The Enterprise Risk Management Model

The Enterprise Risk Management (ERM) model, operating within the Iren Group, contains the methodological approach to integrated risk management and consists of the following phases: identification, assessment, treatment, control, and reporting.


The ERM model constitutes one of the main elements of the Internal Control and Risk Management System (ICRMS), which ultimately reports to the Board of Directors (BoD) with the role of guiding and assessing adequacy.


The ICRMS also involves other offices, each with their own responsibilities, and is carried out through three levels of control. For further discussion, please refer to the dedicated section.

A methodological approach to identifying, assessing, and managing risks

The activities

The Enterprise Risk Management model provides specific committees to manage the types of risks, with the primary objective of making explicit the strategic guidelines, organisational-management principles and techniques necessary for the active management of the relevant risks. A specific Risk Policy has been defined for each of the risk types:
  • Enterprise Risk Management Policy: regulates the approval process of Risk Policy and Risk Map, monitoring and evaluation of the risk management system, defines the management model;
  • Financial Risk Policy: regulates the process of managing financial risks related to interest rates, exchange rates, spreads;
  • Credit Risk Policy: regulates the process of managing credit risks, related to events that may negatively affect the achievement of credit management objectives;


  • Energy Risk Policy: regulates the process of managing energy risks, associated with energy and/or financial markets, such as market variables or pricing options;
  • Operational Risk Policy: regulates the process of managing operational and reputation risks, i.e. risk factors associated with asset ownership, involvement in business activities, processes, procedures and information flows, the corporate image;
  • Cyber Risk Policy: regulates the process of managing IT risks, attributable to threats that undermine cyber security, in particular data integrity, confidentiality and availability;


  • Climate Change Risk Policy: regulates the process of managing risks from climate change, attributable to acute and chronic physical risks and transition risks;
  • Tax Risk Policy / Tax Control Model: regulates the process of managing tax risks, which can be traced back to the risk of operating in violation of tax regulations or in contrast with the principles and purposes of the tax system.


The Risk Management Department is engaged in the integrated management and monitoring of the ERM model and, among other activities, deals with:


  • the development of the Risk Map;


  • the monitoring of the proper application of the Risk Policies;


  • the development of the Risk Analysis of the Business Plan;


  • the preparation of Risk Reporting;


  • the management of insurance programs and active and passive claims.

The role of the Risk Management department

The Risk Management Department is responsible for verifying the integrated management of the Group's Enterprise Risk Management System by developing the Risk Map and monitoring the correct application of the various Risk Policies listed above. It also carries out the Risk Analysis of the Business Plan, prepares Risk Reporting, and coordinates the various Risk Commissions:


  • Financial Risk: analyses and monitors the Group's financial risk position and related risk limits;


  • Credit Risk: examines the status of credit risk, makes decisions on management methods advanced by Risk Owners, and proposes targeted intervention plans;


  • Energy Risk: reviews the status of Energy risks and makes management decisions advanced by Risk Owners, proposes Policy updates;


  • Cyber Risk: analyses and monitors the Group's Cyber risk position, with appropriate technical and organisational actions to be implemented;


  • Climate Risk: examines the status of the Group's Climate Change risks and makes decisions on how to manage them;


  • Tax Risk: analyses and monitors the Group's tax risks and the related controls put in place to mitigate them, providing any proposals to supplement the risk monitoring plan.


The Risk Management Department supports the Control Risk and Sustainability Committee (CRSC) in its semi-annual assessment of the adequacy of the ICRMS and conducts specific Risk Assessments related to strategic M&A or Industrial projects and the Business Plan. 


The Chief Risk Officer serves on the Related Party Transactions Evaluation Committee, supporting the Related Party Transactions Committee (RPTC).

Risk model

Risk Assessment is an integral part of the entire Risk Management System and consists of identifying and measuring the risks to which the organisation is exposed. Risks arise from events and variables that can adversely affect planned outcomes; they must therefore be monitored. A model capable of understanding the typical risks of the company and its environment is used to identify and classify the various types of risk.


