The Enterprise Risk Management (ERM) system implemented at the LOTOS Group supports the effective implementation of business strategies and processes. We make the most important business decisions based on risk analysis. The principles of risk identification and assessment that we apply allow us to respond to threats in a timely manner and to reduce or eliminate them altogether. We actively shape the business risk profile, minimizing the impact of threats on achieving the set goals, for the entire organization, our social environment and the natural environment. Our risk management system also allows us to identify and use emerging opportunities.
The main principles of risk management in our organization are presented in the "Corporate risk management policy at the LOTOS Group". They are described in detail in the procedure of conduct applicable to all companies in the Group.
Active management of opportunities and threats has been defined as one of the strategic objectives for 2017-2022. We implement it through two strategic initiatives:
- risk management optimizing value for stakeholders,
- building a strong culture of open discussion and early response to the first signals of threats, and in the long term also more effective management of risk appetite.
In 2017, we developed directions for further development of the ERM system based on the best market practices. We introduced changes to the organizational structure of Grupa LOTOS S.A. by, among other things, establishing the Corporate Risk Management Office. We also made improvements in the concept and operation of the ERM system in the LOTOS Group.
As part of the ERM system, our activities focus on key operational risks, in particular on forecasting their impact on the organization's operations. This allows us to define risk scenarios, forecast the possible impact of risk (the so-called risk exposure) and develop pre-emptive actions that may help to reduce or use the risk or its consequences. We are working on further strengthening this key functionality in the system.
In 2017, in the segment of risk management, we introduced:
- categories of so-called TOP RISK, that is, the most important threats to the organization, which are prioritized by the management boards of the group's companies, additionally analyzed by the Corporate Risk Management Office and reported to the Management Board of Grupa LOTOS S.A.,
- changes in risk assessment matrices in the scope of financial and reputational assessment criteria,
- a new matrix for assessing opportunities, which enables the identification of those opportunities that are most beneficial from the point of view of the strategy being implemented and their use,
- coordinators appointed in the LOTOS Group companies, who develop and support the risk identification and assessment process in subsidiaries. They are also responsible for risk communication in the company,
- shortening formal processes and focusing on taking pre-emptive and mitigating actions.
Activities implemented as part of the corporate risk management process in the LOTOS Group are supported by an internal IT tool – the ERM Portal, which is subject to constant development and improvement.
Risk management model at the LOTOS Group
Our risk management model is based on three lines of defense.
The operational mechanisms of current risk management are embedded in existing business processes (the so-called 1st line of defense), which are tailored to the specifics of a given activity and the scale of potential risk effects on the LOTOS Group's results.
Another level of risk management (the so-called 2nd line of defense) is supervision and assessment of the effectiveness of the operational ways of managing a given risk, ensured by effective organizational functions in the areas of Risk, Compliance and Finance.
Ultimately, the adequacy and effectiveness of the entire risk management system is periodically verified by the Internal Audit (the so-called 3rd line of defense).
1ST LINE OF DEFENSE
Business
- operational risk management in processes and projects
- development of operational procedures
- identification and assessment of risk at the stage of business decisions and periodic risk reviews
2ND LINE OF DEFENSE
Risk, Finance, Compliance
- establishing risk management principles in the LOTOS Group
- connecting risk management to the LOTOS Group’s strategy
- forecasting and shaping the risk exposures and risk profile of the LOTOS Group
3RD LINE OF DEFENSE
Internal Audit
- independent assessment of the effectiveness and adequacy of the risk management process in the LOTOS Group
Structure of risk management system (ERM)
We manage opportunities and threats at the corporate level as part of a process comprising the following important stages (in accordance with the guidelines of the ISO 31000 standard):
- identification of risks – risks are recognized in the context of strategic and operational (annual) objectives,
- risk analysis and assessment – the assessment takes place in two time perspectives: annual and long-term. The evaluation criteria are both financial and reputational effects, aggregated as an impact on non-financial parameters: image, environment and people,
- determining the way of dealing with risk – for each of the material risks, the current management method is determined, and control measures and protective mechanisms are indicated. For the most important category of threats (so-called TOP RISK), detailed risk management cards are prepared, and the actions to reduce risks and take advantage of opportunities are planned, as well as the manner in which risks are materialized,
- implementation of risk mitigation and exploitation measures – implementation of tasks defined in the risk management plans and ongoing monitoring of their status,
- monitoring the risk indicators – key risk indicators (KRI) are defined for key risks, which allow monitoring the level of exposure to risk and the likelihood of risk materialization, in accordance with the adopted principles,
- risk reviews – periodic (twice a year) review and update of the assessment of all defined risks,
- communication and reporting – standards for communicating and reporting the results of implemented activities have been introduced at every stage of the process; the Management Board and the Supervisory Board systematically receive a quarterly report on the risk within the organization and the effectiveness of actions taken to limit it (in the case of risks) or use it (in the case of opportunities),
- In the annual cycle, we analyze the effectiveness and adequacy of the risk management system and make decisions regarding the directions of further development of the ERM system.