The procedure set forth in the LOTOS Group’s Integrated Management System document specifies detailed rules for risk identification and assessment, monitoring and reporting methods, and reviews aimed to check if the measures taken have brought the expected results. The procedure is designed to ensure that the planned activities are carried out regularly, the applied methodology is optimal and suitable for various areas of operations, and the risk management process is coherent and effective.

Enterprise Risk Management (ERM) at the LOTOS Group is designed to:

• support stable and sustainable growth with a view to meeting the stated objectives through regular and recurrent identification of risks which may hinder their achievement;
• provide comprehensive information on risks inherent in the LOTOS Group’s operations (both threats and opportunities);
• enable swift and effective decision-making based on risk analysis;
• prepare the LOTOS Group to respond promptly if a risk materialises.

In order to meet the above objectives, a systemic approach to risk management is being implemented, which covers:

• identification of risks and their qualitative and quantitative assessment,
• determination of risk management strategy,
• implementation of planned measures,
• review of implemented measures to check if they have delivered the expected results,
• constant monitoring and control of both the risk level and status of implemented measures,
• introduction of uniform communication and reporting rules.

Grupa LOTOS’ response to risk involves the following four types of measures:

• reducing the probability of risk occurrence, for instance through control measures or process adjustments,
• transferring risk, for instance by means of insurance or outsourcing,
• avoiding risk through withdrawal from a given risk area or refraining from risk laden activities (the least frequently applied strategy),
• accepting a given risk level when it is impossible to reduce it or the risk is too immaterial to be mitigated.

The key principles and scope of responsibilities under the system are defined in the Enterprise Risk Management Policy of the LOTOS Group, available to all the Company’s employees. Additionally, an Enterprise Risk Management Committee operates at Grupa LOTOS as advisory body. The Committee’s primary function is to check whether any mitigation measures planned by risk owners are consistent from the point of view of the entire Group’s operations and do not raise risks in other areas to dangerous levels.

Once a year, a review of the Enterprise Risk Management System is undertaken (as part of the so-called maturity assessment). The results serve to further improve the system. Information on the operation of the Enterprise Risk Management System is provided to the Board and the Audit Committee of the Supervisory Board of Grupa LOTOS.

Key instruments

Grupa LOTOS identifies risks which may affect the achievement of its strategic, process and operational objectives. In most cases, the identification is made at group workshops, but each employee is also obliged and entitled to report any observed risks and opportunities relating to ongoing processes which may affect the Company’s performance against objectives.

Risk assessment is undertaken from two different time perspectives – the following year and until the end of the period covered by the LOTOS Group’s strategy (currently until the end of 2015). For each risk, the probability of its occurrence is estimated, followed by an assessment of its possible impact on Grupa LOTOS’ financial standing and reputation. The assessment takes into account the expected impact on safety of people, environmental impact and reception by key stakeholders.

Relevant controls, security measures and monitoring methods are indicated for all registered risks. Each risk has its owner, who is responsible for overseeing the risk, monitoring it in line with adopted criteria and implementing agreed mitigation plans. The monitoring results are regularly reported.

The risk assessment serves as a basis for the LOTOS Group’s aggregated Risk Map. The Map is subject to changes and is regularly updated in response to external volatility, internal business processes, completion of some projects and commencement of other (which may entail new risks), as well as application of measures aimed at mitigating identified risks, which has the effect of reducing risk pricing.

All risks assessed as significant relative to the stated objectives are subject to detailed analysis aimed to identify the relevant risk factors and the management and monitoring methods to be applied at a given time. Based on the analysis, risk mitigation plans and action plans in case the risk materialises are prepared.

Grupa LOTOS also manages project risks, especially with respect to its investment projects. The risk assessment criteria are slightly different in this case, as they are adjusted to the specific nature of project management. However, the risk management procedures remain consistent for the entire Company, enabling the secure and effective execution of planned projects.

Development plans

Grupa LOTOS is working on the implementation and development of an IT tool designed to support the Enterprise Risk Management System, with a view to enhancing its functionality to end users and preparing required analyses.

In 2011, Grupa LOTOS completed the first stage of development of the new comprehensive IT tool. The new IT system will be subject to constant expansion and functional improvement based on user suggestions, as well as process and system needs. It will allow us to monitor the levels of different risks using predefined Key Risk Indicators (KRI)and will be integrated with the other systems used by Grupa LOTOS (e.g. SAP), so as to be able to directly retrieve and process data stored in those systems.

Work is also in progress on an incident database to be used across the entire Company (incidents being events which may cause the related risks to materialise and may provide information on new, emerging threats and opportunities that have not been previously identified).