Risk Policy
1 PURPOSE AND SCOPE
The purpose of this Policy is to explain the general principles and management principles regarding the risk management strategy and risk management framework of Çates Elektrik Üretim A.Ş.
The provisions of this Policy apply to all employees of Çates Elektrik Üretim A.Ş.
2 BASIS
This Risk Management Policy is regulated within the framework of Capital Markets Board ("CMB") regulations, including the Capital Markets Law no. 6362, the Turkish Commercial Code no. 6102, the "Corporate Governance Communiqué" no. II-17.1 ("Communiqué") and the corporate governance principles included in its annex, other legal regulations and the relevant provisions of the Company's Articles of Association ("Articles of Association").
3 RESPONSIBILITY
The Board of Directors, through the Early Detection of Risk Committee, is responsible for the creation of annual plans and policies regarding Risk Management activities. The Company's risk management manager/expert or legal and compliance manager is responsible for creating supporting documentation and implementing risk management activities in line with those plans and policies.
4 DEFINITIONS
In this Policy:
Company: Çates Electricity Production Inc.;
Board of Directors: the Board of Directors of Çates Electricity Production Inc.;
Early Detection of Risk Committee: the early detection of risk committee established within the Company's Board of Directors (hereinafter also referred to as the "Committee"; both terms refer to the same body).
5 RISK MANAGEMENT STRATEGY
The risk management strategy aims:
- To quickly identify, measure, manage, report and monitor risks that affect the achievement of the Company's strategic, operational and financial goals;
- To regulate the Company's risk profile in line with the Company's risk appetite, so as to intervene in new threats and opportunities and benefit from returns at the maximum level;
- To ensure that risk management is effective in the Company's strategy and decision-making processes;
- To protect the Company's capital by considering its compliance with the Company's risk appetite;
- To achieve an optimal risk-return profile by allocating capital effectively;
- To provide sustainable financial performance, income and competitiveness to the Company;
- To support decision-making processes by providing consistent, reliable and timely risk information;
- To protect the reputation of the Company by reinforcing the Company's core values, increasing risk awareness, and developing a strong culture of disciplined and conscious risk taking.
5.1. Governance
Effectively structuring and implementing governance forms the basis of all other components of risk management.
5.1.1. Defense Areas
5.1.1.1. First Level Defense Area
Managers of business units have primary responsibility for effectively controlling the risks to which their activities expose them ("first-level defense area"). The parties in the first-level defense area are responsible for implementing the risk regulations, implementation principles and procedures established by the parties in the second-level defense area. Below are examples of the main activities of parties in the first-level defense area:
- To make risk assessments and to create and take the necessary actions against risks so that only risks at acceptable levels remain,
- To implement the matters foreseen within the scope of Risk Management policies, regulations, implementation principles, procedures and processes,
- To ensure that key controls are effective.
5.1.1.2. Second Level Defense Area
The Company's manager/expert responsible for risk management or legal and compliance manager ("second-level defense area") supports the parties in the first-level defense area regarding risk management activities.
Below are examples of the main activities of parties in the second-level defense area:
- To act in accordance with the implementation principles, procedures and regulations regarding Risk Management and to ensure compliance by the relevant managements,
- To make suggestions for improving controls,
- Overseeing the effectiveness of controls,
- Analyzing and reporting control weaknesses,
- Creating methodologies for risk management,
- Ensuring that risk management activities are carried out,
- Helping to establish key control points,
- Helping business units identify the risks they are exposed to and monitoring risks,
- To ensure that responsibility for the actions to be taken against risks is determined,
- Reporting the Company's risk profile and issues outside the risk appetite, and escalating them to the next level when necessary.
5.1.1.3. Third Level Defense Area
Internal Audit serves as the third-level defense area. It provides independent assurance on the effectiveness of the Risk Management system.
5.1.2. Early Detection of Risk Committee
The Early Detection of Risk Committee was established, with its responsibilities and authority defined within the framework of legal regulations, including the corporate governance principles in the Turkish Commercial Code No. 6102 and the Capital Markets Board ("CMB") regulations, and the relevant provisions of the Company's Articles of Association. The Early Detection of Risk Committee operates for the purpose of early diagnosis of strategic, operational, financial and all other kinds of risks that may endanger the existence, development and continuity of the Company, and of managing those risks by applying appropriate risk management strategies.
