Integrated
Report
2019

Orange Polska

Risk management

Introduction

Orange Polska is exposed to a range of external and internal risks of varying types which can impact the achievement of its objectives. Therefore, Orange Polska maintains a risk management framework to identify, assess and manage risks. This framework has been based on the ISO 31000:2018 standard and ISO 27005 (for Information Security Management System only). Leaders within the Group’s individual business areas and functions are responsible for the assessment and management of risks, including the identification and escalation of new/emerging circumstances, and monitoring and reporting on both the risks themselves and the effectiveness of control measures. Events are considered in the context of their potential impact on the delivery of our business objectives.

Orange Polska’s three lines of defence

Appetite for risk

We assess event-based risks according to their likelihood and impact in terms of financial, reputational, business continuity and human resources loss. If the consequences are, for example, both financial and reputational, the risk is assessed according to the most negative consequence. When the negative impact of a risk is assessed as exceeding the acceptable level, mandatory mitigation measures are put in place to prevent or minimise losses. The effectiveness of such measures is verified on an ongoing basis, and they are adjusted as required. The risks and the mitigation measures assigned to them feed into the development of the Annual Internal Audit Plan.

Clusters and risk domains

In addition, similar risks are grouped into clusters to ensure consistent and effective risk management across the Orange Polska Group. The risk assessment process, illustrated in the diagram below, is managed by domain co-ordinators.

The division of risks into the domains of operating risks, loss of information, business continuity, compliance, fraud and social risks ensures a uniform and objective approach to the assessment of risks with similar consequences (cause and effect analysis).

Risk management process

A list of TOP risks is developed following individual meetings with Board Members and Executive Directors, who indicate significant events that have the potential to jeopardise the Company’s strategy. Based on the risks identified in this process, their owners continue with further assessment of the risk likelihood and impact, as well as assigning mitigation measures and appointing the managers responsible for the implementation thereof. The outcome of the analysis of each TOP risk is subject to approval by the Board Member or Executive Director responsible for the particular area and, in case of potential financial loss, also by the Chief Financial Officer.
The risk management process in Orange Polska

Reporting

Indicative heat maps are used to report and evaluate risks.

Sample heat map

This example presents a risk that has low reputational impact, but moderate impact in terms of business continuity. Therefore, the overall assessment of the risk would be medium.
The Audit Committee monitors the effectiveness of the risk management system and reviews reports on the system’s design and operation.
The TOP risks are reviewed at meetings of the Management Board and the Supervisory Board.

TOP risks

The TOP risks, which are set out in the table on page Risk exposure, are clusters of event-based risks that could have a material impact on the business model, future performance, solvency or liquidity of the Group. In each case, the extent to which the Management Board can mitigate the risk is highlighted. The risk areas included in the TOP list are those which most strongly define our business activities and contribute to the loss or gain of value, and they are subject to change. For example, in 2018 we determined that the risk related to labour shortage had been sufficiently mitigated by our remedial actions, and could be delegated to the respective business areas.
We also identify and monitor risks related to our impact on society and the natural environment. However, these are not included in the TOP risks as they do not meet the threshold for value impact.

The website use cookies and simililar technologies to improve the performance and make experience better. Your use of our website indicates your consent to the cookies described in our policy. You can modify, block or delete cookies at eny time by changing your browser’s settings. For more information, please see our Privacy Policy.