Management of risks and the control system

Although it has a limited economic and financial risk profile because most of its operations are in regulated business segments, Snam adopts a structured and systemic approach to governing all risks that could affect value creation.

The system we use across the Group to identify, assess, manage and control risk has three levels, each with different objectives and associated responsibilities. The Board of Directors charges the CEO with giving structure to and maintaining the entire system.

We use an integrated, dynamic and group-wide method of assessing risk that evaluates the existing management systems in the individual corporate processes, starting with those relating to the prevention of fraud and corruption and health, safety, environment and quality.

These same controls form an integral part of the managerial processes. Management must therefore foster an environment that encourages controls, and must specifically manage “line controls”, consisting of all the control activities that individual operating units or companies perform over their own processes. Independent controls are performed by the Internal Audit department, which is responsible for checking that the system is functioning and adequate.

In 2017, audit activities were performed by a dedicated team of 8 auditors.

 Download XLS (17 kB)
Activities performed by Internal Audit

(€ million)




Total number of audits performed




Reports received




- of which related to the internal control system




- of which related to accounting, auditing, fraud, etc.




- of which related to administrative responsibility pursuant to Italian Legislative Decree 231/2001




- of which relating to breaches of the anti-corruption law




- of which related to other subjects (Code of Ethics, harassment, theft, security, etc.)




Reports shelved due to lack of proof or because untrue (no.)




Reports resulting in disciplinary or managerial interventions, and/or submitted to judicial authorities




Reports under examination (no.)




In 2017, all internal audit activities were carried out in accordance with the international standards issued by the Institute of Internal Auditor (IIA) and, following the 2016 Quality Assurance Review (QAR) (whose final summary opinion is one of general compliance of the structure and Internal Audit activities of Snam S.p.A. with IIA Standards and Code of Ethics), the Internal Audit department has prepared and launched a program to implement the improvement actions highlighted by the QAR. In particular, the main actions implemented by the function include:

  • Review and approval of the Guidelines for the Board regarding internal audit activities. The changes took into consideration:(i) the update of IIA international standards (effective January 2017), (ii) the update of the Italian Stock Exchange Code (published in July 2015), and (iii) the change in the scope of audit activities following organisational changes and the updating the company procedural framework;
  • the updating of the operating guides through the preparation of an Internal Audit Manual, which, with a view to continuous improvement, seeks to increase the process efficiency and make information easier to consume.

These activities were performed with the support of an independent specialist consultant, who also carried out a benchmark relative to similar companies in terms of size and operation; this work did not reveal any non-compliance with the standards, whilst ensuring that changes made were in line with IIA International Standards and best practices.

Enterprise Risk Management process (ERM)

The Snam group, in line with the indications of the Code of Corporate Governance and international best practices, has instituted, under the direct supervision of the General Counsel, the Enterprise Risk Management (ERM) unit, which operates within the wider Internal Control and Risk Management System, in order to manage the integrated management process of corporate risks for all Group companies.

The main objectives of ERM are to define a risk assessment model that allows risks to be identified, using standardised, group-wide policies, and then prioritised, to provide consolidated measures to mitigate these risks and to draw up a reporting system.

Directors' time in office in the bod (Pie chart)

Identification and measurement: of risk events relating to corporate processes and external risk factors that could influence the achievement of corporate goals, either through direct impacts on results and corporate finances (lower revenue or higher costs) or through intangible negative effects on other types of capital, especially the licence to operate.

Definition of the management strategy: for all risks, management measures are identified, together with any specific interventions and the relevant implementation time frames, associated with a type of risk management from among those that have been codified. Management plans for the main risks are presented to the Control and Risk Committee.

Enterprise and prioritisation assessment: each event is assigned an ‘enterprise measurement’, which summarises, for each risk, the different measurements carried out by the risk owner and by centralised units with specialist expertise. The prioritisation of risks is defined by combining the measurements of impact and probability.

Monitoring and reporting: the risk mapping is periodically updated according to the enterprise
measurement, and at least once a year, including for low-priority risks. Periodic reporting guarantees, at the various corporate levels, the availability and representation of information relating to the management and monitoring of the relevant risks.

Cross-organisational nature

One of the best features of Snam’s ERM model is the wide-ranging nature of its impact measurement.

Any risk event may have 10 different types of impact, some determined by the risk owners (operational impacts) and others by specialist departments (e.g. legal and financial impacts). This means risk measurement from different perspectives and team risk prioritisation.

The most common operational impact is industrial impact, consistent with the fact that risk identification begins with process analysis. The most prevalent specialist impacts include reputational and legal impacts, confirming the existence of an increasingly globalised external context subject to ever more complex regulations.

Using the model described above, the risk assessment cycles were performed on the entire Snam Group in 2017.As at the end of 2017, 136 enterprise risks had been mapped and broken down between all corporate processes.

A project was also launched in 2017 to define and implement an integrated risk assessment model that, through a single IT tool and a single database, rationalises and integrates all information flows of second-level controls with a synergistic approach aimed at maximum overall efficiency.

