The Enterprise Risk Management model used by the Iren Group sets out the methodological approach for the identification, assessment and integrated management of Group risk and is divided into the following phases:
With specific reference to risk areas, the Enterprise Risk Management model is one of the main elements of the Internal Control and Risk Management System (ICRMS). Ultimate responsibility for the ICRMS rests with the Board of Directors (BoD), which sets its guidelines and assesses its adequacy; the system involves, amongst others, the following parties, each with their own duties:
- one or more ICRMS Directors, whose role includes establishing and maintaining an effective internal control and risk management system;
- the Control, Risk and Sustainability Committee (CRSC), whose general purpose is to support, through suitable analyses, the Board of Directors' assessments and decisions regarding the internal control and risk management system and the approval of the periodic financial reports.
For further details, please consult the Corporate Governance section.
The ICRMS has three levels of controls:
- third-level controls, performed by bodies within the company (the Internal Audit department) or by external bodies (the Board of Statutory Auditors, the Independent Auditors and the Oversight Committee pursuant to Italian Legislative Decree 231/2001);
- second-level controls, assigned to specialised functions, namely the Risk Management function, the Compliance department, the Financial Reporting Manager, the Data Protection Officer and the Management Controls function;
- first-level controls, assigned to the individual organisational structures or Group Companies and performed on their respective processes; responsibility for these controls lies with Operational Management/Risk Owners, and they form an integral part of every corporate process.
More specifically, the Risk Management department is responsible for the integrated management and monitoring of the ERM System through definition of the Risk Map, verification of correct application of the Risk Policy, definition of the Risk Analysis of the Business Plan and initiatives/projects of strategic significance, performance of Risk Reporting and management of insurance programmes and claims with/without liability.
The Iren Group's ICRMS is based on the Borsa Italiana Corporate Governance Code.
The Risk Management System provides for specific committees for managing each type of risk for which a dedicated "Risk Policy" has been defined. The primary aim of each Risk Policy is to set out the strategic guidelines, organisational/management principles, macro-processes and techniques required for actively managing the relevant risks.
The policies applied within the Iren Group are:
- Enterprise Risk Management Policy: governs the approval process for the Risk Policy and the Risk Map, monitors and assesses the risk-management system, and defines the management model;
- Energy Risk Policy: governs the process for managing energy risks associated with energy and/or financial markets, such as market variables or pricing options;
- Operational Risk Policy: governs the process for managing operational and reputational risk, i.e. risk factors associated with asset ownership, involvement in business activities, processes, procedures and information flows and the corporate image;
- Financial Risk Policy: governs the process for managing financial risks linked to interest rates, exchange rates and spreads;
- Credit Risk Policy: governs the process for managing credit risk linked to events that may negatively impact the achievement of credit-management targets;
- Cyber Risk Policy: governs the process for managing IT risks attributable to threats that undermine information security, in particular the integrity, confidentiality and availability of data.
The role of the Risk Management department
The Risk Management department coordinates the Risk Committees, which meet at least quarterly:
- Financial Risk Committee: analyses and monitors the financial-risk position and proposes any updates required;
- Energy Risk Committee: reviews the energy-risk status, adopts the management decisions proposed by the Risk Owners and proposes updates to the Policy;
- Credit Risk Committee: reviews the credit-risk status, adopts the management decisions proposed by the Risk Owners and proposes targeted action plans;
- Cyber Risk Committee: analyses and monitors the Group's cyber-risk position and the technical and organisational measures to be adopted.
The Risk Management department supports the CRSC, within the remit of its role, in the half-yearly evaluation of the suitability of the Internal Control and Risk Management System (ICRMS), and performs specific risk assessments for strategic projects (M&A, industrial, etc.) and for the Business Plan.
In addition, the Chief Risk Officer is on the Related-Party Transactions Assessment Board, supporting the Related-Party Transactions Committee (RPTC).
Below is the current Iren Group Risk Model:
For more information on risks and uncertainties affecting the Iren Group, please consult the 2019 Consolidated Financial Statements.
For more information on centralised monitoring of particular risk categories and operation of the Internal Control and Risk Management System, please consult the Report on Corporate Governance and Ownership Structures.