The Enterprise Risk Management model used by the Iren Group sets out the methodological approach for the identification, assessment and integrated management of Group risk and is divided into the following phases:
With specific reference to risk areas, the Enterprise Risk Management model is one of the main elements of the Internal Control and Risk Management System (ICRMS). The ICRMS, ultimately reporting to the Board of Directors (BoD), guides activity and assesses adequacy, involving the following parties, amongst others, each with their own duties:
- one or more ICRMS Directors, whose role includes establishing and maintaining an effective internal control and risk management system;
- the Control, Risk and Sustainability Committee (CRSC), with the general purpose of supporting the Board of Directors' assessments and decisions regarding the internal control and risk management system as well as decisions regarding approval of the periodic financial reports, via suitable analyses.
For further details, please consult the Corporate Governance section.
The ICRMS has three levels of controls:
- third-level controls performed by bodies within the company, i.e. the Internal Audit department, or external bodies, i.e. the Board of Statutory Auditors, the Independent Auditors and the Oversight Committee pursuant to Italian Legislative Decree 231/2001;
- second-level controls, assigned to specialised systems involving the Risk Management function, the Compliance department, the Financial Reporting Manager, the Data Protection Officer and the Management Controls function;
- first-line controls, assigned to the individual organisational structures or Group Companies, performed for respective processes; the responsibility for these controls is assigned to the Operational Management/Risk Owner and forms an integral part of every corporate process.
More specifically, the Risk Management department is responsible for the integrated management and monitoring of the ERM System through definition of the Risk Map, verification of correct application of the Risk Policy, definition of the Risk Analysis of the Business Plan and initiatives/projects of strategic significance, performance of Risk Reporting and management of insurance programmes and claims with/without liability.
The Iren Group's ICRMS is based on the Borsa Italiana Corporate Governance Code.
The Risk Management System defines specific Commissions for managing each type of risk for which a specific "Risk Policy" has been defined, with the primary aim of setting out the strategic guidelines, organisational/management principles, macro processes and techniques required for actively managing relevant risks.
The policies applied within the Iren Group are:
- Enterprise Risk Management Policy: governs the approval process for the Risk Policy and the Risk Map, monitors and assesses the risk-management system, and defines the management model;
- Financial Risk Policy: governs the process for managing financial risks linked to interest rates, exchange rates and spreads;
- Credit Risk Policy: governs the process for managing credit risk linked to events that may negatively impact the achievement of credit-management targets;
- Energy Risk Policy: governs the process for managing energy risks associated with energy and/or financial markets, such as market variables or pricing options;
- Operational Risk Policy: governs the process for managing operational and reputational risk, i.e. risk factors associated with asset ownership, involvement in business activities, processes, procedures and information flows and the corporate image;
- Cyber Risk Policy: governs the process for managing IT risks attributable to threats that undermine information security, particularly regarding completeness, confidentiality and availability of data;
- Climate Change Risk Policy: governs the process for managing climate change risks, linked to acute and chronic physical risks and transition risks;
- Tax Risk Policy / Tax Control Model: governs the process for managing tax risks, linked to the risk of operating in violation of tax laws or in contrast with the principles and purposes of the tax system.
The role of the Risk Management department
The Risk Management department coordinates Risk Commissions (quarterly):
- Financial Risk: analyses and monitors the financial-risk position (proposes updates);
- Credit Risk: reviews the credit-risk status and adopts management decisions proposed by Risk Owners, proposing targeted action plans;
- Energy Risk: reviews the energy-risk status and adopts management decisions proposed by the Risk Owners and proposes updates to the Policy;
- Cyber Risk: analyses and monitors the Group Cyber Risk position and the suitable technical and organisational actions to be adopted;
- Climate Risk: analyses the Group's position with regard to Climate Change Risk and decides on the actions to mitigate the risk;
- Tax Risk: analyses and monitors the Group's position with regard to Tax Risk and the actions to mitigate the risks.
Management supports the CRSC in half-yearly evaluation of the suitability of the Internal Control and Risk Management System (ICRMS) as applicable for its role, as well as performing specific risk assessments for strategic projects (M&A, industrial, etc.) and the Business Plan.
