6.2 Snam’s enterprise risk management system
Partly in order to execute the provisions of the Code of Corporate Governance, Snam has adopted an enterprise risk management (ERM) system comprising organisational structures, procedures and rules for identifying, measuring, managing and monitoring the main risks that could affect whether or not it achieves its strategic objectives.
In 2013, the ERM system provided Snam and its Subsidiaries with a common and structured method for identifying, evaluating, managing and controlling risk in line with existing international best practices and benchmark models (COSO Framework and ISO 31000). The ERM system therefore involves an integrated, cross-functional and dynamic risk assessment that makes the most of existing management systems in individual corporate processes, and is updated to ensure that it always acts as an effective risk management model.
The results in relation to the main risks and the related plans for managing said risks are submitted to the Control and Risk Committee, which assesses the effectiveness of the internal control and risk management system in relation to the specific features of Snam and its risk profile.
Snam has an ERM department, the duties of which include:
- defining and updating Snam’s ERM model and providing specialist methodological support in identifying and evaluating Group risks;
- coordinating the overall ERM process, ensuring that the risks to Snam and its Subsidiaries are properly consolidated and prioritised;
- identifying enterprise risks and scoring them where appropriate;
- working with the competent corporate departments to consolidate strategies for managing the identified risks;
- coordinating the risk monitoring and control activities;
- supervising periodic reporting and the management and updating of defined risk indicators.
The objective of the identification stage is to pinpoint elements of risk both within and outside the corporate processes of Snam and its Subsidiaries that might affect their attainment of corporate objectives. Risk is measured in an integrated and cross-functional manner using different scales of probability and impact, both in terms of quantitative (e.g. economic and financial) and more qualitative and intangible (e.g. reputational, health-related, safety-related and environmental) aspects.
Each event is given an enterprise score. For each risk, this score summarises the different evaluations performed by the risk owners and by the centralised units with specialist areas of expertise. Risks are prioritised according to a combination of impact and probability scores.
Management strategies are identified for all risks, as well as any specific interventions and a time frame for their implementation.
Risk mapping is dynamic and thus needs to be reviewed periodically. The enterprise score dictates how often these reviews take place, but they happen at least once a year, even for low-priority risks. Periodic reporting ensures that the information on risk management and monitoring activities is available and represented across the different levels of the Company.
In 2015, the ERM department verified the risk mapping and related risk mitigation measures on a quarterly basis, submitting the results to the Control and Risk Committee.
The main corporate risks identified, monitored and, insofar as specified below, managed by Snam are as follows:
- regulatory, legal and non-compliance risk;
- operating risks;
- market and competition risks;
- financial and liquidity risks.
For more detail, please see the “Factors of uncertainty and risk management” chapter of the 2015 Report on Operations.
The graphic below illustrates the various operational phases of the ERM system.