Risk Management

Risk Management activities are key to use reaching our goals of growth, efficiency and risk mitigation. These activities strengthen our ability to create value for shareholders and stakeholders and allow us to ensure the sustainability of the business in the medium to long term. Enterprise Risk Management (ERM) is the Group's structure that supports management in identifying, assessing and monitoring risks, as well as defining the most effective response strategies for their mitigation.

The approach adopted by ERM is based on the 2018 edition of the CoSO framework "Enterprise Risk Management (ERM) - Integrating with Strategy and Performance", aimed at illustrating the nature and the profile associated with the main risks that may affect the achievement of business planning and sustainability objectives.

According to the ERM model, risk management in the ERG Group is a structured and continuous process, put in place in order to address the risks faced by the organisation with a united approach, and to provide management with the information necessary to consciously take the most appropriate decisions for the purpose of achieving the strategic growth objectives, creating value for the company, and safeguarding it. The process involves integrated risk management between the systems implemented at company process level based on the specific Risk Evaluation methods and tools.

The main goals of ERM are:

• obtaining an integrated and dynamic view of the main Group corporate risks that may affect the achievement of the objectives of the Business Plan;

• strengthening the corporate culture at all levels and the awareness that adequate risk assessment and management positively affect the achievement of goals, the creation of value for the company and medium-long term business sustainability;

• promoting the dissemination of risk management in business processes in order to ensure consistency in the methodologies and tools used to manage and control risks;

• developing a common language and disseminating an appropriate risk management culture;

• providing a consistent approach in order to identify events that may affect company activities; • ensuring the carrying out of activities, coordinating the Risk Specialists and the other persons involved in the process;

• strengthening of the strategic planning processes through "informed" decision-making processes in a "risk adjusted" approach.

The Enterprise Risk Management process provides for the involvement of all Group structures (from "Management level" up to  "Board Level"), passing through the second-level control structures (e.g. Compliance) and thirdlevel control structures (Internal Audit), which together with the ERM make up the Internal Control and Risk Management System.

To this end, the ERM model is developed by means of:

• identifying and assessing the Group's main risks and defining the necessary strategies to mitigate the risks and the relative control tools; continuously checking smooth operation and effectiveness of the risk management process, providing to management a clear representation of the "dynamic" evolution of risk mapping. More specifically, the Enterprise Risk Management methodology includes:

• integration between the ERM model and corporate strategies and, in particular, the "Plan and Budget" process, allowing the alignment between strategic planning and risk assessments; • creation of synergies with Company departments that carry out specific risk assessment activities (e.g. HSE, ICT);

• introduction of specific, quantitative and qualitative Key Risk Indicators (KRI) for the structured and dynamic monitoring of risk trends and the development of risks over time;

• a six-monthly reporting activity that provides information about the development of the main risks mapped. The ERM process is implemented with a Risk- Based approach contributing to the definition of our Business Plan through the identification of specific goals, the analysis of the risk profile associated with them, and the identification of management and monitoring strategies.

At an operational level, the Mangers - through the support of the Enterprise Risk Management Organisational Unit - identifies the risks under its responsibility and provides advice to mitigate the risks of current actions/projects.

The results of this process are consolidated through Group risk mapping where priorities are defined in order to support their coordination and integrated management. All risks mapped according to the ERM approach are included in an "ERG Group Risk Catalogue".

As is customary, the Group's Risk Universe (the standard catalogue of homogeneous risk classes) was updated in the first quarter of 2019, on the basis of an external benchmarking activity and of specialised publications, to include "Emerging Risks".
The tool supports Management:

• during the risk assessment (and especially risk identification) phase since it includes all areas where risks may arise;

• in the consolidation phase, by checking whether some risk areas have not been analysed/covered, allowing them to be examined in more depth, if necessary.

More specifically, during the most recent update we integrated the Risk Universe (which currently includes more than 60 risk classes) carrying out specific investigations focused in particular on the issues of Climate Change and Sustainability in general.