For more information on the Business Plan, please consult Risk profile.
In addition, the Chief Risk Officer is on the Related-Party Transactions Assessment Board, supporting the Related-Party Transactions Committee (RPTC).
Below is the current Iren Group Risk Model:
For more information on risks and uncertainties affecting the Iren Group, please consult the Consolidated Financial Statements.
For more information on centralised monitoring of particular risk categories and operation of the Internal Control and Risk Management System, please consult the Report on Corporate Governance and Ownership Structures.
Details of the active management methods within the Group are provided below for the different types of risk.
The Iren Group’s business is exposed to various types of financial risks, including: liquidity risk, exchange rate risk and interest rate risk. As part of its Risk Management activities, the Group uses non‐speculative hedging contracts to limit exchange rate risk and interest rate risk.
a) Liquidity risk
Liquidity risk is the risk that financial resources available to the company will be insufficient to cover financial and trade commitments in accordance with the agreed terms and deadlines.
The procurement of financial resources has been centralised in order to optimise their use.
In particular, centralised management of cash flows in Iren makes it possible to allocate the funds available at the Group level according to the needs that from time to time arise among the individual Companies.
Cash movements are recognised in intra‐group accounts along with intra‐group interest income and expense. A number of investees have an independent financial management structure in compliance with the guidelines provided by the Parent Company.
b) Exchange rate risk
Except as indicated in the section on energy risk, the Iren Group is not significantly exposed to exchange rate risk.
c) Interest rate risk
The Iren Group is exposed to interest rate fluctuations especially with regard to the measurement of financial expenses related to indebtedness. The Iren Group’s strategy is to limit exposure to the risk of interest rate volatility, maintaining at the same time a low cost of funding.
Compliance with the limits imposed by the Policy is verified during the Financial Risk Commission meetings with regard to the main metrics, together with analysis of the market situation, interest rate trends, the value of hedges and confirmation that the conditions established in covenants have been met.
The Group’s credit risk is mainly related to trade receivables deriving from the sale of electricity, district heating, gas and the provision of energy, water and environmental services.
The receivables are spread across a large number of counterparties, belonging to non‐uniform customer categories (retail and business customers and public bodies); some exposures are of a high amount and are constantly monitored and, if necessary, covered by repayment plans.
The Iren Group’s Credit Management units devoted to credit recovery are responsible for this activity. In carrying on its business, the Group is exposed to the risk that the receivables may not be honoured on maturity with a consequent increase in their age and in insolvency up to an increase in receivables subject to arrangement procedures or unenforceable.
This risk reflects, among other factors, also the current economic and financial situation.
To limit exposure to credit risk, a number of tools have been activated. These include analysing the solvency of customers at the acquisition stage through careful assessment of their creditworthiness, transferring the receivables of discontinued and/or active customers to external credit recovery companies and introducing new recovery methods for managing legal disputes. In addition, methods of payment through digital channels are offered to Customers.
The receivable management policy and creditworthiness assessment tools, as well as monitoring and recovery activities differ in relation to the various categories of customers and types of service provided. Credit risk is hedged, for some types of business customers, with opportune forms of first‐demand bank or insurance guarantees issued by subjects of leading credit standing and with credit insurance for the reseller customer segment.
An interest‐bearing guarantee deposit is required for some types of services (water, natural gas, highly‐protected electricity sectors) in compliance with regulations governing these activities.
This deposit is reimbursed if the customer uses payment by direct debit from a current account.
The payment terms generally applied to customers are related to the legislation or regulations in force or in line with the standards of the free market; in the event of non‐payment, default interest is charged for the amount indicated in the contracts or by the legislation. Provisions set aside for impairment of receivables reflect, carefully and in accordance with the current legislation (applying the IFRS 9 method), the effective credit risks, and are determined on the basis of the extraction from databases of the amounts making up the receivable and, in general, assessing any changes in the said risk compared to the initial measurement and, in particular for trade receivables, estimating the related expected losses determined on a prospective basis, taking into due consideration the historical series.
