We face a variety of risks – some general, and others more specific, stemming from the nature of our operations. To be able to manage these various risks and, where possible and desirable, to reduce them, we have drawn up a risk management policy.
Within Gasunie, the Executive Board is responsible for risk management. With the assistance of the Corporate Risk Management department, the Executive Board has set up and arranged an internal risk management and audit system. The aim of this system is to provide a reasonable degree of certainty that:
- care is taken that the company’s objectives are being achieved and
- the principal risks facing the company are being properly managed.
Our risk management efforts are focused on:
- Managing the risks that threaten our strategic objectives
- Managing the risks that threaten our operational and financial objectives
- Guaranteeing our compliance with the law and regulations
- Ensuring the reliability of our financial and management reports
A proper system of risk management and internal control will reduce the number of mistakes, wrong decisions and unpleasant surprises due to unforeseen circumstances.
Our internal risk management procedures are laid down in our Risk Management Policy and in the Minimum Requirements for Management Control. The measures we take to manage risks are combined in our Risk Management Framework. This framework is designed so that risks can be managed both top-down and bottom-up.
Each year, a strategic risk analysis is drawn up, which the Executive Board submits to the Supervisory Board. This risk analysis contains an overview of the risks that form a threat to the company achieving its strategy and objectives, together with the management measures adopted. A similar process takes place at business unit level, using strategic risk analyses, while at operational level and in the case of projects, operational risk analyses and project risk analyses are used. In these risk analyses, the business unit objectives and project objectives respectively form the basis for identifying these threats and formulating the management measures.
All key processes are covered by the process descriptions laid down in the Gasunie ‘Process House’ digital manual. All staff are subject to our Code of Conduct. In the context of the annual accounts, external auditors periodically evaluate the main elements of the organisation and operation of the administrative system and internal audit measures included in it. They report their findings to the Executive Board and the Supervisory Board. Once a year, the Executive Board discusses the organisation and operation of the entire risk management and audit system with the Audit Committee.
Adjustments in 2013
In 2013, we formalised certain elements of the Risk Management Framework, such as the interrelation between risk management, the business plan cycle and the strategic cycle. In doing so, we make sure we take an integrated approach, one which looks at opportunities and threats from various angles and also forms part of the existing reporting cycle. In addition, we have included more explicitly how our operational excellence objectives relate to corporate process management and our objectives. Managing processes and operations means managing risks.
We are responsible for the continuity of a reliable and safe infrastructure for the transport of gas in the Netherlands and northern Germany. Taking risks is, of course, an integral part of doing business. When working out our strategic and operational objectives, we identified risks and appropriate measures for managing them. The extent to which we accept the remaining risks varies per objective and risk category. Acceptance or rejection of these risks is determined on the basis of risk limits, laid down in various policy documents, processes, instructions and other company documents.
The table below shows risk acceptance according to the COSO ERM categories. Risk management within our company is based on the Enterprise Risk Management (ERM) framework of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. COSO ERM takes the company’s objectives as its point of departure, classifying the risks into four categories: Strategic, Operations, Reporting and Compliance. Within these risk categories, we distinguish the following levels: strategic (corporate), tactical (unit) and operational (departmental). Depending on the area of expertise or the part of the company, derived models have been drawn up to meet the right level of abstraction and area of expertise (such as HSE, Asset Management, M&A Projects and Project Risk Management).
| Risk category (COSO ERM) | Risk acceptance | Explanation |
| --- | --- | --- |
| Strategic | Low | In pursuing our strategic objectives, we try to strike a balance between the social TSO function (very low risk acceptance) and the commercial non-TSO activities (higher risk acceptance). |
| Operations | Very low | Risks to the safety of our surroundings or to Gasunie employees or contractors are avoided as much as possible; risk acceptance is very low. Risks to the continuity of a reliable infrastructure are also reduced. |
| Reporting / Finance | Low | Gasunie is not prepared to take risks that limit its access to the financial markets or endanger its credit ratings. |
| Compliance / Legal | Zero | Gasunie strives to comply with all applicable laws and regulations. |
Tasks, powers and responsibilities
The risk management within our company is based on the Three Lines of Defence model, which defines the relationships between and responsibilities of business/management control, risk management and internal audit.
The Three Lines of Defence model
1st Line of Defence: Line management
Line management is responsible for controlling its own processes, management controls and AO/IC (Administrative Organisation and Internal Audit). Once a year, it reports to the Executive Board on this, and formal account is given by means of a Document of Representation. An important aspect of managing risks is to have good knowledge of the processes, particularly processes that involve several departments. In 2013, many of the processes detailed in manuals were incorporated into the Gasunie digital ‘Process House’. This process of incorporation will be continued in 2014.
2nd Line of Defence: Risk management and compliance functions
The second Line of Defence consists of risk management, financial control and compliance functions (such as Safety and Legal) for the purpose of ‘management assurance’. Corporate risk management, commissioned by the Executive Board, defines the policy frameworks for risk management and advises on risk management within Gasunie. In addition to providing support and advice to line management, corporate risk management carries out corporate and strategic risk assessments at unit level. Each year, an independent report of these activities is presented to the Executive Board, the Audit Committee and the Supervisory Board.
3rd Line of Defence: Operational Audit
The Operational Audit department helps us to achieve our objectives by assessing independently and objectively whether the organisation and operation of our management control measures are effective and efficient. Operational Audit reports to the CEO.
Our employees act on the basis of our core values and risk awareness, thus creating a ‘Base Line of Defence’.
The main risks are described below:
|Strategic/general risks||Management measures (selection)|
Market and profitability objectives
General regulatory uncertainty:
Capacity at risk
|Operational risks||Management measures (selection)|
The Executive Board is aware that the risk management and audit systems, no matter how professional, cannot offer absolute certainty that the company objectives will be achieved or that such systems can fully prevent material inaccuracies, loss, fraud or violations of the laws and regulations.
With respect to the financial reporting risks, the Executive Board states that the internal risk management and audit systems provide a reasonable degree of certainty that the financial reporting does not contain any material inaccuracies and that the risk management and audit systems in the year under review functioned properly.