The Internal Control and Risk Management of the ERG Group

Guidelines

The Internal Control and Risk Management System of the ERG Group: general principles

The Internal Control and Risk Management System of the ERG Group (hereafter also "CIGR System") complies with the principles contained in the current edition of the Corporate Governance Code for Listed Companies promoted by Borsa Italiana S.p.A. (hereafter "Corporate Governance Code") and more in general with existing Italian and international best practices.

These Guidelines set out, on the one hand, the general principles according to which the main risks are handled within the Group, consistently with the identified strategic objectives, and, on the other hand, the coordination procedures between the parties listed below, in order to maximise the effectiveness and efficiency of the CIGR System.

The CIGR System, in particular, consists of a set of rules, procedures and organisational structures aimed at proactively contributing – through an adequate process of identifying, measuring, managing and monitoring the main risks – to the protection of the ERG Group's social heritage, to the efficient and effective management of the Group in line with the corporate strategies defined by the Board of Directors, to the trustworthiness, accuracy and reliability of the information provided to the corporate bodies and to the market and, more in general, to compliance with current laws and regulations.

The CIGR System of the ERG Group is defined on the basis of Italian and international leading practices, in particular of the International Framework known as "CoSO Internal Control — Integrated Framework 2013".

This Framework identifies a direct relation between the corporate objectives (efficiency and effectiveness of operations, reporting and compliance), the components of the CIGR System and the organisational structure adopted by the Group. The CIGR System, as an integral part of the enterprise activity, involves and therefore applies to the entire organisational structure of the ERG Group: from the Board of Directors of ERG S.p.A. and of its subsidiaries (hereafter "Subsidiaries"), to the Group Management (hereafter "Management") and to the company's personnel. The CIGR System, in line with reference regulations and best practices, comprises the following levels:

  • First level: entrusted to individual operating lines, it consists of the checks carried out by those who perform certain activities and by those who are responsible for their supervision; it also makes it possible to ensure the correct performance of the operating activities;

  • Second level: entrusted to structures other than line structures, it contributes to the definition of the risk measurement methods, to their identification, assessment and control (Risk Management); it also makes it possible to verify compliance with regulatory obligations (Compliance);

  • Third level: entrusted to Internal Audit, its purpose is to assess the functionality of the overall internal control and risk management system and to identify anomalous trends and violations of the procedures and regulations.

Persons and Bodies involved in the Internal Control and Risk Management System

The CIGR System is an integrated system implemented by a plurality of corporate bodies and functions, whose components are mutually coordinated and interdependent and characterised by complementarity in the pursued purposes, in the set-up characteristics and in the operating rules.

The summary representation of the players of the CIGR System, with respect to the corporate governance model and to the architecture based on the "three control levels" is shown below.
  • Board of Directors

    The Board of Directors carries out the role and the duties prescribed by the Corporate Governance Code and, within its main function of orienting and assessing the adequacy of the CIGR System, it is the central body of the System.

    To this end, the Board of Directors shall, in particular:

    • define these Guidelines of the CIGR System[1], so that the main risks[2] are correctly identified and adequately measured, managed and monitored, determining their compatibility with enterprise management that is consistent with the identified strategic objectives;
    • assess, at least once a year, the adequacy of the CIGR System with respect to the characteristics of the company and to the risk profile assumed, as well as its effectiveness;
    • at the proposal of the Executive Director in charge of the Internal Control and Risk Management System and after receiving the favourable opinion of the Internal Control and Risk Committee and the input of the Board of Statutory Auditors:
      - appoint (and revoke) the Chief Audit Officer and define his/her remuneration in accordance with corporate policies;
      - ensure that the Chief Audit Officer is provided with adequate resources to carry out his/her functions and meet his/her responsibilities;
    • approve, at least once a year, the working plan prepared by the Chief Audit Officer, with the input of the Board of Statutory Auditors and the Executive Director in charge of the Internal Control and Risk Management System, and review the results of the activity carried out, assessing their adequacy;
    • describe, in the report on corporate governance, the main features of the CIGR System and the coordinating procedures between the persons and bodies involved therein, expressing its own assessment of its adequacy; evaluate, with the input of the Board of Statutory Auditors, the results set out by the independent auditor in any letter of suggestions and in the report on the fundamental questions emerged in the course of the audit;
    • identify within it:
      - one or more directors appointed to set up and maintain an effective Internal Control and Risk Management System;
      - the Internal Control and Risk Committee;
      with whose support it carries out the assessments and makes the decisions pertaining to the CIGR System and assures that duties and responsibilities are allocated clearly and appropriately and that the Chief Audit Officer, the Supervisory Committee and the Manager responsible for preparing the company's financial reports have adequate resources available for the performance of their duties and enjoy an appropriate level of autonomy within the organisation.

