6.1 Code of Ethics and principles of the internal control and risk management system
Snam has adopted and is committed to promoting and maintaining an adequate internal control and risk management system, to be understood as a set of all of the tools necessary or useful in order to direct, manage and monitor business activities with the objective of ensuring compliance with laws and company procedures, protecting corporate assets, managing activities in the best and most efficient manner and providing accurate and complete accounting and financial data.
The Code of Ethics defines the guiding principles that serve as the basis for the entire internal control and risk management system, including: (i) the segregation of duties among the entities assigned to the processes of authorisation, execution or control; (ii) the existence of corporate determinations capable of providing the general standards of reference to govern corporate activities and processes; (iii) the existence of formal rules for the exercise of signatory powers and internal powers of authorisation; and (iv) traceability (ensured through the adoption of information systems capable of identifying and reconstructing the sources, the information and the controls carried out to support the formation and implementation of the decisions of the Company and the methods of financial resource management).
Over time, the internal control and risk management system has been subjected to verification and updating in order to continually ensure its suitability and to protect the main areas of risk in business activities. In this context, as well as for the purpose of implementing the provisions of the Corporate Governance Code, Snam has adopted an Enterprise Risk Management system ("ERM"). Further information on the ERM system can be found in Chapter 6.2 of the Report.
The Board of Directors, in its most recent meeting of 29 October 2013, approved the “Guidelines of the Board of Directors on Internal Auditing” (the “Guidelines”) that define the system of internal control and risk management as a set of organisational structures, rules and procedures to enable the identification, measurement, management and monitoring of the main risks. An effective system of internal control and risk management assists in leading the Company in line with pre-established goals, promoting reasoned decision-making.
The internal control and risk management system director and those appointed to manage it are responsible for establishing and maintaining an effective internal control and risk management system, in line with corporate and procedural objectives, ensuring that risk management procedures correspond to the risk containment plans defined. Snam’s Board of Directors has identified the Company’s Chief Executive Officer as the director responsible for the internal control and risk management system, performing the duties set forth in the Code of Corporate Governance.
The Board of Directors, subject to the opinion of the Control and Risk Committee, assesses, at least annually, the adequacy of the internal control and risk management system with regard to the characteristics of the Company and of the Group and the risk profile assumed, as well as its efficacy.
The Board of Directors – subject to the favourable opinion of the Control and Risk Committee and considering the opinion of the Board of Statutory Auditors, upon the proposal of the internal control and risk management system director, in agreement with the Chairman of the Board of Directors – appoints the Internal Auditor. Further information on the Internal Auditor can be found in Chapter 6.4 of the Report.
In its capacity as the “internal control and audit committee” pursuant to Legislative Decree 39/2010, the Board of Statutory Auditors oversees the effectiveness of the internal control and risk management system.
During 2013, the Board of Directors undertook initiatives aimed at the analysis and subsequent formalisation of guidelines for the internal control and risk management system, containing the rules, procedures and organisational structures for identifying, measuring, monitoring and managing risks, in accordance with the strategic objectives identified.
Snam’s internal control and risk management system is based on an integrated model of controls, with the duties of each body and department involved, and concrete methods of coordination between them, clearly identified. Management is primarily responsible for applying the internal control and risk management system, since control activities are an integral part of management processes. Management must therefore foster an environment positively oriented to controls and must specifically manage “line controls”, consisting of all the control activities that individual operating units or companies perform on their own processes. There are various operating units involved in the internal control and risk management system, based on specific allocations of responsibility. These units are set at three different levels of the corporate structure, and they interact as shown in the diagram below.
Specifically, Snam’s risk management system comprises the following three levels of internal control:
- Level One: identification, evaluation and monitoring of risks inherent to the individual Group processes. The Group departments that bear the individual risks, and are responsible for identifying, measuring and managing them as well as for implementing the necessary controls, are located at this level.
- Level Two: monitoring of the main risks to ensure that they are effectively and efficiently managed and processed, and monitoring of the adequacy and functioning of the controls put in place to protect against the main risks; support for Level One in defining and implementing adequate management systems for the main risks and related controls. This level contains Group personnel charged with coordinating and managing the main control systems (e.g. Corporate Administrative Liability, Disclosure, Anti-Corruption, Antitrust, etc.).
- Level Three: independent and objective verification of the operating effectiveness and adequacy of Levels One and Two, and in general of all risk management methods. This activity is performed by the Internal Audit department, which performs its activity under the direction and guidance of the Guidelines.
In accordance with the Code of Corporate Governance, and on the basis of preliminary activity of the Control and Risk Committee, on 27 February 2014 the Board of Directors evaluated the adequacy and effectiveness of the internal control and risk management system in relation to the characteristics of Snam and its Controlled Companies and the risk adopted.
The internal control and risk management system director promptly reports to the Control and Risk Committee any problems and critical issues that have arisen during the performance of his/her activity or of which he/she has been made aware. During the 2013 financial year there were no events or facts for which such timely information was necessary.