Internal Control System

Internal Control and Risk Management System

Although it has a limited economic and financial risk profile because most of its operations are in regulated business segments, Snam adopts a structured and systemic approach to governing all risks that could affect value creation.

Snam’s Internal Control and Risk Management System is one of the Group’s key elements and comprises all the guidelines, regulations and organisational structures that allow for the identification, measurement, management and monitoring of the most significant risks, including those established under Art. 3, paragraph 1, of Legislative Decree 254/2016 (in relation to environmental, social and personnel-related issues, respect for human rights, and the fight against active and passive corruption), and the monitoring of managerial processes. This system is integrated into the organisational, management and accounting structure and, in general, into the corporate governance of Snam. It is based on the Corporate Governance Code, with which Snam complies, taking national and international models and best practices as references.

The control system is divided into three levels, each with different objectives and associated responsibilities. The Board of Directors charges the CEO with giving structure to and maintaining the entire system. We use an integrated, dynamic and group-wide method of assessing risk that evaluates the existing management systems in the individual corporate processes, starting with those relating to the prevention of fraud and corruption and health, safety, environment and quality.

These same controls form an integral part of the managerial processes. Management must therefore foster an environment that encourages controls, and must specifically manage “line controls”, consisting of all the control activities that individual operating units or companies perform over their own processes. Independent controls are performed by the Internal Audit department, which is responsible for checking that the system is functioning and adequate.

The Internal Control and Risk Management System is based on guiding principles contained in the Code of Ethics:

  • the segregation of the activities of the persons in charge of the authorisation, execution, or control procedures;
  • the existence of company regulations that can provide general benchmark principles for governing corporate processes and activities;
  • the existence of formal rules for the exercise of signatory powers and internal authorisation powers;
  • traceability (guaranteed through the adoption of information systems that can identify and reconstruct sources, information and checks carried out in support of the formation and implementation of the Company’s decisions and financial resources management procedures).

The Internal Control and Risk Management System is audited and updated to ensure it is suited and appropriate to overseeing the main areas of corporate risk. In this context, and also in order to execute the provisions of the Code of Corporate Governance, Snam has adopted an ERM (Enterprise Risk Management) Model, considered in more detail in the “Risk Management” chapter of this document.

The corporate bodies, institutions and functions involved in the internal control system are the Board of Directors, the CEO who, employed by the BoD, is responsible for the structure that maintains the entire system, the Control, Risk and Related-Party Transactions Committee, the Board of Statutory Auditors, the Supervisory Body and the Guarantor of the Code of Ethics, the Officer responsible for the preparation of financial reports, and the Internal Audit Officer. In particular, the role carried out by the Internal Audit department is crucial in that it verifies the functionality and adequacy of the system, preparing periodic reports containing appropriate information regarding its own activities, the risk management procedures, and compliance with the plans defined to contain said information, as well as assuring the reliability of the information systems.

Risk Assurance & Integrated Compliance

Under the scope of the Internal Control and Risk Management System, Snam has approved the “Risk Assurance & Integrated Compliance” Guideline with the aim of merging the second control level models and promoting and facilitating compliance with the reference regulations and the prevention of offences. This is specifically achieved through the Compliance Programme for the Prevention of Offences (CPPI), which fully complies with the Code of Ethics and is implemented and rendered operational through:

  • the regulatory system;
  • the corporate governance provisions adopted in conformity with applicable legislation and international best practices;
  • the provisions, methodologies and activities of the models applied by the dedicated functions;
  • an integrated Risk Assurance & Compliance process.

Under the scope of the CPPI, the elements significant for its implementation are the Risk Assurance & Integrated Compliance model, the reporting [16], rewarding and penalty systems, and training and communication.

The integrated Risk Assurance & Compliance model is intended to improve the perception of the checks by the various owners involved and to make the Internal Control and Risk Management System (SCIGR) even more efficient through better coordination and integration of the flows and interaction between the three lines of control, valuing the respective contributions.

