2021 INTEGRATED MANAGEMENT REPORT
OPERATIONAL RISKS
Associated with value chain management, the effectiveness and efficiency of operations, management of resources and people, safety of people and facilities, the environment and asset integrity.
RISKS | DESCRIPTION AND CONTROL MEASURES
Process, personnel and environmental safety
Cepsa's activities could be exposed to operational risks leading to incidents or accidents affecting assets or, in the worst case, damage to third parties or the environment.
Actions undertaken to manage this risk include:
Implementing a safety management system that integrates safety at all levels of the organisation based on the international OHSAS 18001:2007 standard, in addition to ISO 14001 certification.
Operating our industrial plants in a way that guarantees the integrity of operations, hazard control and risk mitigation measures necessary to minimise the consequences of possible serious accidents, and the highest level of protection and safety both for the people who work for the Cepsa Group and for the assets, processes, environments and populations near to our facilities, an aspect that is reflected in the 'HSEQ Policy' updated in 2021.
Renewing the integrated environmental authorisations at all our plants in Spain to comply with the principles of prevention and control of all processes to minimise environmental impacts.
Implementing a company-wide 'Safety Culture Action Plan' and implementing a strategic plan to maintain and improve safety standards.
Information security
Cepsa's business processes are substantially supported by digital systems, both in the field of information technology (IT) and in operational technology (OT) in our industrial environments. Consequently, a potential cyber-attack affecting systems that support critical processes could result in an operational disruption impacting the relevant business units.
The company manages this risk by:
a) Organising the cybersecurity function based on international standards and best practices.
b) Cybersecurity Governance, consisting of:
a. Scorecard management and regular reporting to Comex.
b. Promoting a cybersecurity culture through training and awareness-raising activities, including mandatory cybersecurity training and actions simulating real multi-channel attacks.
c. OT Information Systems and Cybersecurity regulations, under the umbrella of Cepsa's Cybersecurity Policy and developed by means of specific standards and procedures.
d. Third-party cybersecurity risk management.
c) Secure architectures implemented in IT and OT environments: strengthening access controls through two-factor authentication and device validation in VPN access.
d) Hardening procedures: removal of obsolete protocols / updating of patches.
e) Cyber insurance providing sufficient coverage for the risk scenarios identified.
f) Cyber resilience: cybersecurity incident response procedure, including escalation to the highest corporate crisis management body (4C). There is also an ISO 20000-certified continuous improvement process related to Cepsa's technology 'Contingency Plan'.