Introduction
On 25 September 2018 the Management Board of PKP CARGO S.A. adopted Resolution No. 324/2018 on the implementation of the Risk Management Policy in PKP CARGO S.A. The changes introduced by the resolution were aimed at strengthening the link between the level of a risk and the financial resources allocated to reducing it, in particular in the investment area.
The Internal Control and Audit Department, together with the Security Department, has been obligated to supervise the implementation and execution of the provisions of the Policy.
Participating entities
The risk management process permeates the whole organization and everybody, to the extent of their capabilities, manages risk. However, individual roles change with position in the Company's hierarchy.
Supervisory Board Audit Committee. This is a committee of the PKP CARGO Supervisory Board whose basic task is to verify the correctness and effectiveness of internal financial audits in the Company and the Group, and to monitor the effective operation of the internal control, internal audit and risk management systems. The Supervisory Board Audit Committee assesses the risk management system.
The PKP CARGO S.A. Management Board is responsible for risk management on the basis of the adopted Strategy; it primarily defines the Company’s directions of development and makes decisions regarding risk handling plans.
Risk owner. The Director of a Company Unit or Head Office Department, responsible for risk management in his or her reporting area. The risk owner identifies the risks occurring in that area's activities, analyzes and assesses them, and then compares the results with the expected ones. Depending on the result of the comparison, actions are taken either to retain the status quo or to reduce the risk level.
PKP CARGO S.A. employees are obligated to comply with the provisions of the Policy within the scope of their powers.
The Policy designates a Risk Leader, a person whose task is to coordinate all matters associated with risk management: collecting and analyzing information and reporting to the Management Board and the Supervisory Board Audit Committee. Each entity has different tasks, but all employees manage risk in the organization.
Risk validation
Risks which, from the perspective of the Company's management, are particularly important have been placed under special monitoring. For the risks indicated by the Management Board Members, indicators illustrating the risk level have been designed; currently 26 indicators are monitored. Once a month the PKP CARGO Management Board receives a report presenting the level of each indicator (neutral, alert or catastrophic), its trend, the causes of any deviations and the actions taken by the risk owners in response to them.
The indicators are in most cases quantitative and present verifiable information generated from PKP CARGO S.A.'s IT systems without incurring excessive cost.
The PKP CARGO Management Board may change the monitored indicators depending on its information needs.
Course of the process
The Policy has been developed on the basis of the ISO 31000 standard "Risk management".
The risk assessment process takes place at least once a year as a self-assessment. During the assessment the risk owners identify the risks in their area (and, for information security risks, the information assets concerned) and plan actions to reduce the risk level if it is unacceptable. If important circumstances affecting the risk level arise, the risk owner should carry out a self-assessment before the year has elapsed.
The assessment process has three stages: risk identification, risk analysis, and risk evaluation, in which the results obtained are compared with expectations to determine the next steps for handling the risk. The risk may be accepted, or the risk owner prepares a Risk Handling Plan.
For information security risks concerning assets which their owners have classified as critical, Business Continuity Plans are developed. The asset owner is responsible for maintaining, updating and testing the Plan.
The cyclical nature of the process assumes continuous changes aimed at its improvement.
Risk evaluation
- The results of the analysis are compared with the risk criteria to determine whether the risk level is acceptable;
- If the risk is at the neutral level, it is accepted and monitored regularly, but not too frequently;
- If the risk is at the alert or catastrophic level, the "Risk Handling Plan" document is completed.
The risk owner decides whether to take actions to mitigate the risk level or to take no action.
The risk matrix quantifies each risk as the product of the point value of the probability of its occurrence and the point value of the consequences of its impact. The risk measurement methodology is explained in detail in the tables below.
Risk description
Risk description according to the probability criterion
Probability of risk | Detailed description | Point value of probability
---|---|---
nearly impossible | the event can occur only in exceptional circumstances (1 to 20% probability of occurring within a year) and most probably will not occur at all; has not occurred so far; concerns individual matters | 1
unlikely | there is a small probability (21 to 40%) that the event will occur within a year; it may occur several times over a five-year period; concerns a small number of cases | 2
average | the occurrence of the event is possible on average, and in some cases such an event may take place (41 to 60% probability of occurring within a year); applies to certain matters | 3
likely | the occurrence of the event is very likely (61 to 80% probability; it will occur regularly, at least once a year); applies to most cases | 4
almost certain | the event is expected to occur (81 to 100% probability; it will occur regularly, every month or more often); applies to all or almost all cases | 5
Risk description according to the criterion of consequences
Impact of risk | Detailed description | Point value of consequences
---|---|---
close to impossible | negligible impact on achieving the organization's goals and tasks; no legal consequences; slight financial effect; no impact on employee safety; no impact on the organization's image | 1
low | little impact on the achievement of goals and tasks; no legal consequences; small financial effect; no impact on employee safety; little impact on the organization's image | 2
medium | medium impact on the achievement of goals and tasks; moderate legal consequences; average financial effect; no impact on employee safety; medium impact on the organization's image | 3
serious | serious impact on the implementation of the task, including a serious threat to its deadline and to the achievement of the goal; serious legal consequences; threat to employee safety; serious financial losses; serious impact on the organization's image | 4
catastrophic | failure to complete the task and to achieve its purpose; very serious and extensive legal consequences; violation of employee safety (negative consequences for their life and health); high financial losses; loss of the organization's good image in its environment and in public opinion | 5