Iren Group has an Internal Control and Risk Management System, under the Corporate Governance Code for Listed Companies and the internal guidelines, which is configured as a transversal process that involves, with different roles and within the context of their respective competences, the administrative and control bodies of the Group, the Control, Risk and Sustainability Committee, the Directors of the parent company appointed for the internal control and management of risks and sustainability, the Head of the Internal Audit Unit, the Risk Management Manager and the Financial Reporting Manager, as well as all personnel of Iren Group companies. In particular, in compliance with the Corporate Governance Code, the Board of Directors assesses the adequacy of the Internal Control and Risk Management System compared to the characteristics of the Company and the indications expressed in the guidelines and carries out the following tasks, subject to the opinion of the Control, Risk and Sustainability Committee:
- defines the guidelines of the internal control and risk management system in line with the Company’s strategies, so that the main risks relevant to the Group are correctly identified, adequately measured, managed and monitored, also determining the level of compatibility of such risks with business management consistent with the strategic objectives identified;
- at least once a year, assesses the adequacy of the internal control and risk management system relevant to the characteristics of the business and the risk profile undertaken, as well as its efficacy;
- at least once a year, approves the work plan prepared by the Internal Audit Unit and presented by the competent Delegated Body, after consulting the Directors in charge of the internal control and risk management system and the Board of Statutory Auditors;
- evaluates the opportunity to take measures to ensure the effectiveness and impartiality of the corporate functions involved in the controls, verifying that they have adequate professionalism and resources;
- assigns – in Iren Group to a body made up of external parties – the oversight functions provided for by Italian Legislative Decree 231/2001;
- describes, in the corporate governance report, the main features of the internal control and risk management system, the methods of coordination among the subjects involved in it, indicating the models and national and international best practices of reference and expressing its assessment of its adequacy;
- assesses, after consultation with the Board of Statutory Auditors, the results presented by the statutory auditor in any letter of suggestions and in the additional report addressed to the control body;
- defines “sustainability” policies and conduct principles in order to ensure the creation of value over time for shareholders and for all other stakeholders;
- defines a plan (strategic priorities, commitments and objectives) for the sustainable development of the Group;
- appoints and dismisses, upon proposal of the Deputy Chairperson (competent Delegated Body), in agreement with the Chairperson, subject to the approval of the Control, Risk and Sustainability Committee and subject to the opinion of the Board of Statutory Auditors, the Head of the Internal Audit Unit, ensuring that they are provided with adequate resources for the fulfilment of their responsibilities, and defines their remuneration in line with company policies.
Iren’s Board of Directors, through the CRSC, convenes the Risk Management Manager and the other control departments on at least a half-yearly basis for a report on Group risks in which the Risk Map is presented with the main risks in terms of impact and probability and any mitigation actions. In 2020, the Risk Management Department launched a project for the substantial revision of the Group’s Risk Map, which led to the construction of a very detailed risk map, with qualitative and quantitative assessments of each risk and details of the controls and mitigation actions in place or planned.
The outcome of the Internal Audits, any critical issues detected and the status of measures implemented following the recommendations issued in the audits of previous years (follow-up) are reported in the Internal Audit Manager’s six-monthly Report presented to the Risk, Control and Sustainability Committee, pursuant to the Corporate Governance Code for Listed Companies. In turn, the Committee, on the basis of the information received, reports every six months to the BoD, pointing out the critical areas identified and expressing its opinion of the Internal Control System.
With regard to any critical issues identified, the Head of Internal Audit prepares timely reports on particularly significant events for the Chairpersons of the Board of Statutory Auditors, the Control, Risk and Sustainability Committee and the Board of Directors.
Risk Management
Corporate risk management is an essential component of the Internal Control System, and the Corporate Governance Code for Listed Companies assigns specific responsibilities in this respect. The Enterprise Risk Management (ERM) model of Iren Group defines the methodological approach for the integrated management of risks, which is broken down into the following phases:
Each process phase is performed in accordance with standards and references defined at Group level.
Risk governance is a strategic tool for sustainable development.
The Group’s Enterprise Risk Management model regulates the roles of the various parties involved in the risk management process, which is under the responsibility of the Board of Directors and envisages specific Committees that are responsible for the management of each type of risk.
