CONTENT ABOUT PENNY SUSTAINABILITY STRATEGY SUSTAINABILITY STEP BY STEP SUSTAINABLE ASSORTMENT ENERGY, CLIMATE AND RESOURCES EMPLOYEES AND SOCIETY REPORT ASSURANCE GRI & SASB INDEX Reportable risks are identified in an annual inventory by risk managers, using a bottomup approach, whereby the identified risks are classified and evaluated in the same manner within the Group. Consequently, in 2021, at the Group level, the following risk categories were identified*: Risk type Specifics of relevant risks Value at risk The probability of incidence Data security and cybercrime Cyber-attacks and data security requirements Substantial/ Essential Less often Valuation risk Evaluation and depreciation Substantial/ Essential Less often Pandemic risk – Substantial/ Essential Occasional Compliance Antitrust law Substantial/ Essential Less often IT-Delivery Introduction of the IT system Considerably Occasional Purchase of goods Supply chain Considerably Less often Electricity supply The price of energy Considerably Probable Customer Marketing Advertising processes Considerably Less often To properly manage all these identified risks, we continuously apply the precautionary principle. Therefore, for the risks identified at the Romanian level in 2021, we have established 115 specific actions to reduce risks and address opportunities. Among the actions that are taken, we mention: z Updating the standard operation procedures z Updating the contractual clauses with our partners z Employee participation in online and physical training on various topics z Organisation of training courses in the field of data protection z Realization of round tables z Updating the Monitoring Measures of Quantitative Key Performance Indicators z Updating the working conditions with suppliers z Applying the four eyes principle for designing work tasks The top management is informed of the results of the analyses carried out by the risk managers and the degree of implementation of the management plans. At the same time, according to the mandatory provisions, any significant risks identified, new or existing, that may have a material impact, are reported on time and directly to the management. For the identification and classification of risks, the following parameters are taken into account: the relevance of their potential threat to activity, financial situation and earnings, cash flows, as well as the reputation of the group. Each identified risk is categorized as high, medium, or low. The tools we implement for riskmanagement are those defined at the REWE Group level by applying our fundamental values: z Codes of Conduct z Guideline to a Sustainable Economy z Specific guidelines concerning rawmaterials rawmaterials z Self-assessments – the Governance, Risk, and Compliance (GRC) approach to identifying, assessing, and managing the risks with a focus on the ”antitrust” and ”corruption” components z Risk to chance ”R2C” software tool, primarily intended to identify and reassess compliance risks To ensure compliance with legal and internal regulations, we implement several tools, such as: z A compliance program that includes a variety of preventive measures, such as risk assessments, training, and counselling z Compliance Management System (SMC), to ensure compliance with legal and internal regulations and ensure the personal liability of company management members and employees z Telephone line dedicated to customers, partners, and employees for informing on compliance issues z Training for all employees in procedural and compliance rules at least once a year The compliance management system (SMC) is managed by the local Compliance Department, through a specific system, implemented at the Group level; in addition, there is a Compliance Officer with administrative authority, established at the Group level. All referrals reported by internal and external stakeholders, on topics such as ethics, corruption, unfair competition, and discrimination, are evaluated by the Compliance Officer through interviews and internal checks, paying particular attention to confidentiality. An internal reporting tool is also provided. For more details on how we manage risk and ensure legal compliance, you can access previous sustainability reports. *The information presented in the table above is transposed as it appears in the REWE Group Management Report 2021, page 27
RkJQdWJsaXNoZXIy NTg3MTAy