NORMA Group defines opportunities and risks as possible future developments or events that could have a positive or negative impact on the Group’s forecasts or targets. The focus with regard to possible deviations is on a period of three years for concrete opportunities and risks. Opportunities and risks that could have an impact on the Company’s success beyond this period of time are recorded and managed at the Group management level and taken into consideration in the corporate strategy. The assessment of the individual opportunity and risk categories accordingly takes into account a period of up to three years, unless another period is specified in the individual categories. NORMA Group assesses the identified opportunities and risks using systematic evaluation procedures and quantifies them both in terms of their financial impact – i.e., gross and net impact on the planned earnings figures – and in terms of their probability of occurrence. NORMA Group’s risk management system is fundamentally aligned with the regulatory requirements of the Institute of Public Auditors in Germany’s revised Auditing Standard 340 (IDW PS 340). Opportunities are considered and documented in a process that is separate from NORMA Group’s risk management system.

The Management Board of NORMA Group is responsible for maintaining an effective risk and opportunity management system. The Supervisory Board is responsible for monitoring the effectiveness of the Group’s risk management system. Compliance with the Group’s risk management policy in the individual companies and functional areas is subject to the internal audit department’s periodic reviews. Based on its review of the risk management system, the Management Board is not aware of any circumstances that would call into question the appropriateness and effectiveness of the implemented risk management system.[12]

Risk management process

NORMA Group’s risk management process includes the core elements of risk identification, risk assessment, and risk management and mitigation, as well as risk communication. The risk management process is coordinated by the Risk Management department at Group level and is fully mapped in an integrated software solution. The risk managers at all organizational levels of NORMA Group record the risks that are identified and assessed in this software. For all risks, a review and approval of the respective risks is carried out by the risk or functional managers at Group level. Furthermore, continuous monitoring and improvement measures have been established for the risk management system.

Risks are identified both “bottom up” by the individual companies and at regional level and “top down” by the functional managers at Group level. Various methods corresponding to the structure of the organization are used to identify risks. Such methods include cross-functional workshops, interviews, checklists, and market and competition analyses. Risk managers are responsible for verifying on a regular basis whether all material risks have been recorded.

[12] The Management Board’s assessment of the appropriateness and effectiveness of the internal control and risk management system is carried out in accordance with the German Corporate Governance Code (GCGC) and goes beyond the statutory requirements for the Condensed Management Report. In this respect, the disclosure is excluded from the audit of the Condensed Management Report by the auditor.

As part of the risk assessment process, the risks identified are evaluated using systematic assessment procedures and quantified in terms of both their financial impact (on earnings and liquidity) and their probability of occurrence. This involves recording those risks that can be specified and substantiated and that exceed a defined threshold in terms of the potential amount of damage. Risks are generally assessed taking possible scenarios into account in order to be able to present a risk assessment that is as realistic as possible.

As part of risk controlling, the appropriate risk mitigating measures are developed and implemented, and their implementation is monitored. These notably include strategies to avoid, reduce, and hedge against risks. Risks are managed in accordance with the principles of the risk management system as described in the Group risk management policy.

Risk reporting

Risks are recorded and assessed throughout the Group and reported to the Management Board and Supervisory Board on a quarterly basis, broken down by functional area. In addition, risks that are identified within a quarter and whose expected value could have a significant impact on the results of the Group are reported ad hoc to the Management Board and, if necessary, to the Supervisory Board.

In order to analyze NORMA Group’s overall risk situation and initiate appropriate countermeasures, all recorded and assessed risks are aggregated into a risk portfolio. For this purpose, the risk management software in use runs a Monte Carlo simulation. Here, the scope of consolidation for risk management corresponds to the scope of consolidation in the Consolidated Financial Statements. In this context, the overall risk position determined in relation to NORMA Group’s risk-bearing capacity for the period under review is monitored regularly by the Management Board for developments that could potentially jeopardize the Company’s continued existence. In addition, NORMA Group categorizes risks according to type and the functional area they affect. This makes it possible to aggregate individual risks into risk groups in a structured manner. This aggregation enables NORMA Group to identify and manage not only individual risks, but also trends, and thus sustainably influence and reduce the risk factors for certain types of risks. Unless indicated otherwise, the risk assessment applies to all regional segments.

Opportunity management process

Operational opportunities are identified, documented, and analyzed in monthly meetings at the local and regional level and by the Management Board. In addition, measures aimed at capitalizing on strategic and operational opportunities through local and regional projects are approved at these meetings. The identification and success of the implementation of potential opportunities are tracked and reviewed by producing regular forecasts as part of periodic reporting. Strategic opportunities are recorded and evaluated as part of annual planning. Significant opportunities are presented in NORMA Group’s Annual Report after the fiscal year has ended.

NORMA Group’s internal control system

The internal control system as the totality of all systematically defined controls and monitoring activities aims to ensure the security and efficiency of business processes, the reliability of financial reporting, and the compliance of all activities with laws and guidelines. An effective and efficient internal control system is crucial to successfully manage risks in our business processes. Accordingly, NORMA Group’s internal control system is designed to cover all material business processes across the Group’s operations, with responsibility for the design resting with the Management Board.

