Security of the PKP CARGO Group’s operations, both now and in the future, is achieved by implementing and maintaining, in PKP CARGO S.A. and its subsidiaries, the following internal systems and functions matching the size, type and scale of their business: risk management, internal control, compliance, internal audit as well as Integrated Management System and SMS and MMS security system consistent with the operations of the PKP CARGO Group. These internal systems and functions and their interrelations as well as their place in the company’s hierarchy at PKP CARGO S.A. are illustrated using the model of three lines of the organization’s defense against risk.
PKP CARGO S.A.’s internal systems and functions used to ensure security of operation of PKP CARGO S.A. and the PKP CARGO Group, presented using the model of three lines of defense against risk.
First line of defense consists mainly of lower- and mid-level managers, who manage risk and control in daily operations. Operational managers create and implement controls in processes and risk management in the organization. These include control mechanisms to identify and assess relevant risk factors and whether activities and tasks are performed correctly, to identify inadequate processes, address the issue of ineffective control and to communicate with key participants in the process. Senior management (department and unit directors) has overall responsibility for all first line activities. In some high risk areas it can also exercise direct oversight over lower and mid-level managers or even carry out some of the first line duties themselves.
Second line of defense consists of various risk management and compliance functions created by the management to ensure that the risk management processes and controls implemented by the first line of defense are properly designed and operate as intended. These are management functions that are separate from the first line operational management but still controlled and influenced by senior management. The primary responsibility of the second line functions is to monitor control and risk on an ongoing basis. They often work closely with operational managers, supporting them in defining strategies for the implementation of objectives, providing knowledge of risks, implementing policies and procedures and gathering information to map risks and controls from the company-wide perspective. PKP CARGO S.A. is a strongly regulated organization, where all these functions are separated and operate independently. Second line functions include specialized groups such as:
- Risk management;
- Integrated Management System;
- Safety Management System (SMS),
- Maintenance Management System (MMS);
- Internal control.
Second line activities are, in a sense, independent of the first line of defense, but they are still management functions by nature. Second line functions may directly develop, implement or modify the Company's control mechanisms and risk management processes. They may also take decisions on certain operational activities. The role of the second line of defense requires its involvement in the first line of defense.
According to the organizational bylaws of PKP CARGO S.A., the functions of:
- risk management;
- internal control;
- Integrated Management System; and
- compliance related to prevention of corruption and bribery and the PKP CARGO S.A. Code of Ethics;
are performed within the Security and Audit Office, which reports directly to the President of the PKP CARGO S.A. Management Board. The substantive units performing these functions have the possibility of reporting directly to the Company’s Management Board and, with the exception of the internal control function and the Ethics Officer, also to the Audit Committee of the PKP CARGO S.A. Supervisory Board. The compliance function, defined as analyzing compliance of the Company's activity with the applicable law is performed, according to the PKP CARGO S.A. organizational bylaws, by the substantive unit located within the structure of the Legal Support and Corporate Governance Department, which reports directly to the President of the Company’s Management Board.
Third line of defense – Internal audit serves as the third line of defense for the organization. The Institute of Internal Auditors defines internal audit as “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes, and by providing advice”. The scope of internal auditing covers all aspects of the organization’s activities. A high level of organizational independence and objectivity sets internal audit apart from the other two lines of defense. Internal auditors do not design and implement inspection as part of their normal duties and are not responsible for operational activities. According to the Organizational Bylaws of PKP CARGO S.A., the internal audit functions are performed in the Security and Audit Office, which reports directly to the President of the Company’s Management Board. The independence of the internal audit function is further strengthened by direct reporting of the head of the Internal Audit Unit to the Management Board and to the Audit Committee of the Company's Supervisory Board. Because of this high level of independence, internal auditors are best positioned to provide the Company’s Supervisory Board and Management Board with reliable and objective assurance on the effectiveness of governance, risk and control.