Following the update of the Risk Universe, we carried out ERM risk assessment activities and the Group's Risk Catalogue was updated. More specifically, two assessment cycles were carried out during 2019, which involved all Group companies in Italy and abroad, for the identification of "TOP Risks" and "Gold Risks".

The results of the ERM process are periodically reported to:

• the Management/CFO/CEO, who assess the appropriateness of the risk profile in relation to the goals set and the actions taken to mitigate the risks;

• the Board Committees, which are tasked with the assessment of the overall effectiveness of the Integrated Risk Management process. During 2019, we integrated the risk reporting activity with the Group's "ERM Risk Dashboard" which monitors the risk variations of the ERM Risk Catalogue by comparing the results obtained in the current half year with those of the previous half year.

Monitoring involves two indicators:

• the risk profile, which is monitored by shifting the residual risk in the likelihood-impact matrix: any change in Likelihood and/or Impact that affects the risk profile makes it possible to measure the trend compared to the previous half year (increase, stable, decrease);

• the Key Risk Indicator: a specific risk indicator that only shows the quantitative changes and the trend of changes compared to the previous half year of the specific indicator monitored. More specifically, the main risks run by the ERG Group are listed in the "Risk and Uncertainties" chapter of the Report on Operations, to which reference may be made for further details.
A brief description of the main risks identified in the Enterprise Risk Management process follows.
1 - Natural
variability of
renewable sources
The production volumes are subject to variability due to the natural mutability of renewable sources
(water, wind and sun) which, in the event of lower contributions, may adversely affect the production
of renewable plants and, subsequently, Group results.

 • Diversification of the generation portfolio from both a technological (Wind/ Solar/Hydro/Thermo) and geographical (at European level) point of view in order to compensate for changes in the various renewable sources (Wind/Solar/Hydro).

 • Use of highly accurate forecasting systems to draw up a plan for production and short-term operational activities.

 • Scheduling the plant downtime according to the periods when the renewable sources' contribution is lower.

 • Use of industrial control systems (SCADA) for the continuous monitoring of the performance of plants – through specific KPI indicators – and of their status, which make it possible to intervene promptly in the event of accidental failure and to reduce machinery downtime.

 • Programmes for the continuous improvement of the processes for managing and maintaining assets in order to ensure their increased efficiency.

 • Insurance coverage to mitigate the risks related to Business Interruption and Property Damage in the generation portfolio.

2 - Price Risk Risk linked to the volatility of market prices of commodities (in particular electricity and gas),
which can affect Group's results.
• Definition of risk exposure limits and their regular monitoring.

 • Escalation process if the approved limits are exceeded.

 • Use of financial instruments to hedge the price risk only if there is an underlying asset.

 • Contractualisation of indexed sales formulas, if possible, to transfer risks to customers.
3 - Regulatory
Possible worsening of the national and international legislative/ regulatory framework
in the countries in which the Group operates that may negatively impact the achievement of
business targets.

 • Legislative and regulatory monitoring through institutional relations, related channels, comparison with operators in the sector, and the specialised press.

 • Active participation in consultations to protect the Group's interests.

 • Maintenance of effective and long-lasting relations with local stakeholders in the countries in which the Group operates (e.g. through territorial development and sustainability projects).

 • Sensitivity Analysis to assess the effect of the main regulatory evolutions on the Group's results.

 • Periodical reporting to Management.

4 - Downgrade rating

Risk linked to potential downgrading by the Rating Agency that could limit the ability to access the capital market and/or increase
the cost of funding with negative effects on the Group's operating results, financial position and cash flows, and on its reputation.

The risk mitigation strategy, which is aimed at preventing the occurrence of "crisis" situations (e.g. liquidity; breach of financial covenants) that could lead to a downgrade of the rating, is structured over various levels and involves the pursuit of:
 • a balanced financial structure in terms of duration and composition;
 • the continuous monitoring of the final and expected results and of the financial balances;
 • investment planning consistent with existing financial covenants and associated risks;
 • the search for a business portfolio that ensures stable cash generation from its business activities, including through the geographical and technological diversification of its plants.