As part of their regular controls and monitoring activities during the year, the operating companies and the management level of NORMA Group’s regions confirm the status of the implementation of the internal control system for the respective areas of responsibility at the end of each quarter in a structured process. In addition, to ensure the effectiveness of the internal control system, regular reviews of relevant processes and controls by Internal Audit are carried out. Based on its examination of the internal control system – including the regular reporting by the individual companies and regions – the Management Board is not aware of any circumstances that speak against the appropriateness and effectiveness of the internal control system.[13]

[13] The Management Board’s assessment of the appropriateness and effectiveness of the internal control and risk management system is carried out in accordance with the German Corporate Governance Code and goes beyond the statutory requirements for the Condensed Management Report. In this respect, the disclosure is excluded from the audit of the Condensed Management Report by the auditor.

Internal control and risk management system with regard to the Group accounting process

NORMA Group’s internal control and risk management system with regard to the Group accounting process can be described as follows. The system is geared toward identifying, analyzing, assessing, and managing risks, as well as monitoring these activities. The Management Board is responsible for ensuring that this system meets the Company’s specific requirements. In accordance with the allocation of responsibilities, the Accounting and Finance functions responsible for financial reporting fall within the remit of the Management Board member responsible for Finance (CFO). These functions define and review the Group-wide accounting standards and consolidate the information used to prepare the Consolidated Financial Statements. The need to provide accurate and complete information within predefined timeframes represents a significant risk for the accounting process. Because of this, requirements must be communicated clearly, and the respective units must be put in a position to meet these requirements.

Risks that could affect the accounting process arise, for example, from the late or incorrect entry of business transactions or non-compliance with accounting rules. The non-recording of business transactions also represents a potential risk. In order to avoid errors, the accounting process is based on the separation of responsibilities and functions or competencies as well as plausibility checks as part of the reporting process. Both the preparation of the financial statements of the Group companies included in the Consolidated Financial Statements and the consolidation measures based on these are characterized by consistent observance of the “dual control principle.” Comprehensive and detailed checklists must be completed before the respective reporting deadlines. The accounting process is fully integrated into NORMA Group’s risk management system. This ensures that accounting risks are identified at an early stage and that measures to prevent and avert risks can be implemented without delay.

The correctness of NORMA Group’s financial reporting is ensured by the internal control system with regard to the accounting process. To ensure the effectiveness of the internal control and risk management system, regular audits of accounting-related processes are also carried out by Internal Audit.

The IFRS accounting standards as they are to be applied in the European Union are summarized in an accounting manual that includes an account assignment guideline (IFRS Accounting Manual). All companies in the Group must base their accounting processes on the standards described in the Accounting Manual. Important accounting and valuation standards, such as the recognition and measurement of fixed assets, inventories, and receivables, as well as provisions and liabilities, are defined in binding terms. Furthermore, IFRS instruction letters are sent to all Group companies before the start of the respective closing process and key accounting requirements are explained again. Tax issues and responsibilities are regulated in a Group tax guideline. The Group also has system-supported reporting mechanisms to ensure that identical situations are handled in a uniform manner across the Group.

The Consolidated Financial Statements and Condensed Management Report are prepared according to a uniform time schedule for all companies. Each company in the Group prepares its separate financial statements in accordance with the applicable local accounting guidelines and IFRS. Intra-Group deliveries and services are recorded in separately designated accounts by the Group companies. The balances of intra-Group offsetting accounts are reconciled on the basis of defined guidelines and schedules by means of balance confirmations. The financial reporting of the Group companies is carried out via a centralized reporting system. In accordance with NORMA Group’s regional segmentation, functional responsibility for finance is borne both by the financial officers in the Group companies and by the regional financial officer for the respective segment. They are involved in the quality assurance process for the financial statements of the Group companies included in the Consolidated Financial Statements. The comprehensive quality assurance process for the financial statements of the Group companies included in the Consolidated Financial Statements is carried out by Group Accounting, Tax & Reporting, which is responsible for preparing the Consolidated Financial Statements. The preparation of the Condensed Management Report is the responsibility of the Investor Relations central department, which reported directly to the member of NORMA Group’s Management Board responsible for Finance (CFO) in fiscal year 2025. In addition, as part of the risk-based audit of the Consolidated Financial Statements and the Condensed Management Report, and taking into account the associated risks, the external auditor verifies the data and disclosures of the Group companies, the consolidation measures required for the preparation of the Consolidated Financial Statements, and the disclosures in the Condensed Management Report.

The financial accounting systems used by NORMA Group companies will continue to be successively standardized to the Group standard. Structured access authorizations are available in all systems. The respective management teams decide on the type, structure, and allocation practices of access authorizations in consultation with the central specialist departments.

Legend

These contents are part of the Non-financial Group Report and were subject to a separate limited assurance examination.