Management of risks and the control system
Although it has a limited economic and financial risk profile because most of its operations are in regulated business segments, Snam adopts a structured and systemic approach to governing all risks that could affect value creation.
The system used across the Group to identify, assess, manage and control risk has three levels, each with different objectives and associated responsibilities. The Board of Directors charges the CEO with giving structure to and maintaining the entire system. We use an integrated, dynamic and group-wide method of assessing risk that evaluates the existing management systems in the individual corporate processes, starting with those relating to the prevention of fraud and corruption and health, safety, environment and quality.
These same controls form an integral part of the managerial processes. Management must therefore foster an environment that encourages controls, and must specifically manage “line controls”, consisting of all the control activities that individual operating units or companies perform over their own processes. Independent controls are performed by the Internal Audit department, which is responsible for checking that the system is functioning and adequate.
In 2019, audit activities were performed by a dedicated team of 10 auditors on average.

| (no.) | 2017 | 2018 | 2019 |
|---|---|---|---|
| Total number of audits performed | 42 | 22 | 29 |
| - of which relating to scheduled and/or spot audits | 8 | 14 | 15 |
| - of which relating to independent monitoring activities (Law no. 262/05) | 34 | 8 | 19 |
| Notifications received | 5 | 4 | 11 |
| - of which related to the internal control system | - | - | 1 |
| - of which concerning accountancy, audit, fraud, etc. | - | - | - |
| - of which related to administrative responsibility pursuant to Legislative Decree 231/2001 | - | - | - |
| - of which relating to breaches of the anti-corruption law | 1 | - | - |
| - of which related to other subjects (Code of Ethics, harassment, theft, security, etc.) (*) | 4 | 4 | 10 |
| Reports archived due to lack of proof or because untrue | 1 | 2 | 5 |
| Reports resulting in disciplinary or managerial interventions (**), and/or submitted to judicial authorities | 3 | 2 | 5 |
| Reports under examination | 3 | - | 1 |

In 2019, Internal Audit activities were carried out in conditions of complete independence and autonomy, with due professional diligence, objectivity and competence, as provided for by the Mission of the Internal Audit, the Mandatory Guidance of the Institute of Internal Auditors and the principles contained in the Code of Ethics.
Internal Audit regularly carried out scheduled activities involving: i) the preparation of the proposed Audit Plan based on the measurement and prioritisation of the main corporate risks carried out by the ERM unit; ii) the execution of the Audit Plan, composed of 14 measures, approved by the Snam Board of Directors on 18 February 2019 following the favourable opinion of the Control and Risks and Related-Party Transactions Committee, and the carrying out of two further audits not scheduled in the plan (spot audits); iii) the carrying out of the independent monitoring programme defined with the Chief Financial Officer under the scope of Snam’s Corporate Reporting Control System; iv) confirmations of reports, including anonymous ones, of problems relating to the internal control and risk management system, the company’s administrative responsibility, whistleblowing; and v) activities inherent to relations with the External Auditors and those relating to monitoring activities for conferring additional tasks, as well as support, jointly with the legal and administrative departments, in the tender launched by CDP group aimed at identifying a single auditor for the Group for the years 2020-2028.
Below are the main activities carried out in terms of methodology:
- full operation of the new tool for the management of audit activities from the planning of interventions stage to the follow up of corrective actions. In this area, for the purpose of defining the audit plan, the audit universe was updated, also in order to consider the organisational changes that took place in 2019, in particular for Snam S.p.A. and to include the new processes resulting from the acquisition of companies in relation to the new businesses;
- implementation of improvement actions highlighted following the Internal Quality Review conducted at the end of 2018, including: i) the updating of the Key Risk Indicators, as well as the implementation of new ones, as part of the continuous monitoring of the passive cycle process, preparing, from the third quarter of 2019, a report with the outcomes of the analyses for the management of the competent functions, ii) the updating of the periodic reporting introducing Key Performance Indicators (KPIs) for the activities carried out by the function as well as with reference to issues of sustainability.
Enterprise Risk Management process (ERM)
The Snam group, in line with the indications of the Code of Corporate Governance and international best practices, has instituted the Enterprise Risk Management (ERM) unit under the direct supervision of the General Counsel. The unit operates within the wider Internal Control and Risk Management System and manages the integrated corporate risk management process for all Group companies.
The main objectives of ERM are to define a risk assessment model that allows risks to be identified, using standardised, group-wide policies, and then prioritised, to provide consolidated measures to manage these risks and to draw up a reporting system.
Risk is defined as the effect of uncertainty on targets, and that effect can be negative or positive.
Cross-organisational nature
One of the best features of Snam’s ERM model is the wide-ranging nature of its impact measurement.
Any risk event may have 8 different types of impact, some determined by the risk owners (operational impacts) and others by specialist departments (e.g. legal and financial impacts). This means risk measurement from different perspectives and team risk prioritisation.
Operational impacts are dominated by economic and industrial impacts, consistent with the fact that identifying risks starts with the analysis of the processes and objectives of the corporate strategic plan. The most prevalent specialist impacts include reputational and legal impacts, confirming the existence of an increasingly globalised external context subject to ever more complex regulations.
Using the model described above and in accordance with the Enterprise Risk Management guideline, the risk assessment cycles were performed on the entire Snam Group in 2019. At the end of 2019, approximately 141 enterprise risks were mapped, 28 of them distributed across all corporate processes.
The opportunities were identified with a similar methodology to that of the risks. In this case too, the operational impacts (industrial/business and economic) of each owner were measured, using suitable metrics, as well as the other impacts (market, reputational, environment, financial) by specialist functions.
In 2019 the mapping of risks and opportunities was updated through the Integrated Risk Assurance & Compliance (RACI) platform, under the scope of the Integrated Risk Assurance & Compliance model, which coordinates and integrates second-level control information flows with a synergistic approach aimed at maximum rationalisation and overall efficiency.
Under the scope of business risks, the main risks identified and monitored were, as specified below, broken down into financial and non-financial risks (strategic risks, legal and non-conformity risk and operational risks).
The table below shows the mitigation and monitoring measures implemented for each type of risk.

