SNAM Annual Report 2018 - Management of risks and the control system

Although it has a limited economic and financial risk profile because most of its operations are in regulated business segments, Snam adopts a structured and systemic approach to governing all risks that could affect value creation.

The system we use across the Group to identify, assess, manage and control risk has three levels, each with different objectives and associated responsibilities. The Board of Directors charges the CEO with giving structure to and maintaining the entire system. We use an integrated, dynamic and group-wide method of assessing risk that evaluates the existing management systems in the individual corporate processes, starting with those relating to the prevention of fraud and corruption and health, safety, environment and quality.

These same controls form an integral part of the managerial processes. Management must therefore foster an environment that encourages controls, and must specifically manage “line controls”, consisting of all the control activities that individual operating units or companies perform over their own processes. Independent controls are performed by the Internal Audit department, which is responsible for checking that the system is functioning and adequate.

Management of risks and the control system (graphic)

In 2018, audit activities were performed by a dedicated team of an average of 10 auditors.

Download XLS (18 kB)

Activities performed by Internal Audit

(no.)

2016

2017

2018

(*)	The figure relating to 2017 has been amended to take into account the audits carried out in the reference calendar year.
(**)	The number of audits relating to independent monitoring activities has reduced on 2017 for the following reasons: (i) part of the control activities was carried ut by the Independent Auditing Firm and (ii) reports on control activities of the 2018 Independent Monitoring Programme will be produced in calendar year 2019.

Total number of audits performed (*)

- of which relative to planned and/or spot audit activities

- of which relative to independent monitoring activities (Law - 262/05) (**)

Reports received

- of which related to the internal control system

- of which concerning accountancy, audit, fraud, etc.

- of which concerning administrative liability pursuant to Legislative Decree 231/2001

- of which concerning breaches of anticorruption law

- of which concerning other matters (Code of Ethics, mobbing, theft, security, etc.)

Reports archived due to absence of elements or found to be untrue

Reports resulting in disciplinary or managerial interventions, and/or submitted to judicial authorities

Reports pending

In 2018, the Internal Audit activities were carried out by ensuring that the conditions of complete independence and autonomy are preserved, as well as the due professional diligence, objectivity, and competence, as provided for by the Mission of the Internal Audit and by the Mandatory Guidance of the Institute of Internal Auditors and by the principles contained in the Code of Ethics.

Internal Audit regularly carried out the programmed activities, which regarded: (i) the execution of the Audit Plan, approved by the Snam Board of Directors on 13 March 2018, after obtaining the favourable opinion of the Control, Risk and Related Party Transactions Committee and spot audits not envisaged on the plan; (ii) the carrying out of the independent monitoring programme defined with the Chief Financial Officer as part of the Snam Control System on the Corporate Disclose; (iii) named or anonymous reports of problems relating to the internal control and risk management system, to the Company’s administrative liability, irregularities or fraudulent acts (whistleblowing); (iv) the activities involving relations with the Independent Auditing Firm and those relating to the monitoring of the activities for the conferral of additional appointments on such.

Please also note the main activities carried out in methodology:

the implementation of an Internal Audit Manual, which, with a view to ensuring continuous improvement, aimed to update the methodologies and identify standard formats so as to increase the efficiency and simplify the internal audit process;
the development of a new tool to manage audit activities from the planning of interventions through to the follow-up of corrective action following the implementation of the Integrated Risk Assurance and Compliance Project;
the update of the Key Risk Indicators, as well as the implementation of new ones, as part of the continuous monitoring of the expenditure cycle with the desire to structure, in 2019, dedicated reports for the functions of the first and second level control;
the Internal Quality Review with the aim of monitoring the effectiveness and efficiency of the activities, the conformity, in going about operations, with the regulatory and operative tools of the Department and with respect to best practices and reference international standards for the profession.

The Enterprise Risk Management (ERM) process

The Snam group, in line with the indications of the Code of Corporate Governance and international best practices, has instituted, under the direct supervision of the General Counsel, the Enterprise Risk Management (ERM) unit, which operates within the wider Internal Control and Risk Management System, in order to manage the integrated management process of corporate risks for all Group companies.

The main objectives of ERM are to define a risk assessment model that allows risks to be identified, using standardised, group-wide policies, and then prioritised, to provide consolidated measures to manage these risks and to draw up a reporting system.

