, whereby the design of the internal control system falls under the responsibility of the Management Board.

As part of their regular audits and monitoring activities in the course of the year, the operating companies and the regional management of NORMA Group confirm the status of implementation of the internal control system for the respective areas of responsibility in a structured process at the end of each quarter.

In addition, to ensure the effectiveness of the internal control system, regular reviews of relevant processes and the implementation of controls by Internal Audit are carried out. The Management Board is not aware of any circumstances in dealing with the internal control system – based, among other things, on regular reporting by the individual companies and regions – that militate against its appropriateness and effectiveness.⁵

Internal control and risk management system with regard to the Group accounting process

NORMA Group’s internal control and risk management system with regard to the Group accounting process can be described as follows. The system is geared towards identifying, analyzing, assessing and managing risks as well as monitoring these activities. The Management Board is responsible for ensuring that this system meets the company’s specific requirements. Based on the allocation of responsibilities within the company, the CFO is responsible for the Finance and Accounting divisions. These functional areas define and review the Group-wide accounting standards within the Group and compile the information used to prepare the Consolidated Financial Statements. The need to provide accurate and complete information within predefined timeframes represents a significant risk for the accounting process. Because of this, requirements must be communicated clearly, and the respective units must be put in a position to meet these requirements.

Risks that could affect the accounting process arise, for example, from the late or incorrect entry of business transactions or non-compliance with accounting rules. The failure to enter business transactions also represents a potential risk. In order to avoid errors, the accounting process is based on the separation of duties and functions or responsibilities as well as plausibility checks as part of the reporting process. Both the preparation of the financial statements of the Group companies included in the Consolidated Financial Statements and the consolidation measures based on these are characterized by consistent observance of the “dual control principle.” Comprehensive and detailed checklists must be completed before the respective reporting deadlines. The accounting process is fully integrated into NORMA Group’s risk management system. This ensures that accounting risks are identified at an early stage and that measures to prevent and avert risks can be implemented without delay.

The internal control system ensures the accuracy of NORMA Group’s financial reporting with respect to its accounting process. The internal audit department also reviews the accounting processes on a regular basis to ensure that the internal control and risk management system is effective. External specialists also support these efforts. As part of the audit, the auditor also performs procedures in the area of accounting-related internal control system in accordance with the risk-oriented audit approach.

The IFRS accounting standards as they are to be applied in the European Union are summarized in an accounting manual that includes an account assignment guideline (IFRS Accounting Manual). All companies in the Group must base their accounting processes on the standards described in the Accounting Manual. Important accounting and valuation standards, such as the recognition and measurement of fixed assets, inventories and receivables, as well as provisions and liabilities, are defined in a binding manner. Tax issues and responsibilities are regulated in a Group tax guideline. The Group also has system-supported reporting mechanisms to ensure that identical situations are handled in a uniform manner across the Group.

The Consolidated Financial Statements and Combined Management Report are prepared according to a uniform time schedule for all companies. Each company in the Group prepares its separate financial statements in accordance with the applicable local accounting guidelines and IFRS. Intra-Group deliveries and services are recorded in separately designated accounts by the Group companies. The net balances of Intra-Group offsetting accounts are reconciled on the basis of defined guidelines and schedules by means of balance confirmations. The companies in the Group use the COGNOS reporting system for financial reporting. In accordance with NORMA Group’s regional segmentation, technical responsibility for the financial area is shared by both the financial officers in the Group companies as well as by the regional CFO for the respective segment. They are responsible for the quality assurance of the financial statements of the respective Group companies. The comprehensive quality assurance of the financial statements of the Group companies included in the Consolidated Financial Statements is carried out by Group Accounting, Tax & Reporting, which is responsible for preparing the Consolidated Financial Statements. The preparation of the Combined Management Report is the responsibility of the Investor Relations department, which reports directly to the member of the Management Board of NORMA Group responsible for finance, the CFO. In addition, the data and disclosures of the Group companies as well as the consolidation measures for the preparation of the Consolidated Financial Statements as well as the disclosures in the Condensed Management Report are verified by the external auditor, taking into account the associated risks, as part of the risk-oriented audit of the Consolidated Financial Statements and the Management Report.

⁵ The Management Board's assessment of the appropriateness and effectiveness of the internal control and risk management system is made in accordance with the German Corporate Governance Code ("GCGC") and exceeds the legal requirement for the management report. In this respect, the disclosure is excluded from the substantive examination of the management report by the auditor.

The financial accounting systems used by the NORMA Group companies will continue to be successively standardized to the Group standard Microsoft Dynamics 365. All systems have structured access authorizations. The local management decides on the type, design and allocation practices of the access authorizations in consultation with the central IT department.


These contents are part of the Non-financial Group Report and were subject to a separate limited assurance examination.