| Classification | Description | Management actions | Impact |
|---|---|---|---|
| STRATEGIC RISKS | Macroeconomic and geo-political risk | | |
| | Risks associated with political, social and economic instability in natural gas supplier countries | | |
| | Regulatory and legislative risk | | |
| | Definition and updating of a regulatory framework in Italy and in the countries of interest that presents penalising parameters, in particular with regard to criteria for determining tariffs | | |
| | Significant change in regulations and/or case law | | |
| | Risks related to climate change | | |
| | Reinforcement of the regulatory framework for greenhouse gas emissions | | |
| | Increase in the severity of extreme atmospheric phenomena, with impacts on continuity and quality of service | | |
| | Negative perception of the companies that operate in the fossil fuel sector by public opinion | | |


| Classification | Description | Management actions | Impact |
|---|---|---|---|
| LEGAL AND NON-COMPLIANCE RISK | Possible violation of rules and regulations, with particular reference to Legislative Decree 231/2001 which provides for the company’s liability for malfeasances committed by management or by third parties in relation to certain cases (corruption, fraud, health and safety of workers, environment) | | |
| | Maintaining an adequate reputational profile for suppliers and subcontractors | | |
| | Non-alignment of corporate governance and/or the internal control and risk system with regulations and/or best practices | | |


| Classification | Description | Management actions | Impact |
|---|---|---|---|
| OPERATING RISKS | Retaining gas storage concessions | | |
| | Delay to the progress of programmes involving the construction of large transportation and storage infrastructure | | |
| | Breakages or damages to pipelines/installations also upon exogenous events, which can cause malfunction and unexpected service interruption | | |
| | Computer threats (Cybersecurity) | | |


| Classification | Description | Management actions | Impact |
|---|---|---|---|
| FINANCIAL RISKS | Medium- and long-term debt rating downgrade | | |
| | Changes in the interest rate | | |
| | Exchange rate changes | | |
| | Inability to raise new funds (funding liquidity risk) or to liquidate assets on the market | | |
| | Default | | |
| | Receivables | | |