The Enterprise Risk Management system focuses in particular on the management of:
- financial risks related to liquidity, interest rates, exchange rates and spreads;
- credit risks, related to events that may negatively affect the achievement of credit management objectives;
- IT risks (cyber risks), attributable to threats that undermine cyber security, in particular data integrity, confidentiality and availability;
- energy risks, attributable to the supply of gas for the thermoelectric generation and the commercialisation of electricity and gas, as well as the hedging derivatives markets;
- climate change risks, which include risks due to the transition to a low-carbon economy (transition risks) and physical risks that may arise from catastrophic environmental events (acute risks) or from medium- to long-term changes in environmental patterns (chronic risks);
- tax risks, which can be traced back to the risk of operating in violation of tax regulations or in contrast with the principles and purposes of the tax system;
- operational risks relating to asset ownership, the exercise of business activities, processes and procedures. Also included are the rules and regulatory risks, whose impact on the business is monitored on an ongoing basis;
- reputational risks related to the impacts of any malpractices on stakeholders.
Specific policies have been defined for each type of risk with the primary goal of meeting strategic guidelines, the organisational/managerial principles, the macro processes and techniques necessary for active management of the related risks.
The Group’s risk policies will be updated annually.
In 2020, Iren’s Board of Directors, which is responsible for approving substantial changes, approved the Cyber Risk Policy, the Climate Change Risk Policy and the Tax Control Model, while the other policies underwent some substantial revisions to adapt them to the current organisational models and the evolution of risk factors.
For each risk category conceived in the risk model – which in 2020 was the subject of a major revision project as part of the review of the Group risk map – environmental, social and governance (ESG) impacts are assessed, including those arising from the Covid-19 emergency, as shown in the map below.
The assessment of ESG impacts shows a correlation between the priority topics defined in the materiality analysis process and the risks/opportunities, also with specific reference to the provisions of Italian Legislative Decree 254/2016 (Art. 3, paragraph 1, point c).
All priority topics are linked to one or more risks identified in the enterprise risk management model, as shown in the table below.
Risk factors / Opportunities
- Failure to meet the targets set out in the Business Plan and consequent negative impacts (operational, economic and reputational)
- Reduction in value distributed to stakeholders
- Negative ratings or downgrading in ratings
- Ineffective performance communication
- Business opportunities related to energy and environmental transition and technological and digital evolution
- Access to sustainable finance instruments
Management methods
- Planning and monitoring of Business Plan targets and sustainable finance instruments
- ERM system (Financial Risk Policy, Credit Risk Policy)
- Structured financial management for return on investment
- Structured traditional investor relationship system and ESG
- Adoption of sustainable finance instruments
- Transparent performance communications
- Medium and/or long-term objectives for management
Risk factors / Opportunities
- Failure to meet the targets set out in the Business Plan and consequent negative impacts (operational, economic and reputational)
- Loss of growth opportunities in business sectors
- Commercial practices inconsistent with the existing legal/regulatory framework
- Business opportunities related to energy and environmental transition and technological and digital evolution
Management methods
- Planning and monitoring of Business Plan targets
- Code of Ethics
- ARERA Code of Business Conduct
- ERM System
Risk factors / Opportunities
- Failure to meet the targets set out in the Business Plan and consequent negative impacts (operational, economic and reputational) also on accessibility to sustainable finance instruments
- Delay in technological change
- Accelerating digital transformation
- Business opportunities related to energy and environmental transition and technological evolution
- Participation in local systems to build resilient cities
Management methods
- Planning and monitoring of Business Plan targets and sustainable finance instruments
- Group innovation plan and related investments
Risk factors / Opportunities
- Failure to meet the targets set out in the Business Plan and consequent negative impacts (operational, economic and reputational) also on accessibility to sustainable finance instruments
- Malfunctions or business interruption of plants, networks and services
- Damage to third parties (persons and/or property) attributable to activities carried out by the Group
- Accidental spills impacting on soil or water
- Cyber risk or inadequacy of the ICT system
- Non-compliance in the processing of personal data
- Legal proceedings brought by consumers
Management methods
- Planning and monitoring of Business Plan targets and sustainable finance instruments
- ERM system (Operational Risk Policy, Climate Change Risk Policy and Cyber Risk Policy)
- Service and plant monitoring tools, remotely controlled systems for the safety of networks and plants
- Business continuity plan
