Risk Management

The Enterprise Risk Management model

The Enterprise Risk Management model used by the Iren Group sets out the methodological approach for the identification, assessment and integrated management of Group risk and is divided into the following phases:

  • identification
  • assessment
  • handling
  • checks
  • reporting.

With specific reference to risk areas, the Enterprise Risk Management model is one of the main elements of the Internal Control and Risk Management System (ICRMS). The ICRMS, ultimately reporting to the Board of Directors (BoD), guides activity and assesses adequacy, involving the following parties, amongst others, each with their own duties:

  • one or more ICRMS Directors, whose role includes establishing and maintaining an effective internal control and risk management system;
  • the Control, Risk and Sustainability Committee (CRSC), with the general purpose of supporting the Board of Directors' assessments and decisions regarding the internal control and risk management system as well as decisions regarding approval of the periodic financial reports, via suitable analyses.

For further details, please consult the Corporate Governance section.

The ICRMS has three levels of controls:

  • third-level controls performed by bodies within the company, i.e. the Internal Audit department, or external bodies, i.e. the Board of Statutory Auditors, the Independent Auditors and the Oversight Committee pursuant to Italian Legislative Decree 231/2001;
  • second-level controls, assigned to specialised systems involving the Risk Management function, the Compliance department, the Financial Reporting Manager, the Data Protection Officer and the Management Controls function;
  • first-line controls, assigned to the individual organisational structures or Group Companies, performed for respective processes; the responsibility for these controls is assigned to the Operational Management/Risk Owner and forms an integral part of every corporate process.

More specifically, the Risk Management department is responsible for the integrated management and monitoring of the ERM System through definition of the Risk Map, verification of correct application of the Risk Policy, definition of the Risk Analysis of the Business Plan and initiatives/projects of strategic significance, performance of Risk Reporting and management of insurance programmes and claims with/without liability.

The Iren Group's ICRMS is based on the Borsa Italiana Corporate Governance Code.

The Risk Management System defines specific Commissions for managing each type of risk for which a specific "Risk Policy" has been defined, with the primary aim of setting out the strategic guidelines, organisational/management principles, macro processes and techniques required for actively managing relevant risks.

The policies applied within the Iren Group are:

  • Enterprise Risk Management Policy: governs the approval process for the Risk Policy and the Risk Map, monitors and assesses the risk-management system, and defines the management model;
  • Financial Risk Policy: governs the process for managing financial risks linked to interest rates, exchange rates and spreads;
  • Credit Risk Policy: governs the process for managing credit risk linked to events that may negatively impact the achievement of credit-management targets;
  • Energy Risk Policy: governs the process for managing energy risks associated with energy and/or financial markets, such as market variables or pricing options;
  • Operational Risk Policy: governs the process for managing operational and reputational risk, i.e. risk factors associated with asset ownership, involvement in business activities, processes, procedures and information flows and the corporate image;
  • Cyber Risk Policy: governs the process for managing IT risks attributable to threats that undermine information security, particularly regarding completeness, confidentiality and availability of data;
  • Climate Change Risk Policy: governs the process for managing climate change risks, linked to acute and chronic physical risks and transition risks;
  • Tax Risk Policy / Tax Control Model: governs the process for managing tax risks, linked to the risk of operating in violation of tax laws or in contrast with the principles and purposes of the tax system.

The role of the Risk Management department

The Risk Management department coordinates Risk Commissions (quarterly):

  • Financial Risk: analyses and monitors the financial-risk position (proposes updates);
  • Credit Risk: reviews the credit-risk status and adopts management decisions proposed by Risk Owners, proposing targeted action plans;
  • Energy Risk: reviews the energy-risk status and adopts management decisions proposed by the Risk Owners and proposes updates to the Policy;
  • Cyber Risk: analyses and monitors the Group Cyber Risk position and the suitable technical and organisational actions to be adopted;
  • Climate Risk: analyses the position of the Group about Climate Change Risk and decides on the actions to mitigate the risk;
  • Tax Risk: analyses and monitors the position of the Group about Tax Risk and the actions to mitigate the risks.

