ETHICS APPROVED ETHICS COMMITTEE (PEDRO MIRÓ)

Transcription

1 APPROVED SIGNED BY: COMMITTEE (PEDRO MIRÓ) DATE: SIGNATURE: JUNE-2014 The original document, approved by the person and on the date indicated above (by means of signature), is held by the CEPSA Organisation Unit in accordance with the regulations in force. PROCEDURE FOR MANAGEMENT, INVESTIGATION AND RESPONSE TO INCIDENTS AND ALLEGATIONS OF BREACH OF THE CEPSA GROUP CODE OF AND CONDUCT PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 1 of 10

2 CONTENTS PROCEDURE FOR MANAGEMENT, INVESTIGATION AND RESPONSE TO INCIDENTS AND ALLEGATIONS OF BREACH OF THE CEPSA GROUP CODE OF AND CONDUCT 1. INTRODUCTION Purpose Scope of application Concept of incident and breach Figures or elements of the system Responsibilities Guarantee of confidentiality REPORTING INCIDENTS AND ALLEGED BREACHES On the obligation to report incidents and breaches Methods for reporting incidents and breaches Reporting incidents and alleged breaches RECEIPT AND PRELIMINARY ANALYSIS OF REPORTS OF INCIDENTS OR ALLEGED BREACHES Acknowledgement of receipt Request for additional information Start of the preliminary analysis and possible accumulation of incidents and/or alleged breaches Conclusion of the preliminary analysis of the information received The informant or accuser is notified if the preliminary analysis is terminated Additional measures Protection of data of a personal nature INVESTIGATION Start of the investigation Notifying the subjects investigated Conducting the investigation Final report Final action RESOLVING THE CASE Responsible body Decisions of the Ethic Committee The hearing Disciplinary measures Other measures Communicating decisions MANAGEMENT OF THE PROCEDURE RELATIONSHIP WITH OTHER PLANNING AND CONTROL INSTRUMENTS...10 PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 2 of 10

3 PROCEDURE FOR MANAGEMENT, INVESTIGATION AND RESPONSE TO INCIDENTS AND ALLEGA- TIONS OF BREACH OF THE CEPSA GROUP CODE OF AND CONDUCT Compañía Española de Petróleos, S.A.U. and its group of companies (CEPSA Group) are committed to contributing to proving society with a secure source of energy by operating in the petroleum and gas value chain in an efficient, responsible, profitable manner. CEPSA's aims to be an integrated, high-performing, customer-focused and value-creating energy and petrochemical company, respectful to the environment and committed to society. CEPSA Group, taking this mission and vision as a starting point, has enshrined the Company's general operating guidelines and ethical values in its Code of Ethics and Conduct, which is mandatory and binding on all Persons Affected 1 by the CEPSA Group Code of Ethics and Conduct. It has also established an Ethics Committee within its organisational structure, whose function, among others, is to resolve any ethical conflicts that arise in the course of the business in a logical manner. It has also been deemed necessary and convenient to introduce an additional procedure to manage any incidents or allegations of breach of the CEPSA Group Code of Ethics and Conduct and to regulate the management, investigation and response to such incidents or breaches. It also safeguards the right to privacy, the presumption of innocence and to self-defence of the subjects of any investigations. 1. INTRODUCTION 1.1. Purpose The purpose of this procedure is to establish basic guidelines for the internal management, investigation and response system in the light of reports, incidents and allegations of breach of the CEPSA Group Code of Ethics and Conduct Scope of application This procedure applies to all Persons Affected by the CEPSA Group Code of Ethics and Conduct and all persons acting in the name, interest and benefit of the CEPSA Group, regardless of geographic location Concept of incident and breach For the purposes of this procedure, an incident is an action taken by an Affected Person that raises concerns in the application or interpretation of the CEPSA Group Code of Ethics and Conduct or which generate some kind of dilemma. An alleged breach is an action thought to infringe the general operating principles and the ethical value and rules of conduct by the Affected Persons. These include corruption, misappropriation, accounting malpractice and others. The definition of breach also includes any incidents that endanger the reputation of the image of the CEPSA Group. 1 The CEPSA Group Code of Ethics and Conduct defines "Affected Persons" as CEPSA Group directors, managers and employees and persons whose activities are expressly subject to the Code of Ethics and Conduct. PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 3 of 10