5 - New

Possible uncertain events originating from various factors, for example, scenario (micro/
macro-economic, political, regulatory, business-related), technical, operational, financial,
organisational, etc. which may have an impact on the decision of a new investment and/or its success.

 • Specific Organisational Units tasked with ensuring the achievement of growth objectives through new investments (organic growth and/or M&A).

 • Structured processes for the selection of investments consisting of subsequent project examination and approval activities including, inter alia, internal and external supporting studies, benchmark analysis, legal and regulatory analysis, sustainability models and financial assessment/planning.

 • Timely analysis for risk-relevant projects which include:
(i) Potential impact and strategy/actions to contain/eliminate the risk;
(ii) Follow-up items for mitigation process monitoring.

 • Periodic WACC/HR updating, also through benchmarking, to ensure an adequate return with respect to the expected risk profile.

6 - Cyber
against production
industrial systems

Potential cyber-attacks that exploit vulnerabilities may bring industrial production systems to a standstill and, subsequently, affect Group's results (e.g. Revenue).

 • Security assessment to identify system criticalities and supporting

 • Definition and implementation of a Security Program to adapt processes, systems and infrastructure to best practices aimed at increasing levels of safety.

 • Development of security awareness plans and training to users.

 • Use of automatic instruments (e.g. Intrusion Detection Systems) for prevention, detection and accident management purposes.

 • Cyber Crime insurance coverage.

7 - Failure to
protect the

Internal/external events which may negatively affect the reputation of the ERG Group (amongst the different factors: financial performance, Ethics and Integrity,Social Responsibility, HSE Policies,ICT Security, crisis management,

 • Specific communication and information activities aimed at maintaining the Group's high level of reputation among stakeholders, which include, among other things, a structured Corporate Social Responsibility process with specific social
responsibility initiatives and dissemination of Non-Financial Information;

 • Active relationships with all the main stakeholders and media, and monitoring of stakeholder perception;

 • Communication activities through website/social media and continuous monitoring of the perception of the ERG brand by stakeholders.

 • Structured process of Reputational Crisis Management, which makes it possible to promptly manage and limit the effects of crisis, in order to protect the reputation of the ERG Group.

8 - Anti-Corruption

The possibility that one of the Companies in the Group and/ or a director, representative or
employee of the same, could be involved in proceedings for offences committed in breach
of anti-corruption laws that may involve the application of sanctions against the aforementioned
persons (both physical and legal persons) and negative repercussions in terms of reputation.

 • Adoption of a system of behavioural rules (Code of the Ethics and Anti- Corruption Policy) valid for all the Group.

 • Adoption of an "Integrated Anti-Corruption Model", for all Italian and foreign Companies in line with best practices.

 • Definition of information flows for Anti-Corruption System monitoring.

 • Regular training on anti-corruption matters and ongoing efforts to raise awareness among management on the culture of ethics and of business integrity.

 • Adoption of the "Significant Third Party Due Diligence Procedure", provided for by the Anti-corruption System and Policy.

 • Definition and implementation of Compliance Programmes to check compliance with the Anti-Corruption Policy.

9 - Industrial risks
and HSE
Risks due to the malfunctioning of plants, which may cause problems in production processes and/or
negatively affect HSE.

 • Technological and geographical diversification of the generation portfolio in order to limit negative impacts.

 • Constant supervision by Management and implementation of a Business Continuity Management/Asset Integrity Management process that ensures the proper maintenance of production assets.

 • Technological development of plants and emergency management plans; specialist HSE audit and monitoring of plants.

 • Adoption of certified Management Systems (ISO 14001 and OHSAS 18001-ISO 45001) and continuous training for all the staff performing activities inside the plants.

 • Specific insurance coverage levels for business interruption, property damage and injuries to the personnel.