Risk identification
The risk management policy and internal control system adopted by the Polenergia Group as well as the procedures regulating the enterprise operating processes and principles enable management of various risks related to the achievement of its business objectives.
Risk is a combination of the likelihood of an event and its consequences that may arise and adversely affect the Company, as well as a failure to identify or an incorrect identification and use of opportunities.
Such incidents may lead to:
1.Loss/loss of profit.
2. Loss of reputation.
3. Non-compliance.
4. Interruptions in the provision of the services.
In order to mitigate the occurrence of risk events and to mitigate their impact on the operation of the Polenergia Group, we have identified the following activities in the risk management process:
Risk identification
Risk assessment and measurement
Risk response
Risk monitoring
Risk reporting
Risk identification involves the identification of reasonably foreseeable events or threats that could potentially impact the Company’s/Group’s activities and localization of such hazards in the process. An event is a situation caused by internal or external factors that influences implementation of the strategy or fulfillment of objectives. A risk is a combination of the probability of an event and its consequences, which may occur and adversely affect the fulfillment of business objectives and the implementation of the strategy.
Risk assessment is the process of analyzing operational, financial and reputational risks (including the risk of fraud) that encompasses the identification of the reasons for the risk and control mechanisms implemented to manage risk. Risk assessment allows the Company/Group to analyze the extent to which potential events could impact the fulfillment of its objectives.
Risks are assessed from two perspectives:
After risk assessment, the Management Board decides on its risk response: whether it accepts its current level or if certain measures must be taken to reduce it (introduction of control mechanisms).
The assessment of effects reflects the consequences of a risk for the activities of the Company/Group.
On the other hand, probability is the possibility that an event may occur that may have an adverse effect on the fulfillment of the Company’s/Group’s business objectives. Where possible, the probability is calculated on the basis of data on the past events, which, as opposed to subjective estimates, constitute an objective basis for assessing probability. Where such assessment is not possible, the estimation of probability is based on expert knowledge of the risk owner and the individuals involved in the risk assessment and measurement process.
During risk assessment, the Company/Group also considers the notion of inherent and residual risk. Inherent risk combines the probability of an event and its consequences in a situation where no risk management measures are taken (no control mechanisms implemented in this respect). Residual risk is the risk level after the Company implements a risk management strategy, assuming that the control mechanisms, including policies, procedures and controls, work effectively.
After all the risks are identified, the group prepares a consolidated register of risks, which contains only the information (risks) that is the most critical from the group’s point of view, i.e.:
Their occurrence results in a loss/loss of profit with the value specified earlier
Control mechanisms are the policies and procedures adopted and implemented in order to carry out risk response measures effectively. Control mechanisms occur throughout the organization, at all of its levels. They include activities such as: acceptance, review, consultations, performance review, asset protection, technological protection, contracts (including insurance or maintenance contracts, or allocation of duties).
Risk management (the risks and risk responses) are subject to continuous monitoring, or assessment of its existence and functioning of its components in a given period. The monitoring ensures that significant risks do not exceed the Company’s risk appetite, that new risks have been identified and properly addressed through implementation of the appropriate control mechanisms.
The Management Board of the Company is responsible for risk acceptance, risk response and for the overall risk management process. The Management Board is responsible for the review of strategic risks and the acceptance of control measures and mechanisms for risks of key importance for the Company. The Management Board and the Supervisory Board receive the consolidated risk register for the Company in order to ensure that the risk level does not exceed the approved level of the Company’s risk appetite. The consolidated risk register contains information (risks) whose occurrence has a significant impact on the Company’s activity.
The primary types of risk arising from the Group’s financial instruments include interest rate risk, liquidity risk, foreign exchange risk and credit risk. The Management Board reviews and consults on the policies for managing each of these risk types. The Polenergia Group also monitors the market risk related to all the financial instruments it holds.
The Polenergia Group manages climate risk and undertakes strategic steps to prevent climate change.
More on this topic in the Chapter entitled Managing the climate impact