Corporate risks

Risk management within the Capital Group is implemented based on the adopted policy, which makes it an integral part of processes and a major element affecting the decisions made. The basic objective of the policy is to implement mechanisms that will enable the earliest possible risk identification, limitation of its probability as well as the potential consequences representing a threat to the goals of the Capital Group.

The risk management process leads to:

providing complementary expert knowledge in monitoring and prevention of the negative consequences of risk realisation;
continuous improvement of the risk management process at the Capital Group;
provision of relevant information to the Management Board and Supervisory Board of Grupa KĘTY S.A. on the threats within the organisation and in its environment.

Risk management is implemented at the level of the Capital Group, the operating segments, and the particular companies.

The process covers for example:

determination of the maximum acceptable risk level;
identification of risk areas and assessment of their influence on business decisions;
creation, maintenance, and improvement of the processes of risk identification, assessment and monitoring;
inclusion of risk management in business processes, as well as decision-making processes;
determination of management priorities and effective use of resources;
implementation of processes ensuring business continuity in case of extraordinary situations;
creation of risk management framework within the performed projects;
assessment of risk related to regulatory environment, and supporting the compliance function in ensuring operations compliant with the binding legal regulations;
identification and ensuring control over financial risk areas;
implementation of control mechanisms (blockers), which limit the probability and consequences of risk occurrence.

Responsible for implementation of the risk management system in compliance with the adopted policy as well as monitoring is the Management Board of Grupa KĘTY S.A., supported by the Risk and Compliance Committee. The risk management system is monitored by the Supervisory Board of Grupa KĘTY S.A. The Risk Management and Compliance Director was responsible in 2023 for the proper functioning of the risk management process.

Risk management takes place at three levels:
In 2023, there were held 11 meetings of the Risk and Compliance Committee, in which there were:

the Capital Group (GKK) – refers to strategic and operating risks related to GKK as a whole, and other risks subject to consolidation at GKK level;
Operating Segment – refers to Segment risks and risk directly related to the respective Segment;
Company/Location – refers to specific risks applicable to the respective company or location, which do not apply to the whole GKK or a segment.

discussed and recommenced the approval of risk charts updated during the annual risk review;
discussed and recommended the exclusion of insignificant risks from the risk register, consolidation of similar risks, and introduction of new risks significant to the Capital Group;
discussed and recommended the acceptance of the updated register of risks significant to the Capital Group;
discussed the Key Risk Indicators (KRIs) which serve the monitoring of defined risk materialisation and are reported within the accepted frequency intervals;
discussed the principles of operation and functionalities of an application enabling the registration of significant risks and opportunities, their measuring and reporting in the form of the adopted indicators.

As a result of the annual risk review carried out in 2023 there was prepared a list of risks that are major to the Capital Group. The applied general risk rating (scale from 1 to 125) is the product of three parameters assessed at the scale of 1 to 5:

probability,
financial impact,
reputation-related impact.

Based on the carried out measurement, risks are rated as low or acceptable (scored at up to 8 points), medium or requiring control (scored at 8 to 24 points), and high or critical (scored at over 24 points). Blockers intended to keep the risk at acceptable level or reduce the risk are assigned to each type of risk. The effectiveness of the introduced mitigants is assessed with the use of KRIs reported with varied frequency, which reflect the risk level in reference to the assumed critical level.

In 2023, the Risk and Compliance Committee recommended the adoption of the risk register containing 31 risks major to the Capital Group, including 26 of high and medium rating. Each risk has an assigned risk owner. Below presented are risks applicable to the Capital Group in 2023 of high and medium rating, along with the updated risk level and reflection of change compared with the preceding year.