5.1.2.1. Responsibility
The duties and powers of the Early Detection of Risk Committee are as follows:
a. Establishing a company-wide Enterprise Risk Management approach and ensuring the establishment and maintenance of an effective risk management framework;
b. To prepare and present suggestions for the establishment of risk management systems and the establishment of organizational infrastructures related to risk management within the Company and the development of relevant systems to increase functionality;
c. To present an opinion to the Board of Directors to establish internal control systems, including risk management and information systems, processes that can minimize the effects of risks that may affect the Company's stakeholders, especially the shareholders;
d. To carry out studies to determine Risk Management Strategies, Policies and the relevant standards and methodologies used in managing risks within the Company and to submit them to the approval of the Board of Directors;
e. To carry out studies to prepare policies that define the Company's risk appetite and are compatible with the strategic plans and targets approved by the Board of Directors, and to submit the studies to the approval of the Board of Directors;
f. To carry out studies to create a proposal regarding the indicators and levels within the scope of risk appetite and to submit it to the approval of the Board of Directors; monitoring the indicators and presenting the results, evaluations and recommendations to the Board of Directors when necessary;
g. Ensuring that the Company's strategies and risk appetite are effectively implemented throughout the Company;
h. To adequately inform the members of the Board of Directors about the risk-creating activities of the Company, including strategic management, capital and resource management, risk profile, risk appetite, business activities, financial performance and reputation, and to provide suggestions to the Board of Directors in this context;
i. Ensuring that internal processes are maintained, including stress testing where appropriate, so that capital and liquidity levels and the asset-liability structure remain appropriate under the Company's normal and stressed conditions;
j. Ensuring the integration of risk management and internal control systems into the Company's corporate structure and business processes;
k. To identify, evaluate and monitor existing and potential risk elements that may affect the achievement of the Company's objectives within the framework of the corporate risk management systematic, and to ensure that the principles for managing the relevant risks are determined in accordance with the Company's risk-taking profile and used in decision-making mechanisms;
l. Evaluating and approving risk studies carried out within the company; To provide information and suggestions to the Board of Directors when necessary;
m. Evaluating and recommending risk management strategies for risks that will be accepted and managed, shared or completely eliminated in the Company regarding risks evaluated according to probability and impact calculations;
n. Evaluate the development and maintenance of management reporting to ensure that information is timely, accurate and relevant;
o. To follow the latest status of audit issues and findings, and to evaluate the effectiveness and efficiency of the actions taken;
p. To supervise activities related to Business Continuity Management;
q. To review the risk management systems at least once a year and to ensure that the practices in the relevant departments that undertake risk management responsibility are carried out in accordance with the Committee decisions;
r. To detect technical bankruptcy early and to ensure that the Board of Directors is warned about this issue;
s. To submit reports to the Board of Directors every two months that evaluate the current situation, point out any dangers and include recommendations, and share the prepared reports with the audit committee and internal audit unit;
t. To prepare an annual evaluation report and submit it to the Board of Directors, to form the basis for the Board of Directors' evaluation of the Committee's members, meeting frequency, working principles (including the activities carried out) and effectiveness, which will be included in the annual activity report;
u. To fulfill other duties assigned/to be assigned to the Committee by CMB regulations and the Turkish Commercial Code.
The Committee meets with the Audit Committee at least once a year to ensure consistency between audit results and risk determinations.
The Committee immediately notifies the Board of Directors in writing of its evaluations and important findings and recommendations regarding its field of duty and responsibility.
The decisions of the Committee are recommendations to the Board of Directors, and the final decision responsibility on relevant matters belongs to the Board of Directors.
5.2. Goal Setting
The objectives of the parties involved in the first- and second-level defense areas regarding risk management activities are established in accordance with the strategic objectives and risk appetite of the Company.
5.2.1. Compliance with Activities
Risk management is fully integrated into the Company's daily activities and strategic planning to gain a sustainable competitive advantage.
5.2.2. Risk Management Principles
While ensuring that our daily activities are integrated with our strategic plans through the risk management function, the following principles are observed.
5.2.2.1. Flexibility
The company's risk management framework allows for acceptable flexibilities while maintaining the company's risk appetite.
5.2.2.2. Risk Appetite
Risk appetite is defined as the maximum level of acceptable and approved risk.
The acceptable risk appetite level is determined by the Board of Directors with the recommendations of the Early Detection of Risk Committee and is reviewed once a year, or more frequently when necessary. Risk appetite is operationalized through the following items:
- Risk Matrix - Risk Levels,
- Limits or obligations,
- Key Risk Indicator tolerance levels.
After the risk appetite is determined, the Company's risk profile is monitored periodically against the risk appetite levels. If these levels have been exceeded or are likely to be exceeded, the necessary precautions are taken by the relevant business units upon the recommendations of the Committee and/or the manager/expert responsible for risk management or the legal and compliance manager.
5.2.2.3. Risk Awareness
It is aimed to create a culture with high 'risk awareness' within the company. This principle is implemented through regular meetings, training and reports.
5.3. Event Detection
Event detection is done proactively and prior to risk assessment. There are different techniques for event detection, for example:
- Analysis of actual events,
- Key Risk Indicator results,
- External incidents.
