Orange Polska is exposed to a range of external and internal risks of varying types which can impact the achievement of its objectives. Therefore, Orange Polska maintains a risk management framework to identify, assess and manage risks. This framework has been based on the ISO 31000:2009 standard. Leaders within the Group’s individual business areas and functions are responsible for the assessment and management of risks, including the identification and escalation of new/emerging circumstances, and monitoring and reporting on both the risks themselves and the effectiveness of control measures. Events are considered in the context of their potential impact on the delivery of our business objectives.
Event-based risks are assessed based on their likelihood and their impact in terms of financial, reputational, business continuity and human resources loss. If a risk has more than one type of consequence, e.g. both financial and reputational, it is assessed according to the most negative consequence. Risks whose assessed negative impact on the Company exceeds the acceptable level are mandatorily assigned mitigation measures in order to prevent or minimise losses. The effectiveness of such measures is verified on an ongoing basis, and they are adjusted as required.
Risk management process
The list of TOP risks is developed as a result of individual meetings with Board Members and Executive Directors, who indicate significant events that have the potential to jeopardise the Company’s strategy. Based on the risks identified in this process, their owners continue with further assessment of the risk likelihood and impact, as well as assigning mitigation measures and appointing the managers responsible for the implementation thereof. The outcome of the analysis of each TOP risk is subject to approval by the Board Member or Executive Director responsible for the particular area and, in case of potential financial loss, also by the Chief Financial Officer.
The risk management process in Orange Polska
Indicative heat maps are used to report and evaluate risks.
Sample heat map used as one of the communication tools
This example presents a risk that has low reputational impact, but moderate impact in terms of business continuity. Therefore, the overall assessment of the risk would be medium.
The TOP risks are reviewed at meetings of the Management Board and the Supervisory Board.
The TOP risks (aggregated clusters of event-based risks), which are set out in the table on pages 80-83, reflect the categories of risks that define business activity or contributing factors where value can be lost or gained and could have a material impact on the business model, future performance, solvency or liquidity of the Group. In each case the extent to which the Management Board can mitigate the risk is highlighted.