Below presented are risks applicable to the Capital Group in 2023:

1. Risk of disturbances or breaks in IT infrastructure operation	Risk level: High	Risk level change:
Area: IT	Risk level: High	Risk level change:
The risk of IT systems failure which may result in downtimes or inability to perform tasks by the business units. Comment: Lower risk rating compared with the preceding year results from the process of development and modernisation of IT infrastructure, as well as implementation of risk-mitigating measures.
Risk-mitigating measures:
Outsource contract for IT operations Back-up policy IT staff participation in preparing strategic plans and budgets of the Segments HR procedures with regard to staff management Stress tests/socio-technical tests (penetration tests) Data Centre protection in compliance with the best sector practices (independent power supply, UPS, precise air-conditioning, extinguishing systems, monitoring, burglar control and access control systems)

2. Risk of profitability loss	Risk level: High	Risk level change:
Area: Finances	Risk level: High	Risk level change:
The risk of profitability loss as a result of financial risks related to instability of financial and commodity markets results from the fact that the Capital Group companies carry out exports, imports, sales and purchases based on variable prices depending on FX rates (denominated transactions). The prices of base materials, including aluminium for the EPS and the ASS, and petrochemicals for the FPS, undergo changes on the world’s markets, which is translated into changes in the costs of production and finished products prices.
Risk-mitigating measures:
Price formulas in trade contracts Duty to close term and derivative transactions as soon as they lose the financial risk hedging nature Defining hedge instruments allowed to be used Current effectiveness control, use of derivative instruments that are highly correlated with the underlying instrument Monitoring of interest in total costs, application of fixed interest rates

3. Risk related to cloud infrastructure utilisation	Risk level: High	Risk level change: New risk
Area: IT	Risk level: High	Risk level change: New risk
In relation to implementing cloud-storage IT solutions at Grupa KĘTY, risk related to data leakage, data loss or limited access to the data has been identified.
Risk-mitigating measures:
Redundant connections to cloud resources, alternative communication methods and tools Data encryption, two-factor authentication, security monitoring, data backup Dedicated data processing and entrusting agreements Audits of services and service providers, changes and modifications Dedicated service agreements

4. Risk of effective cyber attacks	Risk level: High	Risk level change:
Area: IT	Risk level: High	Risk level change:
Rapid growth of cyber threats is related to a growing number of attacks resulting in the risk of IT systems being stopped or destroyed, which may cause downtimes or inability of business units to complete their tasks. Comment: In 2023, Grupa KĘTY implemented a series of actions focusing on introducing state-of-the-art IT solutions in cyber-security and improvement of employee awareness. In order to ensure better traffic control between the particular segments, and specifically to improve the security of server segments and create protected segments for production areas, solutions securing traffic between the particular segments were introduced in LAN. New methods of securing the authorised logging into the network were introduced. A complete Security Operating Center (SOC) and EDR system were implemented. Also, standing cooperation with external consultants in cyber-security has been established.
Risk-mitigating measures:
Procedures of testing the changes introduced in systems Requirement to conclude support and guarantee agreements Training Cyber-Edge insurance

5. Risk of IT infrastructure inadequacy for strategic goals	Risk level: High	Risk level change:
Area: IT	Risk level: High	Risk level change:
Risk of IT infrastructure engineering condition being inadequate to the needs and strategy of the Group
Risk-mitigating measures:
IT staff participation in creating strategic plans and budgets of the Segments IT Committee consisting of the Capital Group Financial Director, Capital Group IT Director, Financial Directors of the Segments and Dekret CEO. The IT Committee was appointed to specify business objectives performed with the use of IT tools. It develops, coordinates and supports the central IT Department in building the IT strategy Creation of in-house IT solutions

6. Risk of IT system implementation failure	Risk level: High	Risk level change: New risk
Area: IT	Risk level: High	Risk level change: New risk
Risk of failure in the implementation of a ERP IT system
Risk-mitigating measures:
Committees controlling work at various levels Structured project team Stage control during the implementation process Acceptance tests and system capacity tests

7. Risk of staff shortages	Risk level: Medium	Risk level change:
Area: HR	Risk level: Medium	Risk level change:
Risk of appropriate staff shortages which may result in a failure to secure business areas with regard to the performance of strategic and operating goals and/or failure to comply with legal requirements or customers’ expectations. Comment: Higher risk rating results from the changed methods of risk valuation (acceptance of the value of comprehensive parameters of risk measurement compared with the previously applied consolidated average values, and further challenges in recruiting staff, such as duration of the recruitment process and offers availability).
Risk-mitigating measures:
Payroll reports, payroll analyses Information collected in recruitment processes, exit interviews Meetings with Labour Unions Additional pay for shift work and hard working conditions Suggestions systems (possibility to improve work, bonuses for inventors) Zero accidents programme Automation of processes Medical care, insurance Knowledge base, back-up staff, delegation of tasks

