6.2 The corporate bodies, structures and functions involved
The ICRMS is an integrated system that involves the entire organisational structure: both the corporate bodies and company structures are required to contribute to its operation, in a coordinated way, according to the diagram shown below, so as to ensure that the main risks relating to the Company and its Subsidiaries are correctly identified and adequately measured, managed and monitored in line with the strategic objectives identified.
(i) The Board of Directors
Duties performed within the scope of the ICRMS
- As part of the preparation of the Snam Group’s 2017-2021 Strategic Plan, it defined the nature and the level of risk consistent with Snam’s strategic objectives - based on risk mapping carried out as part of the ERM System - including in its assessments all risks that might be significant in view of the medium/long-term sustainability of Snam’s activity
- Defines the ICRMS guidelines as part of the preparation of the Snam Group 2017-2021 Strategic Plan
- Assesses, on at least an annual basis (after consulting the Control, Risk and Related-Party Transactions Committee), the adequacy of the ICRMS with respect to the characteristics of the Company and the Group and the risk profile assumed
With regard to 2016, on 16 March 2016 the Board of Directors assessed, based on the preliminary work carried out by the Control, Risk and Related-Party Transactions Committee, the adequacy and effectiveness of the ICRMS. With regard to 2017, on 6 March 2017 the Board of Directors assessed, based on the preliminary work carried out by the Control, Risk and Related-Party Transactions Committee, the adequacy and effectiveness of the ICRMS
- Approves, on at least an annual basis, the Audit Schedule prepared by the Internal Auditor, after consulting the Control, Risk and Related-Party Transactions Committee and the Chairperson of the Board of Directors, the Director in Charge
The Board of Directors approved the Audit Schedule for 2016 on 16 March 2016 and the Audit Schedule for 2017 on 6 March 2017
- Assesses the adequacy of the ICRMS in relation to the characteristics of the company and the risk profile assumed, as well as its effectiveness
On 16 March 2016, with regard to 2016, and on 6 March 2017, with regard to 2017, the Board of Directors assessed the organisational, administrative and accounting structure, which had been prepared by the management and organisational functions that report to the CEO and had been first presented to the Control, Risk and Related-Party Transactions Committee and the Board of Statutory Auditors, as suitable for the size and types of activity carried out by Snam and the Subsidiaries
(ii) Director in Charge
Pursuant to the Company’s governance rules, Snam’s CEO performs the role of Director in Charge.
Duties performed within the scope of the ICRMS
- Identified the main corporate risks, in view of the characteristics of the activities carried out by Snam and the Subsidiaries, and took them into account in defining the 2017-2021 Strategic Plan approved by the Board of Directors
- Planned, created and managed the ICRMS, checking its adequacy and effectiveness on an ongoing basis
- Adjusting the ICRMS to the dynamics of the operating conditions and the legislative and regulatory framework
- Has the power to request that the Internal Auditor perform checks on specific operational areas and on compliance with internal rules and procedures in the execution of corporate transactions, informing the Chairpersons of the Board of Directors, the Control, Risk and Related-Party Transactions Committee and the Board of Statutory Auditors of said request
- Provided timely information, including through his structures, to the Control, Risk and Related-Party Transactions Committee about problems and issues arising during the course of his work or of which he had been made aware
(iii) Control, Risk and Related-Party Transactions Committee
The Control, Risk and Related-Party Transactions Committee is responsible for making appropriate enquiries to support assessments and decisions made by the Board of Directors concerning the internal control and risk management system, as well as those relating to the approval of financial reports.
(iv) Board of Statutory Auditors
Also in its capacity as the Internal Control and Audit Committee pursuant to Legislative Decree No. 39/2010, the Board of Statutory Auditors oversees the effectiveness of the ICRMS.
On 27 September 2016, the Board of Directors, at the CEO’s recommendation, with the agreement of the Chairperson and after consulting the Board of Statutory Auditors, appointed Franco Pruzzi – Senior Vice President Finance and Administration – as the Executive Responsible For Preparing Corporate Accounting Documents, replacing Antonio Paccioretti, who has left his position at the Group.
