The A2A risk model
PDF (259.54 Kb)
Download
The A2A Group has a risk assessment and reporting process based on the Enterprise Risk Management method of the Committee of Sponsoring Organizations of the Treadway Commission (COSO report) whose purpose is to make business risk management an integral and systematic part of management processes. This process is also driven by other international frameworks.
Such activities are carried out in accordance with the Guidelines for the Internal Control and Risk Management System approved by the Board of Directors and adopted by the Group companies with significant strategic value. The Enterprise Risk Management (ERM) process and methodology are an integral part of the Guidelines and are formalized in the internal regulatory document "Enterprise Risk Management Policy".
Risk assessment and management process
Through the involvement of all corporate structures, the risk identification and evaluation process is regularly activated, enabling the monitoring of the most significant critical issues, the measures to control them and the mitigation plans.
The risk profile of the Group and its companies, identified in the periodic (half-yearly) assessment process, are analysed by the respective Boards of Directors.
The ERM process takes into account all possible risks that affect the achievement of the objectives of the Group and assesses their impact on the company, as regards both the financial and reputational aspects.
The Enterprise Risk Management methodology and process implemented by the Group also include the identification and management of opportunities, understood as scenarios with positive uncertainty linked to a risk and whose expected benefit constitutes a possible favourable effect on the achievement of the objectives of the Group.
Types of risk
The following tables provide a summary of the main types of risk which are part of the assessment and reporting process, grouped together on the basis of their main features:
Competitive environment - regulatory
Changes in laws and regulations
DESCRIPTION:
Changes in laws and regulations and the measures introduced by national regulatory bodies or local administrations can modify the competitive context in which the Group operates. Changes to the legislative or regulatory framework can lead to additional costs and/or lower revenues, hold back the Group’s strategies, cause an increase in competitive pressure and/or have a considerable effect on the Group’s profitability.
CONTROL:
A control exists within the Group, operating at various levels, which envisages collaborative dialogue with government institutions and bodies and those regulating the sector, active participation in sector associations and workgroups set up within these bodies and an analysis of changes in laws and regulations and provisions issued by the sector authority.
Macro-economic situation
DESCRIPTION:
The Group’s activities are sensitive to the economic cycles and general economic conditions of the countries in which it operates. An economic slowdown could, for example, lead to a fall in consumption or industrial production by the Group’s customers, with negative effects on the demand for electricity and/or the other goods and services provided by the Group.
CONTROL:
The risk is controlled by having schemes scheduling the use of and managing the Group’s plants, which are designed to optimize the hours in which they operate with respect to market conditions, as well as by taking specific commercial steps.
Fiscal and tax-related
DESCRIPTION:
The risk is related to all acts, events or circumstances that, from a probabilistic standpoint, are in contrast with the fiscal obligations and can potentially be detrimental to the Group, not only of financial and economic nature, but also reputational.
CONTROL:
The control of this risk is delegated to specific business units dedicated to the constant monitoring of the legislation in force concerning fiscal and tax-related matters, as well as to the support to Group companies for the correct fulfillment of corresponding duties.
Legal disputes
DESCRIPTION:
This risk refers to potential losses deriving from law or regulatory violations, from contractual or extra-contractual responsibility, as well as other disputes.
CONTROL:The control of this risk is delegated to specific business unit dedicated to the management of legal issues inside the Group (national and international contracts, civil, penal and administrative disputes, legal advisory in general).
Social and environmental context
DESCRIPTION:
The plants’ and infrastructures’ activities, their profitability, the achievement of the plants’ upgrade and/or conversion targets, the planned business growth could be affected by the opposition carried out by stakeholders that aren’t favorable to the presence of that facilities on the territory or that have a negative perception about the Group activities themselves.
CONTROL:
The policy adopted by the Group in order to control these risks is to dialogue with the stakeholders at different levels, involving both the communications and business departments, e.g. with the local communities through public debates and press conferences, with the institutions by contributing to technical working groups, etc.
Natural events
Climate Change - Physical
DESCRIPTION:
Acute meteorological phenomena and chronic climate change may affect the assets, the hydroelectric production, the consumption of the products supplied by the Group (e.g. natural gas, district heating) the quality of the services provided (e.g. power and drinking water supply) and, more generally, the business of the Group.
CONTROL:
The control of this risk is delegated to specific business units in charge of managing insurance, creating engineering models supporting the scheduling of the use of hydroelectric plants, as well as managing/optimizing the production and the supply of products and services, also in relation to trends in demand. The Strategic Plan take into consideration the mitigation of that risk.
For more details see the A2A Integrated Report aligned with the Recommendations of the Task Force on Climate-related Financial DisclosureClimate Change - Transition
DESCRIPTION:
Transitioning to a lower-carbon economy may entail extensive policy, legal, technology and market change. Depending on the nature, speed and focus of these changes, transition risks may pose varying levels of financial and reputational risk to the Group.