The risk is defined as a result of the uncertainty over the objectives, and may be negative or positive (opportunity).

Enterprise Risk Management process (ERM) (graphic)

Cross-organisational nature

One of the best features of Snam’s ERM model is the wide-ranging nature of its impact measurement.

Any risk event may have eight different types of impact, some determined by the risk owners (operational impacts) and others by specialist departments (e.g. legal and financial impacts). This means risk measurement from different perspectives and team risk prioritisation.

The most common operational impact is industrial impact, consistent with the fact that risk identification begins with process analysis. The most prevalent specialist impacts include reputational and legal impacts, confirming the existence of an increasingly globalised external context subject to ever more complex regulations.

During 2018, the risk assessment cycles were completed and the first mapping of corporate opportunities performed, according to the model described above and the “Enterprise Risk Management” guidelines approved in March by the Board of Directors, which involved the whole of the Snam Group. As at the end of 2018 approximately 138 enterprise risks appeared to be mapped, distributed across all corporate processes. Moreover, the 2018 mapping of risks and opportunities considered the new activities under the scope of new unregulated businesses, as a result of acquisitions made during the year.

Opportunities (approximately 25) were identified using a similar method to that employed for the risks. In this case too, suitable metrics were used to measure the operative impacts (industrial/business and economic) by each owner and to have the specialised departments measure the other impacts (market, reputational, environment, financial).

In 2018, the Integrated Risk Assurance and Compliance project was trialled, with the aim of defining and implementing an integrated risk assessment model that, through a single IT tool and a single database, rationalises and integrates information flows of second-level controls with a synergistic approach aimed at maximum overall efficiency.

The main enterprise risks identified and monitored were classified as financial and non-financial (strategic risks, legal and non-compliance risk and operational risks).

The table below shows the mitigation and monitoring measures implemented for each type of risk.

Risk and opportunity measurement by impact (graphic)

More information on the main risk and uncertainty factors is given in the chapter entitled “Elements of risk and uncertainty” in this Report.

Classification	Description	Management actions	Impact on capitals
STRATEGIC RISKS	Macroeconomic and geo-political risk
	Risks associated with political, social and economic instability in natural gas supplier countries	Continuous monitoring of the political, social and macroeconomic framework
		Maintenance of constant relations with Authorities and Institutions responsible for managing possible crises in high-risk scenarios
	Regulatory and legislative risk
	Definition and updating of a regulatory framework in Italy and in the countries of interest that presents penalising parameters, in particular with regard to criteria for determining tariffs	Maintenance of ongoing constructive dialogue with the regulator that can contribute to the definition of a clear, transparent and stable framework in order to incentivise the sustainable development of the gas system
	Significant change in regulations and/or case law	Ongoing regulatory oversight through the monitoring of changes in laws and rulings, analysis of changes, and the dissemination of information and further details to business and commercial departments
	Risks related to climate change
	Reinforcement of the regulatory framework for greenhouse gas emissions Change of scenarios with impact on the demand for natural gas and transported volumes	Ongoing regulatory supervision with monitoring of the development of the greenhouse gas emissions authorisation system
		Target of -10% natural gas emissions from 2016 to 2021, with same scope Target of -15% natural gas emissions from 2016 to 2022, with same scope Target of -25% natural gas emissions from 2016 to 2025, with same scope
		Recovery of 33% of potential emissions deriving from maintenance activities, each year from 2017 to 2022
		Development of new business related to alternative uses of gas and implementation of the use of gas to support the energy transition (biomethane and other renewable gases, small scale LNG, CNG, gas heat-pumps and micro-cogeneration)
	Increase in the severity of extreme atmospheric phenomena, with impacts on continuity and quality of service	Adaptation of the recovery plan and business continuity management system to international best practices
		Technologically advanced tools for monitoring/controlling the status of infrastructure/plants and the areas affected
		Elaboration of corporate energy scenarios consistent with the national and European decarbonisation objectives developed for the containment of temperatures increase envisaged by the Paris agreements
		Ongoing, systematic maintenance and monitoring measures
	Growth in the sensitivity of public opinion on matters related to climate change	Adhesion to national and international initiatives aimed at strengthening the commitment to reduce methane emissions
		Adhesion to the TCFD “Task Force on Climate Related Financial Disclosure”
		Disclosure of multi-year targets defined to fight climate change

