ORLEN Group 2017
Integrated Report

Counteracting Corruption and Bribery


The ORLEN Group seeks to eliminate any instances of corruption and bribery. We prevent all forms of corruption and put in place preventive practices within the organisation and in the supply chain. If any form of corruption is identified, decisive steps are taken to remedy the situation and prevent further incidents of this type.

The anti-corruption and anti-bribery policies and internal regulations include:

  • Core Values and Standards of Conduct – describing standards of conduct in situations related to accepting or offering benefits representing financial gain.
  • Enterprise Risk Management Policy and Procedure – documents providing for the methods of identification, assessment and monitoring of risks in accordance with the methodology adopted at the company.
  • Rules of Control Procedures Performed by the Audit, Financial Control and Enterprise Risk Management Office – they define the rules of internal control at PKN ORLEN and its subsidiaries. The rules provide for all aspects of the process with regard to rationale for particular activities, good management, reliability, legality, organisational efficiency and correct conduct.
  • ORLEN Group Regulatory Risk Management Policy – governs regulatory risk management processes resulting from existing or proposed legal acts, excluding tax risks.
  • Anonymous Misconduct Reporting System – the system provides a framework for identifying potential irregularities and instances of misconduct, which can be reported via indicated information channels.
  • Corporate Governance Policy – it includes instructions on the selection of candidates for members of the ORLEN Group companies' governing bodies and the rules for setting and reviewing Individual Bonus-Related Tasks for members of the management boards of ORLEN Group companies. It provides for full corporate supervision over the ORLEN GIFT FROM THE HEART Foundation.
  • Rules for Managing the Risk of Losing Information Security Attributes – information and guidelines on the process of managing the risk of losing security attributes.
  • Supplier Code of Conduct – defines ethical standards that must be met by the ORLEN Group suppliers, includes guidance on activities related to counteracting corruption, and promotes high ethical standards in business activities.

In accordance with the Code of Best Practice for WSE Listed Companies, PKN ORLEN has in place effective functional control, risk management and compliance supervision systems, as well as an internal audit and control function. The simultaneous operation of all those systems and functions allows the Group to exercise ongoing and effective anti-corruption supervision.

Within its structure, PKN ORLEN has an organised management control system comprising a set of comprehensive procedures. The procedures are managed through a dedicated IT system which ensures their consistency through multifaceted agreements as well as approvals at each level in the organisation.

In order to minimise the risk of fraud and corruption, PKN ORLEN has adopted the popular three lines of defence / prevention model.

The first line of defence involves risk management by business units and controls related to the Company’s operational processes. The second line is compliance functions, and the third – internal audit and control, supporting the correct functioning of the specified prevention measures.

  1. First line of defence / prevention – Integrated Enterprise Risk Management System (ERM).

Risk management is a continuous process, though it is modified in response to the ever-changing economic environment. Therefore, in order to systematise and optimise the risk management process, PKN ORLEN has implemented the Enterprise Risk Management Policy and Procedure.

In line with the adopted methodology, the risk management process at the ORLEN Group comprises:

  • Risk identification.
  • Risk assessment based on the impact and probability of occurrence of specific events, taking into account both the gross risk (where no risk-specific controls have been implemented) and the net risk (based on the assessment of the effectiveness of controls). As part of risk assessment, the risk owner also determines the level of risk appetite¹ enabling achievement of the strategic goals.
  • Development of remedial action plans where the effectiveness of controls is assessed as low.
  • Monitoring and reporting.

In order to provide up-to-date information on key risks, individual business areas assess risks once a year to ensure that the list of the most significant risks to the organisation is up to date. The assessment is the responsibility of the relevant process, risk and functional control owners.

Results of the self-assessment are used to develop plans of remedial actions for individual risks and risk controls, to help bring net risk (with risk-specific controls in place) in line with the organisation's desired risk appetite.

In order to ensure the proper quality of the self-assessment process carried out by business areas, the correctness of controls testing is reviewed on a regular basis, which also makes it possible to supervise financial and operational risk compliance.

Upon completion of each risk self-assessment exercise and risk controls testing, a report is prepared and submitted to the Company’s Management Board and to the Supervisory Board's Audit Committee. The report identifies the most material risks to PKN ORLEN and recommends suitable mitigation methods. In 2017, the process of risk self-assessment and risk controls testing at PKN ORLEN was performed with the participation of key management personnel, which enabled assessment of 521 risks to be updated through verification of 1,251 risk controls in 83 business processes.