As in 2019, in 2020 Snam used the Risk Assurance & Integrated Compliance (RACI) information platform to coordinate and integrate the second level control information flows, maintaining the specific characteristics of the methodologies of each model [17], with a synergistic approach, aimed at maximum rationalisation and overall efficiency. The RACI helped create an integrated database (Risk & Control Register), where the models involved in the Risk Assurance & Integrated Compliance process share a single risk and control catalogue.

This repository makes it possible to collect consistent and complete information and data in an integrated fashion to support the decision-making processes of the top management and corporate bodies, which receive dedicated reports.

Organisational, management and control model pursuant to Legislative Decree 231/2001 (Model 231)

The organisational, management and control model pursuant to Legislative Decree 231/2001 (Model 231) constitutes an organic set of principles, rules and provisions concerning the control of each corporate process. The 231 Model plays a fundamental role in protecting the company from any conduct that may incur its administrative responsibility, pursuant to Legislative Decree 231/2001, in relation to offences committed or attempted in the interest or the benefit of the company by parties in so-called top management positions in the structure or by parties subject to their supervision and control.

Snam and subsidiaries adopted their own 231 Models [18] to prevent the offences referred to in the legislation on corporate administrative liability for the offences committed in the interests or for the benefit of the company, and they identified and appointed a Supervisory Body, for each of them, with autonomous initiative and control powers, in compliance with the laws and regulations.

The CoSO Framework (most recently published in May 2013) provides a basis for the analysis of corporate processes and the comparative analysis of the existing control environment and of the control systems. The Framework is the international reference model for the establishment, updating, analysis and assessment of the internal control system.

At the end of 2019, risk assessment and gap analysis activities were carried out through the “Risk Assurance & Integrated Compliance” model, created with the intention of uniting the entire risk and control detection and management system supporting business operations, aimed at updating the 231 Model of Snam and the subsidiaries.

This update also involved the offences introduced by Law 39/2019 (fraud in sporting competitions, illegal gambling or betting and the use of illegal gambling devices) and by Legislative Decree 105/2019 (violation of national cybersecurity regulations).

According to the logic of the Risk Assurance & Integrated Compliance model, the scope of 231 was revised from an integrated logic which, starting from the specific nature of the original Sensitive Activities pursuant to the special part of the 231 Models, has made it possible to develop and apply an integrated analysis method for “Crime Risk” in line with the reference best practices.

The outcomes of these activities will make it possible to adapt the Special Part documents known as the “Processes, Sensitive Activities and Specific Control Standards of the 231 Model” for Group companies, giving evidence of the new 231 methodology applied.

Considering the importance of the principles of ethics and integrity, Snam dedicated a specific training programme to spreading the principles and content of Model 231 and Legislative Decree 231/2001. A Compliance Route was created and made available in the second half of 2019, aimed at the entire corporate population and arranged in 5 modules on the following themes: Model 231, Privacy, Market Abuse, Antitrust and Anti-corruption. Lastly, for some time Snam has been preparing, as part of the reporting management process (so-called whistleblowing) [19], specific communication channels that the subsidiaries also refer to in addition to Snam.

Finally, under the scope of reporting management, the Group has, for some time, adopted specific communication channels, available to both Snam and subsidiaries. The management of the communication channels is entrusted to an external subject (Ombudsman), who ensures the receipt and analysis of each report received, applying criteria of maximum confidentiality suitable, among other things, for the protection of the integrity of the persons reported and the effectiveness of the investigations.

Internal Audit activities

In 2020 the Internal Audit activities were carried out by ensuring that the conditions of complete independence and autonomy were preserved, as well as the due professional diligence, objectivity, and competence, as provided for by the Mission of the Internal Audit, by the Mandatory Guidance of the Institute of Internal Auditors and by the principles contained in the Code of Ethics.