8. Risk of limitations in natural gas consumption	Risk level: Medium	Risk level change:
Area: Production and quality systems	Risk level: Medium	Risk level change:
Risk of gas supply limitation based on the binding legal regulations (Regulation of the Council of Ministers of 17 February 2021 on the methods and modes of imposing gas consumption limitations), and the resulting possible gas supply limitations. Comment: Lower risk rating results from the lack of the risk materialisation in the period of 2022/2023, when alternative sources of gas supply were used (Baltic Pipe and LPG Terminal) on the domestic level, and installation of dual-fuel burners (gas and electric energy) at selected lines.
Risk-mitigating measures:
Monitoring of natural gas consumption limitations Procedures to limit gas consumption Supervision of the current capacity and its adjustment to the degrees of natural gas supply limitations System of natural gas consumption monitoring per device/plant (‘power guardian’) Verification of the possibility of including certain recipients in the group of ‘protected recipients’ Appointment of persons responsible for contacts with natural gas distributor/seller Analysis of contracted power vs production plans

9. Risk of electric energy consumption limitations	Risk level: Medium	Risk level change:
Area: Production and quality systems	Risk level: Medium	Risk level change:
Risk of electric energy supply limitation based on the binding legal regulations (Regulation on the detailed principles and methods of imposing limitations in fossil fuels sales as well as supply and consumption of electric energy and heat). Comment: Lower risk rating results from the lack of the risk materialisation in the period of 2022/2023 and installation of dual-fuel burners (gas and electric energy) at selected lines.
Risk-mitigating measures:
Monitoring of electric energy consumption limitations Procedures to limit electric energy consumption Supervision of the currently used power and its adjustment to the limitation degrees Verification of excessive consumption on 15-minutes’ basis System of electric energy consumption monitoring (‘power guardian’) Appointment of persons responsible for contacts with electric energy distributor/seller Analysis of contracted power vs production plans

10. Risk of polluting the environment	Risk level: Medium	Risk level change:
Area: Production and quality systems	Risk level: Medium	Risk level change:
Risk of polluting the environment as a result of the operations carried out, resulting in the plant closure and high administrative penalties imposed on the operations causing water, air or soil pollution with substances or radiation in quantities or in the form which may threaten human life or health, or bring about water, air or soil quality deterioration, or significant damage to fauna or flora.
Risk-mitigating measures:
Environmental permits and decisions, including conditions and limits for using systems Inspections by authorities and certifying bodies Supervision of legal requirements and environmental permits with regard to the allowed emissions, monitoring and tests Regulations regarding the use of best available technology (BAT) Supervision of environmental protection and pollution reduction infrastructure and emitters, as well as the technical condition of the sources of emissions, machines and systems using hazardous substances, waste treatment plants, etc. Current identification and assessment of the conditions of applying, approving for use, and contents analysis of hazardous substances and mixtures Keeping documentation (Material Safety Data Sheets Register) Training in environmental protection Solutions preventing release of hazardous substances as well as fire and explosion protection systems and equipment Waste recipients verification, agreements on waste collection/treatment Legal regulations regarding environmental protection – current monitoring and use of information tools

11. Risk of ineffective compliance system	Risk level: Medium	Risk level change:
Area: All companies of the Capital Group	Risk level: Medium	Risk level change:
The risk that the operations of the Company will not comply with the legal regulations results from a failure to abide by legal acts, ordinances, laws or internal standards, policies, codes of conduct, which exposes the Company to paying fees. Comment: Lower risk rating results from the extension of the Compliance function and verification of the measurements of the risk financial consequences.
Risk-mitigating measures:
Compliance management system Regulatory environment monitoring system Periodical staff training Periodical management staff training, management staff engagement in the compliance management system Cooperation with speciality law firms, operation of internal control and internal audit areas