4 1.4. Figures or elements of the system The following figures are involved in this procedure: Accuser - Person who reports an incident or breach of ethics in accordance with this procedure, alleging infringement of the provisions of the CEPSA Group Code of Ethics and Conduct. Accused - Person who is accused of infringing the provisions of the CEPSA Group Code of Ethics and Conduct in accordance with this procedure. Internal Control and Compliance Unit - This Unit takes action in accordance with the duties derived from this procedure described in the Duties Manual. Ethics Committee - In accordance with the Ethics Committee's Duties Manual, this body is responsible for driving, monitoring and controlling compliance with the values, principles and standards of conduct established in the Code of Ethics and Conduct, and for finding solutions to any ethical dilemmas that arise, dealing with allegations received and supporting the implementation of the necessary corrective measures in each case Responsibilities All Persons Affected by the CEPSA Group Code of Ethics and Conduct are required to ensure compliance and to use the Ethical Channel to report any acts that breach this code or the applicable law. Persons Affected are bound to collaborate with the analysis/investigation when asked to do so by the Ethical Committee. The accuser is responsible for submitting all the available proof and /or evidence. False accusations or allegations made with disdain for the truth may lead to criminal or civil liability in accordance with the law, or disciplinary proceedings as appropriate Guarantee of confidentiality The CEPSA Group undertakes to safeguard the confidentiality of the accuser and guarantees that there will be no reprisals. All persons 2, involved in the due processing of the incident or alleged breach who become aware of the content, never the authorship of the complaint, are subject to a confidentiality agreement. Notwithstanding the above, information identifying the accuser may be revealed to government authorities or courts, if requested. However, the law on protection of information of a personal nature will always be respected. 2 Ethics Committee, Internal Control Unit and other persons, as the Ethics Committee sees fit. PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 4 of 10

5 2. REPORTING INCIDENTS AND ALLEGED BREACHES 2.1 On the obligation to report incidents and breaches Any Person Affected by the CEPSA Group Code of Ethics and Conduct who learns of an incident or breach must immediately report this through the channels provided by the CEPSA Group for the purpose. These channels are available not only to Persons Affected by the CEPSA Group Code of Ethics and Conduct and all stakeholders with an interest in the CEPSA Group. 2.2 Methods for reporting incidents and breaches There are two different methods for reporting incidents and breaches: The Ethics Channel is provided by CEPSA Group for reporting incidents and breaches. This is accessed through the CEPSA website ( in the section on "About Us/Corporate Governance/Ethical Conduct". This Ethics Channel will be managed by the Internal Control Unit under the authority of the Ethics Committee. By internal transfer of incidents or allegations of breaches received by the different Business Units or Areas of the CEPSA Group. The person responsible for the Business Unit or Area informed, must immediately forward the information received to the Internal Control Unit, by meansof the Ethics Channel. In addition, the Internal Control Unit may ask persons responsible for Business Units or CEPSA Group Areas to use the communication channels it deems suitable for reporting incidents and/or reporting alleged breaches. 2.3 Reporting incidents and alleged breaches Incidents and alleged breaches must be reported either through the Ethics Channel or by internal communication, as explained in section 2.2.above. These reports must be true, clear and complete and must never be used for purposes other than those established in the CEPSA Group Code of Ethics and Conduct. 3. RECEIPT AND PRELIMINARY ANALYSIS OF REPORTS OF INCIDENTS OR ALLEGED BREACHES 3.1 Acknowledgement of receipt After receiving notification of an incident or alleged breach through the channels established in section 2.2., the person responsible for the Internal Control Unit will immediately acknowledge receipt of the information and inform the accuser that his or her personal information will be gathered and processed in compliance with applicable personal data protection law. PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 5 of 10