Below is the Iren Group's Risk Model that examines external and internal factors by highlighting ESG (Environmental, Social and Governance) impacts, related to individual risk categories.


For each of the different types of risk shown in the table, it is possible to know the details of the active management methods within the Group.

As part of its Risk Management activities, the Group uses non-speculative hedging contracts to limit exchange rate risk and interest rate risk. The Iren Group’s business is exposed to various types of financial risks: 


  • Liquidity risk - is the risk that financial resources available to the company will be insufficient to cover financial and trade commitments in accordance with the agreed terms and deadlines. The procurement of financial resources has been centralised in order to optimise their use. In particular, centralised management of cash flows in Iren makes it possible to allocate the funds available at the Group level according to the needs that from time to time arise among the individual Companies.
  • Foreign exchange risk - except as indicated in the section on energy risk, the Iren Group is not significantly exposed to foreign exchange risk.


  • Interest rate risk - the Iren Group is exposed to interest rate fluctuations especially with regard to the measurement of borrowing costs. The Iren Group’s strategy is to limit exposure to the risk of interest rate volatility, maintaining at the same time a low cost of funding.


Compliance with the limits imposed by the Policy is verified during the Financial Risk Commission meetings with regard to the main metrics, together with analysis of the market situation, interest rate trends, the value of hedges and confirmation that the conditions established in covenants have been met.

The Group’s credit risk is mainly related to trade receivables deriving from the sale of electricity, district heating, gas and the provision of energy, water and waste management services. Receivables are spread over a large number of counterparties belonging to heterogeneous customer categories (retail, business, government agencies). Some exposures are large in amount and are constantly monitored and made the subject of repayment plans. Iren Group’s Credit Management units devoted to credit recovery are responsible for this activity.


In carrying on its business, the Group is exposed to the risk that assets may not be honoured on maturity, with a consequent increase in their age and in insolvency, up to an increase in assets that are subject to arrangement procedures or are unenforceable. Among other factors, this risk is also affected by the economic and financial situation, which in 2022 led to a particularly significant increase in prices for end customers of gas, electricity and district heating.


To limit exposure to credit risk, a number of tools have been activated. These include analysing the solvency of customers at the acquisition stage through careful assessment of their creditworthiness, transferring the receivables of discontinued and/or active customers to external credit recovery companies and introducing new recovery methods for managing legal disputes. In addition, numerous payment methods are offered to customers through channels, including digital channels, and appropriately monitored payment plans are proposed.


The credit management policy and creditworthiness assessment tools, as well as monitoring and recovery activities, are managed through automated processes and integrated with company applications and differ in relation to the various categories of customers and types of service provided.


Credit risk is hedged, for some types of business customers, with appropriate forms of first-demand bank or insurance guarantees issued by parties of leading credit standing and with credit insurance for the reseller customer segment.


An interest-bearing guarantee deposit is required for some types of services (water, natural gas, highly-protected electricity sectors) in compliance with regulations governing these activities. This deposit is reimbursed if the customer uses payment by direct debit from a current account. The payment terms generally applied to customers are related to the legislation or regulations in force or in line with the standards of the free market; in the event of non-payment, default interest is charged for the amount indicated in the contracts or by the legislation.


The impairment loss allowances reflect, carefully and in accordance with the current legislation (applying the IFRS 9 method), the effective credit risks. They are determined on the basis of the extraction from databases of the amounts making up the receivable and, in general, by assessing any changes in the said risk compared to the initial measurement and, in particular for trade receivables, by estimating the related expected losses on a prospective basis, taking into due consideration the historical data.


The control of credit risks is strengthened by the monitoring and reporting procedures, in order to identify promptly possible countermeasures.


On a quarterly basis, the Risk Management Department collects and integrates the main data regarding the evolution of the Group companies’ trade receivables, in terms of type of customers, status of the contract, business chain and aging band. The assessment of credit risk is carried out both at the consolidated level and at the level of Business Units and companies. Some of the above assessments are carried out at intervals of less than three months or when there is a specific need.

