2019-20 SaskEnergy Annual Report

Corporate Governance

responsibility and authority as required. Introduction of key risk assessment and disclosure reporting changes on processes related to climate change risks and oversight afforded to these risks are expected through additional governance guidance and training.

Each year, the Board and senior management independently follow a process led by Internal Audit to identify and prioritize significant risks. The Director of Audit Services prepares a report summarizing the independent risk assessments completed by the Board and management. This report is discussed at a Board meeting where senior management and the Board align on corporate risks and the plans to mitigate or manage the residual risks. Through the Business Plan, the Corporation implements plans to address the key risks. The Board monitors the risk management programs and oversees the implementation of appropriate systems to manage identified risks either directly, or through the Audit and Finance Committee. The Audit and Finance Committee regularly reviews the Audit Services reports and discusses significant risk areas with the internal and external auditors.

The sale of a variety of ‘non-core’ assets to streamline and focus corporate activity has also led to the transfer of environmental liabilities and risk mitigation.

Cyber Security Risk

SaskEnergy relies on its information and operations technology systems to safely and efficiently operate corporate assets, and to protect corporate data and personal information. These systems are subject to cyber security risks. Cyber security risks include but are not limited to targeted attacks, exposure to computer viruses, and breaches of corporate and personal information within technology systems managed by internal and external parties.
A cyber security event could expose the Corporation to loss or misuse of critical data and information leading to property damage, disruptions to its operations, privacy breaches, loss of confidentiality and financial or reputational losses. In order to manage cyber security risk, SaskEnergy has developed a cyber security strategy whereby the Corporation tests its systems, builds controls and conducts investigations. In addition, the Corporation has added incremental resources to manage and evaluate cyber risks and privacy processes related to the growing adoption of cloud migration, data analytics and mobile technology. SaskEnergy proactively and continuously monitors its systems to identify and address malicious activity, as well as potential or emerging threats. Business continuity exercises are also conducted.

on the SaskEnergy intranet site for employees, and the Code and Whistleblower policies are on SaskEnergy’s website for public access. A process is also posted on the website for members of the public to contact the Chair of the Governance and Social Responsibility Committee of the Board, in confidence, to report any potential violation of the Code or Whistleblower Policy. Management monitors and reports on any issues arising under the Code annually, the Whistleblower Policy semi-annually, and the Reporting of Losses Policy quarterly, to the Governance and Social Responsibility and Human Resources and Safety committees, which are charged with oversight of compliance with these policies.

In addition to the Code, SaskEnergy’s Directors are required to abide by CIC’s Directors’ Code of Conduct. The Governance and Social Responsibility Committee, appointed as Ethics Advisor for this purpose, is required to administer, monitor and enforce the Directors’ Code of Conduct, which includes reporting annually to the Board concerning compliance. It is also standard procedure to commence all Board and Committee meetings with an in-camera agenda item providing Directors with an opportunity to declare any conflicts of interest or any changes to outside employment or directorships they hold that may create a potential or perceived conflict of interest. Upon appointment, Directors declare directorships on, and material interests in, other business and any material contract entered into with SaskEnergy or its subsidiaries to the Governance and Social Responsibility Committee, which works proactively to address any potential conflicts of interest. Agenda items are monitored by management, and those containing any item that a Director has disclosed a material interest in are not distributed to the Director.
Likewise, any Director subject to CIC’s Protocol Regarding Lawyers Serving on Subsidiary Crown Corporation Boards of Directors will recuse themselves from consideration of any item creating a potential conflict of interest. This reporting period there were no waivers granted by the Board to any Directors or Officers authorizing non-compliance with these policies.

Risk Identification and Management

SaskEnergy has a formal Enterprise Risk Management Policy that was developed by management and approved by the Board of Directors. SaskEnergy’s risk management process is designed to identify potential events that may impact SaskEnergy and manage the risk presented within accepted tolerance levels. Senior management holds primary responsibility for identifying inherent risks, and for designing and implementing mitigation initiatives. The Board expects management to use appropriate controls to manage risk and delegate
