Over the last decade, Terna has developed its own interpretation and adaptation of Risk Management theory, modelled on international best practices and refined in financial, insurance and industrial settings. Its objective is to identify, describe and analyse risk scenarios that have the potential to damage or undermine the achievement of corporate objectives.
Monitoring and effective management of corporate risk are enabled by adopting organisational measures (e.g. definition of specific management safeguards) and an Enterprise Risk Management (ERM) methodology, tailored to Terna and aimed at the identification, evaluation, control and monitoring of risk.
In organisational terms, our Group is equipped with its own Risk Management division with policies and risk management provisions defined by the Chief Risk Officer (CRO).
Furthermore, the Risk Management division guarantees effective monitoring and coordination of the different risk safeguards, enabling an integrated system of risk management.
The Risk Management division maps and manages risk through a methodology in which the risk manager first surveys the activities and associated risks of each process under analysis; the risk owner then validates the survey, after which the risks are evaluated.
This methodology is aimed at the integrated management of various types of risk faced by the company:
- Operating risks
- Risks associated with Legislative Decree 231/01
- Cyber Risk
- Risks connected to the qualification of suppliers
- Health, Safety & Environment Risk
- Physical Security & Emergency-Management Risk
- Risks related to the integrated management system
- Fraud Risk
- Risks associated with Italian Law no. 262/05
All identified risks are given a final rating, allowing them to be positioned within the MARCI matrix (mitigate, assure, redeploy and cumulative impact), which gives the Risk Management division an immediate overview of the risks requiring the most safeguarding and the highest priority. Furthermore, records are kept in an enterprise Governance, Risk and Compliance (eGRC) system established by the Group, which allows each party involved in the process to view the information permitted by their access profile. It also allows risks to be grouped into macro categories and the results of Risk Management to be presented via integrated reporting.
The macro categories of risk identified are:
- Governance
- Compliance
- Operational
- Strategy & Financial
Governance: this category refers to the processes, principles, policies and rules which together define the way in which an organisation is managed and controlled. It also covers the identification, in the context of the achievement of corporate goals, of the boundaries of ethical and legal conduct and of the methods by which the organisation detects any violations of this conduct. Failure of the organisation to establish effective Corporate Governance or to define and implement codes of conduct may:
- allow unethical or illegal conduct on the part of the BoD, Top Management and employees, including fraudulent conduct in external disclosures;
- hinder the establishment of an appropriate ethical company culture, and a high level of individual self-responsibility and integrity within the organisation.
Compliance: this category covers the need for the organisation to adhere to applicable regulations (legislation, resolutions, AEEGSI provisions [Italian Regulatory Authority for Electricity, Gas and Water], labour standards, etc.). Applicable regulations establish a minimum set of rules of conduct which the organisation must integrate into its internal procedures. Many of these risks can also have significant consequences for the reputation of the organisation and affect stakeholder expectations.
Operational: this risk category refers to:
- processes, principles, policies and rules which together are necessary to safeguard and guarantee continuity of the service provided by Terna;
- management and safeguarding of corporate assets (tangible and intangible);
- policies, processes and systems regarding the management of human resources;
- incorrect implementation, management or maintenance of the technological infrastructure and IT processes supporting all business cycles, including the confidentiality, integrity and availability of data, the management of cyber security matters and the guarantee of business continuity;
- management of purchasing, qualification of suppliers, planning and control of raw materials required for corporate activities;
- failure of the organisation to effectively safeguard the legal and regulatory requirements which apply to it (e.g. inadequate management of litigation or of active/passive contractual relationships);
- activities aimed at preventing any loss of effectiveness or efficiency in corporate processes, and the consequent maintenance of management-system certifications;
- management strategy of regulated and non-regulated activities, marketing and communication;
- management of product/service innovation provided by the company to Customers in the context of non-regulated activities.
Strategy & Financial: this category refers to the sourcing, allocation and utilisation of financial resources, and to the analysis supporting these decisions, in order to increase the value of the company and reduce the organisation's financial risk.