ENTERPRISE RISK MANAGEMENT SYSTEM
[G4-2], [G4-14] The Group has adopted an Enterprise Risk Management (hereinafter ERM) Model which allows risks to be identified, assessed and managed uniformly, highlighting potential synergies between the parties involved in assessing the Internal Control and Risk Management System. The ERM process is designed to identify potential events that may influence the business, in order to manage risk within acceptable limits and provide a reasonable guarantee that business objectives will be achieved.
The process is managed by the ERM Steering Committee, which is chaired and coordinated by the head of the Administration, Finance and Control Department. The Steering Committee meets every three months (or when specifically required) and is intended to ensure the governance of the Group risk management process, which is designed to guarantee the operational continuity of the company’s business, monitoring the effectiveness of the countermeasures adopted.
The process adopted is cyclical and includes the following stages:
- definition of the Risk Appetite and of the Risk Tolerances:
  - Risk Appetite is the amount and type of Risk, overall, that a company is willing to accept in the creation of value, namely in the pursuit of its strategic objectives¹. It is discussed and defined annually by the BoD at the sessions held to approve the Business Plan. The Risk Appetite is broken down into Risk Tolerances;
  - the Risk Tolerances represent the level of risk the Company is willing to assume, with reference to the individual objective categories (strategic, operational, compliance, reporting)².
- Risk Assessment: this phase covers the identification, definition and assessment of the risks. It starts with the fine-tuning of the Risk universe, namely the document that contains the description of the main characteristics of all the risks identified. The risks are presented, in interviews, to the process owners who, together with Risk Management, assess their severity and document the mitigating actions in order to position them on a specific 3x3 matrix (Risk and Control Panel - R&CP). The matrix dimensions are:
  - the “level of inherent risk”, namely the level of variance with respect to the Business Plan deriving from the occurrence of an event (risk);
  - “monitoring level”, based on the evaluation of the mitigating actions implemented.
  - collaboration with the Compliance department, which considers the monitoring level with regard to non-compliance aspects; and
  - synergies with the Audit Department relating to the evaluation analysis of the suitability and efficiency of the mitigating actions identified.
- Risk Response: the aim of this phase is to identify and implement the strategic options for responding to risk and to bring the risks back to or maintain them at acceptable levels. The responsibility for identifying and implementing the risk response lies with the Process Owner, with the support of AFC-Risk Management to overcome the monitoring gaps identified in the Risk Assessment phase. A suitable risk response must be defined for each risk, in line with the action priority represented by its positioning in the Risk & Control Panel. The Risk Response is broken down into the following “sub-phases”:
  - stocktaking and measuring of the performances.
- Drawing up the Reporting Flow: at the end of each ERM process cycle, the AFC-RM department, together with the AFC-Planning and Control department, outlines the overall risk profile, also making reference to the effects of the mitigation actions, in order to support the new strategic planning cycle and the subsequent Risk Analysis linked to the Plan. All this information represents an input for the new business planning and therefore the definition of the Risk Appetite and the related Risk Tolerances.
A brief summary of the main types of risk identified by the ERM system is contained in the Main Risks and Uncertainties chapter of the Annual Report.
¹ 2013 CoSO definition (CoSO: “The Committee of Sponsoring Organisations of the Treadway Commission”).
² According to the CoSO definition.