Sustainability report 21|22

Corporate Governance

In order to meet the requirements for proper corporate governance, RAG has implemented all of the elements necessary in accordance with a modern three lines of defence model* and integrated them into its operations.

These are mainly related to the groups of issues typically associated with compliance, risk management and the internal control system. Additional elements – such as an information security management system (ISMS) and a business continuity management system – are in place to help us fulfil our duties as an operator of critical infrastructure.

RAG’s compliance management structures cover all principles, measures and activities aimed at ensuring that the company conforms to all applicable regulations. The head of Internal Audit also serves as the Compliance Officer, with responsibility for all core aspects related to compliance, and reports to the Executive Board.

These aspects include corruption prevention, the avoidance of conflicts of interest and the establishment of a mandatory whistleblower system.

Compliance with the policies and guidelines is reviewed in the course of internal compliance management audits, and internal audits are also planned in 2023.

*Framework for a governance, risk and compliance management system
 

Binding central corporate governance policies

  • Corporate philosophy and code of conduct
  • Management principles
  • Guidelines on handling information (business secrets)
  • Corruption prevention policy
  • Financial and energy market regulation guidelines
  • Risk management manual
  • Compliance policy
  • Procurement policy
  • GDPR regulations


 We conscientiously comply with all laws, guidelines and voluntary agreements. This is an integral part of our compliance frameworks as well as our corporate culture.

 

Technical legal compliance

A significant proportion of compliance-related matters – in particular those which are essential for the proper operation of technical facilities, including engineering and integrity management – are managed on-site on a decentralised basis by the various specialist departments, which ensure compliance with legislation, regulations and official notices, such as mining law regulations and legislation on employee protection.

Managers in particular have a key role to play in this regard, as they have a duty of care which obliges them to take appropriate steps to ensure regulatory compliance. Employees form the basis of the company’s compliance structures, as they conscientiously comply with both internal and external regulations in the course of their everyday work. The various specialist departments serve as points of contact for queries on decentralised compliance-related matters connected with their operations. 

Breaches of compliance policies can either be reported directly to the Executive Board by the manager concerned or reported through the whistleblower system. Investigation of such reports depends on the circumstances under which they were made. The confidentiality of reports submitted through the whistleblower system is guaranteed by law, and RAG has implemented appropriate structures in this respect. The Compliance Officer also prepares a comprehensive report for the Executive Board at least once a year.

Internal control system

Compliance with internal guidelines and processes is ensured using an internal control system. This is characterised by a functioning organisational structure, a four-eyes principle, separation of functions, and internal guidelines for business processes.

All business transactions concluded on RAG’s behalf must be booked or documented in accordance with the applicable regulations, and must be verifiable. Under the process-oriented ICS, selected business processes are subject to systematic controls – the individual control steps are documented and checks are made to ensure they are carried out. Annual evaluations ensure that the ICS is kept up to date, and its effectiveness is continuously monitored by Internal Audit.

The ICS focuses primarily on financial reporting, but it also covers key operational aspects, such as tank farm inventories in order to ascertain stocks of crude oil held as compulsory emergency reserves, and reserve accounting for oil and gas.

Sustainability matters in risk assessment

In view of the importance of sustainability, an evaluation was carried out as part of our risk assessment procedures, and sustainability risks will be included in the annual assessment for the first time as part of the 2023 ‘risk run’. In the course of this process, risk owners received training based on examples, with the goal of raising awareness of the financial and non-financial impacts of risks.