Galp is an integrated energy operator, present in several geographies, and is exposed to internal and external factors characteristic of a VUCA context (Volatile, Uncertain, Complex and Ambiguous), which may bring uncertainty to its performance and to the achievement of its strategic objectives.
To support the fulfilment of those strategic objectives, the Risk Management Policy, approved by the Board of Directors, defines the objectives, processes and responsibilities that enable Galp to establish a solid risk management structure.
Galp adopts a comprehensive Risk Management approach that follows a process based on 3 core activities, as illustrated below.
Identify and evaluate risks: Using internal and external sources, Galp runs a process to identify the risks that may affect its strategy and performance.
Galp's integrated risk level assessment combines a bottom-up analysis model, which captures the uncertainty about the net income of the business units (BUs), with a top-down analysis of the global exposure values, namely FCF@Risk and EBITDA@Risk.
Risks are ranked and mapped in a Heat Map (Risk Matrix) and appropriate response measures are identified to minimize the likelihood of occurrence and/or the impact of the Risk.
The magnitude of Galp’s risk exposure is assessed by quantitative and qualitative methods, which consider individual risk distributions and correlations between risks.
Monitor, Control & Report Risks: The Risk Management Department, in conjunction with the Local Risk Officers (LROs), continuously monitors the main risks and key risk indicators (KRIs).
Whenever necessary, mitigation actions are defined for implementation by the BUs.
The resulting mitigation action plans are monitored monthly by DGR.
On a quarterly or ad hoc basis, DGR prepares Risk Reports and Memos that are submitted to the CRO, the Risk Committee and the Supervisory Board, enabling them to carry out effective risk oversight and make better risk-based decisions. Reports are also made available to the BUs.
Risk information is communicated through Heat Maps (risk matrix), the KRI Map (which provides an overview of actual KRI values, objectives and tolerances) and Mitigation Plans.
Oversee, Audit & Realign: Through annual audits of the Risk Management Process and quarterly meetings, respectively, the Internal Audit Department and the Audit Board monitor the ERM process, contributing suggestions for improvements or changes. This monitoring and review also includes assessing the company’s risk culture as well as the alignment between risk management and other business activities.
Galp's business operations are long-term in nature, meaning that many of the risks to which it is exposed may be considered permanent. However, internal and external risk and opportunity triggers are changeable and may develop and evolve over time, which may lead to a change in the identified risks, their likelihood, impact and detectability. Therefore, Galp's "Value at Risk" assessment is carried out on an annual basis, or ad hoc if there is a substantial change to its risk profile.
For more detailed information on risk mitigation and strategic measures, see the table of key risks in the Galp 2018 Integrated Report.
Galp's internal control system is based on the guidelines set by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) with regard to the control environment, risk assessment, control activities, information and communication, and monitoring.
The Internal Control Manual, approved by the Board of Directors, establishes the general principles of, and requirements for, the internal control components, as well as the organisational model associated with the integrated and uniform management of internal control within the Galp group. Internal control is defined as the set of processes implemented by the governing bodies, specialised committees, the internal auditor and Galp's personnel, with a view to providing reasonable assurance that Galp achieves its objectives related to operations, reporting and compliance.
The organisation and governance structure of internal control and risk management is based on the three lines of defence model, in accordance with generally accepted best practices, as outlined in the chart below.
The three lines of defence approach ensures that:
The first line of defence identifies and understands the risk environment, assesses and communicates the potential risk exposure, and determines and implements the best way of capturing opportunities or mitigating risk.
The second line of defence monitors risk at the corporate level, defines the risk standards and regularly reports the risk and status of mitigation action to the Risk Management Committee, the Executive Committee, the Audit Board, and the Board of Directors.
The third line of defence supervises and assesses the effectiveness of risk management and the internal control process.
In this approach, the responsibilities for Internal Control and Risk Management are assigned to several organisational units:
The Board of Directors is responsible for defining the strategy, approving the risk policy (including the risk appetite), supervising risk management and monitoring the performance of the duties delegated to the Executive Committee.
The Executive Committee is responsible for designing and implementing high-level controls, promoting an organisational culture of commitment to internal control, defining reporting lines, competencies and responsibilities for internal control, and assigning responsibilities over internal control.
The Risk Management Committee, based on documentation prepared by the Risk Management Department, monitors and evaluates the identified risks, tolerance levels and mitigation measures on a quarterly basis and reports all documentation and outputs of the meetings to the Audit Board.
The role of the Audit Board is to monitor the effectiveness of the internal control and internal audit systems, as well as assessing the functioning of the systems and their respective internal procedures on an annual basis, thereby strengthening the internal rules.
Internal Audit assumes an important third line of defence role. The Internal Audit Department is responsible for independently and systematically assessing the proper functioning of Galp’s internal control and risk management systems, as well as the efficiency and effectiveness of implementing mitigation controls and actions.
The relationship model between the governing bodies, departments and committees responsible for implementing the internal control system centralises the management of risks in the Risk Management Department. This department is responsible for:
Defining, monitoring and evaluating the risks and mitigation measures, maintaining alignment with the approved policies and strategies;
Defining and monitoring, through its information security team, policies and procedures regarding cybersecurity;
Promoting consistency of principles, concepts, methodologies and risk management tools across all business units and companies;
Assessing whether the risks identified by the business units (the risk "owners") are within Galp's defined tolerance levels;
Ranking risks according to their priority, probability and impact;
Reporting the risks to the CRO and the Risk Management Committee;
Promoting effective implementation of the risk management system and a risk culture by demonstrating the relevance of risk matters to the Executive Committee, the Risk Management Committee and the Group's business units and companies.
The Legal and Governance Department establishes ethical and compliance controls. It monitors the internal control system by conducting internal inquiries, audits or risk assessments on ethics and compliance matters, and by conducting due diligence on the same issues for relevant partners and transactions. Additionally, it delivers training to Galp's employees on these compliance matters and develops special projects with a view to consistently improving Galp's compliance.
Local Risk Officers (LROs) support the business units' risk "owners" in identifying, assessing and managing risks in their respective business units, as set out in the risk management standards. They are also responsible for incorporating risk information into their decision-making processes and ensuring compliance with the approved risk management policies and procedures. Moreover, they prepare and report information on risk exposure in their business units.
In addition to the operating areas of the business units and the corporate functions mentioned above, other departments are involved in internal control activities.
The Environment, Quality, Safety and Sustainability Department is responsible for the corporate management of environmental risk (including risks arising from climate change), safety (including security) and product quality, and has competencies for defining and proposing assessment and monitoring methodologies.
The cybersecurity area within the Information Systems Department is responsible for implementing the cybersecurity policy and the procedures defined by the Risk Management Department.