6.1 Code of Ethics and principles of the internal control and risk management system
Snam adopts and undertakes to promote and maintain an adequate system of internal control and risk management, i.e. all the necessary or useful tools for addressing, managing and checking activities in the company aimed at ensuring compliance with corporate laws and procedures, protecting corporate assets, efficiently managing activities and providing precise and complete accounting and financial information.
The Code of Ethics defines the guiding principles on which the entire internal control and risk management system is based, including: (i) the segregation of activities to separate the parties responsible for authorisation, execution and monitoring; (ii) the existence of suitable corporate provisions to provide the general principles of reference for governing corporate processes and activities; (iii) the existence of formalised rules for exercising powers of signature and internal authorisation; and (iv) traceability (guaranteed through the adoption of suitable information systems for identifying and reconstructing sources, information and checks performed to support the formation and implementation of the Company’s decisions and procedures for managing financial resources).
The internal control and risk management system is audited and updated over time, to ensure that it is always appropriate and to oversee the main areas of corporate risk. In this context, and also to execute the provisions of the Code of Corporate Governance, Snam has adopted an ERM system. For more information on the ERM system, see Paragraph 6.2 of the Report.
At its meeting on 29 October 2013, the Board of Directors approved the “Board guidelines on internal audit activities” (the “Guidelines”), which define the internal control and risk management system as all the rules, procedures and organisational structures for identifying, measuring, managing and monitoring the main risks faced. An effective internal control and risk management system helps a company to conduct its business in line with the objectives it has set, facilitating informed decision-making.
Responsibility for establishing and maintaining an effective internal control and risk management system that is in line with corporate and procedural targets, and for ensuring that risk management methods correspond to the defined risk reduction plans, falls to the director in charge of the internal control and risk management system and to those in charge of risk management. Snam’s Board of Directors has identified the Company’s CEO as the director in charge of the internal control and risk management system, performing the duties set forth in the Code of Corporate Governance.
Having heard the opinion of the Control and Risk Committee, the Board of Directors evaluates, at least once a year, the adequacy and effectiveness of the internal control and risk management system with regard to the characteristics of the Company and the Group and the risk profile adopted.
Having received the approval of the Control and Risk Committee and the opinion of the Board of Statutory Auditors, upon the proposal of the director in charge of the internal control and risk management system and in agreement with the Chairman, the Board of Directors appoints the Internal Auditor. For more information on the Internal Auditor, see Paragraph 6.4 of the Report.
In its capacity as the “internal control and audit committee” pursuant to Legislative Decree 39/2010, the Board of Statutory Auditors oversees the effectiveness of the internal control and risk management system.
The Corporate System Framework document adopted by the Board of Directors includes, among other things, the structure of the internal control and risk management system, which is organised in such a way that the main risks pertaining to the Company and its Subsidiaries are correctly identified and adequately measured, managed and monitored, in accordance with the strategic objectives identified.
Snam’s internal control and risk management system is based on an integrated model of controls in which the duties of each body and department involved, and the concrete procedures for coordination between them, are clearly identified. Management is primarily responsible for applying the internal control and risk management system, since control activities are an integral part of managerial processes. Management must therefore foster an atmosphere that is actively orientated towards control and, in particular, oversee “line controls”, which are all the control activities that the individual operating units or companies carry out on their processes. There are various business units involved in the internal control and risk management system, based on specific allocations of responsibility. These units are at three different levels of the corporate structure, and they interact as shown in the diagram below.
Specifically, Snam’s risk management system comprises the following three levels of internal control:
- Level One: identification, evaluation and monitoring of risks inherent to the individual Group processes. The Snam Group departments that bear the individual risks, and are responsible for identifying, measuring and managing them as well as for implementing the necessary controls, are located at this level.
- Level Two: monitoring of the main risks to ensure that they are effectively and efficiently managed and processed, and monitoring of the adequacy and functioning of the controls put in place to protect against these risks; support for Level One in defining and implementing adequate management systems for the main risks and related controls. This level contains Group personnel charged with coordinating and managing the main control systems (Corporate Administrative Responsibility, Corporate Disclosure, Anti-corruption, Competition, etc.).
- Level Three: independent and objective verification of the operating effectiveness and adequacy of Levels One and Two, and in general of the overall risk management methods. This is carried out by the Internal Audit department, whose activities are shaped by the Guidelines.
In accordance with the Code of Corporate Governance, and on the basis of preliminary work by the Control and Risk Committee, on 11 March 2015 the Board of Directors evaluated the adequacy and effectiveness of the internal control and risk management system in relation to the characteristics and risk profile of Snam and its Subsidiaries.
The director in charge of the internal control and risk management system notifies the Control and Risk Committee in good time of any issues and problems arising during the performance of his duties or brought to his attention. During 2014, the director in charge of the internal control and risk management system provided timely information, including via the relevant structures, to the Control and Risk Committee in relation to events and problems that emerged.