      Specifically, the responsibilities connected with establishing and maintaining an effective Internal Control and Risk Management System are divided between the Chief Executive Officer and the Executive Director in charge of the Internal Control and Risk Management System.

    [1] With the opinion of the Internal Control and Risk Committee.

    [2] Including the risks that can become relevant with a view to medium-long term sustainability.

  • Chairman of the Board

    The Chairman of the Board shall supervise and oversee the activities of corporate affairs.

  • Executive Vice President

    The Executive Vice President shall supervise, in particular, the Group's strategic decisions and the definition of the organisational macro-structure. (S)he shall orient and coordinate the extraordinary transactions, including structured finance transactions. (S)he shall carry out the strategic coordination of the subsidiaries.

    The Executive Vice President shall also be the chairman of the Strategic Committee.

  • Chief Executive Officer

    The Chief Executive Officer has the powers necessary to carry out all actions pertaining to the company's business.

    Within ERG's organisational structure, the following report to the CEO: the Chief Human Capital Officer, the Chief Public Affairs & Communication Officer, the Head of Corporate Affairs, the Chief Financial Officer, the Renewables Business Unit (ERG Renew SpA), the Power Business Unit (ERG Power Generation SpA).

    The Chief Executive Officer handles the identification of the main corporate risks, taking into account the characteristics of the activities carried out by the issuer and by its subsidiaries and, with the input of the Executive Director in charge of the Internal Control and Risk Management System, periodically submits them to the Board of Directors for its review.

  • Executive Director in charge of the Internal Control and Risk Management System

    The Executive Director in Charge of the Internal Control and Risk Management System is delegated by the Board of Directors to oversee, through supervision, guidance and control tasks, the internal audit, risk management and compliance processes and (s)he shall ensure that the CIGR System's functionality and overall adequacy are maintained.

    For this purpose, the Executive Director in charge of the Internal Control and Risk Management System, in particular, shall:

    • implement the Guidelines defined by the Board of Directors, providing for the design, implementation and management of the Internal Control and Risk Management System and constantly verifying its adequacy and effectiveness;
    • manage the adaptation of this system to the dynamics of operating conditions and of the legal and regulatory environment;
    • verify, through the Internal Audit activity, that Management has identified the main risks, that the risks were assessed with consistent procedures, that the mitigating actions have been defined and are being carried out, and that the risks are managed in accordance with the decisions of the Board of Directors, taking into account the activities carried out by the ERG Group;
    • propose to the Board of Directors the appointment and compensation of the Chief Audit Officer[1] in accordance with corporate policies, assuring his/her independence and operating autonomy with respect to each manager in charge of operating areas and verifying that the Chief Audit Officer is provided with suitable means to perform his/her duties effectively;
    • rely on Internal Audit to perform audits on specific operating areas and on compliance with rules and internal procedures in the execution of corporate operations, concurrently notifying the Chairman of the Board of Directors, the Chairman of the Internal Control and Risk Committee and the Chairman of the Board of Statutory Auditors;
    • promptly report to the Internal Control and Risk Committee (or to the Board of Directors) on any problems and critical issues noted in the course of his/her activity, or of which (s)he has otherwise become aware, so that the Committee (or the Board of Directors) can undertake the appropriate initiatives.

    [1] With the favourable opinion of the Internal Control and Risk Committee and taking into consideration the input of the Board of Statutory Auditors.

