Risk evaluation is carried out by appraising impact and probability. Bearing in mind some key elements of the strategy, impact criteria are defined by the company as follows:
The criteria for appraising probability that have been defined by the company are as follows:
Top management establishes priorities for dealing with key risks, based on the results of the residual appraisal, and the following criteria are established for defining additional mitigations. In the case of risks classified as extreme, additional mitigations have to be defined in order to reduce the probability of the risk occurring or to absorb the consequence associated with the risk materializing. When risks are classified as high or moderate, top management or the process leader can propose additional risk mitigators, in accordance with the analysis of whether it is viable to introduce them, where applicable, and if the nature of the risk so permits, such as with regulatory risks.
Success with risk management depends on all stages of the aforementioned cycle being applied; partial application does not contribute to achieving the company’s strategic goals.
Reinforcement of risk monitoring in 2020 paved the way for the evaluation of inherent high-impact, strategic, and information security risks. Part of this monitoring included helping the first line of defense to identify changes in risks and controls in their processes because of the pandemic.
Similarly, the phase relating to the identification and evaluation of third parties and intermediaries as a segment of implementing the corporate third-party management methodology (TPRM/TPI) was completed, and a virtual third-party risk management training session was held. This was attended by 61 third parties considered critical for the company, and transportation and distribution companies. It was part of activities under the risk culture reinforcement program entitled ‘Promigas Connections, More United with our Suppliers’. A start was also made on regulatory risk management, in the form of structuring the Regulatory Compliance Program, the purpose of which is to administer the risk of default on internal and external standards and regulations that are binding on the company. The respective policy and procedures were drawn up for execution. With a view to strengthening and evaluating risk management and identifying trends, behaviors and how risks evolve over a period of time, Key Risk Indicators (KRI) and Key Performance Indicators (KPI) have been implemented.