The effective management of risk is central to the ongoing success and resilience of Coca‑Cola Hellenic Bottling Company (CCHBC).

CCHBC recognises that risk management is an integral part of both sound management practice and good corporate governance as it improves decision making, enhances outcomes, and strengthens management accountability.

Enterprise risk management (ERM), that is culturally embedded, is also a means for achieving competitive advantage and is pivotal to driving ongoing business growth in what continues to be a complex and continually transforming operating environment.

This policy details the both overall approach to risk management in CCHBC together with the Company’s commitment to the process which has an overriding purpose of assisting in the responsible achievement of the Company’s strategic and operational objectives.

This policy has been adopted by CCHBC’s Audit Committee.

This is a group-wide policy and applies to all employees, functions and business operations in every country in which CCHBC operates. This policy is supported by our ERM Framework.

We understand that risk and opportunity are dynamic and ever present in our complex internal and external operating environments. This creates the need for us to manage risk in an informed way.

Effective risk management, that is culturally embedded, provides the business with insight and competitive advantage and the program of forward looking risk management is a cornerstone to decision making. CCHBC is committed to the ongoing development of the enterprise wide approach to risk management ensuring that it is underpinned by a strong risk aware culture.

Everyone in the business plays a role in managing risk by identifying opportunities and minimising uncertainty in a way that enables the Company to achieve its common goals – growing the business; remaining resilient; enhancing stakeholder value; and contributing to the communities and future of every country in which CCHBC operates.

The underlying risk principles that are applied are consistent with ISO31000 (Risk Management – Principles and Guidelines). The strategy is supportive of the UK Corporate Governance Code (Guidance on Risk Management, Internal Control and Related Financial and Business Reporting).

The enterprise risk management program of CCHBC has a number of objectives:

• Recognises that risk is imbedded in all activities and that the underlying risk culture and approach is key to effective decision making
• Promotes an enterprise wide approach through strong functional collaboration by integrating risk management processes with business strategy, project management, process and decision making
• Promotes consistency and transparency in methodology, assessment and management processes
• Promotes proactive recognition of external factors, opportunities, and anticipates uncertainties that could affect the achievement of the Company’s strategies and objectives
• Sponsors innovation through cultural acceptance thereby maximising value from assets, ventures and opportunities
• Enables the design and implementation of controls that:
  • Are structured to promote effective realisation of objectives
  • Provide appropriate assurance
  • Are cost effective
• Recognises that timely and accurate monitoring, review, communication and reporting of risk is critical to providing:
  • Early warning mechanisms for the effective management of risk occurrences
  • Assurance to management, the Board and shareholders
  • A solid platform for growth
  • A sound business resilience platform.

The Board and Audit Committee

The Board of Directors, via the Audit Committee, oversees the establishment and implementation of the risk management system and annually reviews the effectiveness of the system. The Committee considers on an ongoing basis whether:

• The ongoing program identifies material areas of risk and business opportunities
• Adequate risk mitigation strategies have been designed and implemented to manage all identified material risks
• A strong risk management culture is imbedded in the Company across business levels and functions
• The program is compliant with the requirements of the UK Corporate Governance Code (Guidance on Risk Management, Internal Control and Related Financial and Business Reporting).

Operating Committee

The Operating Committee (OPCO) has overall responsibility for risk management at CCHBC including:

• Strategic risk
• Operational and business risk
• Project risk
• Financial risk

They are provided specialist support in this regard by the Group Chief Risk Officer (CRO).

Group Risk Function

The Group Risk Management function, led by the Group CRO, resides within the Company’s Business Resilience function. The team is responsible for:

• Promoting and facilitating a standardised approach to effective risk management
• Reviewing, updating and maintaining the ERM Framework
• Assisting the business to understand and manage risks and facilitate the integration of the approved ERM Framework and Processes for managing risks across the operations
• Supporting the business in identifying and implementing risk management improvement processes
• Coordinating the functions of the Group Risk Forum in analysing operational and strategic risks
• Developing and implementing strategies to strengthen risk management awareness and cultural acceptance
• Monitoring factors in the internal and external environments that may affect our ability to achieve strategic objectives and/or operating targets
• Reporting to the OPCO at regular intervals on material risks, opportunities and emerging issues
• Reporting to the Audit Committee on a half yearly basis on risks, mitigations, program maturity and compliance with the UK Corporate Governance Code (Guidance on Risk Management,Internal Control and Related Financial and Business Reporting).

Group Risk Forum

The Group Risk Forum (GRF) comprises senior managers from the business and acts as both a strategic risk ‘think tank’ and independent review mechanism for risks and opportunities escalated by the country operations and functions. The forum specifically:

• Reviews the aggregated and escalated risks and opportunities and considers their relevance against the broader Group operations and objectives
• Evaluates and discusses these risks and opportunities, together with identified aggregated or strategic risks observed by the GFC members across countries and functions, within the context of the broader Company risk universe and strategic/operational objectives
• Evaluates the risks and opportunities for escalation to the OPCO, the Audit Committee and the Board
• Monitors that clearly articulated and adequate mitigation and response plans are in place.

Internal Audit Department

CCHBC’s Internal Audit Department is separate from the Group Risk Management function. It provides assurance over the effective operation of risk management processes, methodologies, internal controls and compliance with the required elements of the UK Corporate Governance Code (Guidance on Risk Management, Internal Control and Related Financial and Business Reporting). It independently evaluates the maturity of the ERM program against industry best practice.

External Audit

External Audit, as part of their audit processes, review CCHBC’s controls in the area of risk management and will report on them in line with annual reporting procedures.

Management

Every manager is responsible for:

• Promoting the risk management policy, framework and expectations for the management of risk
• Provision and support of appropriate resources to manage risk in accordance with the framework
• Escalating risks and opportunities in accordance with the requirements of the ERM Framework
• The implementation of cost effective risk management and internal control systems in accordance with guidelines, in order to manage risk, encourage efficiencies and take advantage of opportunities
• Continuous monitoring and reporting of the effectiveness of risk controls.

Employees

Every employee is responsible for looking for opportunities to improve operational efficiencies and optimise outcomes. They must also report immediately to management any real or perceived risks that become apparent and may significantly impact our:

• Commercial viability
• Profitability
• Assets
• Customers
• Consumer or employee safety
• Regulatory or Legal obligations
• Environment
• Sustainability Programs
• Community

Risk management obligations

• Countries and key functions are accountable for managing their risks and must maintain a register of risks to their business objectives
• Risk registers will be created through a thorough risk identification and assessment process following the CCHBC ERM Framework
• Key markets and functions will participate in annual facilitated risk review sessions
• Strategic Risk Review sessions will be conducted with the OPCO and the Audit Committee on an annual basis
• Risks and key mitigations will be documented by country and functions as part of the Annual Business Planning Process
• Reviews of risk registers are to be conducted quarterly by the Group Risk function and key risks and trends are reported by the Group CRO to the Audit Committee in June and December.

This Risk Management Policy is supported by other CCHBC policies and standards as issued from time to time. These documents include, but are not limited to:

• Business Continuity Management Policy Chart of Authority
• Code of Business Conduct
• Enterprise Risk Management Framework
• Fraud Control Policy
• Group Asset Protection and Security Guidelines
• Health and Safety Policy
• Treasury Policy

The Policy is administered by the Group CRO. The Policy is to be reviewed every two years and any changes to the Policy require Audit Committee approval.