The Internal Control and Risk Management System (“SCIGR”) of Enel and of the Group consists of the set of rules, procedures, and organizational entities aimed at allowing the main corporate risks within the Group to be identified, measured, managed, and monitored.
The SCIGR is an integral part of the more general organizational and corporate governance structures adopted by the Company and by the Group and is based on Italian and international best practices. In particular, the system takes into account the recommendations of the Corporate Governance Code and is consistent with the “Internal Controls – Integrated Framework” model issued by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO Report”), which constitutes the internationally recognized benchmark for the analysis and integrated assessment of the effectiveness of the SCIGR. The SCIGR provides for control actions at every operating level and clearly identifies duties and responsibilities, so as to avoid duplications of tasks and ensure coordination among the main persons involved in the SCIGR itself; it ensures the necessary separation of operating and control activities, so as to prevent or – if that is not possible – attenuate conflicts of interest; guarantees the traceability of the tasks of identifying, assessing, managing, and monitoring risks, ensuring over time the reconstruction of the sources and elements of information that support such tasks.
The SCIGR is divided into three distinct types of activities:
- “line” or “first level” controls,, consisting of all the control tasks that the individual operating units or companies of the Group perform on their processes in order to ensure that operations are carried out properly;
- “second level” controls, which are entrusted to specific corporate Functions and aimed at managing and monitoring typical categories of risk;
- internal audit activity (“third level” controls), aimed at checking the structure and overall functionality of the SCIGR, including by monitoring the line controls, as well as the second- level ones.
The SCIGR is subject to periodical tests and checks, taking into account the evolution of corporate operations and the situation in question, as well as current best practices.
For a detailed description of the tasks and responsibilities of the main persons involved in the SCIGR, as well as the coordination among such persons, please see the Guidelines of the Internal Control and Risk Management System available on the Company’s website (www. enel.com, “Investors” section).
Main risk types
Due to the nature of its business, the Group is exposed to various types of risks, indicated in the table below together with the activities aimed at mitigating their effects and ensuring their correct management.
In the risk-identification process, the results of the materiality assessment were also considered (see the “Setting priorities” chapter), as well as the data reported in the Global Risks Report 2018, produced by the World Economic Forum (WEF) and involving about 1,000 experts and leaders from around the world. The WEF report shows that environmental risks have increased both in terms of probability and potential impact: extreme weather events, natural disasters, as well as the possible failure of attempts to contain the consequences of climate change. The speed of technological development generates more and more challenges, and the frequency and intensity of cyber attacks are on the rise, as is the tendency to target critical infrastructures and strategic industrial sectors, highlighting a possible risk, in extreme cases, of companies’ and organizations’ normal operations grinding to a halt. From a social point of view, the risks related to water crises are significant.
The Precautionary Principle3 was also applied during the risk identification and assessment phase. This Principle was applied in particular to risks relating to the environment, health and safety. For each type of risk, specific actions have been identified to mitigate their effects and ensure their proper management.
Enel also applies this principle to risk management, especially as regards the development and introduction of new products/technologies, the planning of operating activities and the construction of new plants/assets.
|MAIN RISKS||REFERENCE SCENARIO AND DESCRIPTION OF RISK||MITIGATING ACTIONS AND ASSOCIATED STRATEGIC OBJECTIVES|
|Strategic risks connected with the evolution of the market, competition and regulation||The markets and the businesses where the Group operates are subject to a gradual and increasing competition and evolution, from a technological and regulatory standpoint, with different timings from country to country. As a result, the Group faces an increasing competitive pressure.
Furthermore, the Group operates in regulated markets or regimes. Thus, changes in the rules of functioning of those markets and regimes, as well as their provisions and obligations, can influence the management’s evolution and the Group’s results.
|The business risks stemming from the Group’s natural presence in competitive markets have been faced with a strategy of integration through the value chain, with a greater drive for technological innovation, diversification and geographical expansion. Specifically, the actions enacted have produced the evolution of the customer portfolio on the free market, in a downstream integration logic on the final markets, the optimization of the productive mix, by improving the competitiveness of the plants on the basis of a cost leadership, as well as the search for new markets with a high growth potential and the development of renewable sources through adequate investment plans in different countries.
In view of the risks deriving from regulatory factors, the Company has intensified the relations with local government and regulatory bodies, by adopting a transparent, collaborative and proactive approach to face and remove the sources of instability in the regulatory framework.
|Country risk||The strong international presence of the Group – with revenues which come from foreign countries for more than 50% by now – exposes the Group itself to possible negative impacts over income flows and over the protection of company assets arising from macro-economic, financial, geo-politics and social risks connected with the operations in a specific country||Definition and implementation of a strategy for geographical diversification, also supported by econometric models for the evaluation of the country risk.|
|Industrial and environmental risks||Within the current climatic scenario, extreme meteorological events and natural disasters expose the Group to the risk of damage to the assets and infrastructures with the consequent possibility of extended unavailability of the concerned assets.||In order to mitigate these risks, the Group adopts the best prevention and protection strategies also with the purpose of reducing the possible impacts on the communities and the areas surrounding the assets. Thus, constant monitoring activities and weather forecast as well as activities for the increase in the resilience for the more exposed assets are constantly carried out.
