Risk Prevention and Management

  • Training and awareness programs for employees on cybersecurity issues (in-person, e-learning, phishing simulation exercises)

  • Priority is placed on the protection of personal data

  • 53 internal audits (51 regular and 2 ad hoc), exceeding the established audit plan

  • Continuous updating of Emergency Plans and Procedures

Risk Prevention & Management

The Group has invested in a robust and innovative Internal Audit System to expedite its energy transformation, focusing on the following important benchmarks: a) zero tolerance to corruption incidents, b) the implementation of a strict ethical procurement framework, and c) a high level of readiness to address potential emergencies.


Internal Audit and Risk Management

HELLENiQ ENERGY’s System of Internal Control and Risk Management is designed to identify and manage potential threats and prevent potential failures. It includes control activities and audit mechanisms across different organizational levels within the Group, as detailed in the 2023 Annual Financial Report (pp. 50-51, 53-54, 64, 66, 67-71).

Risk prevention and management are key to HELLENiQ ENERGY’s strategy. The identification and assessment of risks are repeated every year, mainly during the preparation phase of strategic planning and the annual business plan. The probabilities and impacts as they arise are considered both in the context of the Group’s activities, and in relation to the different stakeholders potentially affected.

Part of the System of Internal Control is the Group’s Internal Audit General Division (GIAGD), which contributes to improving the Identification, Assessment and Management of Risks, the System of Internal Control and the Corporate Governance. To ensure complete and effective audit coverage of the Group’s business activities, GIAGD is organized into three (3) Divisions:

  • Administrative and Finance Internal Audit Division
  • Domestic and International Trading Internal Audit Division
  • Industrial Installations and Supply Internal Audit Division

In addition, GIAGD’s Quality Assurance Department aims to enhance audit methodology and ensure continuous compliance with the International Professional Practices Framework of Internal Audit.

Key milestones

The key milestones for GIAGD in 2023 follow:

  1. Performed, for the 9th consecutive year, the Group’s risk identification and assessment. The exercise was carried out by the Group’s Division Heads and coordinated by the GIAGD. The coordination for the exercise was performed by the Group’s Division Heads while it was enriched and redesigned with the support of an External Consultant. The exercise resulted in the documentation and evaluation of risks, corresponding control activities, and the risk residual value.
  2. An Evaluation of the Structure and Operation of GIAGD was performed in accordance with the International Framework for the Professional Implementation of Internal Audit and its Operating Manual, resulting in a “Generally Complies” assessment with International Standards of Internal Audit, showing a significant improvement in overall compliance compared to the previous one in 2017.
  3. GIAGD committed to update the Audit Committee on the progress of the “Vision 2025” project, encompassing all transformation activities within the Group.
  4. Information Technology Internal Audit strategy was developed and approved.
  5. Participated in:
    a) the assessment of the System of Internal Control by an External Evaluator,
    b) the development of the Whistleblowing process and the Code of Conduct.
  6. Participated, as an observer, in various important Group Committees (Executive Committee, Credit Committee, Investments Evaluation Committee, and Refineries Coordinating Committee).
  7. For the further development of the skills of the GIAGD staff, 1 of its members obtained professional certification (Certified Operational Risk Officer), bringing the total number of certificates held by GIAGD’s staff to 12.
  8. In line with internal audit best practices, the following initiatives took place: a) the Chief Audit Executive submitted, for the first time, a Declaration of Consent for the System of Internal Control to the BoD, and b) all of the auditors signed an Independence Declaration for the year 2023.
  9. A total of 53 audits were completed (51 regular and 2 extraordinary). The audited areas for 2023 as well as the coverage of the annual audit plan for the last 3 years are presented in the table below:

| Audit Areas | No. of Audits |
|---|---|
| Facilities of production, handling, and marketing of petroleum products | 30 |
| Social issues (COVID, Procurement, Human Resources) | 1 |
| Financial issues | 15 |
| Information Technology Issues | 3 |
| Corporate Governance | 4 |
| Total | 53 |

| Internal Audit Plan | 2021 | 2022 | 2023 | 2024 (Target) |
|---|---|---|---|---|
| Annual audit plan coverage percentage | 115% | 107% | 104% | 100% |

Risk Monitoring and Management Division

The Risk Monitoring and Management Division is being established to support the operation of the Internal Control System by defining the principles, establishing and implementing appropriate and updated policies and procedures for risk management in terms of identification, evaluation, quantification/ measurement, monitoring, audit, and management.

Critical Incident Risk Management

HELLENiQ ENERGY’s comprehensive Crisis Management and Business Continuity plan is tailored to its size and complexity, through the assignment of distinct roles and responsibilities to ensure the Group’s business continuity capability, i.e. the seamless operation of its facilities, protection from potential risks and their rapid restoration to the desired level in the event of an emergency. In addition to the Crisis Management and Business Continuity Plan, the Group maintains Internal Emergency Plans, which are updated periodically to align fully with national legislation and international Codes. The conclusions of the emergency preparedness drills that are carried out periodically or on an ad hoc basis at the Group’s facilities are also incorporated into these plans to ensure the best possible responses to emergency situations. As part of its ongoing engagement with local communities, HELLENiQ ENERGY considers suggestions for improvement coming from local authorities of municipalities and/or local stakeholders near its industrial facilities, in order to further enhance the effectiveness of the individual Emergency Plans.