Management supports the CRSC in half-yearly evaluation of the suitability of the Internal Control and Risk Management System (ICRMS) as applicable for its role, as well as performing specific risk assessments for strategic projects (M&A, industrial, etc.) and the Business Plan.

For more information on the Business Plan, please consult Risk profile.

In addition, the Chief Risk Officer is on the Related-Party Transactions Assessment Board, supporting the Related-Party Transactions Committee (RPTC).

Below is the current Iren Group Risk Model:

For more information on risks and uncertainties affecting the Iren Group, please consult the Consolidated Financial Statements.

For more information on centralised monitoring of particular risk categories and operation of the Internal Control and Risk Management System, please consult the Report on Corporate Governance and Ownership Structures.

Details of the active management methods within the Group are provided below for the different types of risk.


The Iren Group’s business is exposed to various types of financial risks, including: liquidity risk, exchange rate risk and interest rate risk. As part of its Risk Management activities, the Group uses non-speculative hedging contracts to limit exchange rate risk and interest rate risk.

a) Liquidity risk

Liquidity risk is the risk that financial resources available to the company will be insufficient to cover financial and trade commitments in accordance with the agreed terms and deadlines.

The procurement of financial resources has been centralised in order to optimise their use.

In particular, centralised management of cash flows in Iren makes it possible to allocate the funds available at the Group level according to the needs that arise from time to time among the individual Companies.

Cash movements are recognised in intra-group accounts along with intra-group interest income and expense. A number of investees have an independent financial management structure in compliance with the guidelines provided by the Parent Company.

b) Exchange rate risk

Except as indicated in the section on energy risk, the Iren Group is not significantly exposed to exchange rate risk.

c) Interest rate risk

The Iren Group is exposed to interest rate fluctuations especially with regard to the measurement of financial expenses related to indebtedness. The Iren Group’s strategy is to limit exposure to the risk of interest rate volatility, maintaining at the same time a low cost of funding.

Compliance with the limits imposed by the Policy is verified during the Financial Risk Commission meetings with regard to the main metrics, together with analysis of the market situation, interest rate trends, the value of hedges and confirmation that the conditions established in covenants have been met.


The Group’s credit risk is mainly related to trade receivables deriving from the sale of electricity, district heating, gas and the provision of energy, water and environmental services. The receivables are spread across a large number of counterparties, belonging to non-uniform customer categories (retail and business customers and public bodies); some exposures are of a high amount and are constantly monitored and, if necessary, covered by repayment plans. The Iren Group’s Credit Management units devoted to credit recovery are responsible for this activity.

In carrying on its business, the Group is exposed to the risk that receivables may not be honoured on maturity, with a consequent increase in their age and in insolvency, up to an increase in receivables that are subject to arrangement procedures or are unenforceable. This risk also reflects, among other factors, the current economic and financial situation.

To limit exposure to credit risk, a number of tools have been activated. These include analysing the solvency of customers at the acquisition stage through careful assessment of their creditworthiness, transferring the receivables of discontinued and/or active customers to external credit recovery companies and introducing new recovery methods for managing legal disputes. In addition, methods of payment through digital channels are offered to Customers.

The receivable management policy and creditworthiness assessment tools, as well as monitoring and recovery activities, differ in relation to the various categories of customers and types of service provided. Credit risk is hedged, for some types of business customers, with appropriate forms of first-demand bank or insurance guarantees issued by parties of leading credit standing and with credit insurance for the reseller customer segment.

An interest-bearing guarantee deposit is required for some types of services (water, natural gas, highly-protected electricity sectors) in compliance with regulations governing these activities. This deposit is reimbursed if the customer uses payment by direct debit from a current account.

The payment terms generally applied to customers are related to the legislation or regulations in force or in line with the standards of the free market; in the event of non-payment, default interest is charged for the amount indicated in the contracts or by the legislation.

Provisions set aside for impairment of receivables reflect, carefully and in accordance with the current legislation (applying the IFRS 9 method), the effective credit risks, and are determined on the basis of the extraction from databases of the amounts making up the receivable and, in general, assessing any changes in the said risk compared to the initial measurement and, in particular for trade receivables, estimating the related expected losses determined on a prospective basis, taking into due consideration the historical series.

