The risk management process permeates throughout the organization and everybody, to the extent of their capabilities, manages the risk. However individual roles change together with the hierarchy in the Company.
Supervisory Board Audit Committee This is a PKP CARGO Supervisory Board committee, whose basic task is to verify the correctness and effectiveness of carrying out internal financial audits in the Company and the Group, and monitoring the effective operation of internal control, internal audit and risk management systems. The Supervisory Board Audit Committee assesses the risk management system.
The PKP CARGO S.A. Management Board is responsible for risk management on the basis of the adopted Strategy; it primarily defines the Company’s directions of development and makes decisions regarding risk handling plans.
Risk owner. The Director of the Company’s Unit or Head Office Department responsible for risk management in the reporting area. He/she is responsible for identifying the risks occurring in their activities, analyzing and assessing them and then comparing them with the expected results. Depending on the obtained results of the comparison, different actions are taken to retain the status quo or reduce the risk level.
PKP CARGO SA employees are obligated to comply with the provisions of the Policy within the scope of their powers.
The Policy designates a Risk Leader – a person whose task is to coordinate all matters associated with risk management. Collection and analysis of information and reporting to the Management Board and Supervisory Board Audit Committee. Each entity has different tasks. All employees manage risk in the organization.
The risks which, from the Company management’s perspective, are particularly important, have been subjected to special monitoring. With regard to the risks indicated by the Management Board Members, indicators illustrating the risk level have been designed. Currently 26 indicators are monitored. Once a month the PKP CARGO Management Board receives a report which presents the indicator levels (neutral, alert and catastrophic), the trend in the given ratio and information about the causes of deviations and actions taken by the risk owners in connection with the deviations.
The indicators in most cases are of quantitative nature and present information which is verifiable and without incurring excessive costs, generated from PKP CARGO S.A.’s IT systems.
The PKP CARGO Management Board has the possibility of changing the monitored indicators depending on their information needs.
Course of the process
The policy has been developed on the basis of the provisions of the ISO 31000 standard “Risk management”.
The risk assessment process takes place at least once a year, as part of self-assessment. During the assessment the risk owners identify the risks in their area and the information assets with regard to the risks associated with information security and plan actions aimed at reducing the risk level if it is unacceptable. If there are important circumstances affecting the risk level, the risk owner should carry out a self-assessment before elapse of one year.
The assessment process takes place in 3 stages: it starts with risk identification, then the risk is analyzed and the results obtained are compared with the expectations, which determines the next steps regarding the risk handling. The risk may be accepted or the risk owner prepares a Risk Handling Plan.
With regard to the risks associated with information security with regard to assets which have been found critical by their owners, Business Continuity Plans are developed. The asset owner is responsible for maintaining, updating and testing the Plan.
Cyclicity of the process assumes its continuous changes aimed at improvement.
- Comparing the results of the analysis with the risk criteria to determine whether the risk level is acceptable
- The risk is on a neutral level: we accept it and regularly, but not too frequently, monitor it
- The risk is on alert or catastrophic level: we fill up the “Risk Handling Plan” document.
The risk owner makes a decision on taking actions to mitigate the risk level or on not taking any actions.