  • Internal Control and Risk Committee

    The Internal Control and Risk Committee shall provide advice and recommendations to the Board of Directors, with the task of supporting it, through an adequate preliminary analysis activity, in its assessments and decisions pertaining to the CIGR System, as well as those pertaining to the approval of periodic financial reports.

    For this purpose, the Committee shall, in particular:

    • review the work plan and the periodic reports, pertaining to the assessment of the CIGR System and the identification, assessment, management and monitoring of the main risks, and those with particular relevance prepared respectively by the Chief Audit Officer and by the Head of Group Risk Management & Corporate Finance;
    • express opinions on specific aspects pertaining to the identification of the main corporate risks and support, with adequate preparatory analyses, the assessments and decisions of the Board of Directors relating to the management of risks deriving from prejudicial facts of which the Board of Directors has become aware;
    • report to the Board of Directors, on a half-yearly basis, on the activity performed and on the adequacy of the CIGR System;
    • express its own opinion on the appointment and revocation of the Chief Audit Officer as well as on the proposal of his/her remuneration formulated by the Executive Director in charge of the Internal Control and Risk Management System; monitor the autonomy, adequacy, effectiveness and efficiency of Internal Audit;
    • review the plan and the outcomes of the 262 compliance activities carried out by the Manager responsible for preparing the company's financial reports and/or by the Organisational Units tasked by him/her;
    • assess, together with the Manager responsible for preparing the company's financial reports, the proper use of the accounting standards[1] and their consistency for the preparation of the consolidated financial statements, of the statutory financial statements and of the condensed half-yearly report;
    • have the option of requesting the Internal Audit to carry out audits on specific operating areas, concurrently notifying the Chairman of the Board of Statutory Auditors;
    • review the plan and the outcome of the 231 compliance activities assured by Corporate Affairs;
    • maintain appropriate liaison with the Independent Auditors, with the Board of Statutory Auditors, with the Executive Director in charge of the Internal Control and Risk Management System, with the Chief Audit Officer and with the other functions that, within the Group's organisational structure, have a role within the CIGR System, in order to contribute to a coordinated and effective performance of their respective activities within the areas of shared intervention.

    The Board of Statutory Auditors shall attend the meetings of the Internal Control and Risk Committee.

    [1] Together with the Manager responsible for preparing the company's financial reports and taking into consideration the opinion of the Independent Auditors and of the Board of Statutory Auditors.

  • Board of Statutory Auditors

    The Board of Statutory Auditors oversees compliance with the law and with the Articles of Incorporation, adherence to correct administration principles, the adequacy of the organisational structure (for the aspects within its remit), of the CIGR System and of the administrative-accounting system, and the reliability of the latter in correctly representing operations, as well as the adequacy of the instructions given to the Subsidiaries for the proper fulfilment of the prescribed disclosure obligations.

    For this purpose, the Board of Statutory Auditors, in line with the role and the duties prescribed by the Corporate Governance Code:

    • shall exchange, in a timely manner, with the Internal Control and Risk Committee, the relevant information for the performance of their respective duties;
    • may rely on Internal Audit for the performance of audits on specific operating areas or company transactions.

  • Supervisory Committee

    The Supervisory Committee (hereafter "Committee") is appointed by the Board of Directors and it has adequate financial resources available for the performance of its duties, among which are:

    • to oversee compliance with the Code of Ethics;
    • to verify the effectiveness and adequacy of the Organisation and Management Model in accordance with Italian Legislative Decree no. 231/2001 (hereafter the "Model") or its suitability to prevent the occurrence of offences as per Italian Legislative Decree no. 231/2001 on the basis of an annual audit plan submitted to the Board of Directors;
    • to verify the adequacy of the organisational solutions adopted for the implementation of the Model;
    • to prepare a half-yearly report to the Internal Control and Risk Committee and to the Board of Directors about its activities, informing them of any violations it has observed with respect to the Model.