The Executive Responsible For Preparing Corporate Accounting Documents must not be a member of the administrative or control bodies or hold senior management positions at Eni S.p.A. and its Subsidiaries, nor may he/she have any direct or indirect professional or financial relationship with said companies [30]. Pursuant to Article 16 of the Bylaws, the Executive Responsible For Preparing Corporate Accounting Documents must have spent at least three years performing one of the following activities:
a) administration, control or management activities at a company listed on regulated markets in Italy, other EU States or other OECD countries with share capital of no less than Euro 2 million;
b) external audit activities at the companies mentioned under a);
c) professional or university teaching in finance or accounting; and
d) managerial functions at public or private entities with financial, accounting or control responsibilities.
The Board of Directors checks annually that, based on the declaration made by the Executive Responsible For Preparing Corporate Accounting Documents, there are no grounds for the latter’s incompatibility pursuant to the Bylaws and that the Executive Responsible For Preparing Corporate Accounting Documents meets the integrity requirements provided for by the applicable regulations.
The Board of Directors performs an annual check on the adequacy of the powers and means available to the Executive Responsible For Preparing Corporate Accounting Documents pursuant to the law for the fulfilment of their duties, as well as a half-yearly check on compliance with existing administrative and accounting procedures.
These checks took place on 16 March 2016 for 2016 and on 6 March 2017 for 2017.
(vi) Internal Auditor
The Internal Audit function is centralised at Snam: its scope of intervention is Snam and, also by means of service agreements, the Subsidiaries.
The role, duties and responsibilities of Internal Audit are defined and formalised by the Board of Directors in the “Guidelines on internal audit activity” (the “Guidelines”).
The Internal Auditor is appointed by the Board of Directors subject to the favourable opinion of the Control, Risk and Related-Party Transactions Committee and after consulting the Board of Statutory Auditors, at the Director in Charge’s recommendation, with the agreement of the Chairperson [31]. The appointment of the Internal Auditor is open-ended and may be revoked by the Board of Directors. At least once during the term of office determined by the Shareholders’ Meeting, the Board of Directors assesses whether the Internal Auditor should be reappointed to the role, based, among other things, on rotation criteria.
The Internal Auditor, within the organisational structure that reports to the CEO, carries out auditing duties fully independently, pursuant to the instructions provided by the Board of Directors [32]; the Control, Risk and Related-Party Transactions Committee supervises the Internal Auditor’s activities.
The Internal Auditor’s activities are performed ensuring the maintenance of the necessary independence requirements and the proper objectivity, competence and professional diligence set out in the international standards for the professional practice of Internal Audit and in the code of ethics issued by the Institute of Internal Auditors [33], as well as in the principles of the Code of Ethics [34].
Annually, the Board of Directors, within the process for the approval of the audit plan, approves the budget for the Internal Audit function to fulfil its duties. The Guidelines stipulate that the Internal Auditor shall have autonomous spending powers to scrutinise, analyse and assess the internal control and risk management system and/or perform related activities, and that the Internal Auditor, in exceptional and urgent situations that require the availability of funds exceeding the budget, may propose that the Board of Directors approve the extra budget of the Internal Audit department so that it may carry out the duties assigned to it.
The Director in Charge may request that the Internal Auditor perform checks on specific operational areas and on compliance with internal rules and procedures in the execution of corporate transactions, informing the Chairpersons of the Board of Directors, the Control, Risk and Related-Party Transactions Committee and the Board of Statutory Auditors of said request.
The (fixed and variable) remuneration of the Internal Auditor is approved by the Board of Directors, at the proposal of the Director in Charge, with the agreement of the Chairperson of the Board of Directors, in line with the company policies, and with the favourable opinion of the Control, Risk and Related-Party Transactions Committee. The proposal is also subject to examination by the Compensation Committee.
At its meeting of 14 December 2016, Snam’s Board of Directors, with the favourable opinion of the Control, Risk and Related-Party Transactions Committee and after consulting the Board of Statutory Auditors, at the recommendation of the Director in Charge and with the agreement of the Chairperson of the Board of Directors [35], appointed Lorenzo Alzati as the new Internal Auditor.