CONTROL:
The control of this risk is delegated to specific business units in charge of managing the strategic planning, the changes in regulation, the relationships with the stakeholders, the scenario analysis, the innovation processes, etc. The Strategic Plan take into consideration the mitigation of that type of risks.
For more details see the A2A Integrated Report aligned with the Recommendations of the Task Force on Climate-related Financial DisclosureOther natural events
DESCRIPTION:
Natural phenomena, such as earthquakes or pandemics, may affect the assets and the business. The risk is related with the effectiveness of contingency plans for the mitigation of impacts on health and safety, on the environment, on business operations and on the continuity of services.
CONTROL:
The control of this risk consists of crisis and emergency plans, procedures governing the operations of the plants, the presence of emergency response teams, central control for the Group for issues of Quality, Environment and Safety, insurance coverage for direct or indirect damages.
Financial
Commodity
DESCRIPTION:
As part of its industrial activities the A2A group is subject to fluctuations in commodity market prices (gas, coal, energy, etc.). These fluctuations contribute to making it difficult to determine the A2A Group’s margin, thus exposing the Group to potential decreases in expected margins.
CONTROL:
The risk is controlled through constant monitoring of prices by a specific organizational unit, with the support of systems and procedures which govern the means of managing the risk and intervening in the event that approved limits are exceeded.
Interest rate
DESCRIPTION:
The Group is exposed to fluctuations in interest rates which could lead to changes in the value of fixed rate financial assets and liabilities and changes in the cash flows associated with floating rate financial assets and liabilities.
CONTROL:
The operational unit actively manages the debt instrument portfolio, assesses the need for risk hedging strategies and performs specific analyses of interest rates.
Liquidity
DESCRIPTION:
The Group is exposed to the risk that it will not be able to meet its payment commitments on a timely and effective basis, impairing its daily activity or its financial situation. This case may arise as a result of a portfolio of investments/transactions that generate outgoing cash flow and/or a plan of payment deadlines not aligned with the incoming cash flow forecasts.
CONTROL:
The control and management of such risk scenarios are assigned to the finance organizational unit, which mitigates the risk by arranging contracts for suitable credit facilities, carrying out early planning of financial requirements and holding constant discussions with a large number of banks.
Counterparty
DESCRIPTION:
This type of risk regards the possibility that one of the Group’s direct counterparties (financial or industrial) fails to meet the obligations it has assumed in the established time and by the agreed means.
CONTROL:
This risk is controlled through constant monitoring by specific organizational units, supported by information systems, policies and procedures designed to regulate the various stages in the credit process. The risk is also mitigated by resorting to the use of suitable collateral (credit insurance, receivables sales, bank guarantees, etc.).
Default e covenants
DESCRIPTION:
The theoretical possibility exists whereby the cost of procuring debt capital may reach levels which put the Group’s financial stability and solidity at risk, up to the point of a possible default. The cost of capital is strictly linked to the Group’s rating.
CONTROL:
This risk is controlled by structuring the financial position, which enables the Group to significantly limit the effect of any changes in rating on borrowing costs, as well as by holding constant discussions with the ratings agencies.
Direction
Strategic and business plan initiatives
DESCRIPTION:
Any ineffective implementation of the Group’s initiatives could jeopardize achieving targets that have been set. This risk exists both for short-term initiatives (budgets) and long-term initiatives (business plans), as well as for development and investment activities.
CONTROL:
Control is assured through suitable organizational structures and workgroups dedicated to developing and monitoring the targets that have been set and whether they have been achieved.
Investments and divestments
DESCRIPTION:
The risk type is linked both to the investment and disinvestment process and to the related monitoring activities.
CONTROL:
Control is assured through organizational structures and workgroups dedicated to the evaluation of the extraordinary operations, internal procedures that regulate the Merger & Acquisition activities, project management approach for the main operations and the presence of a coordinator for each operation.
Operational
Environmental
DESCRIPTION:
In the course of its business the Group could be supposed to fail to fulfill environmental legislation or could accidentally cause damage to the environment becoming exposed to possible penalties inflicted by the competent authorities. The Group could also be exposed to the payment of considerable amounts of money to third parties as the result of the harm caused to persons and/or things, or of such a nature as to significantly impair the Group’s image. More over the risk type take into consideration the uncertainty of changes in the legislation This risk is of significant importance in the sector in which the Group operates, and A2A has accordingly adopted a rigorous Quality, Environment and Safety Policy and is highly committed to the subject of sustainability in general.