As mentioned, with regard to the Covid-19 emergency context, and with specific reference to the possible liquidity difficulties of the customer portfolio linked to the measures to combat the pandemic and the regulatory and corporate measures to mitigate the economic and social impact of the crisis, the Group increased the provision for bad and doubtful debts by € 25 million due to the assessment of expected losses, particularly in the electricity and gas sales and integrated water service sectors.

The control of credit risks is also strengthened by the monitoring and reporting procedures, in order to identify possible countermeasures promptly.

In addition, on a quarterly basis, the Risk Management Department collects and integrates the main data regarding the evolution of the Group companies’ trade receivables, in terms of type of customers, status of the contract, business chain and ageing band. Credit risk is assessed both at the consolidated and at the Business Unit and company levels.

Some of the above assessments are carried out at intervals of less than three months or when there is a specific need.


The Iren Group is exposed to price risk on the energy commodities traded, these being electricity, natural gas, environmental emission certificates, etc., as both purchases and sales are impacted by fluctuations in the price of such commodities directly, or through indexing formulae. Exposure to foreign exchange rate risk, characteristic of oil-based commodities, exists, but is attenuated thanks to the development of the European organised markets that trade the gas commodity in Euro and no longer indexed to oil products.

The Group’s policy is oriented to a strategy of active management of the positions to stabilise the margin, taking the opportunities offered by the markets; it is implemented by aligning the indexing of commodities purchased and sold, through vertical and horizontal use of the various business chains, and operating on the financial markets.

For this purpose, the Group plans the production of its plants and its purchases and sales of energy and natural gas, in relation to both volumes and price formulae. The objective is to obtain sufficient stability in the margins through:

  • for the electricity supply chain, the appropriate balancing of internal production and energy from the futures market with respect to the demand coming from the Group’s customers, with adequate recourse to the spot market;
  • for the natural gas supply chain, the priority of alignment of the indexing of the commodity in purchase and sale.


For a more detailed analysis of the risks dealt with up to now, reference should be made to the paragraph “Group Financial Risks Management” in the Notes to the Consolidated Financial Statements.


During the year, Iren Group included in its Enterprise Risk Management system a Policy dedicated to climate change risks, which are becoming increasingly important for organisations. Moreover, they affect the health of the planet, with estimates of significant effects already in the medium term.

All companies, and in particular those operating in significantly exposed sectors such as Iren Group, must consider the analysis of climate change risks as an emerging and determining factor in the definition of their medium and long-term strategies.

The adoption of the Climate Change Risk Policy and the resulting risk analysis and management represent the preliminary steps in a process that will enable the Group to provide even more effective control over its exposure to damaging events and the opportunities that the external context and its changes may offer, as well as its contribution to the achievement of sustainable development objectives defined at national and international level.

The document was written with the extensive involvement of the corporate functions involved in managing these risks, with which a Climate Change Risk Assessment was carried out, based on which the Policy was subsequently drafted.

The Policy analyses and regulates, focusing on the applicability to the individual Business Units, the risk factors related to climate change, distinguishing between physical risks and transition risks.

Physical risks resulting from changing climatic conditions are divided into acute physical risks, if related to local catastrophic natural events (e.g. floods, heat waves, fires, etc.), and chronic physical risks, if related to long-term climate change (e.g. global warming, rising sea levels, water scarcity, etc.).

The transition to a low-carbon economy could entail extensive changes in government policies, with consequent regulatory, technological and market changes. Depending on the nature and speed of these changes, transition risks may result in a varying level of financial and reputational risk for the Group.

The Policy requires the presence of a Risk Commission to periodically review the Group's risk profile, defining and proposing updates to the Chief Executive Officer on strategies for managing risk classes and reporting any emerging critical issues to the Executive Bodies. The document also includes guidelines for reporting, aimed at ensuring transparency of information to all stakeholders.


Iren Group has adopted a specific internal control and management system for tax risk, understood as the risk of operating in violation of tax regulations or in contrast with the principles or aims of the legal system.