6 3.2 Request for additional information If the Internal Control Unit reviews the information but deems it unclear or incomplete, it will ask the accuser for more detailed information about specific aspects of the information for which more detail is required. If incomplete information is provided, even after these additional details have been requested, the Internal Control Unit cannot guarantee that there will be an investigation. At this point, there is no need for very detailed information about the incident or alleged breach. All that is needed are the details deemed strictly necessary to make a preliminary analysis. 3.3 Start of the preliminary analysis and possible accumulation of incidents and/or alleged breaches The Internal Control Unit will make a preliminary analysis with the information received and the corresponding acknowledgement of receipt which will be numbered for identification purposes. If several incidents or alleged breaches are received in connection with a single event or connected events, the Internal Control Unit may accumulate different cases. 3.4 Conclusion of the preliminary analysis of the information received The Internal Control Unit will make a preliminary analysis of the incident or alleged breach to verify that it is true, clear and complete, and the importance of the events alleged. According to the result of this analysis, one of the following decisions may be taken: a) Acceptance of the report or complaint and start of an investigation into the facts alleged. b) Acceptance of the report or complaint and immediate termination of the preliminary analysis when the content thereof is obviously irrelevant, when the information is insufficient to take any additional action or when the information does not comply with the requirements for truthfulness, completeness or clarity. c) Rejection of the report or complaint and immediate termination of the preliminary analysis when the facts reported do not fall within any of the cases referred to in section 2.1 above. 3.5 The informant or accuser is notified if the preliminary analysis is terminated When a preliminary analysis has been carried out as a result of a report or alleged breach received through the CEPSA Group Ethics Channel, in the cases described in a) and b) of the above section, the Internal Control Unit notifies the informant or accuser that the claim has been rejected and that the preliminary analysis has been abandoned according to the case, and any other measures that have been taken. 3.6 Additional measures Parallel to the adoption of the decisions described in sections 3.4.a) and 3.4.b) above, the Internal Control Unit is able to adopt additional emergency measures to prevent certain consequences, in coordination with the corresponding functional bodies. In any case, the Internal Control Unit informs the informant or accuser of the decision taken, according to the case, and any additional measures that have been taken. PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 6 of 10

7 3.7 Protection of data of a personal nature Use by any person of the Ethical Channel obliges CEPSA Group to guarantee that the information with which it is provided is kept confidential and is protected. The data will be included in a databased owned by Compañía Española de Petróleos, S.A.U. (CEPSA) for the purpose of conducting such investigations as it deems necessary. CEPSA undertakes to use the necessary technical measures to guarantee the security, integrity, to guarantee that it is not altered or processed and to prevent unauthorised access to the data provided. The data in the Ethics Channel will be cancelled after the analysis when they will no longer be used, provided the data will not be required for administrative or judicial procedures. CEPSA will keep the data while the action taken by the accuser or by the CEPSA group may potentially lead to liability. Users of the Ethics Channel may exercise their rights to access, correct, erase or object to any personal data gathered by writing to CEPSA at its registered address, enclosing proof of identity with an identity number, foreigner's identity number or valid passport number. 4. INVESTIGATION 4.1 Start of the investigation The purpose of the investigation is to determine the facts of the case and who is responsible for them. According to the area, scope and persons presumably involved in the incident, the person responsible for the Internal Control Unit will assess the investigation strategy in each specific case. The following options may be chosen: a) The investigation will be fully designed, led and managed by the head of the Internal Control Unit, notwithstanding consultations or ad hoc support required from other departments to substantiate the case. b) The investigation will be designed, led and managed by a team designed for the purpose by the Internal Control Unit, whose members may include representatives of any CEPSA Group unit which may know the facts that have presumably occurred or whose intervention may be relevant to the investigation. c) The investigation may be delegated to a specific CEPSA Group body or internal department when this is recommendable due to their speciality or specific knowledge of the area to investigate. d) The investigation may be dealt with partly or entirely externally, if the details of the case make this advisable. In any case, the Internal Control Unit, according to the importance of the facts under investigation, may, in extraordinary circumstances, submit the facts to the Committee in a pre-emptive manner, which will determine the action to take. All collaboration in the investigation by any Person Affected by the CEPSA Group Code of Ethics and Conduct will be subject to the duty of confidentiality with regard to the information they may learn. The person PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 7 of 10