In particular, to ensure the independence and transparency of the process for selecting the Internal Auditor, Snam commissioned a specialist company to identify a shortlist of candidates with a suitable personal and professional profile for the position. The applications were considered jointly by the Control, Risk and Related-Party Transactions Committee and the Board of Statutory Auditors, with the Chairperson of the Board of Directors and the Executive Vice President Human Resources & Organisation.
The appointment of Lorenzo Alzati as Internal Auditor is open-ended and may be revoked by the Board of Directors.
Duties performed within the scope of the ICRMS
- Verifies, both on a continual basis and in relation to specific requirements, in compliance with international standards, the functioning and suitability of the ICRMS via an Audit Schedule, approved by the Board of Directors, based on a structured process of analysing and prioritising the main risks
- Is not responsible for operational areas and has direct access to all useful information for the performance of its duties
- Prepares periodic reports containing adequate information about his work, the way in which risk management is conducted and compliance with the plans established to contain risk, including an assessment of the suitability of the ICRMS, and sends these to the Chairs of the Board of Statutory Auditors, the Control, Risk and Related-Party Transactions Committee and the Board of Directors and to the Director in Charge
- Prepares timely reports on events of particular significance and sends them to the Chairs of the Board of Statutory Auditors, the Control, Risk and Related-Party Transactions Committee and the Board of Directors, and to the Director in Charge
- Verifies, in the context of the Audit Schedule, the reliability of the IT systems used, including the accounting systems
- Carries out other audit measures not set out in the Audit Schedule, as permitted by the available resources provided for in the Internal Audit schedule approved by the Board of Directors, based also on requests from: (i) the Board of Directors; (ii) the Control, Risk and Related-Party Transactions Committee and the Board of Statutory Auditors, with reciprocal communications; (iii) the Chairperson of the Board of Directors and the Director in Charge, ensuring communication to the Control, Risk and Related-Party Transactions Committee and the Board of Statutory Auditors; and (iv) the Supervisory Body
Main activities carried out in 2016
In 2016, the Internal Audit function performed its scheduled activities as expected, namely:
- drawing up the draft Audit Schedule based on the identification and prioritisation of the main risks facing the Company, carried out by the ERM unit;
- executing the Audit Schedule approved by Snam’s Board of Directors on 16 March 2016 following a favourable opinion from the Control, Risk and Related-Party Transactions Committee;
- performing the independent-monitoring programme drawn up with the Executive Responsible For Preparing Corporate Accounting Documents as part of Snam’s Corporate Reporting Control System;
- managing the channels used to provide notification, anonymous or otherwise, of problems relating to the internal control and risk management system, to corporate administrative responsibility of the Company, to irregularities or to fraud (whistleblowing); and
- activities pertaining to relations with the External Auditors and the oversight of the procedure for the allocation of additional appointments by Snam Group companies on the allocation and management of appointments and the applicable regulatory provisions.
In addition, and at the instigation of the control bodies, a Quality Assurance Review (QAR) of the Internal Audit function was carried out by a leading specialised independent company. The review should take place every five years according to the international standards issued by the Institute of Internal Auditors (IIA), and includes benchmarking against entities similar to Snam in terms of business type and size. The analysis shows that the practices adopted by Snam’s Internal Audit function fully comply with the international audit standards.
(vii) Snam’s Enterprise Risk Management system
As part of the ICRMS, Snam has adopted the Enterprise Risk Management System (the “ERM System”), which consists of rules, procedures and organisational structures for identifying, measuring, managing and monitoring the main risks that may affect the achievement of strategic objectives.
The ERM System represents a method for identifying, evaluating, managing and controlling risk in line with existing international best practices and benchmark models (COSO Framework and ISO 31000). The ERM System therefore involves an integrated, cross-functional and dynamic risk assessment that makes the most of existing management systems in individual corporate processes, and is updated to ensure that it always acts as an effective risk management model.
