Risk management and internal control

Governance Model

Galp is an integrated energy operator, present in several geographies, and is exposed to the internal and external factors characteristic of a VUCA context (Volatile, Uncertain, Complex and Ambiguous), which may bring uncertainty to its performance and to the achievement of its strategic objectives.

To ensure the fulfilment of its strategic objectives, the Risk Management Policy, approved by the Board of Directors, defines the objectives, processes and responsibilities that enable Galp to establish a solid risk management structure.

Galp adopts a comprehensive risk management approach that follows a process based on three core activities, as illustrated below.

Identify and evaluate risks: Using internal and external sources, Galp identifies the risks that may affect its strategy and performance.

Galp’s integrated risk level assessment combines a bottom-up analysis model, which quantifies the uncertainty about the net income of the business units (BUs), with a top-down analysis of the global exposure values, namely FCF@Risk and EBITDA@Risk.

Risks are ranked and mapped in a Heat Map (risk matrix), and appropriate response measures are identified to minimise the likelihood of occurrence and/or the impact of each risk.

The magnitude of Galp’s risk exposure is assessed by quantitative and qualitative methods, which consider individual risk distributions and correlations between risks.

Monitor, Control & Report Risks: The Risk Management Department, in conjunction with the Local Risk Officers (LROs), continuously monitors the main risks and key risk indicators (KRIs).

Whenever necessary, mitigation actions are defined for implementation by the BUs.

The resulting mitigation action plans are monitored monthly by the Risk Management Department (DGR).

On a quarterly or ad hoc basis, the DGR prepares Risk Reports and Memos that are submitted to the CRO, the Risk Committee and the Supervisory Board, enabling them to carry out effective risk oversight and make better risk-based decisions. The reports are also made available to the BUs.

Risk information is communicated through Heat Maps (risk matrix), the KRI Map (which provides an overview of actual KRI values, objectives and tolerances) and Mitigation Plans.

Oversee, Audit & Realign: Through annual audits of the risk management process and quarterly meetings, respectively, the Internal Audit Department and the Audit Board monitor the enterprise risk management (ERM) process, contributing suggestions for improvements or changes. This monitoring and review also includes assessing the company’s risk culture and the alignment between risk management and other business activities.

Main Risks

Galp’s business operations are long-term in nature, meaning that many of the risks to which it is exposed may be considered permanent. However, internal and external risk and opportunity triggers are changeable and may develop and evolve over time, which may lead to a change in the identified risks and in their likelihood, impact and detectability. Therefore, Galp’s “Value at Risk” assessment is carried out annually, or on an ad hoc basis if there is a substantial change to its risk profile.

Galp’s main risks are:

  • Project Execution

  • Price

  • Legal and Compliance

  • Portfolio

  • Business Continuity

  • Markets

  • Partnerships

  • Cybersecurity

  • Geopolitical

  • Credit

For more detailed information on mitigation and strategic measures, see the table of key risks in the Galp 2019 Integrated Report.

Internal Control

Galp’s internal control system is based on the guidelines set by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) with regard to the control environment, risk assessment, control activities, information and communication, and monitoring.

The Internal Control Manual, approved by the Board of Directors, establishes the general principles of, and requirements for, the internal control components, as well as the organisational model associated with the integrated and uniform management of internal control within the Galp group. Internal control is defined as the series of processes implemented by the governing bodies, specialised committees, internal auditor and Galp’s personnel, with a view to providing reasonable assurance that Galp achieves its objectives relating to operations, reporting and compliance.

The organisation and governance structure of internal control and risk management is based on the three lines of defence model, in accordance with generally accepted best practices, as outlined in the chart below.

The three lines of defence approach ensures that:

  • The first line of defence, considering the risk environment, identifies, assesses and communicates potential risk exposure, establishes and implements the best way of capturing or mitigating that exposure, and executes the day-to-day risk and control activities.

  • The second line of defence monitors the internal control system and the main risks at the corporate level, establishes risk standards and regularly reports the risks and the status of mitigation action plans to the Risk Management Committee, the Executive Committee, the Audit Board and the Board of Directors.