In 2017, the group of key companies covered by the ERM system (ANWIL, ORLEN Lietuva, Unipetrol, and ORLEN Deutschland GmbH) was extended to include ORLEN Paliwa and ORLEN Centrum Usług Korporacyjnych.

  2. Second line of defence / prevention – compliance function.

PKN ORLEN’s compliance function is based on the following four elements:

  • With respect to the activities of the Audit, Control and Enterprise Risk Management Office:
      1. The internal audit and control function – with respect to compliance of the processes with internal regulations.
      2. Enterprise risk management, understood as a system for assessing financial and operational risk compliance with regard to the effectiveness of controls and the ERM Policy and Procedure in place.
  • With respect to the powers and responsibilities of Audit and other PKN ORLEN offices:
      1. Assessment of compliance with integrated management systems (ISO).
      2. Identification of regulatory risks, including in particular those related to the sector in which the Company operates.

PKN ORLEN has developed and announced its Integrated Management System Policy, whose implementation and validity are regularly assessed by managers of organisational units, including Executive Directors and Office Directors.

The Company’s Integrated Management System takes into account the findings of audits and reviews as well as complaints and grievances. Additionally, should the need arise, preventive / corrective measures are taken to address any instances of non-compliance identified in the above processes. All these measures aim to ensure compliance with the adopted reference standards, i.e.: ISO 9001 (quality management system), ISO 14001 (environmental management system), PN-N-18001 (occupational health and safety management system), ISO 27001 (information security management system), the ISCC system (a certification system for biomass and biofuels), the Factory Production Control System, and the Food Safety Management System.

Once a year, based on the reviews, a comprehensive report is prepared on the organisation’s Integrated Management System, which is submitted to the Company’s Management Board and published on the Intranet.

PKN ORLEN’s compliance with applicable laws or draft legislation is monitored on an ongoing basis and, if necessary, relevant steps are taken to ensure that the Company meets the requirements of Polish and EU laws and regulations.

  3. Third line of defence / prevention – internal audit and control function.

The internal audit and control function is performed by the Audit, Finance Control and Enterprise Risk Management Office (the ‘GA Office’), whose responsibility is to assess functional control systems in an independent and unbiased manner, and to analyse business processes.

The activities of the GA Office conform to the International Standards for the Professional Practice of Internal Auditing, developed by the Institute of Internal Auditors (IIA). Compliance with the Standards is regularly reviewed by an appropriately authorised external entity. In 2016, KPMG ascertained the GA Office’s full compliance with relevant international standards and best practices.

The independence of the Audit, Control and Enterprise Risk Management Office is assured through appropriate functional and administrative subordination within the Company's organisational structure.

The GA Office carries out audits, inspections, and consultancy projects on the basis of annual audit and inspection plans approved by the Company’s Management Board. Additionally, the audit plan must be approved by the Supervisory Board's Audit Committee and the Supervisory Board. As part of its day-to-day operations, the GA Office reviews compliance issues by checking whether processes are performed in keeping with the applicable internal regulations. Ad-hoc audits and inspections may also be conducted by the GA Office when and as requested by the Company's Supervisory or Management Board.

Based on its principal activities, the GA Office defines, in the form of guidelines, post-inspection recommendations, and post-inspection instructions, solutions and standards designed to reduce the risk of non-achievement of the Group's objectives, improve effectiveness of the functional control system, and increase efficiency of business processes. The GA Office continuously monitors its guidelines, post-inspection recommendations, and post-inspection instructions, based on which it prepares, twice a year, a report indicating the degree of their implementation. Moreover, reports are prepared periodically on the activities of PKN ORLEN’s and the ORLEN Group’s audit function, describing in detail the key observations made. All those reports are submitted to the Company's Management Board and the Supervisory Board's Audit Committee, which performs ongoing assessment of the entire organisation’s operations.

The tasks performed by the internal audit and control function consist in prevention and detection. They are complemented by activities performed by ORLEN Ochrona, which has due authorisations and appropriate tools, including the ability to use the services of business intelligence agencies and detectives.

If any instance of corruption is suspected, relevant steps are taken in close cooperation with law enforcement agencies, including the police and Central Anti-Corruption Bureau (CBA). The simultaneous operation of all the systems and functions described above allows the Group to exercise ongoing and effective anti-corruption supervision.

¹ Risk level which is acceptable for the business owner.