The internal control model of the AdP Group is based on the conceptual structure and best practices proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internationally accepted for the definition of criteria and parameters for evaluating internal control systems.
This model enables the implementation, development and continuous improvement of the internal control system, adopting a flexible, economic and reliable approach to the design and evaluation of this system in organisations that aim to achieve operational objectives, compliance and reporting as well as providing a reasonable, although not absolute, level of security to the governance and management structures of companies.
The methodology identifies five components for internal control (control environment, evaluation of risks, control activities, information and communications, and monitoring), which are necessary to the existence of an effective and efficient internal control system and are associated with seventeen fundamental principles and eighty-seven focal points. Based on the strategic and operational objectives defined, the Board decides which of these focal points are essential to complying with the principles of internal control and attaining efficiency in the internal control system.
A formalised internal control system enables the mitigation of risks and improvements to business processes through ensuring the standardisation of identification, design documentation and testing of the controls.
The Internal Control Manual, approved by the Board of Directors, systematises the internal control model of the AdP Group and correspondingly defines the general norms and principles of the internal control system as well as the rules and criteria for monitoring and evaluation. The manual details the importance of the internal control system to managing and mitigating risks that may hinder compliance with the objectives of AdP Group companies, safeguarding their assets and resources, fostering ethical conduct, identifying opportunities for improvement and the prevention and detection of irregularities occurring in company activities.
The internal control system, as a process designed by the team responsible for governance and management, involves the entire company, in accordance with the respective functions and levels of responsibility, with this intervention reflecting the three lines of defence model.
Within this framework, some of the key participants in internal control procedures are the following:
- The Board of Directors defines the strategy and approves the Internal Control Model that ensures compliance with the ethical values and transparency defined in the Group integrity policy and issues orientations on key business processes. The Board is also responsible for approving the Risk Management Model and defining the exposure to risk, supervising risk management and incorporating control activities into all business processes.
- The Executive Committee defines and implements high level controls, promotes the organisational culture and the commitment to internal control, defining the lines of reporting, competences and responsibilities for internal control.
- The External Auditor, while positioned outside of the organisation, performs a leading role in the control structure, through the analysis carried out on the accountancy system and the existing internal control procedures in order to issue an opinion on the financial reporting.
- The Supervisory Board is responsible for inspecting and simultaneously evaluating the functioning of the systems and the respective internal procedures, thus contributing to strengthening the internal control environment. Within the scope of its functions, the Supervisory Board accompanies the working plans of the Internal Audit Department.
- The Directors, Coordinators and Area Managers are responsible for the processes, risks and controls specified for their respective areas. They are to ensure compliance with the internal control system of the particular company, performing a more practical role in the design and, whenever necessary, proposing complementary control procedures, recommendations about the controls as well as continuously monitoring the controls and the effectiveness and efficiency of the processes they are responsible for.
- The Members of Staff in the diverse Operating and Support Functions of companies are responsible for the correct execution of the tasks associated with each process and control that they are attributed.
- The Department of Internal Audit and Risk Control includes in its structure distinctive areas of action, duly segmented and with the AdP Group playing a key role in the second and third lines of defence. The risk and control functions, central to the ways in which the Board maintains control over the business activities, are overseen by the Departments for:
  - Internal Control, with the core functions of participating in the implementation and monitoring of the functioning of the internal control system, supporting and boosting its functions and the responsibility for the internal control of companies in the AdP Group, nurturing constant concerns over the appropriateness, efficiency and continuous improvement of the controls and the optimisation of the processes;
  - Risk Management, responsible for monitoring and evaluating risks and mitigation measures, maintaining the alignment with the approved strategies and policies, guaranteeing the effective implementation of the risk management system, fostering a culture of risk and reporting on this to the Executive Committee and the Board of Directors.
The Internal Audit Department evaluates, independently and systematically, the appropriate functioning of the internal control and risk management systems of the AdP Group alongside the effectiveness and efficiency of the implementation of controls and mitigation actions.
