6. CORPORATE GOVERNANCE, 6.2. Risk management
The Budimex Group operates in a dynamic business environment, which exposes the company to diverse risks and is also a potential source of many additional conditions and events. In this context, meticulous monitoring of these factors and their flexible management are of key importance to the effective execution of the company’s strategic priorities.
The principal document regulating the area of risk identification is the Risk Control and Management Policy in the Budimex Group. The Budimex SA Management Board (at the Group level) and the presidents of the subsidiaries are responsible for defining a policy on controlling and managing risks, including tax risk. In addition, they bear responsibility for monitoring information systems and internal control mechanisms.
Risk management is performed at two levels: strategic and operational.
The strategic risk management includes the following risk categories:
- strategic: potential events threatening the pursuit of the company’s mission or strategy,
- operational: potential events threatening effective and efficient exploitation of the company’s resources,
- compliance: potential events threatening the fulfillment of the company’s contractual obligations or its liabilities following from internal and external regulations,
- financial: potential events threatening effective management or control of finances and/or reliability of the company’s financial data.
The operational risk management includes the following risk areas:
- formal requirements: potential events threatening the achievement of the company’s production objectives in accordance with formal/contractual requirements,
- designing: potential events threatening effective management of the performance of contractual budgets,
- procurement: potential events threatening effective management of contractual budgets or completion of works in accordance with the adopted implementation plan,
- completion schedule: potential events threatening completion of works in accordance with contract performance schedules or schedules of organizational units,
- other: potential threats to the achievement of assumed objectives that cannot be assigned to the above groups.
Risk management is overseen by the Budimex SA Management Board. The system of risk identification in the Budimex Group is based on risk reviews: annual, half-yearly and quarterly.
A map of strategic risks is presented to the Audit Committee of the Budimex SA Supervisory Board.
The course of the risk identification and assessment process is as follows:
- Risk identification – performed by managers of organizational units, who determine which risks constitute an important threat to the achievement of set objectives, using the fRm tool, which is used to identify, estimate and report strategic and operational risks and unforeseen events.
- Risk assessment – takes place in accordance with a detailed instruction, which consists of an assessment of the impact of the risk’s occurrence on business objectives (very serious, serious, moderate, insignificant, no impact) and of the probability of the risk’s occurrence (high, medium, low and rather unlikely).
- Risk classification – determination of the probability of occurrence and potential impact of a risk.
- Description of remedies – specific actions to be taken to reduce the probability of a risk’s occurrence or to minimize its impact should it occur.
During a review of risks for 2023 performed within the strategic risk management process, significant risks were identified in the Budimex Group, as presented in the table below.
Table: Significant risks identified for the Budimex Group in 2023