Risk Management Policies and Procedures

1.Purpose

All of the activities undertaken by Logistable Limited (“Logistable”, “the Company”, “it”) carry some element of risk. The exposure to those risks (both opportunities and/or threats that derive from them) is dealt with by way of the process of Risk Management. Logistable Limited will look to take advantage of potential business opportunities as and when they present themselves while managing the potential adverse effects.

Overall the purpose of this risk management policy is therefore to provide support and guidance for the identification and management of the risks faced by Logistable.

The risk management policies and procedures in this document are designed to ensure the achievement of Logistable’s business objectives, protect staff members and business assets (both physical and intangible) and ensure that Logistable remains on a sound financial footing.

2.Scope

This document applies to all of Logistable’s activities. It is an essential part of Logistable’s governance framework and applies to its board of directors, employees and third parties with whom Logistable transacts business.

3.Risk Appetite and Communication

Logistable has a Low Risk Appetite across all of the activities that it undertakes. To that end all of Logistable’s employees are required to bring to the attention of senior management as soon as practically possible any risk that they have identified and that they believe could affect the business and proper functioning of the Company.

Logistable has a number of supporting management policies and procedures in place that are designed to be an integral part of its risk mitigation process. These are contained in targeted policies such as, but not limited to:

  • AML/CTF/CPF policies and procedures.
  • A risk based approach to on-boarding clients.
  • GDPR policies and procedures.
  • Complaints policy and procedures.
  • Conflicts of Interest policies and procedures.
  • Staff transactions policy.
  • Business Continuity/Disaster Recovery policy and procedures.
  • Departmental policies and procedures.

4.Understanding Risk Management

Risk is generally defined as the combination of the consequences of an event occurring and the likelihood of it actually occurring.

Risk is therefore the chance of an event taking place that will have an impact on the stated objectives of Logistable, whereas risk management is the culture, procedures and structures that are directed towards identifying and realising potential opportunities while managing any potential adverse effects.

Logistable’s management system is therefore designed to identify the risks it faces and keep them at an acceptable level. Logistable’s risk management processes consist of the following main elements:

  • Identify: Identify the opportunities or threats and document the risks associated with them.
  • Assess: Identification, analysis, evaluation and documentation of the risks identified by assessing the following:
    • The likelihood of the risks materialising
    • The impact on Logistable of each risk
    • The proximity of the risk and the speed at which it may materialise
  • Plan: The preparation of management responses to maximise opportunities and mitigate the threats.
  • Implement: The implementation of the risk responses prepared by management.
  • Monitor and review: The monitoring and review of the risk management system and its effectiveness and the necessary changes required.
  • Communicate and consult: The provision of regular reports to senior management at designated times and communicating any changes to all employees of Logistable.

5.Risk Governance

As indicated above the scope of this document applies to the board of directors, senior management, employees and third parties.

Board of directors: The board provides policy, oversight and review of the risk management policies and procedures of Logistable.

Chief Operating Officer (COO): The COO is responsible for this document and drives the culture of risk awareness within Logistable and sets the standard for its management within Logistable.

Head of Risk: The primary function of the head of risk is to continuously revise, adapt and develop the risk management policy, its implementation strategy and the framework that surrounds and supports it.

Department Heads: Department heads must ensure that their staff are aware of and comply with the risk management policy. They must also support and promote a culture of risk awareness that encompasses the identification and addressing of risks (as and when they arise) following the relevant procedures.

Staff and Third Parties: All staff and third parties must comply with the risk management policies and procedures set out in this document.

6.Risk Management Process

The summary of the risk management process outlined below is designed to be dynamic and adapt to on-going developments be they changes in the profile of a previously identified risk and/or the emergence of a new risk. The process takes into account the internal and external risks that may impair Logistable’s ability to operate in an efficient and effective manner.

Internal Risks: Identified as relating to Logistable’s business itself and therefore generally deemed to be within its control. Examples include: risks associated with a business relationship, employee related risks, internal governance, financial risks and strategic risks.

External Risks: These risks are generally identified as being outside of Logistable’s control. Examples include: changes to legislation, cyber security risk, global macro-economic conditions and global pandemics.

The main constituents of the process are as follows:

1.Establish the context:

Prior to formally assessing the risks it faces, Logistable needs to establish the internal, external and risk management environment in which the rest of the risk assessment and management process will take place. This will require consideration of the agreed risk appetite and tolerance established by the board of Logistable in relation to how it views its:

    1. Reputation.
    2. Financial position.
    3. Commercial circumstances.
    4. Corporate governance and management structure.
    5. Operational activities.

2.Risk identification:

The risk identification process involves identifying and documenting risks (both internal and external) across all areas of Logistable’s business, including where, when and how a risk event could prevent, delay or enhance the achievement of Logistable’s objectives. Risks can be identified in various ways and by any employee of Logistable. Risks could therefore be identified:

  • Simply by the process of carrying out day to day activities.
  • In reaction to the occurrence of an unforeseen event.
  • Proactively via formally established systematic risk management processes such as:
    • Strategic planning: by the board of directors on all aspects of Logistable’s business.
    • Operational activities: regular meetings of senior management/department heads, data processing and analysis, financial and business reviews and forecasting.
    • Assessments: external audits and internal reviews and reporting covering all aspects of Logistable’s business.
    • Event Log: recording internal incidents and risks, tracking them, identifying and implementing solutions and where necessary creating new procedures to mitigate future events.