Iren Group is exposed to price risk on the energy commodities traded (electricity, natural gas, environmental emission certificates, etc.), as both purchases and sales are impacted by fluctuations in the price of such commodities directly, or through indexing formulae.


Currently no exposure to exchange rate risk, typical of oil-based commodities, is present, thanks to the development of the European organised markets that trade the gas commodity in the euro currency and no longer indexed to oil products.


The Group’s policy is geared toward an active position management strategy to stabilise the margin by seizing opportunities in the markets. It is achieved both through the alignment of commodity indexing in buying and selling, vertical and horizontal exploitation of various business chains, and by operating in financial markets.


For this purpose, the Group plans the production of its plants and purchases and sales of energy and natural gas, in relation to both volumes and price formulae. The objective is to achieve sufficient margin stability through a policy of indexed purchases and sales that achieves a high degree of natural hedging, with adequate recourse to futures and spot markets.

Iren Group has included in the Enterprise Risk Management system a Policy dedicated to climate change risks for the definition of its medium and long-term strategies.


The adoption of the Climate Change Risk Policy and the resulting risk analysis and management represent the preliminary steps in a process that will enable the Group to provide even more effective control over its exposure to damaging events and the opportunities that the external context and its changes may offer, as well as its contribution to the achievement of sustainable development objectives defined at national and international level. The Policy analyses and regulates, focusing on the applicability to the individual Business Units, the risk factors related to climate change, distinguishing between physical risks and transition risks.


Physical risks resulting from changing climatic conditions are divided into acute physical risks - if related to local catastrophic natural events (e.g. floods, heat waves, fires, etc.) - and chronic physical risks - if related to long-term climate change (e.g. global warming, rising sea levels, water scarcity, etc.). The transition to a low-carbon economy could entail extensive changes in government policies, with consequent regulatory, technological and market changes. Depending on the nature and speed of these changes, transition risks may result in a varying level of financial and reputational risk for the Group.


The Policy requires the presence of a Risk Commission to periodically review the Group’s risk profile, defining and proposing updates to the Chief Executive Officer on strategies for managing risk classes and reporting any emerging critical issues to the Executive Bodies. 


As part of the Climate Change Risk Policy, in 2021, Iren Group began implementing a tool that supports strategic decision-making. This tool has seen the development of a model based on three time horizons (2030, 2040 and 2050), identified in line with the objectives of the Group’s Strategic Plan and Sustainability Plan, and on the use of scenarios for the development of the main quantities underlying the analysis.


Climate data are based on scenarios published by the International Panel on Climate Change (IPCC), the so-called Representative Concentration Pathways (RCPs) where the number associated to each RCP indicates the “strength” of climate change generated by human activity by 2100 compared to the pre-industrial period. The climate scenarios taken into consideration in the analysis are the RCP 2.6 scenario (which envisages strong mitigation aimed at keeping global warming well below 2°C compared to pre-industrial levels while achieving the objectives defined by the Paris Agreement), the RCP 4.5 scenario (considered by Iren Group to be the most representative of the current global climate and political context), which envisages easing of objectives compared to the RCP 2.6 scenario and a stabilisation of emissions by 2100 at around double pre-industrial levels, and the RCP 8.5 scenario (commonly associated with the expression ‘Business-as-usual’, or ‘No mitigation’), which envisages no particular countermeasures and a growth in emissions at current rates.


Socio-economic data, on the other hand, are primarily based on the Sustainable Development Scenario (SDS) and the Stated Policies Scenario (STEPS) from the World Energy Outlook (WEO) published by the International Energy Agency.


The model makes it possible to quantify the variation of the economic-financial variables, through specific KPIs, for those assets that are potentially more exposed to climate change risks.


The application of the model showed that the actions introduced in the Business Plan have a mitigating effect on the impacts of climate change on the activities of Iren Group. Mitigation actions of a strategic nature, linked to investments, are flanked by others of an operational and insurance nature. 