Classification	Description	Management actions	Impact on capitals
LEGAL AND NON-COMPLIANCE RISK	Possible violation of rules and regulations, with particular reference to Legislative Decree 231/2001 which provides for the company’s liability for malfeasances committed by management or by third parties in relation to certain cases (corruption, fraud, health and safety of workers, environment)	Updating and monitoring protocols of Model 231
		Awareness-raising initiatives and training on the prevention of corruption
		Analysis and evaluation of reports received through the channels provided for by the reporting procedure
		Adoption and maintenance of Health, Safety and Environment management systems certified according to ISO14001 and OSHAS18001 standards
		Awareness-raising and training initiatives on accident prevention for employees and contractors
	Maintaining an adequate reputational profile for suppliers and subcontractors	Introduction of additional measures to prevent corruption and criminal infiltration
		Obligation of suppliers and contractors to subscribe the Ethical and integrity Agreement
		Reputational checks on suppliers and subcontractors
	Non-alignment of corporate governance and/or the internal control and risk system with regulations and/or best practices	Periodic revision of employer model
		Updating of Model 231 and the Code of Ethics
		Analysis of updates to the latest version (July 2015) of the Borsa Italiana Code of Corporate Governance and to corporate governance best practices

Classification	Description	Management actions	Impact on capitals
OPERATING RISKS	Retaining gas storage concessions	Development of storage carried out in line with the most up-to-date technical and economic criteria and best practices in science and technology so as not to damage the deposit, not to cause harm to third parties or the environment and to guarantee the optimisation of capacity in compliance with the security of the national gas system
	Delays in the progress of infrastructure implementation programmes	Application of the strictest national and international environmental and safety standards during planning, with particular attention to safeguarding the natural value of the area and biodiversity
		Communication policy on the planned work, with a view to sharing projects with the local community and stakeholders from the outset
		Use of innovative construction technologies with low environmental impacts (e.g. trenchless technologies, use of turbo gas with low atmospheric emissions)
		Strict, structured system for selecting contractors and monitoring their performance
	Breakages or damages to pipelines/installations also upon exogenous events, which can cause malfunction and unexpected service interruption	Application of management systems and procedures that take into account the specific nature of Snam’s activities
		Recovery plan system and business continuity management in line w ith international best practices
		Communication initiatives aimed at providing information about the presence of infrastructure and behaviours to avoid/implement by third parties so as not to damage it
		Technologically advanced tools for monitoring/controlling the status of infrastructure/plants and the areas affected
		Continuous verification of insurance coverage in relation to the type of business and related risks
		Ongoing, systematic maintenance and monitoring measures
	Computer threats (Cybersecurity)	Adaptation of IT security and business continuity systems to the ISO/IEC 27001 and ISO22013 standards respectively, with provision for related certification
	Computer threats (Cybersecurity)	Definition of a model of security incident management team to respond promptly to events that may damage the integrity of the information and IT systems used

Classification

Description

Management actions

Impact
on
capitals

	FINANCIAL CAPITAL

	INFRASTRUCTURAL CAPITAL

	INTELLECTUAL CAPITAL

	HUMAN CAPITAL

	RELATIONAL CAPITAL

	NATURAL CAPITAL

FINANCIAL RISKS

Medium- and long-term debt rating down grade

Constant monitoring of rating indicators and availability of long-term credit lines

(icon)
(icon)

Changes in the interest rate

Monitoring cash-flow-at-risk using an asset and liability management (ALM) model

Exchange rate changes

Minimisation of transaction risk, through measures such as the use of derivatives

Inability to raise new funds (funding liquidity risk) or to liquidate assets on the market

Minimisation of opportunity cost and maintaining a balance in terms of debt duration and composition

Default

Monitoring of the contractual protection clauses in loan agreements

Receivables

Periodic monitoring of the situation of receivables and systematic management at set deadlines of reminders and any action necessary to collect on overdue debt

Evaluation of the authenticity and validity of guarantees

Reporting of any issues with the regulatory system that may lead to opportunistic/fraudulent behaviour by operators

CONSENT TO USE OF COOKIES ON INITIAL ACCESS TO THE WEB SITE

Management of risks and the control system

The Enterprise Risk Management (ERM) process

Cross-organisational nature