 

3.Record risk identified:

Risks identified must be communicated to the head of risk and recorded in the Logistable Limited Risk Register.

4.Risk analysis:

This step involves the calculation of the risks identified based on two factors, these being:

  • The consequences for Logistable of that risk event occurring; and
  • The likelihood and velocity at which the risk event identified will occur.

Performing an analysis on this basis enables Logistable to assign a level of risk to the risk event identified.

Consequences of a risk event occurring:
Logistable has established parameters setting out and grading, across the main areas of its business, the consequences of the risk identified materialising (see Table 1 below).

Table 1. Consequences matrix.

 

Likelihood and velocity of a risk event occurring:
Logistable has established a guide setting out and grading, across the main areas of its business, the likelihood of the risk identified materialising and the velocity at which the risk identified could potentially occur (see Tables 2 and 3 below).

Risk velocity adds a further dimension to the process of analysing risk. Velocity considers the following factors associated with any risk identified.

  • Speed of onset: Consideration is given to how quickly a risk might occur and the timeframe that Logistable has to prepare for the onset of that risk.
  • Speed of impact: Tries to establish how quickly and in what way Logistable will be affected by the onset of that risk.
  • Speed of reaction: Establishes Logistable’s ability to identify the risk and its ability and agility to react and adapt in a timely manner.

Table 2. Likelihood guide.

Table 3. Velocity scale.

In order to establish a consistent approach towards assessing the material business risks identified, Logistable has established (with the sole exception of ML/TF & PF risks, for which a separate risk assessment matrix has been developed in line with the Proceeds of Crime Act 2015, the GFSC’s ML, TF and PF Guidance Notes and Gibraltar’s National Risk Assessment for 2020) a risk assessment matrix (see Table 4 below) and a standard risk register in order to record all identified risks. The risk register is maintained and managed by the Head of Risk and is a “living” document. A copy of the risk register is attached to these policies and procedures.

Table 4. Risk assessment matrix.

5. Risk evaluation:

The risk rating assigned by the risk assessment matrix to any risk identified sets the level of priority/urgency of said risk. Logistable has set out guidelines for the actions proportionate and appropriate to the level of risk and the communication of said risks within Logistable.

7.Risk Treatment/Response

The response and treatment of the risks identified are dealt with by the development and implementation of specifically tailored cost-effective strategies in order to mitigate any potential costs and increase any potential benefits.

All Very High and High material risks identified require controls to be implemented in order to address and treat the risk so as to reduce it to an acceptable level that falls within the risk parameters set by the board of Logistable. Table 5 below illustrates the actions and reporting requirements associated with risk scores and risk ratings.

Table 5. Actions and reporting requirements.

Logistable has three layers of protection against the emergence of a specific risk and its subsequent management. These are:

  • The day to day business operations that establish on-going risk management activity following Logistable’s documented policies and procedures.
  • The existence of oversight functions within Logistable such as Financial Control, Compliance, the MLRO function and Risk management. These functions provide assurance that the relevant policies and procedures referred to above are working efficiently.
  • Finally, internal and external audits are the third layer of protection. They provide an independent challenge to the levels of assurance provided by the oversight functions referred to above. Examples include: the statutory external audit of financial statements and financial systems undertaken annually by PWC and the internal audits undertaken under the Proceeds of Crime Act 2015 by Mr Peter Wodtke in 2019 and PWC in 2021.

8.Risk Monitoring and Review

A Risk Register has been established in order to provide a single document that sets out the risks Logistable faces across the full range of its business activities.

The Risk Register, as described earlier in this policy and procedure document, is a “living document”. The Risk Register therefore includes the original risk rating assigned to a specific risk identified and provides a description of risk mitigation controls, plans and procedures in place and being implemented to address the said risk identified. A residual risk rating is then assigned to the said risk identified based on those mitigating plans and procedures.

The register is reviewed as and when deemed appropriate by the Head of Risk and at least annually. The review is designed to:

  • Assess the recorded risks and their ratings against Logistable’s evolving business and operational processes.
  • Examine how robust and effective the risk controls and the mitigation controls, plans and procedures in place continue to be.

The Head of Risk will undertake a monthly review of all risks reported in the risk log.

9.Risk Reporting

Material Business Risks:
All material business risks, be they a threat or an opportunity, must be reported as soon as possible to the Head of Risk.

Risk Incidents:
It is the responsibility of every Logistable employee to report any potential or actual risk incident as soon as it is identified. Employees should report the incident directly to their line manager and this should be passed on to the Head of Risk without delay.

A risk incident is:

  • the materialisation of a risk (whether anticipated/planned for or not),
  • the breakdown or absence of a risk control mechanism.

All incidents reported to the Head of Risk must be logged in a Risk Event Log, and the level of risk posed, the severity, velocity and likelihood of it escalating must also be logged. The treatment, end result and the implementation of solutions/new procedures must also be detailed.