8 collaborating is also obliged to abstain from being part of the investigating team in the event of a conflict of interest or on just grounds. 4.2 Notifying the subjects investigated During the course of the investigation, the investigator will contact the subjects under investigation, identifying him/herself as the person responsible for the investigation and giving a brief explanation of the allegations made and the main steps that may take place during the investigation process. However, in cases where this notification may lead to manipulation or elimination of the evidence necessary for the investigation by the accused, the notification may be delayed for a maximum of three months from receipt of the complaint. 4.3 Conducting the investigation The file must include the documentation listing all the action taken and the documents gathered to obtain sufficient, suitable evidence. To obtain this evidence the investigator may take such action as it sees fit such as, for example, examining documents and records, analysing processes and procedures or conducting interviews, among others. CEPSA Group guarantees the integrity of the evidence obtained and that this will not be manipulated. 4.4 Final report Once all the investigations are complete, the Internal Control Unit will write a report of conclusions addressed to the Ethics Committee, which will contain a description of the following items: a) Nature of the incident or breach. - Details of the identities of the parties involved. b) A list of relevant facts and discoveries. c) Conclusions and assessment of the facts, with two possible actions proposed: i. The case is filed if the Ethics Committee considers that the fact is not a possible breach. ii. Proposal to the Ethics Committee to pursue the case, in accordance with section 5.3 of this procedure, if the investigation conducted reveals sufficient evidence to suggest that there has been a breach of the general operating principles and ethical values contained in the CEPSA Group Code of Ethics and Conduct. d) Proposed measures, controls and/or action to be taken by CEPSA Group to prevent the breach for recurring. 4.5 Final action As soon as the report of the findings of the investigation is finalised, it is submitted to the Ethics Committee. The personal details of those involved will be kept only for as long as is strictly necessary, in accordance with section 3.7 above. PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 8 of 10

9 5. RESOLVING THE CASE 5.1 Responsible body The Ethics Committee is responsible for responding to incidents and alleged breaches of the CEPSA Group Code of Ethics and Conduct, resolving proposals submitted by the Internal Control Unit. In cases of the incompatibility of a member of the Ethics Committee for the processing of a specific matter, such member will be excluded from all steps taken with regard to said matter. 5.2 Decisions of the Ethic Committee The Ethics Committee may adopt one of the following resolutions: a) Ask for additional investigations to be conducted. b) File the matter due to lack of sufficient evidence or because the incidents involved are not relevant. In this case the case is sent back to the Internal Control Unit for processing. c) Declare that there has been an incident with regard to the CEPSA Group Code of Ethics and Conduct or that this has been breached. The Business Unit or Area will then be asked to take the appropriate disciplinary measures and adopt any additional measures, as described in the following sections. d) Provide the competent court with details of any breaches identified. CEPSA Group will inform the competent authorities as soon as it becomes aware of any cases of corruption or money laundering. 5.3 The hearing Once the final result of the investigation is received, the Ethics Committee (in the circumstances described in sections 5.2.c) and 5.2.d) will send this to the subjects under investigation, who will be given five working days to submit written comments for consideration and to submit such documents as they see fit. The Ethics Committee may invite any employees, internal bodies or units or external advisers they deem appropriate, based on their specific knowledge, to participate in the hearing. 5.4 Disciplinary measures Disciplinary measures will be taken in each case according to the offender's employment relationship with the company. Such measures shall be graduated in line with the seriousness of the acts committed, and may take into consideration circumstances such as recidivism, damages caused, the circumstances of the victims, if any, etc. For this purpose, when mandatory disciplinary procedures are necessary, the investigator's final report shall be attached to the file to avoid the duplication of work. 5.5 Other measures In case of paragraph c) of section 5.2 above, the Ethics Committee may take additional measures to react and respond, such as: PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 9 of 10

10 a) Notify any competent administrative or legal authority. b) Civil action for damages taken by a person, entity or stakeholder who has suffered as a result of the incident. c) Take decisions to communicate, provide training or internally disseminate the facts to any CEPSA Group body or unit and in general to all People Affected by the Code of Ethics and Conduct, when this is considered an effective tool to prevent the recurrence of similar incidents or irregularities in the future, always in scrupulous compliance with the law on personal data protection and safeguarding confidentiality and secrecy. d) Propose organisational and preventive measures of any kind. 5.6 Communicating decisions. The Business Units or areas responsible for applying the approved measures are immediately notified of the decisions of the Ethics Committee. The accuser is also notified of these decisions. 6. MANAGEMENT OF THE PROCEDURE Responsibility for managing this internal procedure lies with the Ethics Committee, which must therefore interpret any questions that may arise as to the application of the same and shall revise it whenever necessary in order to update its content. 7. RELATIONSHIP WITH OTHER PLANNING AND CONTROL INSTRUMENTS This regulation document is mainly related to the following CEPSA Group regulations: DI-001 CEPSA Group Code of Ethics and Conduct. Group Ethics Committee Duties Manual PR-114 Rev. 0 June 2014 Edited by: Org. and Processes Managed by: Ethics Committee Effective Date: June 2014 Page 10 of 10