Risk management

Iren Group has an Internal Control and Risk Management System, under the Corporate Governance Code for Listed companies and the internal guidelines, which is configured as a transversal process that involves, with different roles and within the context of their respective competences, the administrative and control bodies of the Group, the Control, Risk and Sustainability Committee, the Directors of the Parent Company appointed for the internal control and management of risks and sustainability, the Head of the Internal Audit Unit, the Chief Risk Management Officer and the Manager in charge of drawing up the corporate accounting documents, as well as all personnel of Iren Group companies. In particular, the Board of Directors assesses the adequacy of the Internal Control and Risk Management System compared to the characteristics of the company and the indications expressed in the guidelines and carries out the following tasks, subject to the opinion of the Control, Risk and Sustainability Committee:

  • defines the guidelines of the internal control and risk management system in line with the strategies, so that the main risks are correctly identified, as well as adequately measured, managed and monitored, also determining the level of compatibility of such risks with business management consistent with the strategic objectives identified;
  • at least once a year, assesses the adequacy of the internal control and risk management system relevant to the characteristics of the business and the risk profile undertaken, as well as its efficacy;
  • at least once a year, approves the work plan prepared by the Internal Audit Unit and presented by the competent Delegated Body, after consulting the Directors in charge of the internal control and risk management system and the Board of Statutory Auditors;
  • evaluates the opportunity to take measures to ensure the effectiveness and impartiality of the corporate functions involved in the controls, verifying that they have adequate professionalism and resources;
  • assigns – in Iren Group to a body made up of external parties – the oversight functions provided for by Legislative Decree 231/2001;
  • describes, in the corporate governance report, the main features of the internal control and risk management system, the methods of coordination among the subjects involved in it, indicating the models and national and international best practices of reference and expressing its assessment of its adequacy;
  • assesses, after consultation with the Board of Statutory Auditors, the results presented by the statutory auditor in any letter of suggestions and in the additional report addressed to the control body;
  • defines sustainability policies and conduct principles in order to ensure the creation of value over time for shareholders and for all other stakeholders;
  • defines a plan (strategic priorities, commitments and objectives) for the sustainable development of the Group;
  • appoints and dismisses, upon proposal of the Deputy Chairperson (competent Delegated Body), in agreement with the Chairperson, subject to the approval of the Control, Risk and Sustainability Committee and subject to the opinion of the Board of Statutory Auditors, the Head of the Internal Audit Unit ensuring the adequate resources for the fulfilment of responsibilities and defines remuneration in line with company policies.

Iren’s Board of Directors, through the Control, Risk and Sustainability Committee (CRSC), convenes the Chief Risk Management Officer and the other control departments on at least a half-yearly basis for a report on Group risks in which the risk map is presented with the main risks in terms of impact and probability and any mitigation actions, and provides the results of specific analyses, such as the results of the Risk Commissions and specific risk assessments.

The Risk Management Department periodically updates the Group’s risk map by interviewing all risk owners, sharing and fine-tuning the results. The risk map is very detailed and contains qualitative and quantitative assessments of each individual risk with the specification of controls and mitigation actions in place or planned.

For specific projects of a strategic nature – such as, for example, the Business Plan, acquisition transactions or investments of an industrial nature – CRSC requests a specific risk assessment from the Risk Management Department.

The outcome of the Internal Audits, any critical issues detected and the status of measures implemented following the recommendations issued in the audits of previous years (follow-ups) are reported in the Internal Audit Manager’s six-monthly Report presented to the Risk, Control and Sustainability Committee, pursuant to the Corporate Governance Code for Listed Companies. The Committee, based on the information received, reports every six months to the BoD pointing out the critical areas identified expressing its opinion on the adequacy of the Internal Control and Risk Management System. With regard to any critical issues identified, the Head of Internal Audit prepares reports on particularly significant events for the Chairpersons of the Board of Statutory Auditors, the Control, Risk and Sustainability Committee and the Board of Directors.

Corporate risk management is an essential component of the Internal Control System, and the Corporate Governance Code for Listed Companies assigns specific responsibilities in this respect. The Enterprise Risk Management (ERM) model of Iren Group defines the methodological approach for the integrated management of the risks, which are broken down into the following phases:

Risk management

Risk governance is a pivotal tool in sustainability governance

Each process stage is performed in accordance with standards and references defined at Group level.

The Group’s Enterprise Risk Management model regulates the roles of the various parties involved in the risk management process, which is under the responsibility of the Board of Directors, envisages specific Committees that are responsible for the management of each type of risk and focuses in particular on the management of:

  • financial risks related to liquidity, interest rates, exchange rates and spreads;
  • credit risks, related to events that may negatively affect the achievement of credit management objectives;
  • IT risks (cyber risks), attributable to threats to cyber security, in particular data integrity, confidentiality and availability;
  • energy risks, attributable to the supply of gas for the thermoelectric generation and the commercialisation of electricity and gas, as well as the hedging derivatives markets;
  • climate change risks, which include risks due to the transition to a low carbon economy (transition risks) and physical risks that may arise from catastrophic environmental events (acute risks) or from medium- to long-term changes in environmental patterns (chronic risks) (see page 80);
  • tax risks, which can be traced back to the risk of operating in violation of tax regulations or in contrast with the principles and purposes of the tax system;
  • operational risks, relating to asset ownership, the exercise of business activities, processes and procedures. Also included are the rules and regulatory risks, whose impact on the business is monitored on an ongoing basis;
  • reputational risks related to the impacts of any malpractices on stakeholders.

For each type of risk, specific Risk Policies have been defined – approved by the Board of Directors on the proposal of the Director in charge of the Internal Control and Risk Management System with delegated powers in the field of Risk Management (Deputy Chairperson) in agreement with the Chairperson and the CEO (also identified as Directors in charge of the Internal Control and Risk Management System), to the extent of their respective competences, subject to the favourable opinion of the CRSC and reporting to the Board of Statutory Auditors – with the primary objective of explaining the strategic guidelines, the organisational/management principles, the macro- processes and the techniques necessary for the active management of the related risks.

The Group’s risk policies will be updated annually. The body responsible for approving substantive changes is the BoD.