    The Committee shall be provided with all information that pertains, even indirectly, to the perpetration or attempted perpetration of offences, to circumventions of the Model and of the Code of Ethics, and to at-risk behaviours in general. For this purpose, the information described in the "Procedure for information flows to the Supervisory Committee" shall be sent according to the periodicity indicated therein.

  • Management of the ERG Group

    The Management of the ERG Group, at all levels of the organisation, has ultimate responsibility for internal control and risk management activities (first control level). In the course of daily operations, it is called upon to identify, measure or assess, monitor, attenuate and report the risks deriving from ordinary company activities in accordance with the risk management process and with the applicable internal procedures.

  • Second level control Functions

    Second level control functions have specific control duties and responsibilities on different areas/types of risk. These functions shall monitor the corporate risks, propose the guidelines on the related control systems and verify their adequacy in order to assure efficiency and effectiveness of the operations, adequate risk control, prudent conduct of the business, reliability of the information, compliance with laws, regulations and internal procedures.

    The functions tasked with providing these controls are autonomous and distinct from the operating functions; they contribute to the definition of the risk governance policies and of the risk management process.

  • Manager Responsible for preparing the Company's Financial Reports

    The Manager responsible for preparing the company's financial reports, whose activity is regulated by Italian Law no. 262/2005, shall:

    • prepare adequate administrative and accounting procedures for the preparation of financial disclosure documents;
    • monitor the enforcement of the procedures;
    • issue to the market the certification of the adequacy and effective enforcement of the administrative and accounting procedures for the purposes of the Group's financial disclosure.

  • Integrated Risk Management

    Within the structures of the Chief Financial Officer, the ERG Group has established the Group Risk Management & Corporate Finance function, which assures the process whereby the Group's risks are identified, assessed and monitored.

    In particular, the Group Risk Management & Corporate Finance function shall:

    • assure the definition of the methods and instruments that are functional for the Group's integrated risk management process to identify, measure, represent and monitor the main risks and the related treatment plans;
    • assure the integrated risk assessment and monitoring of the Group's main risks, supporting management in the identification, assessment and treatment of the risks and, when possible and advisable, in the definition of the related indicators and in the performance of quali-quantitative analyses and in-depth studies;
    • oversee the preparation of the work plan and of the periodic reporting to the Internal Control and Risk Committee in relation to the risk assessment and monitoring activities at the Group level, as well as the preparation of the documentation drafted for the management committees and for the administration and control bodies.

    The Group Risk Management & Corporate Finance function shall prepare a summary of the activities carried out and the main corporate risks identified, assessed and monitored (Risk Reports). The results of these reports are presented, with defined periodicities, to the Chief Executive Officer, to the Executive Director in charge of the Internal Control and Risk Management System, to the Risk Committee, to the Internal Control and Risk Committee, as well as to the Board of Statutory Auditors and, lastly, to the Board of Directors. 

  • Compliance Functions

    Within the ERG Group there are second control level organisational structures, dedicated to overseeing compliance matters, with particular reference to protection against the legal and compliance risk, including the risk of perpetration of criminal offences to the detriment or in the interest of the ERG Group.

    These control structures shall monitor specific compliance risks (e.g., workplace health and safety per Italian Legislative Decree no. 81/2008, Italian Legislative Decree no. 231/01, Italian Law 262/2005, EMIR, etc.), propose the guidelines on the related control systems and verify their adequacy in order to assure the efficiency and effectiveness of the operations, adequate risk control, reliability of the information, and compliance with laws, regulations and internal procedures.

  • Corporate Committees with second level control roles

    Within the scope of the governance mechanisms and of the related operating procedures, the ERG Group has established dedicated committees, made up of corporate managers, which provide advice and recommendations with regard to specific risk matters.

  • Other second level controls

    Within the ERG Group, there are other second level controls, dedicated to this purpose either exclusively or non-exclusively.

    These second level controls (when existing) coordinate with the Group Risk Management & Corporate Finance function through operating procedures for the coordination and exchange of information flows.

  • Third level control functions

    Internal Audit is responsible for third level control activities and therefore it is recognised as having a relevant position in the CIGR System. As the third level control function, it is entrusted with the task of providing independent assurance on the CIGR System, directed at improving the organisation's effectiveness and efficiency.