- Emergency management planning
- Annual customer satisfaction surveys and identification of improvement actions
- Insurance plans
- 27001 certification
- Personal data processing management system
Risk factors / Opportunities
- Failure to meet the targets set out in the Business Plan and consequent negative impacts (operational, economic and reputational) also on accessibility to sustainable finance instruments
- Impacts inconsistent with circular economy directives or negative environmental, health and safety impacts with consequent negative reputational and economic impacts
- Loss of environmental authorisations
- Incorrect handling of waste by employees or suppliers
- Favourable regulatory framework
- Growth opportunities in the domestic market
- Increased consumer awareness
Management methods
- Planning and monitoring of Business Plan targets and sustainable finance instruments
- ERM system (Operational Risk Policy and Climate Change Risk Policy)
- Certified Management System (risk assessment, containment measures and third-party audits)
- Adoption of best available technologies
- Organisational model 231
- Procedures: Environmental analysis, special waste management
- Environmental authorisations
- Requirements in the specifications regarding the tracing of waste and timely checks
- Qualification and monitoring of suppliers
- Audit of the most significant and potentially sensitive contracts concerning environmental protection
- Medium- and/or long-term objectives for management
Risk factors / Opportunities
- Failure to meet the targets set out in the Business Plan and consequent negative impacts (operational, economic and reputational) also on accessibility to sustainable finance instruments
- Impacts inconsistent with directives and guidelines on energy efficiency and production from renewable sources, resulting in negative economic and reputational impacts
- Shortage of water resources affecting hydropower generation
- Reduction in demand for district heating caused by the rise in average temperatures
- Extreme natural phenomena that may cause impacts on assets or the district heating network
- Changes in the legislative/regulatory framework regarding incentives for energy efficiency measures
- Growth opportunities in the energy efficiency sector
- Evaluation of possible external growth lines in the renewables sector
- Extendability of district heating systems in new geographical areas
Management methods
- Planning and monitoring of Business Plan targets and sustainable finance instruments
- ERM system (Operational Risk Policy and Climate Change Risk Policy)
- Certified Management System (risk assessment, containment measures and third-party audits)
- Procedures: Environmental analysis
- Temperature monitoring
- Adoption of state-of-the-art technologies
- Maintenance plans, including predictive plans
- Use of materials and components less subject to climate change
- Medium and/or long-term objectives for management
Risk factors / Opportunities
- Failure to meet the targets set out by the regulations and the Business Plan and consequent negative impacts (operational, economic and reputational) also on accessibility to sustainable finance instruments
- Negative impacts on environment, health and safety with consequent negative reputational and economic impacts
- Interruptions to the integrated water service
- Failure to meet regulatory water quality levels for distributed and discharged water
- Accidental spills impacting groundwater and surface water bodies
- Extreme or chronic natural phenomena that may cause impacts on assets or networks
- Shortage of water resources due to droughts and, in the longer term, climate change
- Access to reward systems linked to improved environmental performance
- Reduction of energy consumption related to the reduction of water resource leaks in the network
Management methods
- Planning and monitoring of Business Plan targets and sustainable finance instruments
- Investment plan for network replacement and division of the network into districts
- ERM system (Operational Risk Policy and Climate Change Risk Policy)
- Certified Management System (risk assessment, containment measures and third-party audits)
- Procedures: Environmental analysis, Management and control of water withdrawals and discharges, Management of accidental spills of hazardous and/or polluting substances
- Water resources monitoring plans with targets on water resource withdrawn
- Water conservation strategies
- Temperature monitoring
- Adoption of state-of-the-art technologies
- Maintenance plans, including predictive plans
- Medium- and/or long-term objectives for management
Risk factors / Opportunities
- Failure to meet the targets set out in the Business Plan and consequent negative impacts (operational, economic and reputational) also on accessibility to sustainable finance instruments
- Negative impacts on environment, health and safety with consequent negative reputational and economic impacts
- Unintentional exceeding of emission thresholds provided for by environmental authorisations or regulations
- Loss of environmental certifications
- Tightening of emission constraints and need for adaptation of processes/plants
- Errors/omissions in the design/permit/implementation activities with subsequent impairment of plant operating continuity
Management methods
- Planning and monitoring of Business Plan targets and sustainable finance instruments
- ERM system (Operational Risk Policy and Climate Change Risk Policy)
- Certified Management System (risk assessment, containment measures and third-party audits)