As mentioned, with regard to the Covid‐19 emergency context, and with specific reference to the possible liquidity difficulties of the customer portfolio linked to the measures to combat the pandemic and the regulatory and corporate measures to mitigate the economic and social impact of the crisis, the Group increased the provision for bad and doubtful debts by € 25 million due to the assessment of expected losses, particularly in the electricity and gas sales and integrated water service sectors. The control of credit risks is also strengthened by the monitoring and reporting procedures, in order to identify promptly possible countermeasures. In addition, on a quarterly basis, the Risk Management Department collects and integrates the main data regarding the evolution of the Group companies’ trade receivables, in terms of type of customers, status of the contract, business chain and ageing band. Credit risk is assessed both at the consolidated and at the Business Unit and company levels.
Some of the above assessments are carried out at intervals of less than three months or when there is a specific need.
The Iren Group is exposed to price risk on the energy commodities traded, these being electricity, natural gas, environmental emission certificates, etc., as both purchases and sales are impacted by fluctuations in the price of such commodities directly, or through indexing formulae. Exposure to foreign exchange rate risk, characteristic of oil‐based commodities, exists, but is attenuated thanks to the development of the European organised markets that trade the gas commodity in Euro and no longer indexed to oil products.
The Group’s policy is oriented to a strategy of active management of the positions to stabilise the margin taking the opportunities offered by the markets; it is implemented by aligning the indexing of commodities purchased and sold, through vertical and horizontal use of the various business chains, and operating on the financial markets.
For this purpose, the Group carries out planning of the production of its plants and purchases and energy and natural gas sales, in relation to both volumes and price formulae. The objective is to obtain sufficient stability in the margins through:
- for the electricity supply chain, the opportune balancing of internal production and energy from the futures market with respect to the demand coming from the Group’s customers, with adequate recourse to the spot market;
- for the natural gas supply chain the priority of alignment of the indexing of the commodity in purchase and sale.
For a more detailed analysis of the risks dealt with up to now, reference should be made to the paragraph “Group Financial Risks Management” in the Notes to the Consolidated Financial Statements.
CLIMATE CHANGE RISKS
During the year, Iren Group included in its Enterprise Risk Management system a Policy dedicated to climate change risks, which are becoming increasingly important for organisations. Moreover, they affect the health of the planet, with estimates of significant effects already in the medium term.
All companies, and in particular those operating in significantly exposed sectors such as Iren Group, must consider the analysis of climate change risks as an emerging and determining factor in the definition of their medium and long‐term strategies.
The adoption of the Climate Change Risk Policy and the resulting risk analysis and management represent the preliminary steps in a process that will enable the Group to provide even more effective control over its exposure to damaging events and the opportunities that the external context and its changes may offer, as well as its contribution to the achievement of sustainable development objectives defined at national and international level.
The document was written with the extensive involvement of the corporate functions involved in managing these risks, with which a Climate Change Risk Assessment was carried out, based on which the Policy was subsequently drafted. The Policy analyses and regulates, focusing on the applicability to the individual Business Units, the risk factors related to climate change, distinguishing between physical risks and transition risks.
Physical risks resulting from changing climatic conditions are divided into acute physical risks ‐ if related to local catastrophic natural events (e.g. floods, heat waves, fires, etc.) ‐ and chronic physical risks ‐ if related to long‐term climate change (e.g. global warming, rising sea levels, water scarcity, etc.).
The transition to a low‐carbon economy could entail extensive changes in government policies, with consequent regulatory, technological and market changes. Depending on the nature and speed of these changes, transition risks may result in a varying level of financial and reputational risk for the Group. The Policy requires the presence of a Risk Commission to periodically review the Group's risk profile, defining and proposing updates to the Chief Executive Officer on strategies for managing risk classes and reporting any emerging critical issues to the Executive Bodies. The document also includes guidelines for reporting, aimed at ensuring transparency of information to all stakeholders.
Iren Group has adopted a specific internal control and tax risk management system, understood as the risk of operating in violation of tax regulations or in contrast with the principles or aims of the legal system.