    Internal Audit is tasked with verifying that the CIGR System is functioning and adequate with respect to the dimensions and operations of the ERG Group, verifying, in particular, that the Management has identified the main risks, that the risks have been assessed with consistent procedures and that the appropriate mitigating actions have been defined and carried out. In addition, it shall verify that risks are managed consistently with the resolutions of the Board of Directors, with external regulations and with the Group's internal rules.

    The Chief Audit Officer is not responsible for any operating area, has direct access to all information useful for the performance of his/her activities, hierarchically reports to the Board of Directors through the Executive Director in charge of the Internal Control and Risk Management System and assures the information due to the Internal Control and Risk Committee and to the Board of Statutory Auditors.

Implementation of the Internal Control and Risk Management System

ERG considers proper risk management and mitigation to be of fundamental importance: for this reason, Top Management has deemed it appropriate to define a risk management Policy that explains the relationships between risk management and the processes for identifying objectives and management plans, defines the procedures for selecting the different risk strategies and protection techniques, and assigns formal management responsibilities within the organisation.

This framework has entailed, on the one hand, the preparation of an organisation able to provide a clear allocation of the governance, monitoring and reporting responsibilities and, on the other hand, the establishment of an inter-relationship between the functions and the bodies assigned to carry out risk management and control activities. More in detail, the Corporate Governance system adopted by ERG entails the institution of specific committees within the Board of Directors (e.g. Strategic Committee) and outside the Board of Directors (e.g. Investment Committee, Risk Committee, Human Capital Committee, Business Review Committee, Sustainability Committee), tasked with studying issues, providing advice and/or making proposals in relation to particular "sensitive" and economically, financially and strategically relevant matters, so that on such issues it is possible to conduct both a debate and a series of checks leading to the adoption, by the Board of Directors, of informed and clearly represented decisions. Some of the aforesaid committees concur in the definition of the methods for measuring, identifying, assessing and controlling risks, and they provide advice and make proposals to the Chief Executive Officer in relation to:

  • definition of risk management strategies and policies;
  • assessment of the most relevant transactions and analysis of the associated risks;
  • monitoring the progress of the most relevant transactions and verification of the enforcement of risk management policies.

Within this scope, the risk management process develops through:

  • the identification and assessment of the main strategic risks tied to the Business Plan and to extraordinary transactions, as well as the definition of the policies required to mitigate them;
  • the identification and assessment of the main risks tied to business processes, as well as the definition of the procedures to manage them and the control instruments;
  • the continuous verification of the operation and effectiveness of the risk management process.

The aforementioned steps are described in detail below.

  • Management of Strategic and Discontinuity Risks

    In relation to the management of the risks tied to the Business Plan and to extraordinary transactions, decisions of a strategic nature are made by the Board of Directors on the basis of a risk assessment carried out with the support of the Strategic Committee and of the Investment Committee. The Executive Vice President and the Chief Executive Officer, members of these Committees, periodically report to the Board of Directors also with regard to the main prospective risks, in terms of strategic and investment decisions.

    The process, aimed at the definition of the strategic risks related to the Group's investments and to significant transactions, initially involves the Investment Committee, which expresses a technical and economic-financial opinion on them, and subsequently the Strategic Committee, which assesses the desirability of proceeding with them. The process, following these assessment steps, enables the Board of Directors to carry out its role concerning the strategic decisions, and in relation to the significant investments the Group intends to make. The Board of Directors decides both with respect to investments and in relation to the risks to be assumed, overseeing the ex post management of the transactions and of the related risks.

    The Chief Executive Officer has responsibility and ownership of the management of corporate risks and is supported by the Management (Risk Owner) in the identification, assessment and monitoring of risks and in the definition of management policies and of treatment actions. In this regard, (s)he is also supported by the Strategic Committee and by the Investment Committee.