The tax risk control and management system, the "Tax Control Framework" (hereinafter "TCF"), enables the Group to pursue the objective of minimising its exposure to tax risk by identifying, updating, assessing and monitoring tax-related governance, processes, risks and controls.

The Group is committed to managing its tax affairs in accordance with all applicable laws and regulations. For this reason, Iren has adopted the TCF as an internal control system that defines the governance for the management of taxation and related risk in line with the principles of the company strategy and, in particular, the Tax Strategy.

The Tax Control Framework adopted consists of a set of rules, guidelines, tools and models aimed at supporting the Group's employees in carrying out their daily activities, ensuring consistency on relevant tax matters. Therefore, the TCF’s structure provides for the presence of two pillars that outline its operating scheme: the Tax Strategy and the Tax Compliance Model.

The Tax Strategy defines the objectives and the approach adopted by the Group in managing the tax variable. The purpose of this document is to establish the Principles of conduct in tax matters in order to i) contain tax risk due to exogenous and endogenous factors, and ii) continue to guarantee over time the correct and timely determination and settlement of taxes due by law, and the performance of related obligations. The Tax Strategy has been approved and issued by the Board of Directors of Iren S.p.A.

The Tax Compliance Model is an element of the Internal Control and Risk Management System. This document contains the detailed description of the phases comprising the risk assessment, control and periodic monitoring processes carried out by Iren, and the subsequent reporting on tax issues to the Chief Executive Officer and the other relevant bodies and functions. It also aims to summarize the main responsibilities assigned to the various functions involved in tax-relevant processes. The Tax Compliance Model is prepared by the Tax and Compliance Function and is ultimately approved by the Board of Directors of Iren S.p.A.

The project to create a TCF aligned with the best practices in the field was concluded in 2020 with the submission of the application for access to the institution of Cooperative Compliance, a scheme between the Revenue Agency and large companies, introduced by Legislative Decree No. 128 of 5 August 2015 in order to promote the implementation of enhanced forms of communication and cooperation based on horities and taxpayers, and to encourage, in the common interest, the prevention and resolution of tax disputes.


This category includes all the risks which, in addition to those already noted in the previous paragraphs, may influence achievement of the targets, i.e. relating to the effectiveness and efficiency of business transactions, levels of performance, profitability and protection of the resources against losses.

The Group’s Enterprise Risk Management model has as its objective the integrated and synergistic management of risks.

The process of managing the Group’s risks entails that, for each business line and operating area, the activities performed are analysed and the main risk factors connected with achievement of the objectives are identified. Following the identification activity, the risks are assessed qualitatively and quantitatively (in terms of magnitude and probability of occurrence), thus making it possible to identify the most significant risks. The analysis also involves an assessment of the current and prospective level of control of the risk, monitored by means of specific key risk indicators.

The above stages make it possible to structure specific treatment plans for each risk factor.

Throughout all the management phases, each risk is subjected on a continuous basis to a process of control and monitoring, which checks whether the treatment activities approved and planned have been correctly and effectively implemented, and whether any new operational risks have arisen.

The process of managing operational risks is associated with a comprehensive and structured reporting system for presenting the results of the risk measurement and management activity. Each process stage is performed in accordance with standards and references defined at Group level. The Group’s risk position is updated at least quarterly, indicating the extent and level of control of all risks monitored, including financial, IT, credit and energy risks. The risk reporting is sent to the top management and to the risk owners, who are involved in the management activity.

The risk analysis also supports the preparation of planning tools.

In 2020, a project was carried out to revise the Group Risk Map, which, through interviews with the Risk Owners of Iren S.p.A. and the Group companies, and the subsequent sharing and fine-tuning of the results, led to the construction of a very detailed risk map that corresponds to the reality of the Group, with qualitative and quantitative assessments of each individual risk and with details of controls and mitigation actions existing or planned.

The identified risks have been associated with the ESG (Environmental, Social and Governance) category to which they belong. It is noted that for each risk it was verified whether and how it had been impacted by Covid-19.