- Organisational model 231
- Procedures: Environmental analysis, Management of emissions from waste-to-energy plants and thermoelectric power stations, Management of emergencies aimed at returning within certain time-scales to the established emission thresholds, Management and maintenance of vehicle fleets
- Adoption of best available technologies
- Continuous emission monitoring systems and real-time connection with control bodies
- Periodic audits by control bodies
- Improvement plans and related investments
- Environmental authorisations
- Medium and/or long-term objectives for management
Risk factors / Opportunities
- Noise pollution related to the Group’s activities
- Odour emissions into the atmosphere
- Generation of electromagnetic fields
Management methods
- ERM system (Operational Risk Policy and Climate Change Risk Policy)
- Certified Management System (risk assessment, containment measures and third-party audits)
- Adoption of best available technologies
- Environmental authorisations
Risk factors / Opportunities
- Natural/accidental event affecting minimum vital water flow mechanisms according to regulations
- Possible gaps in monitoring the biodiversity impact of plants, activities or services
- Accidental spills impacting biodiversity
Management methods
- Business Plan
- ERM System
- Certified Management System (risk assessment, containment measures and third-party audits)
- Biodiversity policy
- Procedures: Environmental analysis
- Mapping of the Group’s plants and networks for biodiversity impacts assessment (to be completed)
- Plant equipment and monitoring systems to minimize possible impacts on biodiversity
- Contingency plans
- Collaboration with local protection agencies, institutions and associations
Risk factors / Opportunities
- Qualification in the Register of a supplier not complying with the Group’s quality/sustainability standards
- Occupational accidents and work-related illness of employees of third-party companies
- Non-compliance with health and safety regulations by suppliers, including in relation to pandemic events
- Violation of the Code of Ethics and current regulations by suppliers
- Supplier behaviours that disregard the values of diversity and inclusion
- Supplier behaviours that do not comply with the Group’s environmental regulations and policies
Management methods
- Code of Ethics
- Questionnaire for supplier qualification
- Score for qualification in the Supplier’s Register
- Monitoring of potentially sensitive contracts concerning environmental protection and health and safety at work
- Supply chain monitoring on workers’ rights
- Supply chain monitoring on human rights
- Contracts that enhance the work of disadvantaged personnel
- Contractual clauses with suppliers on Code of Ethics and social criteria
Risk factors / Opportunities
- Loss of customers
- Errors in service charges and credit management
- Reduction in customer satisfaction levels
- Delays/defaults by suppliers in the execution of outsourced activities
- Non-compliance with customer protection protocols and regulations
- Failure or improper management of customer relations
- Disputes with customers, Consumer Associations/Class action suits
- Loss of ISO 9001 certification and the subsequent inability to participate in tenders
- Market share development
Management methods
- Business Plan and related investments for service quality
- Code of Ethics
- Certified Management System (risk assessment, containment measures and third-party audits)
- ERM System
- Multi-channel CRM and caring initiatives
- Specific agreements with consumer organisations and constant monitoring of relations
- Protocols and regulations concerning customer protection via specific processes and procedures
- Annual customer satisfaction surveys and identification of improvement actions
- Monitoring activities and definition of corrective actions in case of claims/complaints
- Service charters and service specifications
- Joint conciliation
- Medium and/or long-term objectives for management
Risk factors / Opportunities
- Failure to meet Business Plan targets
- Loss of key skills
- Loss of talent
- Slowdown/interruption of operations and/or impairment of service quality level due to lack of personnel
- Outsourcing policies not adequately managed
- Labour disputes
- Sanctions and fines for non-compliance with labour laws
- Lack of attention to employees’ well-being
- Poor work-life balance
- Improving the internal climate
- Favourable legislative framework for better corporate welfare
Management methods
- Planning and monitoring of Business Plan targets
- Code of Ethics
- Certified Management System (risk assessment, containment measures and third-party audits)
- Talent acquisition initiatives
- Compensation & benefits policies
- Corporate retention and welfare programmes
- Monitoring of labour law developments and specific audits on regulatory compliance
- Procedures: Personnel recruitment and selection; Training and education
- Guidelines: Definition of key resources; Management by objectives; Economic and professional development
- Internal communication
- Career planning and merit enhancement systems
- Welfare plan
- Medium and/or long-term objectives for management
Risk factors / Opportunities
- Disruption of relations with trade unions and the subsequent negative operational and reputational impact
- Slowdown/interruption of operations due to workers’ strikes (e.g. on the occasion of renewal of the collective agreement, business transformation, organizational changes, etc.)
