The Group, and in particular its Board of Directors, dedicates a great deal of attention to the risks affecting the businesses and their objectives, and is committed to ensuring that risk management is an effective and fundamental component of the corporate strategy, culture and value-creation process.
The approach to risk management is detailed in the Group’s Risk Management Policy, which sets out the Group’s risk management system and outlines the roles and responsibilities of the persons responsible for its execution.
a) Risk Management Objectives
The aim of the Group’s risk management system is not to eliminate risk completely from the Group’s activities, but rather to ensure that every effort is made to manage risk appropriately, maximising potential opportunities and minimising its adverse effects.
The Group’s risk management system has the objectives of structuring and consistently organising the way the Group identifies and evaluates risks, ensuring that they are assessed broadly, considering dependencies and correlations among various risk areas and also promoting alignment of the process across the organization. It establishes procedures for reporting that allow for an adequate monitoring of the risk mitigation and control measures.
Due to the size and geographical dispersion of Jerónimo Martins’ activities, successful risk management depends on the active participation of all employees, who should assume this as an integral part of their jobs, particularly through the identification, reporting and mitigation of risks associated with their areas of responsibility. Therefore, all activities must be carried out with an understanding of what the risk is, with an awareness of the potential impact of unexpected events on the Company and its reputation.
The Group is committed to ensuring that all employees are provided with adequate guidance and training on the principles of risk management, on the criteria and processes set by the Risk Management Policy and on their responsibilities to manage risks effectively.
b) Organisation of Risk Management
The risk management governance model is defined in order to ensure the effectiveness of the Risk Management Framework and is aligned with the Three Lines Model, which distinguishes among three groups (or lines) involved in effective risk management, namely:
- First Line (Business Operations: Risk Owners) – responsible for the daily risk management activities aligned with the business strategy, with existing internal procedures and with the Risk Management Policy;
- Second Line (Oversight/Compliance Functions: Group and Business Unit Risk Managers) – responsible for the Risk Management analysis and reporting, as well as for developing suggestions or policies that ensure an adequate management of risks. This second line also includes functions such as Financial Control, Physical Security, Information Security, Data Privacy, Corruption Prevention, Quality & Food Safety, amongst other corporate areas;
- Third Line (Independent Assurance: Internal Audit and External Audit) – responsible for providing assurance on the effectiveness of governance, Risk Management and internal controls, including the manner in which the first and second lines perform their Risk Management and control objectives.
The Risk Management organisational structure considers the following main roles and responsibilities, which were effectively exercised over the period under review:
- the Board of Directors is responsible for establishing the Risk Management Policy and strategy, which includes the process for establishing thresholds applicable to the Group’s risk exposure and for setting goals in terms of risk-taking. It is also the Board’s responsibility to provide for the creation of control systems necessary to ensure that the risks effectively incurred are consistent with the goals set. These duties were carried out, namely, through the approval of the aforementioned Risk Management Policy, which provides for these aspects, and whose application was maintained in 2023;
- the Audit Committee approves the activity plans with regard to Risk Management, monitors their execution, and evaluates and monitors the effectiveness of the internal control, internal auditing and risk management systems. Its responsibilities include, namely, to evaluate global risk exposure levels and ensure that they are compatible with the objectives and strategies approved by the Board of Directors, to review mitigation actions defined for the most critical risks, to review the development of Risk Management initiatives and planning, and to review periodically the Group’s Top Risks, thus enabling the Board of Directors to make the necessary adjustment to the Risk Management Policy, as was done during 2023;
- the CEO, assisted by the Managing Committee, ensures the implementation of the Risk Management Policy and strategy as established by the Board of Directors, and promotes a risk awareness culture in the organisation, ensuring that Risk Management is embedded in all processes and activities;
- the Risk Committee, which is made up of representatives from Functional Divisions of Corporate Support, referred to in no. 21, and by a member certified in the area of risk management, assists and advises the Managing Committee, as the CEO’s assisting body, in assessing and monitoring the mitigating measures for the different types of risk, and aims at ensuring the existence of an effective Risk Management Framework, that ensures a level of risk exposure compatible with the objectives and strategies approved by the Board of Directors, without prejudice to the duties of the Audit Committee;
- the Strategy and Risk Management Department is responsible for the implementation of the Risk Management framework and the coordination of all Risk Management activities, supporting the Managing Committee and the Risk Committee in the identification of risk exposures that might compromise the Group’s strategic and business goals. Its responsibilities include the identification and recognition of Risk Management best practices, sharing recommendations from renowned organizations and/or compliance requirements. The Strategy and Risk Management Department is also responsible for the coordination and alignment of the practices adopted by the Companies in the BCP;
- the Business Unit Risk Managers are responsible for the implementation of Risk Management initiatives at the Company level and for supporting the respective Risk Owners’ activities;
- the Risk Owners are all employees in charge of the execution and/or control over a given process or activity, within a business unit or a corporate structure, and are responsible for managing the risks involved in those activities;
- the Internal Audit Department focuses its work on the significant risks, as identified by management, and audits the controls of the most exposed processes, providing assurance regarding their effectiveness and efficiency and active support in the Risk Management process.