BUSINESS RISK MANAGEMENT
In order to ensure compliance with the strategic objectives, the AdP SGPS Board of Directors defined the Business Risk Management Model of the AdP Group, which sets out defined objectives, processes and responsibility that enable the Group to establish a solid risk management structure.
The deployment of this Model enables an integrated evaluation of company risks and the maturing of a risk culture that develops the usage of a shared language in the definition and conception of each risk in addition to alignment with the objectives for risks and their respective controls in effect in the company, reducing the risk of investment and asset losses and helping guarantee the reliability of the financial reporting as well as legal and regulatory compliance.
The appropriateness of the internal control system aligns with a risk management model and is always subject to adjustment whenever risk evaluation processes identify risks attaining a level deemed unacceptable, or whenever shortcomings or failures are detected in the analysis of the controls they are submitted to.
The AdP Group risk management processes reflect the best internationally accepted risk management practices and were defined in accordance with, in particular, the COSO II framework. They are therefore made up of a set of seven interrelated phases, themselves incorporating a circular process of continuous improvement.
Establishing context: with the objective of conceptually defining not only the AdP Group risk management model but also its approach to risk assessment. Development of the risk management model should take the following points into consideration: identification of the organisational scope of risk management; identification of the organisational objectives; definition of a set of criteria according to which risks are subject to evaluation; and definition of the interlocutors for each risk assessment process.
Identifying risks: the objective of this phase consists of drafting a list of events that would have adverse or favourable impacts on implementing the objectives identified in the previous phase.
Analysing risks: involves two core objectives: identifying the causes potentially leading to the occurrence of risks and identifying the controls able to contribute to mitigating the risk. The causes or risk factors condition the occurrence of risks while the controls enable the evaluation of means of reducing both the impact of risks and the likelihood of their occurrence.
Evaluating risks: the objective of evaluating risks is to assist in defining priorities and decision-making for dealing with the identified risks. This evaluation takes place at the levels of Inherent Risk and Residual Risk and expresses the risk through the combination of two components: Impact and Probability.
Dealing with risks: the objective of this phase is to draft a risk treatment plan, setting out the priorities, the scope and the treatment applicable to each risk, which are then approved by the Board and monitored by the Risk Management area of the Department of Audit and Risk Control.
Communication: communication is essential so that all participants and parties affected by these processes understand and share the reasons behind the need to implement particular actions or take specific decisions. Risk-related information is communicated through reports that include Heat Maps (risk matrices), the trend in risks and the Risk Treatment and Implementation of Opportunity Plans, and is submitted to the management bodies to enable them to carry out the effective supervision of risk and take better risk-based decisions.
Monitoring and review: the monitoring and periodic review of the Risk Management processes are essential to guarantee that the evaluation of risks was undertaken correctly and remains contemporary.
The organisation of risks defined by the AdP Group takes into account the 4 Classes recommended by the COSO II framework (Strategy, Operating, Conformity and Reporting) and 1 additional Class for Governance risks. Furthermore, there were 12 Risk Categories defined, distributed across the aforementioned Classes as follows:
As stated, the evaluation of risks is carried out from the perspective of the probability of their occurrence and the resulting impacts, considering the respective risks as inherent or residual. Hence, this strives to ascertain the effectiveness of the internal control system set up to maintain risks at levels deemed acceptable in accordance with the following matrix:
The following represent some of the key risks the AdP Group is exposed to:
- Extreme climate events
- IT security
- Exchange rates and commodities
- Retail supply losses
- Upstream sanitation infiltrations
RISK PREVENTION PLAN
The Risk Prevention Plan for Corruption and Similar Infractions strives, to a large extent, to identify the areas potentially subject to the occurrence of acts of corruption in addition to the respective resulting risks and the controls established by the company for their mitigation. The Plan also aims to strengthen the culture of the group and respective employees as regards respecting ethical behaviours and best practices in commercial relationships with clients, suppliers and other entities.
The Plan is subject to annual evaluation that results in a report on levels of compliance and on any irregular acts connected with corruption that have occurred.