5.4. Risk Assessment
The purpose of Risk Assessment is to identify important risks that may affect the company, processes, projects, products, services, or strategies. The focus of the Risk Assessments is to mitigate the risks to an acceptable (controllable) level and to keep unidentified risks to a minimum level. This goal can be achieved by performing risk identification, risk assessment and risk mitigation stages in the Risk Assessment process.
5.4.1. Risk Assessment Methodology
The aim of the Risk Assessment is to determine inherent risks and other risks in the processes of all business units within the company, together with the business units, to evaluate these risks and to suggest risk management actions.
The stages of the risk assessment process are as follows:
- Identification of the risk (by specifying cause-event-result),
- Determination of existing controls,
- Assessing the impact and probability of the risk,
- Acceptance, rejection, minimization, transfer of risk,
- Determining the action plan and monitoring the action.
Within risk assessment activities business units will have the following opportunities:
- Improving / developing processes,
- Having faster and better risk analysis,
- Being able to identify possible control deficiencies and weaknesses,
- Being able to identify unacceptable risks for business units,
- Measuring the quality of existing controls,
- Being able to increase the efficiency of the operations to a better level,
- Determining and following up Key Risk / Performance Indicators,
- Being able to use and allocate capital effectively.
5.4.1.1. Risk Levels
The following classification of risk levels is used in risk assessment:
- Critical: These risks are the risks which exceed the tolerance and their impacts to the Company’s goals and / or values are significant. Management should ensure that any incident to which the company has been exposed is identified and should, without any delay, develop a program that has been agreed upon to reduce risks promptly and permanently.
- High: These risks are those that exceed the tolerance level. Resources should be determined to reduce risks within a proper timeframe.
- Medium: These risks are important in terms of their impact to the Company’s goals and / or values. Management develops action plans to reduce risks in a timely manner. Prevention of the deterioration of the situation is achieved by effective monitoring.
- Low: These risks are not significant in terms of their impact to the Company’s goals and / or values, but management should monitor the risks and take appropriate action to prevent the risks from becoming significant.
The risk level should be evaluated according to the 3 situations described below:
- Inherent Risk (Gross Risk): The risks are evaluated by assuming that there is no control.
- Managed Risk: It is the assessment of risks in current control environment. Assessing managed risks requires identifying all relevant controls and assessment of the effectiveness of the controls. Analysis of differences between inherent risks and managed risks provides a good understanding of the effectiveness of current controls.
- Residual (Remaining) Risk: It is the assessment of risks after risk mitigation actions. Benefit / cost analysis can be conducted for possible risk mitigation actions. Residual risks at critical and high risk levels are considered as unacceptable risk levels. Medium risks are tolerated in exceptional cases and can be considered within the scope of an “acceptable” risk area. Low risks are considered in the “acceptable” risk area. Residual risk should be in the “acceptable” (medium or low) risk area.
Risk appetite risk map and scales to be used in risk assessment studies shall be set by the Board of Directors with the recommendation of the Early Risk Detection Committee.
5.4.1.2. Risk Categories
Company risks are classified into 6 main risk categories. Descriptions regarding each risk category are given below.
5.4.1.2.1. Strategic Risk
Strategic risk category shall include, but not limited to:
- Strategic plans are not evaluated effectively,
- Implementing strategic plans inappropriately,
- Unexpected changes in assumptions,
- Risks related to mergers / acquisitions (M&A),
- Risks arising from capital structure preferences,
- Risks arising from governance and organizational design,
- Risks arising from strategic issues, such as risk appetite.
5.4.1.2.2. Operational Risk
They are the risks related to the system, process, human and external incidents. Operational risk category shall include, but not limited to:
- Control risks arising from unwritten procedures / processes and from non-compliance with internal regulations;
- Unauthorized activity risks arising from unauthorized employee activities, including but not limited to unauthorized approval or excess of power;
- Process risks which arise during a process, which are not intentional, which result from transaction processes failed due to human error, or from process management;
- Information technology risks arising from loss of confidentiality and / or integrity and / or accessibility of information and insufficient information security;
- Internal and external fraud risks, including incidents of misappropriation of the Company's procedures, systems, assets, products and / or services through illegal or illegitimate methods in order to provide financial benefits to personnel or external third parties.
5.4.1.2.3. Employment Practices, Security, Business Continuity and Environmental Risks
Employment Practices, Security, Business Continuity and Environmental Risks category shall include, but not limited to:
- Representative relations risks, employee relations risks and employee safety risks arising from employment, health, employee safety, practices contrary to labour laws or agreements, payment of claims related to actions involving personnel injuries or discrimination;
- Personal and physical security risks that threaten the safety and security of people;
- Risks threatening business continuity arising from human, process, system and external events, such as natural disasters, climate changes, terrorism incidents, crisis management risks;
- Risks arising from activities that may threaten the environment directly or indirectly, and may even involve an element of crime.
