Review and revision
Internal Control review
The testing of the effectiveness of the key controls as included in our Internal Control Framework (ICF) is performed by the internal control department within GRM. This is one of the pillars of our House of Control supporting the Statements of the Managing Board.
COA, as the third line, conducts independent operational audits based on the mandatory guidance of ‘The Institute of Internal Auditors’ to provide additional assurance to the Managing Board that significant risks are being managed and controlled effectively, efficiently and sustainably. Some of these audits are unannounced. The scope and frequency of COA audits are set according to the ranking of the auditable units in terms of the magnitude of risk, based on a limited number of defined characteristics. This program is agreed by the Executive Committee and the Audit Committee of the Supervisory Board.
Enhancement of the risk management system
During 2020, the following main improvements were made to our risk management framework.
Climate Risk Assessments
To improve our understanding of the physical risks related to climate change, we conducted an initial mapping of the risk exposure of our top 30 sites. The assessment covered three different scenarios, two time horizons (2030/2050) and five hazards (flooding, water scarcity, cyclones, temperature increase, wildfires). Further analysis is ongoing to validate this initial mapping, to define the required management approach for these risks, and to define the approach for assessing similar risks in our value chains.
An approach was defined for assessing the climate risks coming from the transition to a low-carbon economy. The first pilot is underway using three scenarios, aligned with the ones used for the physical risk assessments.
In 2020, a dedicated and specialized internal control department was established within GRM, which provides independent assurance of the effectiveness of the key controls as included in the ICF.
The governance, tools and processes to manage SoD conflicts were strengthened.
The Cybersecurity Governance Board was established; it keeps oversight of the cybersecurity risks and controls in the IT, Operations Technology, and R&D domains.
Our Corporate Requirements have been updated in order to:
- Standardize identity verification and access authorization to our sites
- Standardize measures to reduce cybersecurity risks for our operations
- Streamline our ways of working when dealing with personal data