Risk management and internal control

Risk management

As an integrated energy operator with a presence in a large number of geographies, Galp faces a progressively more challenging business environment and is exposed to internal and external factors characteristic of a VUCA (Volatile, Uncertain, Complex and Ambiguous) context, which can introduce variability into its performance and create uncertainty about the company's capacity to reach its strategic objectives.

A comprehensive approach to risk management ensures continuous monitoring of risks and opportunities and an assessment of potential impacts, enabling the management of the inherent exposure and ensuring compliance with the Group's strategic challenges.

The objectives, processes and responsibilities that will enable Galp to establish a sound risk management structure are defined in the Risk Management Policy.


Risk Management governance model

Galp has adopted the model of the three lines of defense for risk management, in accordance with generally accepted best practices.

This model enables a consistent relationship between risk management activities carried out at different levels and with different periodicities.

Corporate Risk Management - incorporated in the cycle of preparation and follow-up of the Group's business plan; it is the responsibility of the Risk Management Department.

Business Risk Management - in an articulated and integrated manner with the Business Units' Local Risk Officers (LRO), the Risk Management Department promotes the systematic review of the main uncertainties, based on the context analysis and Galp's strategy, as well as on other analyses performed by the LROs.

Operational Risk Management - incorporates risks identified by the Business Units (supported by appropriate methodologies), as well as the results of the surveys promoted by the Risk Management Department with the participation of industry experts.

Strategic Decisions - as part of the decision-making process, the Risk Management Department is responsible for evaluating non-technical risks for all investments in excess of €75m, or for other investments as decided by the Executive Committee.

Corporate risk management


Major Risks

The risk management structure should ensure that all material risks that could lead to losses are identified, evaluated and managed. Although they may be updated in response to changes caused by endogenous or exogenous factors, the main risks that Galp faces are:

Principal risks:
  • Disruptive events
  • Project execution
  • Failure of information systems and cybersecurity
  • Exploration and engagement of oil and natural gas resources
  • Geopolitical
  • Losses from trading activities
  • Regulatory uncertainties (including climate change) and compliance
  • Market and price volatility

Other significant risks:
  • Recruitment and retention of skilled human capital
  • Competition
  • Credit
  • Financing needs and liquidity
  • Partner dependency

For more detailed information on risks and mitigation strategies, please see the principal risks table of the Governance Report 2017.

Internal control

Galp's internal control system draws inspiration from the guidelines of the Committee of Sponsoring Organisations of the Treadway Commission (COSO) on control, evaluation, monitoring, information and communication of our risk exposure.

The internal control system is based on the general principles and requirements of the 5 internal control components (1. Control environment; 2. Risk assessment; 3. Control activities; 4. Information and communication; 5. Monitoring activities), with the objective of responding jointly to the risks to which Galp is exposed, namely in relation to (i) the achievement of its strategic objectives; (ii) the preparation and disclosure of financial and non-financial information to be provided to internal and external stakeholders; (iii) compliance with applicable law and regulations; (iv) the safeguarding and protection of assets; and (v) efficiency and effectiveness in operations.

The governance model for internal control is structured according to the principles of three lines of defense.

  • 1st line - identifies and understands the control environment; implements and monitors the controls on a daily basis; promotes improvements to the design of the processes and their respective controls; fosters a culture of accountability among personnel; reports any flaws detected in the internal control system;
  • 2nd line - monitors internal control at a corporate level; periodically reports the risk and status of the internal control system to the Board of Directors, Executive Committee and Audit Board; follows up, appraises and monitors the suitability and effectiveness of the measures and procedures adopted;
  • 3rd line - supervises, monitors and appraises the compliance and effectiveness of the internal control system based on the risks, issuing results and recommendations on their efficiency; provides independent advice to management and operating areas on internal control.

Internal Audit plays an important role as the third line of defense for internal control. As an independent area that reports functionally to the Audit Board, it systematically and independently evaluates the proper functioning of the Group's internal control and risk management systems, as well as the effectiveness and efficiency of the implementation of controls and mitigation actions.

To reinforce the importance of ensuring compliance and conformity, the Company has a Compliance area, part of the Legal and Governance Department, which has the following responsibilities:

  • Define and implement internal control policies;
  • Prepare and conduct training activities;
  • Support and advise Galp's governing bodies; and
  • Carry out or manage internal investigations.

Galp has implemented internal control measures, including Know Your Counterparty (KYC) and Know Your Transaction (KYT), which form part of the counterparty analysis processes.