5.4.1.2.4. Regulation Risks
Regulation risks shall include, but not limited to:
- Compliance risks that may cause damage to the Company's reputation, legal or regulatory sanctions or financial loss as a result of failure (or perceived failure) to comply with applicable laws, legislation and regulations.
5.4.1.2.5. Market Risk
Market risk category shall include, but not limited to:
- Asset-liability risks arising from the mismatch between company assets and liabilities, uncertain asset / liability items, maturity/ duration/ currency mismatch of assets and liabilities;
- Risks arising from changes in interest rates;
- Risks arising from changes in foreign exchange rates;
- Risks arising from liquidity management;
- Risks arising from investment strategies that result in returns less than expected amount;
- Risks related to capital adequacy and management;
- Risks regarding portfolio management;
- Risks from derivative products;
- Risks arising from fluctuations in commodity values;
- Risks arising from cost/price fluctuations;
- Supply / demand mismatch risks;
- Risks regarding funding sources and funding capacity.
5.4.1.2.6. Credit Risk
Credit risk category shall include, but not limited to:
- Risks regarding the management and monitoring of the receivables;
- Concentration risks;
- Risks related to the determination of customer credit ratings;
- Risks regarding the distribution and changes of customer credit ratings;
- Risks related to collateral management and levels;
- Risks related to the adequacy and level of credit risk mitigation techniques.
5.5. Action Taking
Based on the results of the risk assessment, the actions to be taken and the plans to be made for the risks outside the risk appetite are determined.
The risk assessment process results in a report that reflects all risks and controls. It is determined which of the selected risk reduction methods will be applied, including the person to take the action and the deadline by which the action is to be completed. Risk actions are taken by the relevant managements.
Various combinations of risk mitigation strategies can be used in the process of taking action. These strategies are given below:
- Reducing the probability of event occurrence (e.g. implementation of process controls, audit),
- Reducing the impact (example: limits, legal methods),
- Avoiding the risk (by stopping the risk-creating activity if possible),
- The risk acceptance (if the identified risk is within the “acceptable” risk profile),
- Transfer risk (example: through insurance).
5.6. Controlling
Controls are determined for each risk identified within the scope of the risk assessments. Risk owners are responsible for ensuring that adequate controls are in place to mitigate any risk detected. Control activities are valid in the whole organization, at all levels and in all functions. Action plans are created in cases where an existing control cannot adequately manage the risk or needs to be developed to reduce the residual risk to a more reasonable level.
The control activities aim at:
- Monitoring of all identified risks and controls related to them,
- Progressing of action plans made according to the program to minimize the risk or to strengthen the existing control,
- Identifying the action plans that are not completed within the stated timeframe and notifying the related management authorities when necessary,
- Managing all risks appropriately.
5.7. Information and Communication
Risks should be identified, analysed and all authorized parties should be contacted regarding the identified risks. The managers at all levels and the Board of Directors should be informed of the risks in their area of responsibility and take responsibility to manage the risks.
5.7.1. Risk Awareness Culture
The risk awareness culture needs to be improved through communication and training.
5.8. Risk Monitoring
Monitoring is the assessment of whether the Company manages its risks effectively. Monitoring is a continuous process to measure and evaluate the effectiveness of controls, to determine whether the risks are within the risk appetite norms and in line with the targeted risk level, and to check their compliance with policies, regulations, implementation principles and procedures.
Monitoring can be carried out using a variety of techniques, either systematized or supported by other tools.
The monitoring function is based on the updating of risk assessment studies, as well as on monitoring risk appetite, limits and key risk indicators, action monitoring, control tests, review of written regulations, stress tests and other practices of this kind.
5.8.1. First Line of Defence Monitoring Function: Business Units
Business units are responsible for the effective and comprehensive structuring and proper execution of their processes. Risks should be properly mitigated to ensure an effective and comprehensive structuring. In addition, processes should be structured in such a way that the effectiveness of all controls can be continuously monitored, thereby overseeing the relevant practice. This primary monitoring function should be built into the daily operations of the departments in the first line of defence. The execution of basic controls should always be documented and provable.
5.8.2. Second Line of Defence Monitoring Function: Risk Management
Within the scope of risk management activities, the Company's manager / expert or legal and compliance officer in charge of risk management is responsible for monitoring the compliance of the departments in the first line of defence with the risk appetite, policies and regulations, and for monitoring whether or not management performs its control activities properly. It regularly provides management with risk management reports on the results of monitoring activities. The risk reports should have sufficient detail and scope; the Company's manager / expert or legal and compliance officer responsible for risk management and / or the Committee determine the details and scope.
5.8.3. Third Line of Defence Monitoring Function: Internal Audit
The Internal Audit Unit is responsible for evaluating the effectiveness of the design and functioning of the risk control structure established by the first and second lines of defence. It submits its audit reports to the Board of Directors.