  • The third line of defence supervises, monitors and assesses the effectiveness of the risk management and internal control processes.

In this approach, the responsibilities for internal control and risk management are shared by several organisational units:

The Board of Directors defines the strategy, approves the risk policy, the risk appetite and supervises risk management, monitoring the performance of the duties delegated to the Executive Committee.

The Executive Committee establishes and implements high level controls, fosters organisational culture and commitment to internal control, defines reporting lines and internal control powers and responsibilities.

The Chief Risk Officer (CRO), as a member of the Executive Committee, ensures that discussions about risk are consistent and effective at all levels. The Risk Management Committee, comprising three non-executive Board members, is responsible for monitoring Galp’s main risks; evaluating compliance with the tolerance levels and the execution and effectiveness of the mitigation actions decided; assessing the Galp Group’s internal control and risk management systems; issuing appropriate opinions and recommendations; and evaluating compliance with Galp’s risk management policy.

The role of the Audit Board is to monitor the effectiveness of the internal control and internal auditing systems, as well as to assess the functioning of the internal systems and procedures on a yearly basis, thereby contributing to enhancing the internal control environment.

As part of its supervisory function, the Audit Board monitors the work plans and resources assigned to the Internal Audit and Legal and Governance Departments and receives periodic reports from these departments, including the auditing reports and the annual Compliance Plan, as well as information on reporting matters, the identification or settlement of conflicts of interest and the detection of potential illegalities. The Audit Board meets monthly with the Head of Internal Audit and quarterly with the Head of Legal and Governance. It also receives the documentation and results of Risk Management Committee meetings and meets on a quarterly basis with the Head of Risk Management Department to discuss the Group’s most important risk management issues.

The Audit Board also provides its assessment of the annual strategic guidelines and risk policy established by the Board of Directors.

Although the External Auditor is positioned outside the organisation, it plays an important role in the control structure, analysing the accounting systems and the internal control system to the extent necessary to issue an opinion on the financial statements, and making recommendations to stakeholders, including the Executive Committee, the Board of Directors and the Audit Board.

Like the External Auditor, the regulatory entities are not part of the organisation but have a significant control role, laying down the rules of operation and establishing controls for assessing compliance, particularly in Galp’s regulated electricity and natural gas businesses.

The relationship model between the company bodies, departments and committees responsible for implementing the internal control system favours the centralised management of risks by the Risk Management Department. This department is responsible for:

  • establishing, monitoring and assessing risks and mitigation measures, maintaining alignment with the approved policies and strategies;
  • establishing and monitoring, through its information security team, cybersecurity policies and procedures;
  • ensuring the consistency of principles, concepts, methodologies and the risk assessment and management tools of all the Group’s business units and companies;
  • assessing whether the risks identified by the business units (risk ‘owners’) are within the established tolerance levels;
  • ranking risks according to their priority, probability and impact;
  • reporting the risks to the Chief Risk Officer and the Risk Management Committee;
  • ensuring effective implementation of the risk management system, fostering a risk-aware culture by demonstrating the relevance of such matters to the Executive Committee, the Risk Management Committee and the Group’s business units and companies.

The Legal and Governance Department establishes ethical and compliance controls and monitors the internal control system by conducting internal inquiries, audits or risk assessments on ethics and compliance matters (such as bribery and corruption, money laundering and terrorism financing, fraud, conflicts of interest, political, economic and financial sanctions and other restrictive measures, and compliance with financial and market regulations), as well as by conducting due diligence on the same matters for relevant partners and transactions. Additionally, it provides training to Galp’s employees on compliance matters and appraises ethics and compliance performance in the various business units. It also develops special projects aimed at consistently improving Galp’s compliance with ethics and regulatory matters.

The Local Risk Officers (LROs) assist the business units, which are responsible for identifying, assessing and managing the risks in their respective areas, in line with the risk management standards.

They are also responsible for incorporating risk information into their decision-making processes and ensuring compliance with the approved risk management policies and procedures.

Moreover, they prepare and report information on risk exposure in their business units. To ensure full coverage of Galp’s risk taxonomy, a stronger and cross-cutting LRO structure was approved in 2019 and the number of officers was increased.