Of particular note are: 

a. Legal and regulatory risks

The legislative and regulatory framework is subject to possible future changes, and therefore is a potential risk. In this regard, departments reporting directly to the Chief Executive Officer are dedicated to continual monitoring of the relevant legislation and regulations in order to assess their implications, guaranteeing their correct application in the Group.

b. Plant-related risks

As regards the amount of the Group’s production assets, plant-related risks are managed with the approach described above in order to correctly allocate resources in terms of control and preventive measures (preventive/predictive maintenance, control and supervisory systems, emergency and continuity plans, etc.).

For the most important plants the Risk Management Department periodically conducts surveys, from which it can accurately detail the events to which such plants could be exposed and consequent preventive action. The risk is also hedged by insurance policies designed considering the situation of the single plants.

c. IT risks

IT Risks (Cyber Risks) are defined as the set of internal and external threats which can compromise business continuity or cause civil liability damage to third parties in the event of loss or disclosure of sensitive data.

From an internal point of view, the operational risks regarding information technology are closely related to the business of the Iren Group, which operates network infrastructures and plants, including through remote control, accounting operational management and invoicing systems and energy commodity trading platforms. The Iren Group is, in fact, one of the leading Italian operators on the Power Exchange and any accidental unavailability of the system could have considerable economic consequences, connected with the non-submission of energy sale or purchase offers. At the same time, problems related to supervision and data acquisition on physical systems could cause plant shutdowns and collateral and even serious damage. A breakdown of invoicing systems could also determine delays in issuing bills and the related collections, as well as damage to reputation.

To mitigate such risks, specific measures have been adopted, such as redundancies, highly-reliable systems and appropriate emergency procedures, which are periodically subject to simulations, to ensure their effectiveness.

The Iren Group is also exposed to the risk of cyber attacks aimed both at acquiring sensitive data and at stopping operations, causing damage to plants and networks and compromising service continuity. Market benchmarks also show that attacks aimed at acquiring companies’ and third-party data are increasingly frequent, with consequent civil liability and sanctions, including serious ones, and at acquiring industrial secrets.

The perimeter security technologies have been updated. The data network has been further segregated according to the functional use; in addition a vulnerability management system has been introduced, and extended also to suppliers that process sensitive corporate data for various reasons. The support of an external Security Operation Centre (SOC) has been launched for 24h monitoring, with the use of Iren security platforms. Policies have been adopted to strengthen system access passwords, increase workstation security with the introduction of systems featuring behavioural analysis capabilities and automated and remote response execution. A Cyber Threat Intelligence (CTI) platform has also been introduced in order to capture evidence of attackers and threats potentially impacting corporate assets.

On 23 January 2020, the Board of Directors of Iren S.p.A. approved the Cyber Risk Policy, which, similar to the other main risk Policies, provides for the convocation of specific Risk Commissions, the monitoring of performance indicators and dedicated reporting.

The operational risk management process also aims at optimising the Group’s insurance programmes. 


The Iren Group has adopted a Business Plan with a time horizon at 2025 which defines its strategic orientations and the related industrial objectives from which the economic and financial figures of reference derive.

The said objectives refer to:

a) making the Group’s organisation and processes more efficient;

b) development (investments in regulated and quasi-regulated sectors, increase of customer base, energy efficiency);

c) consolidation of regulated sectors (renewal of concessions: gas distribution, integrated water cycle and environment sector);

d) external growth;

e) energy scenario;

f) sustainability and ESG (Environment, Social, Governance) targets.

In application of the Group’s policies, the Plan was subject to a risk assessment carried out by the Risk Management Department and to the related stress tests, which showed substantial resilience including when facing adverse events characterised by specific sensitivities.

On the basis of the aforementioned project to revise the Risk Map, a specific Risk Map relating to the risks of the Industrial Plan was prepared in parallel with the risk assessment, with the same time horizon. The development of this Risk Map, together with the construction of quantitative stresses, constitutes an important point of integration with the Strategic Planning function.

In addition to the risk analysis associated with the Plan, the Risk Management Department contributes risk assessments specific to merger & acquisition transactions and the main strategic plans concerning Iren Group.