The Group has adopted an Enterprise Risk Management (hereinafter ERM) Model which allows risks to be identified, assessed and managed uniformly, highlighting potential synergies between the parties involved in assessing the Internal Control and Risk Management System. The ERM process is designed to identify potential events that may affect the business, so that risk is managed within acceptable limits and reasonable assurance is provided that business objectives will be achieved.
The process is managed by the ERM Steering Committee, which is chaired and coordinated by the head of the Administration, Finance and Control Department. The Steering Committee meets every three months (or when specifically required) and is intended to ensure the governing of the Group risk management process, which is designed to guarantee the operational continuity of the company’s business, monitoring the effectiveness of countermeasures adopted.
The process adopted is cyclical and includes the following stages:
- definition of the Risk Appetite and of the Risk Tolerances:
- Risk Appetite is the amount and type of risk, overall, that a company is willing to accept in the creation of value, namely in the pursuit of its strategic objectives. It is discussed and defined annually by the BoD at the sessions held to approve the Business Plan. The Risk Appetite is broken down into Risk Tolerances;
- the Risk Tolerances represent the level of risk the Company is willing to assume with reference to the individual objective categories (strategic, operational, compliance, reporting).
Compliance with the Risk Tolerances and Risk Appetite is monitored quarterly and reported to the BoD, after the CRC has been informed.
- Risk Assessment: this phase covers the identification, definition and assessment of the risks. It starts with the fine-tuning of the Risk Universe, namely the document that describes the main characteristics of all the risks identified; the risks are then presented, in interviews, to the process owners who, together with Risk Management (RM), assess their severity and document the mitigating actions in order to position each risk on a 3x3 matrix (Risk and Control Panel - R&CP). The matrix dimensions are:
- the “level of inherent risk”, namely the level of variance with respect to the Business Plan deriving from the occurrence of an event (risk);
- “monitoring level”, based on the evaluation of the mitigating actions implemented.
This matrix allows the action priorities for the mapped risks to be set. All the risks assessed as High in the R&CP matrix form the Corporate Risk Profile (CRP). The CRP risks that have a partial or non-existent monitoring level are subject to a Root Cause Analysis aimed at grouping related risks into homogeneous improvement areas. The positioning of the risk in the matrix described above is also the result of:
- collaboration with the Compliance department, which considers the monitoring level with regard to non-compliance aspects and
- synergies with the Audit Department relating to the evaluation analysis of the suitability and efficiency of the mitigating actions identified.
- Risk Response: the aim of this phase is to identify and implement the strategic options for responding to risk and to bring the risks back to or maintain them at acceptable levels.
The responsibility for identifying and implementing the risk response lies with the Process Owner, with the support of RM to close the monitoring gaps identified in the Risk Assessment phase. A suitable risk response must be defined for each risk, in line with the action priority represented by its positioning in the Risk & Control Panel. The Risk Response is broken down into the following "sub-phases":
- stocktaking and measurement of performance.
- processing of Reporting flows: when each ERM process cycle is completed, the overall risk profile is represented, including the effects of the mitigation actions. All this information is an input to the next business planning cycle and therefore to the definition of the Risk Appetite and the related Risk Tolerances.
A brief summary of the main types of risk identified by the ERM system is contained in the Main Risks and Uncertainties chapter of the Annual Report.