6.1 Internal control and risk management system
Snam adopts and undertakes to promote and maintain an adequate internal control and risk management system, to be understood as a set of rules, procedures and organisational structures aimed at permitting the identification, measurement, management and monitoring of the main risks faced.
The internal control and risk management system involves:
- the Board of Directors, which performs a guiding role and (having heard the opinion of the Control and Risk Committee) evaluates, at least once a year, the adequacy and effectiveness of the internal control and risk management system with regard to the characteristics of the Company and the Group and the risk profile adopted. To that end, the Board has named one of its members as the director in charge of the internal control and risk management system;
- the CEO of the Company in his capacity as Director in charge of the internal control and risk management system, who is required to establish and maintain an effective internal control and risk management system, in accordance with the corporate and procedural objectives, and is also responsible for ensuring that the risk management procedures correspond to the containment plans defined;
- the Control and Risk Committee, which is responsible for making suitable enquiries to support assessments and decisions made by the Board of Directors concerning the internal control and risk management system, as well as those relating to the approval of financial reports;
- the Internal Auditor, who is tasked with verifying that the internal control and risk management system is functional and adequate [46];
- the other corporate functions and roles with specific duties regarding internal control and risk management, structured according to the size, complexity and risk profile of the Company;
- the Board of Statutory Auditors, which, in its capacity as the Internal Control and Audit Committee pursuant to Legislative Decree 39/2010, oversees the effectiveness of the internal control and risk management system.
In accordance with the Code of Corporate Governance, and on the basis of preliminary work by the Control and Risk Committee, on 16 March 2016 the Board of Directors evaluated the adequacy and effectiveness of the internal control and risk management system in relation to the characteristics and risk profile of Snam and its Subsidiaries.
The Director in charge of the internal control and risk management system notifies the Control and Risk Committee in good time of any issues and problems arising during the performance of his duties or brought to his attention. During 2015, the Director in charge of the internal control and risk management system provided timely information, including via his units, to the Control and Risk Committee in relation to events and problems that emerged.
(i) General principles and guidelines of the internal control and risk management system
The Code of Ethics defines the guiding principles on which the entire internal control and risk management system is based, including:
- the separation of activities between persons responsible for authorisation, executive or control procedures;
- the existence of company regulations that can provide general benchmark principles for governing corporate processes and activities;
- the existence of formal rules for the exercise of signatory powers and internal powers of authorisation; and
- traceability (guaranteed through the adoption of information systems that can identify and reconstruct sources, information and checks carried out in support of the formation and implementation of the Company’s decisions and financial resources management procedures).
The internal control and risk management system is audited and updated over time, to ensure that it is always appropriate and to oversee the main areas of corporate risk. In this context, and also to execute the provisions of the Code of Corporate Governance, Snam has adopted an ERM system [47].
At its meeting on 29 October 2013, the Board of Directors approved the “Board guidelines on internal audit activities” (the “Guidelines”), which define the internal control and risk management system as all the rules, procedures and organisational structures for identifying, measuring, managing and monitoring the main risks faced. An effective internal control and risk management system helps a company to conduct its business in line with the objectives it has set, facilitating informed decision-making.
(ii) The structure of the internal control and risk management system
The document entitled “Corporate System Framework” adopted by the Board of Directors presents the structure of the internal control and risk management system, which is organised in such a way that the main risks facing the Company and its Subsidiaries are correctly identified and adequately measured, managed and monitored, in line with the strategic objectives identified.
Snam’s internal control and risk management system is based on an integrated model of controls, with the duties of each body and department involved, and concrete procedures for coordination between these, clearly identified. Management is primarily responsible for applying the internal control and risk management system, since control activities are an integral part of managerial processes. Management must therefore foster an atmosphere that is actively orientated towards control and, in particular, oversee “line controls”, which are all the control activities that the individual operating units or companies carry out on their processes. There are various operating units involved in the internal control and risk management system, based on specific allocations of responsibility. These units are at three different levels of the corporate structure, and they interact as shown in the diagram below.
Specifically, Snam’s risk management system comprises the following three levels of internal control:
- Level One: identification, evaluation and monitoring of risks inherent to the individual Group processes. The Snam Group departments that bear the individual risks, and are responsible for identifying, measuring and managing them as well as for implementing the necessary controls, are located at this level.
- Level Two: monitoring of the main risks to ensure that they are effectively and efficiently managed and processed, and monitoring of the adequacy and functioning of the controls put in place to protect against these risks; support for Level One in defining and implementing adequate management systems for the main risks and related controls. This level contains Group personnel charged with coordinating and managing the main control systems (e.g. Corporate Administrative Responsibility, Disclosure, Anti-corruption, Competition, etc.).
- Level Three: independent and objective verification of the operating effectiveness and adequacy of Levels One and Two, and in general of the overall risk management methods. This is carried out by the Internal Audit department, the activities of which are shaped by the Guidelines.
[46] For more information on the Internal Auditor, please see Paragraph 6.4 of the Report below.
[47] For more information on the ERM system, please see Paragraph 6.2 of the Report.