CONTROL:
The Group controls this type of risk through the certified Environment Management Systems, accordingly to the ISO 14001 and EMAS standards, and trough an organizational controls carried out by the Quality, Environment and Safety Department, which among other things performs environmental analyses and regular audits.
Systems are in place at all of the Group’s plants for monitoring emissions and filters capable of changing the characteristics of the emitted fumes. The Group has also a organizational, management and control model based on the Italian decree n. 231/2001.Business interruption
DESCRIPTION:
The Group is exposed to the risk arising from business interruption or critical matters regarding managing the maintenance and the prevention of outages. These scenarios are typically critical for the sectors in which the Group operates. In addition, events such as fires and terrorist attacks may affect the Group’s production/operational capacity and are also taken into consideration.
CONTROL:
This risk is controlled by introducing and constantly updating scheduled maintenance procedures of an ordinary or preventive nature, carrying out periodic revisions of plants and networks and providing specific training courses. The use of instruments for the control and remote control of technical parameters (capable of enabling any faults to be suitably monitored and detected on a timely basis) is also widespread, in addition, where possible, to the keeping of spare parts for the components required to ensure the continuity of production processes.
Customer service level
DESCRIPTION:
These are risks arising from the failure of the Group to meet customer expectations as part of selling activities, with possible consequences in terms of the loss of market share and a deterioration in results.
CONTROL:
The Group controls these risks by means of constantly updated processes and procedures, staff training plans for sales activities, customer satisfactions analysis, a constant analysis of customer complaints and the implementation of corrective measures, and active collaboration with consumers’ associations.
Credit collection precesses
DESCRIPTION:
These are the risks related to an inefficient process of managing credit that result in delays in the activity of collection, valuation problems on the state of the credit and difficulties in the process and evaluation of the possible sale of a portion of the loan portfolio.
CONTROL:
The Group oversees these risks through specific Credit Policies, monitoring tools and reporting of credit exposure, optimization of the credit recovery process and close operational coordination between the commercial areas and the credit area.
Procurement
DESCRIPTION:
The risk type takes into consideration the impacts of potential inefficiency in the procurement process, from the settlement of the materials and services requirements, to the selection, management and payment of the suppliers. The type also includes the potential impacts for the Group linked with the reputation and legality of its suppliers.
CONTROL:
To control these risks there is a dedicated department that is in charge of managing the whole procurement process.
Security
DESCRIPTION:
The risk type takes into consideration unauthorized access, sabotages, terrorism acts, etc. that may threaten/endanger the human and material resources and the industrial assets of the Group.
CONTROL:
To control these risks there is a dedicated department that is in charge of the definition of the security strategy for the Group and the coordination of the security activities and investments.
Compliance
DESCRIPTION:
The risk type includes the risks of failing to comply with the laws, regulations, guidelines, statutes, codes of conducts etc.
CONTROL:
To control these risks there is a dedicated department that is in charge of the identification of the law requirements and of supporting the business units of the Group in carrying out the activities needed to comply with the regulations.
Human resources
Internal skills
DESCRIPTION:
The risk exists whereby by pursuing its development policies the Group will fail to have suitable human resources for ensuring the effectiveness and efficiency of its structure and hence for achieving its targets.
CONTROL:
Assessment programs, career paths for professional families based on specific courses, job rotation and annual performance appraisals are regularly carried out.
Health and safety
DESCRIPTION:
Any detriment to the health and safety of workers could expose the Group to significant risk affecting its reputation and as well as to costs for settling damage claims. To these effects should also be added the costs and consequences arising from the failure to comply with laws and regulations.
CONTROL:
This risk is controlled by: health and safety management systems meeting standard ISO 45001; procedures to implement laws and regulations regarding health and safety prevention and protection; employees health and safety training and updating; regular audits; a homogeneous and aligned organizational, management and control model based on Italian decree n. 231/2001. Summing up, the Group’s prevention and protection policy aims at “zero risk”.
Information Technology
ICT infrastructure
DESCRIPTION:
The Group’s ICT structure could be inadequate, with reference to both present and future needs, and incapable of efficiently supporting business activities. These components are also associated with aspects of the process related to development consistent with the objectives of the Group.
CONTROL:
This risk is controlled by using back-up technological infrastructures capable of ensuring service continuity in the event of any breakdowns or unpredicted events, and by having a disaster recovery system. Specific policies are also in place that regulate access to information, as well as ICT systems controlling access and preventing any external attacks.
Cyber-security
DESCRIPTION:
The completeness, accuracy and authorized access to the data processed by electronic means from the various applications and systems used by the Group may not be adequate, allowing inappropriate access to confidential data and information.
CONTROL:
This risk is controlled through specific operational policies for access to information and data, review of access profiles for a large number of applications, establishment of a composite team with the task of preventing and monitoring external attacks.