Management methods
- Management of industrial relations articulated on 3 levels: Group, Company, local areas
- Studies for the renewal of the reference National Collective Labour Agreements and participation in their work at national level
Risk factors / Opportunities
- Occupational accidents and work-related illness of employees
- Epidemic events affecting workers’ health
- Civil and/or criminal liability of persons covered by Italian Legislative Decree 81/08
- Loss of ISO 18001 certification and the subsequent loss of the INAIL award
- Non-compliance with health and safety standards
- Negative operational, economic and reputational impact related to the failure to protect the health and safety of workers
- Technological innovations that make operations safer
Management methods
- Planning and monitoring of Business Plan targets
- Code of Ethics
- Prevention and protection service
- Specific personnel training
- ERM system
- Certified Management System (risk assessment, containment measures and third-party audits)
- Procedures: Management of occupational health and safety aspects; PPE management; Management of accidents and injuries; Protection of the health and safety of pregnant workers, those who have recently given birth and those who are breastfeeding
- Emergency management planning
- Health monitoring plans
- Insurance plans
- Organisational model 231 and information flows to the Health and Safety Supervisory Bodies
- “Near miss” analysis and subsequent actions
- Medium and/or long-term objectives for management
Risk factors / Opportunities
- Failure to meet Business Plan targets
- Collective/individual policies/behaviours that disregard the values of diversity and inclusion
- Advertising content perceived as discriminatory
Management methods
- Planning and monitoring of Business Plan targets
- Code of Ethics
- Diversity management programmes and initiatives
- “Futuro D” Project
- Hiring of disadvantaged personnel
- Medium and/or long-term objectives for management
Risk factors / Opportunities
- Violation of conduct criteria of the Code of Ethics and current regulations by employees
- Discriminatory actions against customers and employees
- Violation of the rights of people with disabilities
- Violation of the rights of employees and contractors in the supply chain
- Negative operational, economic and reputational impacts of human rights violations
Management methods
- Code of Ethics
- System for reporting to the Supervisory Bodies
- National Collective Labour Agreements
- Service charters
- Removal of architectural barriers in Group buildings
- Accessibility of services for people with disabilities
Risk factors / Opportunities
- Disruption of relations with Public Authorities with subsequent negative reputational impact
- Ineffective communication with institutions
- Disputes with Public Authorities
- Commission of offences against the Public Administration
Management methods
- Code of Ethics
- Organisational model 231
- Organisational and managerial oversight
- Local Committees
Risk factors / Opportunities
- Disruption of relations with the representative subjects of the local areas with subsequent negative reputational impact
- Negative perception by the community related to the presence of Group’s plants or managed activities
- Lack of perception of the Group’s investments for the development/modernisation of regional infrastructures
- Next Generation EU investment plan
- Policy and legislative framework increasingly oriented towards sustainable development
- Participation in national and international networks for sustainable development
Management methods
- Business Plan and related investments for regional infrastructures
- Structured communication plans on strategies, objectives, plants and services
- Local Committees
- EduIren educational programme
- Sustainability awareness programmes
- Monitoring activities and definition of corrective actions in case of claims/complaints
- Procedures: Sponsorship management, Media Relations management
- Plants open to visitors
Risk factors / Opportunities
- Commission of offences related to Italian Legislative Decree 231/2001
- Non-compliance with tax regulations
- Company’s administrative responsibility for violation of rules and regulations
- Criminal liability of management for violation of regulations
- Violation of the Code of Ethics conduct criteria
- Negative operational, economic and reputational impact deriving from conduct contrary to company ethics, rules and regulations
Management methods
- ERM system (Tax Risk Policy/Tax Control Model)
- Organisational model 231
- Code of Ethics
- Internal Audit Plan
- Supervisory Bodies
- Employee training on Model 231 and Code of Ethics
- Procedures: Whistleblowing
- Sanctioning system
Risk factors / Opportunities
- Ineffective communication with local communities and institutions resulting in negative reputational impact
- Infringement of confidentiality or abuse of privileged information
- Errors/omissions in the contents of a product/service communication campaign
- Ineffective communication towards employees
- Violation of the Code of Ethics conduct criteria
- Brand promotion
Management methods
- Structured communication plans on strategies, objectives, plants and services
- Code of Ethics
- Employee training on Code of Ethics
- Procedures: Management of Media Relations, Whistleblowing, Internal dealing, Management of relevant and privileged information, Internal management and external communication of relevant information and/or privileged information
- Sanctioning system
The Group Risk Management Department, which reports to the Deputy Chairperson, is responsible, among other things, for the audit of the ERM integrated management system of the Group, in terms of methodological approach, definition of policies and monitoring of the system and, in collaboration with the Chief Executive Officer, for taking out and managing insurance policies with the support of the Procurement, Logistics and Services and Legal Affairs Departments. A periodic assessment process is also in place with regard to adverse events in the various sectors and across all Group’s operational areas in order to describe in detail their causes and implement the most suitable methods for preventing and/or limiting the impacts of the events.