The Group ensures that it has the necessary resources across all facilities and activities to manage possible safety incidents or any potential environmental impact promptly. In addition, the Group commits to taking immediate measures to respond to emergencies, thereby ensuring operational continuity of its activities and/ or a return to normal operations as quickly as possible, effectively limiting any potential negative impact. HELLENiQ ENERGY recognises that seamless operation and proper management of critical incidents are linked to the sustainability of its business operations. Also, in the event of a safety incident or environmental impact, timely and effective communication with all stakeholders is considered essential to deal with the emergency and minimise implications.

The Group’s Plans encompass strategies for responding to both internal and external emergency scenarios. In addition to these, there are additional procedures for:

  • internal and external communications (providing for periodic tests for emergency calls);
  • access to human resources and equipment;
  • access to useful information (e.g. Safety Data Sheets, Plans, etc.);
  • communication with companies, local communities (e.g. municipalities), as well as emergency response agencies (include compatibility and integration of plans where appropriate); and
  • use of third-party assistance.

Additionally, the Group’s broader Crisis Management and Business Continuity plan includes:

  • mechanisms for assessing the operational impact of the disruption of its activities and the risks to its overall operation; and
  • business continuity plans.

It is worth noting that both the Emergency Response Plans and Procedures and the readiness and adequacy of resources, infrastructure, and equipment undergo annual reviews to ensure they remain responsive to initial planning. Observations from exercise evaluations and incident analyses are documented, monitored, and addressed and the Plans are revised accordingly.

More information on the Group’s Process Safety Performance can be found in the chapter “Health and Safety/ Health and Safety Indicators – Installation Performance”.

Information and Information Systems Security

Prioritising Personal Data Protection Policy

HELLENiQ ENERGY’s commitment to respectfully manage the personal data that come into its possession within the scope of its business activities is reflected and expressed in its Personal Data Protection Policy, which binds all Group companies.

The Policy follows the European Personal Data Protection Regulation (known as GDPR), Greek legislation, internationally recognised best practices at European and international level, and modern technological developments.

The protection of personal data is a top priority for the Group and in order to ensure proper data governance, a Group Data Protection Officer has been appointed at Group level, as well as Privacy Officers in each organisational unit and subsidiary of the Group.

Five of the subsidiaries (EKO S.A., KALYPSO KEA S.A., ELPEFUTURE, EKO Bulgaria, and OKTA) have appointed independent Data Protection Officers who collaborate with the Group Data Protection Officer.

This way, an organisational structure has been created throughout the Group in order to ensure compliance with applicable legislation, the Personal Data Protection Policy and the specific procedures and actions used to implement the Policy in the Group’s daily operations.

Reinforced Information Systems Security

Shielding the Group’s information systems against the risks of cyberattacks is a matter of utmost importance for the Management. In order to create a positive impact towards society and its customers, HELLENiQ ENERGY protects both society and its citizens from the risks and damages caused by cyberattacks.

Moreover, the Group recognises the criticality of cybersecurity for its sustainability and evolution, primarily for the secure operation of its facilities, but also for the digital transformation of its internal processes.

Having been recognized as an OES (Operator of Essential Services) by the National Cybersecurity Authority, the Group is committed to harmonisation and compliance with the NIS Directive (EU 2016/1148) and the relevant National Legislation (Law 4577/2018).

For the reasons mentioned above, HELLENiQ ENERGY has appointed a Chief Information Security Officer, who reports to the Audit Committee on a frequent basis, and is responsible for defining the Group’s cybersecurity strategy and overseeing its cybersecurity program.

This program, bound by the Group Information Security Framework, ensures that an appropriate level of governance, as well as the necessary capabilities, skills, and control mechanisms are in place to achieve adequate protection of the Group’s information assets.

In 2023, particular emphasis was placed on initiatives that will take HELLENiQ ENERGY beyond simply strengthening cybersecurity defences, to creating organizational resilience by cultivating the ability to anticipate, withstand, respond, and adapt to disruptive events, in order to minimise any negative impact, expedite recovery, and emerge stronger in case of a potential cyberattack.

In addition, the Group is further investing in AI-enabled cutting-edge security solutions, that allow for constantly improving support of the digital transformation strategy, while addressing the hostile cybersecurity landscape.

At the same time, employee awareness is recognised as a key component of a successful cybersecurity strategy. To this end, a comprehensive cybersecurity training and awareness program was developed in 2023, which expanded the scope of the existing program and included training via e-learning tools, live training sessions, and phishing simulation drills.

Particular emphasis is placed on the training of employees at industrial facilities which are vital to the Group’s seamless operation.

Helleniq Energy | Sustainable Development Report 2023 | Risk Prevention & Management