The Internal Audit regularly carried out scheduled activities involving:

  1. preparation of the proposed Audit Plan based on the measurement and prioritisation of the main corporate risks carried out by the ERM unit;
  2. execution of the Audit Plan, composed of 14 measures, approved by the Snam Board of Directors on 18 March 2020, following the favourable opinion of the Control, Risk and Related-Party Transactions Committee and after carrying out three further audits not scheduled in the plan (spot audits);
  3. monitoring of the implementation of corrective actions based on the recommendations that were provided during the audit;
  4. development of the independent monitoring programme defined with the Chief Financial Officer under the scope of Snam’s Corporate Reporting Control System;
  5. confirmations of reports, including anonymous ones, of problems relating to the internal control and risk management system, the company’s administrative responsibility, whistleblowing and
  6. activities involving relations with Independent Auditors, also following the identification of the new single auditor for the Group for the years 2020-2028, following the tender launched by the Group CDP S.p.A., and those relating to monitoring activities for conferring additional tasks.

Regarding point 5), in 2020, Snam received 10 reports, 4 of which were anonymous. The Internal Audit department was appointed by the Supervisory Body to verify nine of these, while the other one was assigned to the Human Resources department.

The main issues reported in 2020 related to alleged irregularities in the administrative management of purchase contracts; potential conflicts of interest between employees and personnel from companies providing services to Snam and subsidiaries; and alleged infringements of the Code of Ethics and corporate procedures. From the results of the analyses carried out on the 9 archived reports, and only with regard to substantiated and verifiable allegations, 7 of these were unfounded, according to the information reported, 1 was founded, and 1 was only partially founded. Moreover, actions to improve the Internal Control and Risk Management System were recommended for 6 reports (e.g., updating procedures, disciplinary provisions, communication and training).

Significant further actions carried out include:

  • the implementation of an external quality review, in compliance with the International Standards for the Professional Practice of Internal Auditing (so-called External Quality Review), to be carried out at least once every five years by an independent subject;
  • the update of the relative Operating Manual to ensure it is coherent with the amendments to the organisational structure of the unit and the new practices, also linked to the full operation of the IT tool for the management of audit activities;
  • the update of the “audit universe” of audit objects, also in order to consider the organisational changes to the Snam Group that took place during 2020 and to include the new processes resulting from the acquisition of companies in relation to the new businesses;
  • the adoption, with reference to the prevention of the Covid-19 emergency, of the necessary organisational and operational procedures to facilitate audit activities in the context of remote working, respecting the timeframes established and only implementing restrictions for on-site checks carried out during audits on operational processes;
  • the management of specific requests that came up during periodic meetings with Snam’s control bodies.

In 2020, audit activities were performed by a dedicated team of 11 auditors (average annual headcount):

Internal Audit activities

  • Total audits performed (planned and/or spot)
  • Report for independent monitoring activities (Law 262/05)
  • Reports received and processed
    - those involving the Internal Control System
    - those involving accounts, audits, fraud, etc.
    - those involving administrative liability pursuant to Legislative Decree 231/2001
    - those involving violations of anticorruption law
    - those involving other subjects (Code of Ethics, mobbing, theft, security, etc.) (*)
  • Reports archived due to a lack of elements or untruthfulness (**)
  • Reports concluded with disciplinary procedures/managerial action (***) and/or subject to Court Authorities

(*) The data for 2019 comprises the management of 4 integrations referring to 3 reports received during the year, one of which is currently under examination.

(**) The data for 2019 was updated following the archiving, in 2020, of a 2019 report.

(***) The term “managerial” also refers to organisational/procedural interventions relative to actions aimed at improving the Internal Control and Risk Management System.

16 The CPPI is also effective thanks to the contribution made by the adoption of a whistleblowing system. The Guideline “Anonymous reports received by Snam and subsidiaries” regulates the process of receiving, analysing and dealing with the reports from anyone, anonymously or confidentially.
17 The prerogatives of the Chief Financial Officer in particular are preserved as a result of Article 154-bis of the TUF, with reference, among other things, to the preparation of adequate administrative and accounting procedures for preparing the financial statements and the consolidated financial statements as well as any other financial reports.
18 The 231 Model is available on the Company’s website at
19 Detailed information on the topics discussed in this section can be found in the “Report on Corporate Governance and Ownership Structure 2019”, available on the Company’s website at