12. Risk of being unprepared to continuity loss resulting in long-term suspension of a key part of production (over 1 month)	Risk level: Medium	Risk level change:
Area: Production and quality systems	Risk level: Medium	Risk level change:
Risk of being unprepared for continuity loss resulting in long-term operations suspension, including inability to use a production or warehouse building, lack of resources (e.g. semi-products), shortage of human resources, long-term failures and engineering downtimes
Risk-mitigating measures:
Adjustment of the particular actions to the specifics of the Segments. These include on a standard basis: Continuity plans Risk Team activities Regular monitoring of the market of raw materials and utilities Diversification of suppliers and recipients Technical inspection Adjustment of machines and equipment to the changing regulations List of machines and equipment subject to special supervision Diversification of location for some production processes All risks insurance including business interruption (BI) cover, and insurance of selected property, plant and equipment against damage

13. Risk of faulty inventory management policy resulting in production delays or downtimes	Risk level: Medium	Risk level change:
Area: Production and quality systems	Risk level: Medium	Risk level change:
Lack of proper inventory management policy poses a hazard for the continuity of production and timely order completion, consequently leading to negative financial results and loss of customers’ trust.
Risk-mitigating measures:
Adjustment of the particular actions to the specifics of the Segments. These include on a standard basis: Production management systems Consignment store, warehouse stock at suppliers Safe warehouse stock based on forecast consumption and orders on the go Forecasts for supplier in order to book their production capacity at a certain time Production planning systems, monitoring and recording of the production process, inventories monitoring Diversification of raw materials suppliers (also with regard to the geographic aspect) Regular verification of demand for production components

14. Risk of incidents regarding personal data protection (e.g. due to non-compliance with GDPR), resulting in fines and reputation tarnishing	Risk level: Medium	Risk level change:
Area: HR	Risk level: Medium	Risk level change:
Risk of improper personal data securing.
Risk-mitigating measures:
Personal Data Officer’s opinions and audits Compliance management system Employee declarations Access verification by the Personal Data Officer Verification of access to electronic databases Access procedures for employees and visitors Staff training Ban on installing software without IT authorisation, training in systems use, access control

15. Risk of malfeasance, understood as actions or omissions in breach of the generally binding laws	Risk level: Medium	Risk level change:
Area: All companies of the Capital Group	Risk level: Medium	Risk level change:
Purposeful actions or omissions in breach of the generally binding laws, as a result of which the perpetrator obtains illegal gains, causing losses or failure to attain the assumed results (fraud, theft, misuse, etc.).
Risk-mitigating measures:
Anti-corruption Policy Generally binding laws Internal audit and internal control Compliance management system Regular staff training, information campaigns in Intranet Articles of Association, by-laws, regulations Code of Ethics

16. Risk of credibility loss by the Company due to rejection from stock listing by the Management Board of the Warsaw Stock Exchange	Risk level: Medium	Risk level change:
Area: Communication	Risk level: Medium	Risk level change:
Adoption of a resolution by the Management Board of the Warsaw Stock Exchange to delist the Company shares as a result of violation of the Warsaw Stock Exchange regulations, including disclosure obligations, lack of transactions in the Company shares for a period of three months, undertaking by the Company of activities prohibited by the binding laws, which may result in civil claims against the Company and its managers for acting to the detriment of the Company or shareholders, increased costs of finance as a result of the Company reputation tarnishing, or penalties imposed by the Management Board of the Stock Exchange.
Risk-mitigating measures:
Interim reports: multi-stage verification of the report contents Current reports: multi-stage verification of the report contents Active communication policy as regards the investors Legal environment monitoring by people responsible for the particular areas of the Company operations, compliance management system

17. Risk of non-compliance with the MAR regulation, resulting in imposing fines	Risk level: Medium	Risk level change:
Area: Communication	Risk level: Medium	Risk level change:
Possible imposition of fines for non-compliance with disclosure obligations and/or lack of relevant documents. Imposition of fines for disclosure or use of confidential information by an employee of the Company before the information is officially published.
Risk-mitigating measures:
Regulated information flow system Periodical training