The main corporate risks identified, monitored and, insofar as specified below, have been classified into the following categories:

  • strategic risks
  • legal and non-compliance risk
  • operating risks
  • financial risks

The table below shows the mitigation and monitoring measures implemented for each type of risk.

 Download XLS (17 kB)



Mitigation and monitoring measures implemented

Impact on capitals

Strategic risks




Macroeconomic and geo-political risk:

Risks associated with political, social and economic instability in natural gas supplier countries

  • Continuous monitoring of the political, social and macroeconomic framework

  • Maintenance of constant relations with Authorities and Institutions responsible for managing possible crises in high-risk scenarios

Regulatory and legislative risk:

Definition and updating of a regulatory framework in Italy and in the countries of interest that presents penalising parameters, in particular with regard to criteria for determining tariffs

  • Maintenance of ongoing constructive dialogue with the regulator that can contribute to the definition of a clear, transparent and stable framework in order to incentivise the sustainable development of the gas system

Significant change in regulations and/or case law

  • Ongoing regulatory oversight through the monitoring of changes in laws and rulings, analysis of changes, and the dissemination of information and further details to business and commercial departments

Risks related to climate change:

Reinforcement of the regulatory framework for greenhouse gas emissions

  • Ongoing regulatory supervision with monitoring of the development of the greenhouse gas emissions authorisation system

  • Target of -10% of natural gas emissions from 2016 to 2021, for the same perimeter
  • Recovery of 33% of potential emissions deriving from maintenance activities, each year from 2017 to 2022

Change of scenarios with impact on the demand for natural gas and transported volumes

  • Development of new business related to alternative uses of gas and implementation of the use of gas to support the energy transition (biomethane and other renewable gases, small scale LNG, CNG, gas heat-pumps and micro-cogeneration)

Increase in the severity of extreme atmospheric phenomena, with impacts on continuity and quality of service

  • Adaptation of the recovery plan and business continuity management system to international best practices
  • Technologically advanced tools for monitoring/controlling the status of infrastructure/plants and the areas affected
  • Elaboration of corporate energy scenarios consistent with the national and European decarbonisation objectives developed for the containment of temperatures increase envisaged by the Paris agreements.
  • Ongoing, systematic maintenance and monitoring measures
 Download XLS (17 kB)
 Download XLS (17 kB)



Mitigation and monitoring measures implemented

Impact on capitals

Operating risks




Retaining gas storage concessions

  • Development of storage carried out in line with the most up-to-date technical and economic criteria and best practices in science and technology so as not to damage the deposit, not to cause harm to third parties or the environment and to guarantee the optimisation of capacity in compliance with the security of the national gas system

Delay to the progress of programmes involving the construction of large transportation and storage infrastructure

  • Application of the strictest national and international environmental and safety standards during planning, with particular attention to safeguarding the natural value of the area and biodiversity
  • Communication policy on the planned work, with a view to sharing projects with the local community and stakeholders from the outset.
  • Use of innovative construction technologies with low environmental impacts (e.g. trenchless technologies, use of turbo gas with low atmospheric emissions)
  • Strict, structured system for selecting contractors and monitoring their performance

Breakages or damages to pipelines/installations also upon exogenous events, which can cause malfunction and unexpected service interruption

  • Application of management systems and procedures that take into account the specific nature of Snam’s activities
  • Recovery plan system and business continuity management in line with international best practices
  • Communication initiatives aimed at providing information about the presence of infrastructure and behaviours to avoid/implement by third parties so as not to damage it
  • Technologically advanced tools for monitoring/controlling the status of infrastructure/plants and the areas affected
  • Continuous verification of insurance coverage in relation to the type of business and related risks
  • Ongoing, systematic maintenance and monitoring measures

Computer threats (Cybersecurity)

  • Adaptation of IT security and business continuity systems to the ISO / IEC 27001 and ISO22013 standards respectively, with provision for related certification
  • Definition of a model of security incident management team to respond promptly to events that may damage the integrity of the information and IT systems used
 Download XLS (17 kB)



Mitigation and monitoring measures implemented

Impact on capitals

Financial risks




Medium- and long-term debt rating downgrade

  • Constant monitoring of rating indicators and availability of long-term credit lines

Changes in the interest rate

  • Monitoring cash-flow-at-risk using an asset and liability management (ALM) model

Exchange rate changes

  • Minimisation of transaction risk, through measures such as the use of derivatives

Inability to raise new funds (funding liquidity risk) or to liquidate assets on the market

  • Minimisation of opportunity cost and maintaining a balance in terms of debt duration and composition


  • Monitoring of the contractual protection clauses in loan agreements

Bad debts

  • Scoring system for evaluation and segmentation of customers (creditworthiness), and systematic management of requests upon specific maturities
  • Evaluation of the authenticity and validity of guarantees
  • Reporting of any issues with the regulatory system that may lead to opportunistic/fraudulent behaviour by operators

For more information on all the main risk and uncertainty factors, please refer to chapter “Elements of risk and uncertainty” of this Report.

to pagetop