Elements of risk and uncertainty
Snam has established the Enterprise Risk Management (ERM) unit, which reports directly to the CEO and oversees the integrated process of managing corporate risk for all group companies. The main objectives of ERM are to define a risk assessment model that allows risks to be identified, using standardised, group-wide policies, and then prioritised, to provide consolidated measures to mitigate these risks, and to draw up a reporting system.
The ERM method adopted by the Snam Group to identify, measure, manage and control structured risks that apply to Snam and its subsidiaries is in line with benchmark models and existing international best practice (COSO Framework and ISO 31000).
The ERM unit operates as part of the wider Internal Control and Risk Management System of Snam.
Internal Control and Risk Management System
With the assistance of the Control and Risk Committee, the Board of Directors is responsible for the Internal Control and Risk Management System. The Board oversees the system and assesses its adequacy, identifying the Chief Executive Officer as the director in charge of establishing and maintaining an efficient internal control and risk management system.
The Board of Statutory Auditors and the Watch Structure monitor the effectiveness of the system.
Snam’s risk management process is broken down into three levels of internal control:
- Level One: identifying, assessing and monitoring relevant risks, within the context of individual group processes.
  This level incorporates the group departments that own individual risks, are in charge of identifying, measuring and managing them, and are responsible for implementing the necessary controls.
- Level Two: (i) monitoring the main risks in order to guarantee effectiveness and efficiency in relation to: (a) the management and handling of these risks; (b) the adequacy and functionality of the controls put in place to monitor the main risks; and (ii) support for Level One in defining and implementing adequate systems for managing the main risks and the related controls.
  This level incorporates the group departments in charge of coordinating and managing the main control systems (e.g. Corporate Administrative Responsibility, Corporate Reporting, Anti-Corruption and Antitrust).
- Level Three: independent and objective assurance concerning the adequacy and effective functionality of Levels One and Two, and all risk management procedures in general.
  This is carried out by Internal Audit, whose activities are directed and guided by the “Guidelines” defined and approved by Snam’s Board of Directors.
The following graphic gives an overview of how the entire System functions.
Snam’s Enterprise Risk Management process
Snam has always known and managed its risks, but through ERM it has chosen to adopt a structured, standardised method of identifying, assessing, managing and controlling risks for all group companies. The ERM model enables dynamic and integrated group-wide risk assessment that brings out the best of the existing management systems in individual corporate processes.
The findings, in terms of the main risks and the plans devised to manage them, are presented to the Control and Risk Committee so that an assessment can be carried out on the effectiveness of the Internal Control and Risk Management System in relation to Snam’s specific characteristics and the risk profile it has taken on.
Snam’s dedicated ERM department manages and oversees the following main activities:
- Risk identification and measurement;
- Enterprise valuation and risk prioritisation;
- Risk management strategy definition;
- Monitoring and reporting;
- Model maintenance and development.
The objective of the risk identification phase is to identify any risky events relating to the Snam group’s corporate processes and external processes that could affect the achievement of the corporate objectives.
Integrated group-wide risk measurement is carried out using scales for classifying probabilities and impacts concerning both quantitative aspects (e.g. economic and financial impacts) and more qualitative and intangible aspects (e.g. impacts relating to reputation, health, safety and environment).
Each event is assigned an “enterprise measurement”. This measurement summarises the various assessments for each risk carried out by the risk owners and by centralised units with specialist skills. Risk prioritisation, on the other hand, is defined by combining impact and probability measures.
Management actions and any specific measures to be taken are identified for all risks, together with the relevant implementation schedule, and each risk is allocated one of the codified risk management types. Risk mapping is dynamic and is therefore reviewed periodically. The frequency of these reviews depends on the enterprise valuation, but is at least annual, even for low-priority risks.
Periodic reporting ensures that information on the management and monitoring of the risks encountered at each level of the group is available and is disclosed.
The ERM model is maintained continuously and independently of the phases of the process, with the aim of constantly ensuring an effective model that reflects the technological and methodological progress made in the field of risk management.
Using the model described above, the ERM unit performed four risk assessment cycles on the Snam Group as a whole in 2014. An integrated programme of measures was also drawn up to identify the specific activities and related timeframes for managing and mitigating the main risks.
The results of the risk assessment and monitoring activities and the related mitigation measures were presented regularly to the Control and Risk Committee, the Board of Statutory Auditors and the Watch Structures of Snam and its subsidiaries. They were also used by the Internal Audit department to draw up the audit schedules.
The main corporate risks identified, monitored and, where specified below, managed by Snam are as follows: (i) market risk arising from exposure to fluctuations in interest rates and in the price of natural gas; (ii) credit risk arising from the possible default of a counterparty; (iii) liquidity risk arising from insufficient financial resources to meet short-term commitments; (iv) rating risk; (v) risk of default and debt covenants; (vi) operating risk; and (vii) risks specific to the business segments in which the group operates.