2016 Integrated Report

Risk management

Risk management at Pelion is focused on identifying potential events which might affect the Group's operations, maintaining risks below pre-defined limits and ensuring delivery of the business strategy.

Risk management objectives are defined, classified and communicated on an ongoing basis. They are in particular:

Pelion's risk management policy is based on the COSO II methodology. There are direct relations between the objectives (i.e. what Pelion intends to achieve) and components of its enterprise risk management (i.e. what is necessary to achieve them). Enterprise risk management is important for the entire organisation and its individual units. This is reflected in the third dimension of the cube containing Pelion's organisational units.

In line with the COSO II methodology, such relations are presented in the form of a three-dimensional matrix (cube).

Enterprise risk management process at Pelion

Risk management

The first line of defence
  • Management of Pelion's organisational units
  • Operational Staff
The second line of defence
  • Risk Committee
  • Risk Management Officer
  • Other Risk Management process owners
The third line of defence
  • Internal audit

The Supervisory Board of Pelion S.A. (Audit Committee)

supervises the enterprise risk management process. It assesses the risk management system for completeness in terms of policies and procedures related to supervision, risk aggregation and quantification, reporting and monitoring.

The Management Board of Pelion S.A.

is responsible for enterprise risk management, including supervision and monitoring of measures taken, as well as effective risk response and transparent reporting lines.

The enterprise risk management process at Pelion provides for three mutually independent lines of defence:

The first line of defence

supported by risk owners (at operating units) through risk management at a level of the operating unit or process, following the defined procedures of risk management, risk identification and assessment, as well as risk response. The first line of defence involves the internal functional control function, ensuring that risk control activities are applied and legal regulations are complied with.

The second line of defence

supported, in line with a model, by risk management process owners (the Risk Committee, Risk Management Officer, as well as owners of the compliance, quality assurance, information security, physical security, controlling, monitoring and debt collection processes) through development and updating of risk management procedures, ensuring risk management consistency with Pelion's strategy, assistance to risk owners and coordination of their actions (support in designing and developing risk control and management processes), identification of trends in synergies and opportunities, and serving as a liaison between the first and third lines of defence. The second line of defence, currently being developed, is intended to form the risk management system, including methods, tools, process and organisation.

The third line of defence

supported by the Internal Audit department through monitoring of risk management and independent assessment of the risk management adequacy.

Risk identification consists in indicating such events that will affect the implementation of the strategy and achievement of objectives. In identifying risk, management considers internal and external factors, potential risks or opportunities, in the context of the entire organisation. Risk factors are identified at the Management Board level of the Pelion companies.

Risk assessment allows the organisation to analyse to what extent potential events may affect the achievement of objectives. In the first stage of assessment, the Management Boards of the Pelion companies analyse risk factors through the lens of inherent risk. Once responses to risk are defined, management analyses residual risk. Individual events should be analysed for their impact on:

  • finance,
  • reputation,
  • health, life and safety,
  • environment.

All information on identified risks is aggregated and classified by business area, risk category, source, materiality and other criteria. In this way, the risk profile for the entire area of Pelion's business is determined.

In 2016, 62 processes were audited in the execution of 17 audit tasks at different Pelion family companies. The auditors issued 71 post-audit recommendations, upon which the companies developed appropriate remediation plans.

(For more information on the subject, refer to the Directors' Report on the operations of the Pelion Group in 2016, sections ‘Risk factors and threats’ and ‘Statement of compliance with corporate governance principles’).

KEY RISKS IDENTIFIED AT PELION

  • Life and health

    RISK DESCRIPTION | MITIGATION MEASURES
    Failure to maintain proper conditions of storage | Certified quality systems; implemented systems of good distribution practices; logistics base meeting the most stringent safety standards for storage; regular quality audits
    Introduction of falsified products to trade | Supplier verification system
  • Technology

    RISK DESCRIPTION | MITIGATION MEASURES
    Loss of stability of IT systems; unauthorised access to confidential information on Patients and trade partners | Protection of IT systems and data using best practice in IT security, by a dedicated Group company
  • Market