18. Risk of ineffective ownership supervision over the Group’s financial assets, resulting in impairment, liquidation or disposal of high-value assets	Risk level: Medium	Risk level change:
Area: All companies of the Capital Group	Risk level: Medium	Risk level change:
Risk of high-value assets loss (liquidation, disposal), necessity to recognise assets impairment.
Risk-mitigating measures:
Entries in corporate documents (articles, company deeds, memoranda of association) regarding: the duty to approve strategies and budgets (including investment budgets) by supervising authorities; the duty to obtain supervising authorities approval with regard to the principles of voting in General Meetings of companies in which the Company holds at least 20% shares; the requirement to hold Supervisory Board Meetings on regular basis; the duty to obtain approval of competent bodies with regard to some liabilities, or approving liabilities exceeding the set out amounts. Procedures regarding companies take-overs or establishing companies, which introduce, for example, the necessity of: reporting acquisition plans at the moment of budgets creation; notifying the competent bodies about projects exceeding the agreed values; preparing analyses, including NPV measurements for development projects of specific value.

19. Risk of non-compliance with tax regulations, resulting in high administrative penalties	Risk level: Medium	Risk level change:
Area: Accounting	Risk level: Medium	Risk level change:
The risk of fines imposed by the Tax Office (PIT, CIT, VAT) or local authorities (tax on real estate).
Risk-mitigating measures:
Training in tax changes Monitoring of tax changes and current practices in that regard Analysis of the possible tax consequences and conditions for planned transactions Bookkeeping system updates with regard to legal changes Contractors verification, monitoring of the ‘White List’ of taxpayers

20. Risk of missing effective supply chain, which results in delays or stoppages in production/sales order performance	Risk level: Medium	Risk level change:
Area: Purchases	Risk level: Medium	Risk level change:
Risk of discontinuity of supplies resulting in shortages of materials/production goods/sales goods. Comment: Lower risk rating results from cancellation of limitations due to SARS-CoV-2 pandemic and shortening of the periods of materials deliveries, as well as changes in demand.
Risk-mitigating measures:
Adjustment of the particular actions to the specifics of the Segments. These include on a standard basis: Suppliers diversification Adequate stocks in-house and at selected suppliers Suppliers trustworthiness verification Purchase/delivery plans Cooperation agreements Inventory reports and analyses Geopolitical situation monitoring Alternative geographic destinations for deliveries

21. Risk of ineffective receivables management policy, which affects financial liquidity or financial results	Risk level: Medium	Risk level change:
Area: Finances	Risk level: Medium	Risk level change:
Risk of losing receivables of significant value, necessity of recognising provisions as a result of, for example, high sales concentration, faulty customer analysis, insufficient security. Comment: Lower risk rating results from increased insurance cover for receivables
Risk-mitigating measures:
Determination of the maximum value of the unsecured part of receivables Verification of information at business intelligence companies Appointment of persons responsible for debt-collection supervision Current monitoring of the receivables ageing structure Receivables insurance Other security measures applicable to receivables (e.g. blank promissory notes, mortgages on customers’ real properties, letters of credit, bank guarantees, security bonds by other entities, etc.)

22. Risk of unforeseeable/extraordinary events occurrence, resulting in losing operating facilities (plant, warehouse), limiting or stopping production processes, or and incurring financial losses on that account	Risk level: Medium	Risk level change:
Area: Production and quality systems	Risk level: Medium	Risk level change:
Risk of operations disturbance or break as a result of losses originating from an extraordinary event (e.g. fire, hurricane, whirlwind, rockburst, building catastrophe, lightning stroke, earthquake, motor vehicle impact, aircraft crash, explosion, meteorite fall), or natural disaster (e.g. drought, heavy snowfall, extreme heat or frost, storm, flood, hail). Comment: Lower rating results from implementation of the selected recommendations, including those following independent audits.
Risk-mitigating measures:
Adjustment of the particular actions to the specifics of the Segments. These include on a standard basis: Regular technical inspections Fire detection systems in certain areas Staff training in fire protection measures Development of procedures and instructions in liaison with third parties as regards hot works Internal OHS and fire protection inspections Smoking ban apart from set out places Periodical verification of fire systems efficient functioning (alarms and extinguishers) Evacuation trainings Plants security service Insurance against accidents and natural disasters (including BI cover) Lightning protection systems