The tax risk control and management system, the "Tax Control Framework" (hereinafter "TCF"), enables the Group to pursue the objective of minimising its exposure to tax risk by identifying, updating, assessing and monitoring tax‐related governance, processes, risks and controls. The Group is committed to managing its tax affairs in accordance with all applicable laws and regulations.
For this reason, Iren has adopted the TCF as an internal control system that defines the governance for the management of taxation and related risk in line with the principles of the company strategy and, in particular, the Tax Strategy.
The Tax Control Framework adopted consists of a set of rules, guidelines, tools and models aimed at supporting the Group's employees in carrying out their daily activities, ensuring consistency on relevant tax matters. Therefore, the TCF’s structure provides for the presence of two pillars that outline its operating scheme: the Tax Strategy and the Tax Compliance Model.
The Tax Strategy defines the objectives and the approach adopted by the Group in managing the tax variable. The purpose of this document is to establish the Principles of conduct in tax matters in order to i) contain tax risk due to exogenous and endogenous factors, and ii) continue to guarantee over time the correct and timely determination and settlement of taxes due by law, and the performance of related obligations. The Tax Strategy has been approved and issued by the Board of Directors of Iren S.p.A.
The Tax Compliance Model is an element of the Internal Control and Risk Management System. This document contains the detailed description of the phases comprising the risk assessment, control and periodic monitoring processes carried out by Iren, and the subsequent reporting on tax issues to the Chief Executive Officer and the other relevant bodies and functions. It also aims to summarize the main responsibilities assigned to the various functions involved in tax‐relevant processes. The Tax Compliance Model is prepared by the Tax and Compliance Function and is ultimately approved by the Board of Directors of Iren S.p.A.
The project to create a TCF aligned with the best practices in the field was concluded in 2020 with the submission of the application for access to the institution of Cooperative Compliance, a scheme between the Revenue Agency and large companies, introduced by Legislative Decree No. 128 of 5 August 2015 in order to promote the implementation of enhanced forms of communication and cooperation based on horities and taxpayers, and to encourage, in the common interest, the prevention and resolution of tax disputes.
This category includes all the risks which, in addition to those already noted in the previous paragraphs, may influence achievement of the targets, i.e. relating to the effectiveness and efficiency of business transactions, levels of performance, profitability and protection of the resources against losses.
The Group’s Enterprise Risk Management model has as its objective the integrated and synergistic management of risks. The process of managing the Group’s risks entails that, for each business line and operating area, the activities performed are analysed and the main risk factors connected with achievement of the objectives are identified.
Following the identification activity, the risks are assessed qualitatively and quantitatively (in terms of magnitude and probability of occurrence), thus making it possible to identify the most significant risks. The analysis also involves an assessment of the current and prospective level of control of the risk, monitored by means of specific key risk indicators. The above stages make it possible to structure specific treatment plans for each risk factor.
Throughout all the management phases, each risk is subjected on a continuous basis to a process of control and monitoring, which checks whether the treatment activities approved and planned have been correctly and effectively implemented, and whether any new operational risks have arisen.
The process of managing operational risks is associated with a comprehensive and structured reporting system for presenting the results of the risk measurement and management activity.
Each process stage is performed in accordance with standards and references defined at Group level. The Group’s risk position is updated at least quarterly, indicating the extent and level of control of all risks monitored, including financial, IT, credit and energy risks. The risk reporting is sent to the top management and to the risk owners, who are involved in the management activity.
The risk analysis also supports the preparation of planning tools. In 2020, a project was carried out to revise the Group Risk Map, which, through interviews with the Risk Owners of Iren S.p.A. and the Group companies, and the subsequent sharing and fine‐tuning of the results, led to the construction of a very detailed risk map that corresponds to the reality of the Group, with qualitative and quantitative assessments of each individual risk and with details of controls and mitigation actions existing or planned.
The identified risks have been associated with the ESG (Environmental, Social and Governance) category to which they belong. It is noted that for each risk it was verified whether and how it had been impacted by Covid‐19.