    To provide operational support to the Chief Executive Officer and the Management in the performance of these activities, the ERG Group has established an integrated risk management process, characterised by a structured, systematic approach, which provides for the main risks connected with the strategic and operational objectives, including risks connected with extraordinary transactions and with significant investments, to be effectively identified, assessed, managed, monitored and represented. For this purpose, the person in charge of the Group Risk Management & Corporate Finance function shall present the results of the activities performed and the summary of the Group's main risks and of the related treatment and monitoring plans to the Chief Executive Officer, to the Executive Director in charge of the Internal Control and Risk Management System, to the Risk Committee, to the Internal Control and Risk Committee, to the Board of Statutory Auditors and to the Board of Directors.

  • Management of Process Risks

    The management of process risks is performed by the company's Management, which is responsible for their assessment and for the definition of the mitigating instruments. In this sense, the Management is responsible for monitoring the riskiest areas on the basis of an assessment of the level of adequacy of the design of the controls, in order to mitigate the associated risks, pointing out areas deserving attention, towards which the most appropriate action plans should be adopted. The entire Management of the ERG Group is involved in the identification of the process risks (business and corporate) and of the related associated controls. 

  • Continuous verification of the effectiveness of the CIGR System

    The continuous verification of the effectiveness of the CIGR System is a fundamental element to assure its continuous improvement, constituting an opportunity to verify both the degree of achievement of the objectives, and the correct implementation of the selected management procedures. Every deviation from the objectives and policies is subjected to analysis, to review the decision-making processes adopted and to identify the factors that hinder the success of the identified solutions. Based on the results of these analyses, if necessary, the redefinition of the management programmes can start.

    In addition, Internal Audit, within the scope of the Mandate approved by the Board of Directors, is called upon to assess the adequacy of the CIGR System, of which it is an integral part, with respect to the reference context in which the Group operates. In this sense, Internal Audit, in performing its role, shall verify the operation and suitability of the CIGR System and, in particular, that the Management has identified the main risks, that the risks have been assessed consistently, and that the mitigation actions have been defined and implemented. In addition, it shall verify that the identified risks are managed consistently with the decisions of the Board of Directors, with external regulations and with the Group's internal rules.

  • Coordination and information flows between the Persons and Bodies involved in the CIGR System

    The correct operation of the CIGR System is based on fruitful interaction among the involved corporate functions in the performance of their duties.

    An efficient System is directed at achieving the following objectives:

    • eliminating methodological / organisational overlaps between the different control functions;
    • sharing the methods whereby the different control functions carry out the assessments;
    • improving communication between control functions and corporate bodies;
    • reducing the risk of "partial" or "misaligned" information;
    • capitalising on the information and the assessments of the different control functions.

    The definition of procedures for coordination and collaboration between the corporate control functions facilitates the overall operation of the CIGR System, as well as a univocal, consistent representation to the Top Management and to the corporate bodies of the risks to which the ERG Group is exposed.

    For this purpose, there are procedures for coordination and collaboration between the persons and bodies involved in the CIGR System, including:

    a) Information flows

    To enable the Management and the management and control bodies to perform their roles within the CIGR System, specific information flows are defined between the control functions and the competent management and control bodies; the information flows are coordinated and adequate in terms of contents and times.

    Within the CIGR System, information flows are provided:

    • from line management to second level control functions;
    • between second level control functions;
    • from second level control functions to Internal Audit;
    • from Internal Audit to second level control functions.

    There are also information flows, with defined procedures and times, from the control functions to the administration and control bodies with regard to the main activities carried out and to their results.

    b) Intra-functional roundtable

    Within the ERG Group, periodic intra-functional meetings are held between the corporate Organisational Units involved in the CIGR System and more in general in the risk management, compliance and control activities with the objective of facilitating:

    • the mutual coordination and interdependence between the CIGR System and its components;
    • a real integration of the CIGR System in the general organisational structure of the ERG Group;
    • the constant exchange of information between the functions involved in the CIGR System;
    • the development of operational synergies through the sharing of methodologies and instruments;
    • the reduction of the risk of "partial" or "misaligned" information.

Approved by the Board of Directors of ERG S.p.A. on 13 July 2016