Training and awareness programs for employees on cybersecurity issues (in-person, e-learning, phishing simulation exercises)
Priority is placed on the protection of personal data
53 internal audits (51 regular and 2 ad hoc), exceeding the established audit plan
Continuous updating of Emergency Plans and Procedures
HELLENiQ ENERGY’s System of Internal Control and Risk Management is designed to identify and manage potential threats and prevent potential failures. It includes control activities and audit mechanisms across different organizational levels within the Group, as detailed in the 2023 Annual Financial Report (pp. 50-51, 53-54, 64, 66, 67-71).
Risk prevention and management are key to HELLENiQ ENERGY’s strategy. The identification and assessment of risks are repeated every year, mainly during the preparation phase of strategic planning and the annual business plan. The probabilities and impacts as they arise are considered both in the context of the Group’s activities, and in relation to the different stakeholders potentially affected.
Part of the System of Internal Control is the Group’s Internal Audit General Division (GIAGD), which contributes to improving the Identification, Assessment and Management of Risks, the System of Internal Control and Corporate Governance. To ensure complete and effective audit coverage of the Group’s business activities, GIAGD is organized into three (3) Divisions:
In addition, GIAGD’s Quality Assurance Department aims to enhance audit methodology and ensure continuous compliance with the International Professional Practices Framework of Internal Audit.
The key milestones for GIAGD in 2023 follow:
Audit Areas | No. of Audits |
---|---|
Facilities of production, handling, and marketing of petroleum products | 30 |
Social issues (COVID, Procurement, Human Resources) | 1 |
Financial issues | 15 |
Information Technology Issues | 3 |
Corporate Governance | 4 |
Total | 53 |

Internal Audit Plan | 2021 | 2022 | 2023 | 2024 (Target) |
---|---|---|---|---|
Annual audit plan coverage percentage | 115% | 107% | 104% | 100% |

The Risk Monitoring and Management Division is being established to support the operation of the Internal Control System by defining the principles, establishing and implementing appropriate and updated policies and procedures for risk management in terms of identification, evaluation, quantification/measurement, monitoring, audit, and management.
HELLENiQ ENERGY’s comprehensive Crisis Management and Business Continuity plan is tailored to its size and complexity, through the assignment of distinct roles and responsibilities to ensure the Group’s business continuity capability, i.e. the seamless operation of its facilities, protection from potential risks and their rapid restoration to the desired level in the event of an emergency. In addition to the Crisis Management and Business Continuity Plan, the Group maintains Internal Emergency Plans, which are updated periodically to align fully with national legislation and international Codes. The conclusions of the emergency preparedness drills that are carried out periodically or on an ad hoc basis at the Group’s facilities are also incorporated into these plans to ensure the best possible responses to emergency situations. As part of its ongoing engagement with local communities, HELLENiQ ENERGY considers suggestions for improvement coming from local authorities of municipalities and/or local stakeholders near its industrial facilities, in order to further enhance the effectiveness of the individual Emergency Plans.
The Group ensures that it has the necessary resources across all facilities and activities to manage possible safety incidents or any potential environmental impact promptly. In addition, the Group commits to taking immediate measures to respond to emergencies, thereby ensuring operational continuity of its activities and/or a return to normal operations as quickly as possible, effectively limiting any potential negative impact. HELLENiQ ENERGY recognises that seamless operation and proper management of critical incidents are linked to the sustainability of its business operations. Also, in the event of a safety incident or environmental impact, timely and effective communication with all stakeholders is considered essential to deal with the emergency and minimise implications.
The Group’s Plans encompass strategies for responding to both internal and external emergency scenarios. In addition to these, there are additional procedures for:
Additionally, the Group’s broader Crisis Management and Business Continuity plan includes:
It is worth noting that both the Emergency Response Plans and Procedures and the readiness and adequacy of resources, infrastructure, and equipment undergo annual reviews to ensure they remain responsive to initial planning. Observations from exercise evaluations and incident analyses are documented, monitored, and addressed and the Plans are revised accordingly.
More information on the Group’s Process Safety Performance can be found in the chapter “Health and Safety/ Health and Safety Indicators – Installation Performance”.
HELLENiQ ENERGY’s commitment to respectfully manage the personal data that come into its possession within the scope of its business activities is reflected and expressed in its Personal Data Protection Policy, which binds all Group companies.
The Policy follows the European Personal Data Protection Regulation (known as GDPR), Greek legislation, internationally recognised best practices at European and international level, and modern technological developments.
The protection of personal data is a top priority for the Group and in order to ensure proper data governance, a Group Data Protection Officer has been appointed at Group level, as well as Privacy Officers in each organisational unit and subsidiary of the Group.
Five of the subsidiaries (EKO S.A., KALYPSO KEA S.A., ELPEFUTURE, EKO Bulgaria, and OKTA) have appointed independent Data Protection Officers who collaborate with the Group Data Protection Officer.
This way, an organisational structure has been created throughout the Group in order to ensure compliance with applicable legislation, the Personal Data Protection Policy and the specific procedures and actions used to implement the Policy in the Group’s daily operations.
Shielding the Group’s information systems against the risks of cyberattacks is a matter of utmost importance for the Management. In order to create a positive impact towards society and its customers, HELLENiQ ENERGY protects both society and its citizens from the risks and damages caused by cyberattacks.
Moreover, the Group recognises the criticality of cybersecurity for its sustainability and evolution, primarily for the secure operation of its facilities, but also for the digital transformation of its internal processes.
Having been recognized as an OES (Operator of Essential Services) by the National Cybersecurity Authority, the Group is committed to harmonisation and compliance with the NIS Directive (EU 2016/1148) and the relevant National Legislation (Law 4577/2018).
For the reasons mentioned above, HELLENiQ ENERGY has appointed a Chief Information Security Officer, who reports to the Audit Committee on a frequent basis, and is responsible for defining the Group’s cybersecurity strategy and overseeing its cybersecurity program.
This program, bound by the Group Information Security Framework, ensures that an appropriate level of governance, as well as the necessary capabilities, skills, and control mechanisms are in place to achieve adequate protection of the Group’s information assets.
In 2023, particular emphasis was placed on initiatives that will take HELLENiQ ENERGY beyond simply strengthening cybersecurity defences, to creating organizational resilience by cultivating the ability to anticipate, withstand, respond, and adapt to disruptive events, in order to minimise any negative impact, expedite recovery, and emerge stronger in case of a potential cyberattack.
In addition, the Group is further investing in AI-enabled, cutting-edge security solutions that allow for constantly improving support of the digital transformation strategy, while addressing the hostile cybersecurity landscape.
At the same time, employee awareness is recognised as a key component of a successful cybersecurity strategy. To this end, a comprehensive cybersecurity training and awareness program was developed in 2023, which expanded the scope of the existing program and included training via e-learning tools, live training sessions, and phishing simulation drills.
Particular emphasis is placed on the training of employees at industrial facilities which are vital to the Group’s seamless operation.