Risk management We consistently apply the precautionary principle and implement the same robust risk management system: z We identify the risk factors and opportunities that could impact our activity, considering all the dimensions that could affect us z We assess the causes and potential impact in detail and in a structured way z We aggregate risks into distinct categories, depending on the type and severity of the impact and relevance to our business z We address both risks and opportunities by formulating appropriate measures z We reduce risks by implementing concrete actions to reduce negative impacts We align ourselves with the risk management system implemented at the level of the REWE Group, which uses a uniform risk management system throughout the Group to reduce potential risks and identify long-term opportunities. Thus, risk management is a continuous process that is integrated into our operational activities. For all identified risks, appropriate management measures are outlined, and the degree of complexity of the action and the timing of implementation depend on the urgency (probability of materialization and occurrence of the risk as soon as possible), as well as on the threat potential (potential damage determined by the monetary, reputational and legal impact) of the risk. At Group level, the general conditions, guidelines, and processes for the uniform management of corporate risks are carried out by Corporate Controlling, in cooperation with the departments of governance and compliance, finance, business administration, tax, IT strategy and governance and information security, as well as Corporate Security. Risk managers independently identify, assess and manage risks in specific risk areas throughout the year, using a bottom-up approach. Each risk area presents once a year the risks identified based on the Group's uniform standards, in the form of an inventory of the risk area. The uniform risk management system defined at the level of the REWE Group implements the same fundamental values in all companies belonging to the Group: z Self-assessments – the Governance, Risk and Compliance (GRC) approach for identifying, assessing and managing risks with a focus on the "antitrust" and "corruption" components z 4 risk management strategies: avoidance, mitigation, transfer, and acceptance. At the same time, we use the Risk to change "R2C" software tool, which is primarily intended for identifying and reassessing compliance risks. We maintain the same procedure for identifying and classifying risks, considering the following parameters: the relevance of their potential to threaten the business, financial situation and earnings, cash flow, as well as the reputation of the Group. The risk managers in PENNY Romania inform the top management about the results of the risk analyses carried out and the degree of implementation of the previously defined management plans. At the same time, according to the mandatory provisions, any significant risks identified, new or existing, which may have a material impact, are reported on time and directly to management. Risks of relevant importance are managed and monitored by the corporate departments selected according to their expertise. The most important categories of risks identified in 2023 at Group level were: Identified risk Specificity of the relevant risks Value at risk* Compliance Violations of antitrust law Material IT, information security, data protection Cybercrime, I&T compliance, misuse of data and information, GDPR violations Elevated Epidemic Pandemic Elevated * Risk assessment is made because of realistically foreseeable or given circumstances. In principle, risks are assessed on a net basis (= monetary loss minus impact mitigation measures plus costs incurred for these measures). SUSTAINABILITY REPORT PENNY ROMANIA 2023 98/256 MESSAGE FROM THE GENERAL DIRECTORS SUSTAINABILITY STRATEGY AND GOVERNANCE ABOUT US AND OUR VALUE CHAIN ABOUT THE REPORT THE FUTURE IS MADE TODAY SUSTAINABILITY MILESTONES CONTENTS
RkJQdWJsaXNoZXIy MjUyMDg2Nw==