As part of its Level Two controls, Snam has established an ERM function, the duties of which include:
- defining and updating Snam’s ERM System and providing specialist methodological support in identifying and evaluating Group risks;
- coordinating the overall ERM process, ensuring that the risks to Snam and its Subsidiaries are properly consolidated and prioritised;
- identifying enterprise risks and scoring them where appropriate;
- working with the competent corporate functions to consolidate strategies for managing the identified risks;
- coordinating the risk monitoring and control activities; and
- supervising periodic reporting and the management and updating of defined risk indicators.
The objective of the identification stage is to pinpoint elements of risk both within and outside the corporate processes of Snam and its Subsidiaries that might affect their attainment of corporate objectives. Risk is measured in an integrated and cross-functional manner using different scales of probability and impact, both in terms of quantitative (e.g., economic and financial) and more qualitative and intangible (e.g., reputational, health-related, safety-related and environmental) aspects.
Each event is given an enterprise score. For each risk, this score summarises the different evaluations performed by the risk owners and by the centralised units with specialist areas of expertise. Risks are prioritised according to a combination of impact and probability scores.
Management strategies and any specific interventions are established for all risks, as is a time frame for their implementation.
Risk mapping is dynamic and thus needs to be reviewed periodically. The enterprise score dictates how often these reviews take place, but they happen at least once a year, even for low-priority risks. Periodic reporting ensures that the information on risk management and monitoring activities is available and represented across the different levels of the Company.
In 2016, the ERM department verified the risk mapping and related risk mitigation measures, submitting the results to the Control, Risk and Related-Party Transactions Committee. At the end of 2016, approximately 310 enterprise risks, divided across all the Company’s processes, had been mapped.
Apart from the ordinary checking and control of the mapped risks, further activities have been carried out to continuously improve the model adopted and to support risk managers. In more detail:
- certain mapped risks have been analysed to identify proposals for improving their operating management mechanisms, with the aim of strengthening management strategies and interventions and the systematic collection and consolidation of the Key Risk Indicators linked to the mapped risks;
- the ERM Risk Dashboard has been created and rolled out, and the related dematerialisation of the reporting process has been carried out.
In December 2016, “Progetto Simplify” was launched. Its aims include defining and implementing an integrated risk assurance model that brings together the different control models existing within the Group, with a synergistic approach aimed at maximum rationalisation and overall efficiency, as well as drafting and implementing Snam’s new regulatory system with a view to simplification and greater usability.
The main corporate risks identified, monitored and, insofar as specified below, managed by Snam are as follows:
- regulatory risk;
- legal and non-compliance risk;
- cyclical risk;
- operating risks;
- market and competition risks;
- risks of a financial nature; and
- emerging risks.
The graphic below illustrates the various operational phases of the ERM System.
(viii) 231 Model, Supervisory Body and Code of Ethics Supervisor
A. 231 Model
The Board of Directors adopted the 231 Model to prevent the crimes mentioned in the legislation on corporate administrative responsibility for crimes committed in the interest or to the advantage of the Company, and it has set up a Supervisory Body equipped with autonomous powers of initiative and control, in compliance with the law.
The 231 Model is a comprehensive set of principles, rules and provisions concerning, among other things, the management and control of each corporate process. Its aim is to protect the Company from any conduct that may incur its administrative responsibility, pursuant to Legislative Decree No. 231/2001, in relation to crimes or attempted crimes committed in the interest or to the advantage of the Company by persons holding a “senior” position within the entity or by those who are subject to the oversight and control of such persons.
The 231 Model was recently updated in the light of the issuance of regulations that introduced additional offences, such as those mentioned under Law No. 186/2014 concerning “Provisions on money laundering”, Law No. 68/2015 concerning “Provisions on crimes against the environment”, and Law No. 69/2015 concerning “Provisions on crimes against government authorities, involving criminal organisations and involving falsified financial statements”.
The analysis of corporate processes and the comparative analysis of the existing control environment and the oversight measures are carried out based on the COSO Framework, which is the international benchmark model for the establishment, updating, analysis and assessment of internal control systems (the “COSO Framework”, published most recently in May 2013 [36]).
The Subsidiaries have also adopted a 231 Model commensurate with their own specific nature, appointing their own Supervisory Body to monitor the implementation and effective application of the model.
