RISK MANAGEMENT AND COMPLIANCE
CAP Group has defined as a core business objective the identification, mitigation and timely control of all those risks that jeopardize the fulfillment of corporate goals and the company development strategy.
In 2017, CAP Group drew up its new Risk Management Policy. This document will come into force in January 2018 and will apply to all Group companies.
It has been mainly designed to set up the general definitions and criteria to be used by the company for corporate risk management purposes.
The new policy highlights as a core company value the responsibility borne by every worker in the identification, communication, mitigation and control of the events threatening the fulfillment of their responsibilities and company goals. It also determines that, in order to manage those risks, the CAP Group will draw on the terms of the ISO 31000 management standard (Risk Management Principles and Guidelines) and COSO (Enterprise Risk Management).
This new internal framework provides a detailed definition of the duties to be performed by each company actor in the risk management process. As for the Board, the following are its responsibilities:
- Define and monitor the risk objectives and policies.
- Define and communicate the necessary values and culture to conduct an effective risk management process.
- Approve the risk management model and supervise company compliance.
- Approve risk methodologies.
- Define and monitor the risk level desired for the company.
The Policy also includes the role and responsibilities of Risk Coordinators, new participants in the company’s risk management structure. According to this document, each CAP Group affiliate will appoint a risk coordinator who, among other duties, will coordinate risk management activities along with the Internal Control and IT Management, keep the risk control system and the action and KRI compliance plans up to date, and organize, within its area, risk identification, assessment and management activities.
In 2017, while the policy was being developed, the CAP Group Board surveyed the most relevant company risks, including those associated with sustainability. This participative process included two workshops where Directors were guided by an external consultant. In this activity, 54 risks were identified as the most relevant at Board level. From these, the 10 most critical risks for the organization were ranked and determined. Based on this diagnosis, the company will prepare mitigation and management action plans to be put in place in 2018.
In 2017, with the object of complementing the corporate risk management structure, CAP created a new Committee of Risk Management Directors, made up of three Directors and also attended by the General Manager and the Minutes Secretary.
In the new risk management policy, the CAP Group broke down the risks the organization is exposed to into six categories:
As to sustainability aspects, the main risks identified by CAP were:
- Operational impacts on the environment and/or communities.
- Weaknesses / mistakes in relationships with stakeholders: regulators, financial system, customers and suppliers.
- Management and retention of talents and critical positions.
- Change management.
- Corporate governance roles.
CYBERATTACKS: ANOTHER MANAGEMENT FOCUS
In 2017, the company made key advances in preventive management. One of those achievements is the review of the control processes the company has implemented to prevent cyberattacks. Once the technological risks had been updated, CAP carried out a diagnosis of all operations and then executed self-attacks to identify vulnerabilities.
During 2018, CAP Group will implement the integrated SAP EHS (Environmental, Health & Safety) platform, not only to monitor and manage its potential incidents but also to ensure compliance with the standards and obligations undertaken in environmental and safety & hygiene aspects.
This software keeps control of the obligations arising from the more than 50 Environmental Qualification Resolutions (RCA) granted to the company and from the environmental permits granted to all its companies, while it identifies the occurrence of potential infringements and breaches of the respective plans of action.
Considering that over 80% of the laws and regulations the company is subject to involve environmental management aspects, the large majority of the preventive incident compliance and monitoring tasks conducted by the Group, as well as the internal and external audits conducted on the organization, are focused in that direction.
Audits
As observed in the risk map drawn by each company area, the Group prepares an audit schedule for the year. This program covers all the affiliates and audits all company functions and processes, including sales, accounts receivable & payable processes, cash flows, operations, sustainability and people, among others.
Audits are mainly aimed at providing feedback on the risk areas and, from there, developing action plans to mitigate the potential effects of materialized risks.
In 2017, 38 audits and follow-up processes were applied to Group companies; these covered all their processes and the investigation of all grievances received.