The totality of the Group areas is subject to ISO 14001 certification and the potential risk sources are monitored through the implementation of internationally-recognized Environmental Management Systems (EMS).
|Failure of mitigation and adaptation to climate change. Risks connected to:
||The Group is also engaged in a continuous improvement of the existing activities in terms of environmental impact, through its purposes of reducing emissions, primarily that of “zero-emission generation” by 2050, and adopts agrowth-oriented strategy through the development of increasingly low-carbon technologies and services in line with COP21 goals.
In order to mitigate the risks stemming from legal and regulatory aspects linked to climate change, the Group keeps relationships with the Authorities and local and international regulatory bodies characterized by a transparent and collaborative approach.
The Group also signed the letter supporting the implementation of the guidelines of the Task Force on Climate Related Financial Disclosure (TCFD), which has developed recommendations on the disclosure of financial impacts related to “non-financial” parameters concerning climate change. Therefore, Enel created a working group which is carrying out an analysis on the following three main lines:
|Cyber-attack risks||Rapid technological evolution, with an increasing exposure to cybernetic attacks.
More widespread cybernetic attacks and increasing level of sophistication also with regard to changes within the reference framework.
Organizational complexity of the Group and several environments (data, people and industrial world).
|Definition of a “Cyber Security Framework” to address and manage the cyber security activities with a “risk-based” approach and according to the “cyber security by design” principle. Such a framework provides for the involvement of business areas, the reception of legal and regulatory provisions, the use of the best possible technologies, the preparation of ad hoc business processes and the increase of human consciousness.
Creation of the Enel CERT (Cyber Emergency Readiness Team), which is active, recognized and accredited by national and international communities, in order to address an industrialized response to cyber threats and accidents.
|Water crises risk||The risks related to water crises are mainly due to changes in climate and levels of water use. With regard to climate change, the availability of water is strongly influenced by changes in precipitation, seasonal cycles of glaciers and evaporation. Impacts differ according to area, but the general tendency is a lower predictability of frequency and a greater rainfall intensity, with a consequent reduction in the availability of water.
With regard to the levels of use of water as a resource, the risk is linked to the competition between industrial production, agricultural use and use of drinking water. Due to the increase in population and agricultural needs, in some areas the demand for water can exacerbate this competition, with the resulting imposition of limits on the use of water in industrial and production activities.
|In order to manage these risks, Enel conducts meteorological analyses every 3-6 months and is developing long-term analyses in areas where production facilities are located, in particular hydroelectric plants, in order to anticipate possible variations in the availability of water. Important activities are also carried out in collaboration with the local basin management authorities, with the ongoing objective of adopting a shared water resources management strategy that also considers the needs of local communities.|
As part of its industrial activities, the Enel Group is also exposed to financial risks such as market risk (which includes risks related to interest rates, exchange rates and commodity prices), credit risk and liquidity risk. The type of governance adopted by the Group in relation to financial risks requires the presence of internal committees and the use of specific policies and operating limits.
In relation to the specific areas covered by Italian Legislative Decree 254/16 on the disclosure of non-financial information, the possible risks related to the management of human rights, the anti- corruption, people management and motivation, occupational health and safety, and relations with communities were also identified. The risk-identification process took place through an analysis of the main events from the last 3 years. The objectives set by the Strategic Plan for the 2018-2020 period were taken into consideration. With regard to human rights and anti-corruption, the provisions of the regulations in force (for example, Italian Legislative Decree 231/01 in Italy) and/or internationally recognized guidelines (United Nations’ Guiding Principles on Business and Human Rights) have been taken into account for the issues at hand.
Further details on the risks presented above are provided in the 2017 Annual Report and in the Consolidated Non-financial Statement pursuant to Italian Legislative Decree 254/16 made available on the Company’s website (www. enel.com).
The ability to adequately assess counterparties and to promptly intercept any threats and elements of risk is an increasingly essential requirement, not only for protecting an organization’s reputation, but for its very survival. In December 2016, the Security unit finalized the first edition of the operating instructions for the counterparty analysis, thus promoting shared criteria and models for these activities, which are performed by the Business Lines, Functions and services. These instructions were then further defined over the course of 2017.
The defined methodology ensures the application of a standard evaluation criterion, monitoring and reporting.
3 Rio Declaration on Environment and Development (Rio de Janeiro, June 3-14, 1992). Principle 15.