23. Risk of non-performance or lack of strategy update in the sustainable development area (social responsibility), resulting in non-compliance with new legal and business requirements	Risk level: Medium	Risk level change:
Area: CSR	Risk level: Medium	Risk level change:
Risk of damage to the Company’s reputation as one operating in compliance with the idea of sustainable development and, thus, inability to cooperate with companies for which the idea is major in their operational policy. Simultaneous risk of legal and financial consequences. Comment: Lower rating results from the achievement of the assumed strategic goals in the ESG area, and the fact that the adopted strategy did not result in customers loss. Moreover, in the recent period the Group received higher independent ratings with regard to ESG.
Risk-mitigating measures:
Committee for Sustainable Development and Corporate Social Responsibility Defined ESG strategic goals Key indicators monitoring Speciality knowledge outsourcing Systems and equipment to monitor environmental factors excesses Compliance system Speciality training, improvement of professional qualifications

24. Risk of non-compliance with the principles of ethics, resulting in non-ethical culture at the organisation and claims on account of breaching the Code of Ethics	Risk level: Medium	Risk level change:
Area: CSR	Risk level: Medium	Risk level change:
Risk of tarnishing the Company’s reputation as one operating in compliance with ethical business principle and, thus, inability to cooperate with companies for which the ethical values are major in their operational policy. Consequent possible claims against the Company or tarnished reputation. Comment: Higher risk rating results from the changed methods of risk valuation. During risk valuation update the previous model was verified, such as to bring higher attention to the fact that along with headcount growth the probability of negative behaviour occurrence increases. Moreover, in the public space and within the organisation itself the awareness of the importance to abide by the Code of Ethics has been growing, which brings higher reputation risk in case the Code of Ethics is breached.
Risk-mitigating measures:
Training Communication of ethical issues in the Intranet, the corporate newsletter, on information boards at production departments, information on dedicated screen displays CSR Policy Respect for Human Rights Policy Code of Ethics Committee for Sustainable Development and Corporate Social Responsibility Compliance system

25. Risk of non-attainment of the expected sales (drop in sales volume), resulting in budget and strategic plans non-performance	Risk level: Medium	Risk level change:
Area: Sales & Marketing	Risk level: Medium	Risk level change:
The risk that budget assumptions and, in consequence, the result/profit will not be achieved, drop in the number of active customers, threat to strategies and planned projects performance. Comment: Lower risk rating results from the changed methods of risk valuation. The analysis of historical data with regard to non-attainment of budget assumption reflected lower probability of the risk occurrence that it has been assumed before. Change of probability resulted in the risk rating reduction.
Risk-mitigating measures:
Adjustment of the particular actions to the specifics of the Segments. These include on a standard basis: Customers and credit limits verification for the particular Segment Extension of cooperation with the existing customers Offering new products in response to market requirements and customer expectations Customer satisfaction level verification Monitoring of the competitors’ actions Current control of margin levels

26. Risk of ineffective OHS policy, which may result in fatal accidents or permanent health impairment, as well as staff shortages difficult to back up	Risk level: Medium	Risk level change:
Obszar: Produkcja i systemy jakości	Risk level: Medium	Risk level change:
Risk related to the possible accidents at work or while commuting to or from work.
Risk-mitigating measures:
Adjustment of the particular actions to the specifics of the Segments. These include on a standard basis: Regular technical inspection, maintenance and repair of plant and equipment Regular tests and measurements of workplace parameters Occupational risk assessment Casings and protections on machines OHS warning signs Selection of proper personal protection equipment Staff training in OHS, fire protection measures, and first aid Fire alarm systems Extinguishing systems

Key:
Risk level increase	Risk level unchanged	Risk level decrease

Below presented are two risk charts comprising solely the financial and reputation-related impacts for the aforesaid risks.

Details concerning financial risk management are presented in note 36 to the consolidated financial statements of the Capital Group of Grupa KĘTY S.A. for the year 2023.

Diversity Policy with regard to the managing and supervisory bodies

Related to ESG