Snam has developed a specific training programme for all its employees. As well as being an important tool for making management and other employees aware of corporate ethics, prevention of the crimes mentioned in Legislative Decree No. 231/2001 and anti-corruption, this training activity encourages all staff members to play an active role in Snam’s system of ethics and values.
B. Supervisory Body and Code of Ethics Supervisor
On 26 July 2016, the Board of Directors changed the Supervisory Body by providing for the presence of only members external to the Company and the Group, partly to ensure sufficient separation of duties and partly to ensure the presence of members with specific areas of expertise, thereby enabling the body to perform its duties effectively.
The Supervisory Body currently comprises three external members, one of whom acts as Chairperson, who are experts in legal and corporate matters, economics and corporate organisation. The table below shows the members of this body:
External member (Chairman): Giovanni Maria Garegnani
Among other things, the Supervisory Body oversees the effectiveness of the 231 Model and monitors how it is implemented and updated. It examines the 231 Model’s suitability to prevent unlawful conduct and manages the relevant information flows with the various corporate functions and supervisory bodies of the Subsidiaries. The Supervisory Body also acts as the Code of Ethics Supervisor.
The Supervisory Body has unlimited access to corporate information for investigation, analysis and control activities. Any Company department, employee and/or member of Company bodies is subject to a disclosure obligation in the event of any request by the Supervisory Body, or in the event of significant events or circumstances, for the performance of the activities falling within the field of competence of the Supervisory Body.
If any problems emerge, the Supervisory Body publishes the results of the activities carried out in the performance of its duties.
In 2016, the Supervisory Body met 12 times, with average attendance of 96.7% of members.
(ix) Functions with specific control duties
The ICRMS clearly positions the corporate functions within three levels of internal control.
In line with an evolutionary process designed to constantly improve the efficiency and effectiveness of the ICRMS and its enhanced integration, as well as the functions described above, the following organisational structures play an important role in identifying, measuring and monitoring risks associated with management of the Company’s business, as part of their own operational responsibilities, in a coordinated way and through continuous information flows.
- the Compliance Function, among other things: (i) promotes the compliance culture and the rationalisation of the compliance models and the system of related rules and procedures, quantifying the effective risk in specific areas and monitoring their application; (ii) supervises the adequacy and compliance of the company system of principles and rules with the laws, regulations and provisions in force, ensuring the connection, coordination and control of compliance activities; and (iii) ensures the definition and updating of the necessary compliance programmes. Additionally, an internal anti-corruption unit is established within the Legal & Corporate Affairs, Compliance and Enterprise Risk Management Direction; and
- the Planning, Administration, Finance and Control Function oversees financial risks; the Corporate Reporting Control System Function is set up internally.
(x) Structure of the three levels of internal control
Level One
- Identification, evaluation and monitoring of risks inherent to the individual Group processes
- The Snam Group functions that bear the individual risks, and that are responsible for identifying, measuring and managing them and for implementing the necessary controls in the processes within their remit, are located at this level
Level Two
- Monitoring of the main risks to ensure that they are effectively and efficiently managed and processed, and monitoring of the adequacy and functioning of the controls put in place to protect against these risks; support for Level One in defining and implementing adequate management systems for the main risks and related controls
- This level contains Group personnel charged with coordinating and managing the main control systems (e.g., Corporate Administrative Responsibility, Disclosure, Anti-corruption, Competition, etc.)
Level Three
- Independent and objective verification of the operating effectiveness and adequacy of Levels One and Two, and in general of the overall risk management methods. Internal Audit operates on the basis of the Guidelines
[30] Pursuant to the Prime Ministerial Decree of 25 May 2012.
[31] Pursuant to the Guidelines, the candidate’s profile and the necessary requirements of integrity, professionalism, competence, autonomy and experience are assessed, as well as any grounds for incompatibility, including in terms of conflict of interests, with previous activities or positions held at the Company and/or its Subsidiaries. The Control, Risk and Related-Party Transactions Committee performs an annual check on whether these requirements are still being met.
[32] Pursuant to the application criterion 7.C.5 letter b) of the Corporate Governance Code, the exclusive power of the Board to give instructions to the Internal Auditor has been enhanced.
[35] Please see footnote 31 above.