    RISK DESCRIPTION | MITIGATION MEASURES
    Deterioration of market position / Strong price competition | Flexible pricing policy integrated with continuous monitoring of competitors' prices; launch of new distribution channels
    Short supply of offered products | Supply optimisation; minimum delivery requirements; long-term contracts with suppliers
    Loss of pharmacy locations | Monitoring of lease rights to premises; long-term lease agreements
    Changes in the distribution model [Manufacturer, Wholesaler, Retailer] [Direct distribution (Manufacturer -> Retailer), Establishment of pharmacy GPOs] | Modern logistics service for manufacturers; communication platforms for procurement market participants; specialised logistics base supporting storage and transport of thermally unstable products
  • Regulatory

    RISK DESCRIPTION | MITIGATION MEASURES
    Ban on advertising in pharmacies, threat to competitiveness | Seeking legal advice; dialogue with market participants, including the regulator
    Threats to the chain's development: standards governing concentration on the wholesale and retail markets; concentration criterion for the pharmacy market [1%]

    Monitoring the concentration level; active participation in consultations on new statutory regulations applicable to the Group's business

    Appointment of Compliance Officer

    Conducting regular quality audits

    Protests against operations; loss of a licence/permit for specific activity
    Regulations on official prices and margins; the government's reimbursement policy | Proactive inventory management; cooperation with manufacturers to limit potential losses resulting from discounts; compensation agreements
    Trade in medical devices threatened by supply shortages in Poland | Proactive inventory management; cooperation with manufacturers to limit potential losses resulting from discounts; compensation agreements
  • Human resources

    RISK DESCRIPTION | MITIGATION MEASURES
    Loss of key personnel | Incentive schemes for employees, including development of a fringe-benefit system: drug insurance for employees, promotion of healthy lifestyles, medical care programme
    Violating employee and human rights | Monitoring ethical aspects and analysing all issues reported to the Ethics Officer (e.g. mobbing, molestation, discrimination, violation of employee rights or employees' right to join organisations, or working hour schedules)
  • Financial

    RISK DESCRIPTION | MITIGATION MEASURES

    Credit risk/liquidity risk

    1. Concentration of receivables from a single customer relative to the Company's assets
    2. Incorrect assessment of a customer's creditworthiness

    Mitigation measures:

    1. Regular monitoring of the share of receivables from a single customer in total assets; definition of thresholds
    2. Constant monitoring of payments, written and telephone reminders, analysis of balances and amounts of receivables due supported by IT tools
    3. Implementing a limit-driven procedure for trade credit risk management at the decision-making level, defining the timing and conditions of granting/increasing a trade credit limit
    4. Implementing credit limits into the sales system, system protections preventing sales in excess of relevant trade credit limits
    5. Activities of a Group company dedicated to credit risk management

    No access to capital; loss of financing | Cashpooling arrangements within the Group; diversification of credit facilities
  • Intellectual property theft

    RISK DESCRIPTION | MITIGATION MEASURES
    Unlawful appropriation of R&D results | Patent protection of R&D results on the Polish, European and global markets. Data protection and limiting key personnel turnover.
  • Social

    RISK DESCRIPTION | MITIGATION MEASURES
    Nuisance to local communities, leading to disputes or conflicts (e.g. noise or excessive traffic) | Monitoring local communities' opinions, analysis of complaints and opinions, taking remedial measures. Undertaking social outreach initiatives compensating the adverse effect of nuisances.
    Abuse, corruption, bribery | Compliance with the Code of Ethics and the procedures for preventing unethical behaviour. Internal audit and monitoring of areas particularly at risk.

  • Environmental

    RISK DESCRIPTION | MITIGATION MEASURES

    Inventory and waste management:

    1. Improper storage of inventories of raw and other materials and finished goods, posing a threat of chemical leakage
    2. Improper management of waste, including in particular expired drugs, posing a threat of chemical leakage
    3. Improper waste sorting
    4. Failure to comply with obligations imposed on an entity which introduces packaging to the market (waste packaging)

    Mitigation measures:

    Inventory storage procedures and monitoring system.

    Cooperation only with reliable waste management companies which guarantee and are able to document proper methods of waste management or disposal.

    Cooperation only with established package recycling organisations that guarantee reliable delivery of recovery confirmation documents.