Risk oversight and the control system
Although it has a limited economic and financial risk profile because most of its operations are in regulated business segments, Snam adopts a structured and systemic approach to governing all risks that could affect value creation. With the spin-off of Italgas, Snam’s risk profile changed as a result of the reduction of those risks connected with the specific nature of the distribution business, which is no longer consolidated within the corporate scope, and particularly in regard to uncertainties connected to sector tender processes and end-of-concession redemption values. The system we use across the Group to identify, assess, manage and control risk has three levels, each with different objectives and associated responsibilities. The Board of Directors charges the CEO with giving structure to and maintaining the entire system.
We use an integrated, dynamic and group-wide method of assessing risk that evaluates the existing management systems in the individual corporate processes, starting with those relating to the prevention of fraud and corruption and health, safety, environment and quality. These same controls form an integral part of the managerial processes. Management must therefore foster an environment that encourages controls, and must specifically manage “line controls”, consisting of all the control activities that individual operating units or companies perform over their own processes. Independent controls are performed by the Internal Audit department, which is responsible for checking that the system is functioning and adequate.
Enterprise Risk Management process (ERM)
The Snam group, in line with the indications of the Code of Corporate Governance and international best practices, has instituted, under the direct supervision of the General Counsel, the Enterprise Risk Management (ERM) unit, which operates within the wider Internal Control and Risk Management System and runs the integrated process for managing corporate risks for all Group companies.
The main objectives of ERM are to define a risk assessment model that allows risks to be identified, using standardised, group-wide policies, and then prioritised, to provide consolidated measures to mitigate these risks and to draw up a reporting system.
1. Identification and measurement:
of risk events relating to corporate processes and external risk factors that could influence the achievement of corporate goals, either through direct impacts on results and corporate finances (lower revenue or higher costs) or through intangible negative effects on other types of capital, especially the “licence to operate”.
2. Enterprise and prioritisation assessment:
each event is assigned an ‘enterprise measurement’, which summarises, for each risk, the different measurements carried out by the risk owner and by centralised units with specialist expertise. The prioritisation of risks is defined by combining the measurements of impact and probability.
3. Definition of the management strategy:
for all risks, management measures are identified, together with any specific interventions and the relevant implementation time frames, associated with a type of risk management from among those that have been codified. The management plans for the main risks are presented to the Control and Risk Committee.
4. Monitoring and reporting:
the risk mapping is periodically updated according to the enterprise measurement, and at least once a year, including for low-priority risks. Periodic reporting guarantees, at the various corporate levels, the availability and representation of information relating to the management and monitoring of the relevant risks.
One of the best features of Snam’s ERM model is the wide-ranging nature of its impact measurement.
Any risk event may have 10 different types of impact, some determined by the risk owners (operational impacts) and others by specialist departments (e.g. legal and financial impacts). As a result, risk is measured from different perspectives and prioritised as a team.
The most common operational impact is industrial impact, consistent with the fact that risk identification begins with process analysis. The most prevalent specialist impacts include reputational and legal impacts, confirming the existence of an increasingly globalised external context subject to ever more complex regulations.
Using the model described above, the risk assessment cycles were performed on the entire Snam Group in 2016. As at the end of 2016, 310 enterprise risks had been mapped and broken down between all corporate processes.
In addition to the ordinary activities of checking and monitoring the risks mapped, other measures were carried out with a view to continually improving the model adopted and supporting the risk managers. Specifically:
- analysis of several of the mapped risks in order to identify recommendations for improving their operational management mechanisms, with the purpose of enhancing strategies and actions for the management, systematic collection and consolidation of the Key Risk Indicators associated with mapped risks;
- final development and distribution of the ERM Risk Dashboard and the pertinent dematerialisation of the reporting process.
In December 2016, “Project Simplify” was launched, which aims, inter alia, to define and implement an integrated risk assurance model that combines the different control models within the Group, using a synergistic approach aimed at maximum rationalisation and overall efficiency, and to design and implement Snam’s new regulatory system with a view to simplification and greater usability.
The internal control system and the risk management system in relation to the Snam Group financial reporting process are components of the same “System” (Corporate Reporting Internal Control System), which is covered more specifically in the chapter “Elements of risk management and uncertainty”, to which reference is made.