Senior management actively participates in reviewing the risks of Promigas, and our Comprehensive Risk Management facilitates the decision-making process in achieving the corporate objectives.
Promigas has implemented the three-lines approach to strengthen the Organization’s control environment and risk culture. The aim is to effectively manage risks by clearly assigning responsibilities related to risk, control and supervision. This methodology is based on the following six-stage cycle:
In 2021, the risks of all Company processes at all levels were identified, measured and monitored, which provided senior management a full view of the risks and their adequate management, classified as:
-
Strategic risks, for which adjustments were made in the methodology based on the 10-year Strategic Plan, for three scopes: short-, medium- and long-term.
-
Inherent risks of greatest impact.
-
Business risks.
-
Information security and cybersecurity risks.
-
Risks of corruption and of money-laundering and terrorism financing.
The group companies also strengthened monitoring of strategic risks and inherent risks of greatest impact, and formal semi-annual reviews and reports to the Risk and Compliance Committee and the Board of Directors of Promigas were established.
For these risks, the board of directors defined the role of Risk Champion, with the following functions and responsibilities:
-
Being familiarized with the assigned risks in terms of their definition, assessment and the associated controls.
- Support their teams in strengthening of mitigation and control actions.
- Assist the team in interpreting and using risk-based information for decision-making.
- Strengthen the risk cultures of their teams.
The first monitoring of business risks was performed, covering risks rated as ‘extreme’.
Other relevant risk management activities included:
-
The approval and implementation of the Regulatory Compliance Policy and its procedures, and progress made in the first phase consisting in the identification, rating and assurance of compliance with the applicable regulations to the processes of all group companies.
-
A channel was created to address inquiries and statements of conflicts of interest of third parties and employees, through the website, in order to promote the disclosure and timely action on these situations.
-
Inadequate Climate Change Management (physical and transition) was included as a strategic risk of the Company, to assign it greater relevance and strengthen the Organization’s commitment to the environment.
-
Risk management on financial reporting (SOX) was strengthened, increasing the effectiveness of the controls from 76 % to 93 % on 23 points in the first phase testing in 2021.
-
The assessment of third party risks was incorporated as a regular activity of the purchasing/creation of third parties process.
-
Risk management training was provided to 234 suppliers, represented by 387 participants, as part of the Conexiones Promigas Program.
-
At the Transportation SBG, corporate indicators were defined and implemented in connection with monitoring of information security and cybersecurity risks.
-
A pilot was carried out at CEO for the diagnosis of the cybersecurity culture, with a focus on people, which enabled knowing the level of assimilation and application of key concepts and controls.
Risk and Opportunity Management from a Comprehensive PerspectiveThe Risk and Opportunity Management process identified each risk and opportunity, based on the definition of the three major risk categories, which are:
Emerging Strategic: New or emerging risks that arise from local or international conditions, situations or trends that could significantly affect the financial strength, competitive position or reputation of the companies or of the industry. These are infrequent, high-impacting and highly uncertain risks that are difficult to measure due to the absence of data.
Key Strategic: They are risks that directly affect fulfillment of the strategic business objectives and the organization’s core processes.
High-impact inherent risk (HIIR): Risks that are inherent to the business, without taking into consideration the effect of controls, that affect the core business, the strategic objectives and business continuity and that have a high impact on reputation. They are located on the ‘extreme’ side of the risk map.
These categories are located in an external or internal context to provide a general outlook.
Using a comprehensive view and overall approach, we connected the key risks with the principles, material topics, mitigation actions and the efforts made in 2021, taking into consideration the economic, government, social and environmental aspects, which are conducive for value creation and drivers of the continuous improvement of our management.