Of particular note are:
a. Legal and regulatory risks
The legislative and regulatory framework is subject to possible future changes, and therefore is a potential risk. In this regard, departments reporting directly to the Chief Executive Officer are dedicated to continual monitoring of the relevant legislation and regulations in order to assess their implications, guaranteeing their correct application in the Group.
b. Plant‐related risks
As regards the amount of the Group’s production assets, plant‐related risks are managed with the approach described above in order to correctly allocate resources in terms of control and preventive measures (preventive/predictive maintenance, control and supervisory systems, emergency and continuity plans, etc.).
For the most important plants the Risk Management Department periodically conducts surveys, from which it can accurately detail the events to which such plants could be exposed and consequent preventive action. The risk is also hedged by insurance policies designed considering the situation of the single plants.
c. IT risks
IT Risks (Cyber Risks) are defined as the set of internal and external threats which can compromise business continuity or cause civil liability damage to third parties in the event of loss or disclosure of sensitive data.
From an internal point of view, the operational risks regarding information technology are closely related to the business of the Iren Group, which operates network infrastructures and plants, including through remote control, accounting operational management and invoicing systems and energy commodity trading platforms.
The Iren Group is, in fact, one of the leading Italian operators on the Power Exchange and any accidental unavailability of the system could have considerable economic consequences, connected with the non‐submission of energy sale or purchase offers. At the same time, problems related to supervision and data acquisition on physical systems could cause plant shutdowns and collateral and even serious damage. A breakdown of invoicing systems could also determine delays in issuing bills and the related collections, as well as damage to reputation.
To mitigate such risks, specific measures have been adopted, such as redundancies, highly‐reliable systems and appropriate emergency procedures, which are periodically subject to simulations, to ensure their effectiveness.
The Iren Group is also exposed to the risk of cyber attacks aimed both at acquiring sensitive data and at stopping operations, causing damage to plants and networks and compromising service continuity. Market benchmarks also show that attacks aimed at acquiring companies’ and third‐party data are increasingly frequent, with consequent civil liability and sanctions, including serious ones, and at acquiring industrial secrets.
The perimeter security technologies have been updated.
The data network has been further segregated according to the functional use; in addition a vulnerability management system has been introduced, and extended also to suppliers that process sensitive corporate data for various reasons.
The support of an external Security Operation Centre (SOC) has been launched for 24h monitoring, with the use of Iren security platforms. Policies have been adopted to strengthen system access passwords, increase workstation security with the introduction of systems featuring behavioural analysis capabilities and automated and remote response execution.
A Cyber Threat Intelligence (CTI) platform has also been introduced in order to capture evidence of attackers and threats potentially impacting corporate assets. On 23 January 2020, the Board of Directors of Iren S.p.A. approved the Cyber Risk Policy, which – similar to the other main risk Policies – provides for the convocation of specific Risk Commissions, the monitoring of performance indicators and dedicated reporting.
The operational risk management process also aims at optimising the Group’s insurance programmes.
The Iren Group has adopted a Business Plan with a time horizon at 2025 which defines its strategic orientations and the related industrial objectives from which the economic and financial figures of reference derive.
The said objectives refer to:
a) making the Group’s organisation and processes more efficient;
b) development (investments in regulated and quasi‐regulated sectors, increase of customer base, energy efficiency);
c) consolidation of regulated sectors (renewal of concessions: gas distribution, integrated water cycle and environment sector);
d) external growth;
e) energy scenario;
f) sustainability and ESG (Environment, Social, Governance) targets.
In application of the Group’s policies, the Plan was subject to a risk assessment carried out by the Risk Management Department and to the related stress tests, which showed substantial resilience including when facing adverse events characterised by specific sensitivities.
On the basis of the aforementioned project to revise the Risk Map, a specific Risk Map relating to the risks of the Industrial Plan was prepared in parallel with the risk assessment, with the same time horizon. The development of this Risk Map, together with the construction of quantitative stresses, constitutes an important point of integration with the Strategic Planning function.
In addition to the risk analysis associated with the Plan, the Risk Management Department contributes risk assessments specific to merger & acquisition transactions and the main strategic plans concerning Iren Group.