In the course of 2022, a further project phase was developed to complete the assessment model. It added the most significant plants/activities for the risk under consideration that were not included in the 2021 analysis, and updated the model with respect to the new regulatory and climatic scenarios.

Iren Group has adopted a specific internal control and tax risk management system, understood as the risk of operating in violation of tax regulations or in contrast with the principles or aims of the legal system.

The tax risk control and management system, the “Tax Control Framework” (TCF), enables the Group to pursue the objective of minimising its exposure to tax risk by identifying, updating, assessing and monitoring tax-related governance, processes, risks and controls. The Group is committed to managing its tax affairs in accordance with all applicable laws and regulations.

For this reason, Iren has adopted the TCF as an internal control system that defines the governance for the management of taxation and related risk in line with the principles of the company strategy and, in particular, the Tax Strategy.


The Tax Control Framework adopted consists of a set of rules, guidelines, tools and models aimed at supporting the Group's employees in carrying out their daily activities, ensuring consistency on relevant tax matters.

Therefore, the TCF’s structure provides for the presence of two pillars that outline its operating scheme: the Tax Strategy and the Tax Compliance Model.


The Tax Strategy defines the objectives and the approach adopted by the Group in managing the tax variable. The purpose of this document is to establish the Principles of conduct in tax matters in order to i) contain tax risk due to exogenous and endogenous factors, and ii) continue to guarantee over time the correct and timely determination and settlement of taxes due by law, and the performance of related obligations. The Tax Strategy is approved and issued by the Board of Directors of Iren S.p.A.

The Tax Compliance Model is an element of the Internal Control and Risk Management System. This document contains the detailed description of the phases comprising the risk assessment, control and periodic monitoring processes carried out by Iren, and the subsequent reporting on tax issues to the Chief Executive Officer and the other relevant bodies and functions. It also aims to summarize the main responsibilities assigned to the various functions involved in tax-relevant processes. The Tax Compliance Model is prepared by the Tax and Compliance Function and is ultimately approved by the Board of Directors of Iren S.p.A.


The project for the creation of a TCF aligned with the best practices in the matter took shape with the presentation by IREN Spa and IREN Energia Spa of the application for access to the Collaborative Compliance institution, a regime between the Revenue Agency and the large companies introduced by Legislative Decree No. 128 of 5 August 2015 in order to promote the implementation of enhanced forms of communication and cooperation based on mutual trust between tax authorities and taxpayers, and to encourage, in the common interest, the prevention and resolution of tax disputes. The preliminary investigation for admission was successfully concluded in December 2021 with the admission of the two companies.

This category includes all the risks which may influence achievement of the targets, i.e. relating to the effectiveness and efficiency of business transactions, levels of performance, profitability and protection of the resources against losses.


The process of managing the Group’s risks entails that, for each business line and operating area, the activities performed are analysed and the main risk factors connected with achievement of the objectives are identified. Following the identification activity, the risks are assessed qualitatively and quantitatively, thus making it possible to identify the most significant risks. The analysis also involves an assessment of the current and prospective level of control of the risk, monitored by means of specific key risk indicators.


Throughout all the management phases, each risk is subjected on a continuous basis to a process of control and monitoring, which checks whether the treatment activities approved and planned have been correctly and effectively implemented, and whether any new operational risks have arisen.


The process of managing operational risks is associated with a comprehensive and structured reporting system for presenting the results of the risk measurement and management activity. Each process stage is performed in accordance with standards and references defined at Group level.


The Group’s risk position is updated at least quarterly, indicating the extent and level of control of all risks monitored, including financial, IT, credit and energy risks. The risk reporting is sent to the top management and to the Risk Owners, who are involved in the management activity.

The risk analysis also supports the preparation of planning tools. In this regard, Iren has equipped itself with a very detailed risk map that corresponds to the reality of the Group, with qualitative and quantitative assessments of each individual risk and with details of the controls and mitigation actions in place or planned. For each risk identified, the relevant ESG (Environmental, Social and Governance) impacts are associated.


Of particular note are:

a. Legislative and regulatory risks - The legislative and regulatory framework is subject to possible future changes, and therefore is a potential risk. In this regard, dedicated departments reporting directly to the Chief Executive Officer continually monitor the relevant legislation and regulations in order to assess their implications and guarantee their correct application in the Group.


b. Plant-related risks - As regards the amount of the Group’s production assets, plant‐related risks are managed in order to correctly allocate resources in terms of control and preventive measures (preventive/predictive maintenance, control and supervisory systems, emergency and continuity plans, etc.). For the most important plants the Risk Management Department periodically conducts surveys, from which it can accurately detail the events to which such plants could be exposed and consequent preventive action. The risk is also hedged by insurance policies designed considering the situation of the single plants.


c. Cyber risks - defined as the set of internal and external threats which can compromise business continuity or cause civil liability damage to third parties in the event of loss or disclosure of sensitive data. From an internal point of view, the operational risks regarding information technology are closely related to the business of Iren Group, which operates network infrastructures and plants, including through remote control, accounting operational management and invoicing systems and energy commodity trading platforms.


Iren Group is one of the leading Italian operators on the Power Exchange and any accidental unavailability of the system could have considerable economic consequences. At the same time, problems related to supervision and data acquisition on physical systems could cause plant shutdowns and collateral and even serious damage. A breakdown of invoicing systems could also cause delays in issuing bills and in the related collections, as well as damage to reputation.


To mitigate such risks, specific measures have been adopted, such as redundancies, highly‐reliable systems and appropriate emergency procedures, which are periodically subject to simulations, to ensure their effectiveness. The Group has adopted a Cyber Risk Policy, approved by the Board of Directors of Iren S.p.A., which provides for the convening of specific Risk Commissions, the monitoring of performance indicators and dedicated reporting.

The Risk Management Department actively participated in the development of the new 2030 Business Plan and structured three distinct areas of analysis: a qualitative-quantitative risk assessment, a specific focus on Plan investments and a focus on climate change risks.


The qualitative Risk Assessment was based on an analysis of industry trends, the Group’s exposure to related strategic risks and the related ability of the Business Plan to mitigate these risks. Consequently, for the risk categories and related elementary risks mapped as part of the Group’s Risk Map, a detailed analysis of the quantitative drivers relating to the risks with an impact in the years of the Plan was carried out.


Once these risks had been identified - with the support of the Risk Owners and the Planning and Control Department - the relative impacts, probability of occurrence and mitigation actions were quantified in order to determine both the inherent and residual risk value. This assessment led to the enhancement of the Plan’s stress test and related rating indices. The Risk Management Department also investigated a second line of analysis, which concerned the Plan’s investments, identifying both the capital expenditures with a mitigating effect on risks and those whose implementation may represent a possible source of risk, with possible repercussions in economic and financial terms, so-called “execution risks”.


Finally, an analysis of the risk factors from climate change impacting the Group was carried out, with modelling of the most significant assets and risk factors for different energy scenarios and time horizons. Model results were analysed and investments to mitigate climate change risks were evaluated.


M&A transactions and other initiatives of a strategic nature, which were assessed during the year, were also subject to detailed analysis, with a particular focus on the impact of these transactions on the Group’s sustainability objectives (environmental indicators, where significant, and social indicators relating, for example, to compliance with labour, health and safety regarding the target and governance policies) and consistency with the EU Taxonomy.

ESG and Climate Risks

For each risk category, provided in the Group's Risk Map, environmental, social and governance (ESG) impacts but also climate change impacts are assessed.


Business continuity management

The Iren Group pays great attention and commitment to the enhancement and protection of corporate assets that ensure business continuity. The main objective of Business Continuity Management (BCM) is to ensure business resilience in the face of unforeseen events by ensuring the continuity of business processes deemed critical.


Risk Management Director

Fabrizio Tucci

Head of Enterprise Risk Management System

Paolo Cova

Head of Insurance Programs and Active and Passive Claims

Sergio Agresti