Internal Control and Risk Management

The Internal Control and Risk Management System (ICRMS) is the set of people, tools, organisational structures and company regulations aimed at ensuring the correct management of company risks.

An essential element of Acea’s Corporate Governance, the Internal Control and Risk Management System (ICRMS) makes it possible to identify, measure, manage and monitor the main risks pertaining to the business.

The ICRMS takes into account the recommendations of the Corporate Governance Code and is based on national and international best practices, in particular the COSO Internal Control model and COSO Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission.

An integrated approach

For the Acea Group, the correct functioning of the ICRMS plays an essential role not only in ensuring full compliance with the provisions set forth by the relevant rules and practices, but also as a means of effectively achieving business objectives.

The Group therefore promotes:

• A risk-based approach to the business, designed to guarantee the achievement of plan objectives whilst observing the Group’s risk appetite;
• Management consistent with sustainability strategies and policies, bearing in mind the significance of the Group’s activities and the nature of the services provided;
• An integrated and effective approach to compliance issues.

“Risk management in the Acea Group is a structured, ongoing process, created in order to evaluate and handle, using integrated logic, the risks pertaining to the entire organisation, according to the risk appetite expressed, with a view to ensuring that management is provided with the information necessary for the achievement of strategic and business objectives.”

ICRMS objectives

The formulation of an appropriate ICRMS enables:

• Identification of the risks that may impact the pursuit of the goals set by the Board of Directors;
• The taking of informed decisions that are consistent with business objectives, within the scope of a widespread awareness of risks and the related level of tolerance, legality and company values;
• The safeguarding of the company’s assets, the efficiency and efficacy of processes, the reliability of the information reported to the corporate bodies and to the market, and compliance with internal and external regulations.

Reference principles

The ICRMS is based on the following principles:

• Integrated model: the ICRMS components are reciprocally coordinated and interdependent, and the overall system is integrated into the overall organisational, corporate governance, administrative and accounting structure.
• Management and coordination: Acea SpA, within the scope of its management and coordination activity vis-à-vis the subsidiaries, issues and disseminates the guidelines and the related implementation model to be adopted by the subsidiaries.
• Observance of legal requirements and consistency with best practices.
• Management accountability.
• Consistency with business objectives.
• Risk-based approach.
• Importance of information flows.
• Maximisation of efficiency and efficacy.
• Ongoing and practical pursuit of excellence.
• Traceability.
• Separation of activities.
• Transparency.

ICRMS guidelines

The "Internal Control and Risk Management System Guidelines" (Italian version), which describe the system, were revised in 2019 and approved by the Board of Directors in January 2020.

The ICRMS guidelines, which apply to all the Group’s companies, aim to:

• provide guiding elements for the various ICRMS players, so as to ensure that the main risks, including those pertaining to medium-long term sustainability, are correctly identified and adequately measured, managed and monitored;
• identify the principles and responsibilities pertaining to the governance, management and monitoring of the risks associated with business activities;
• introduce control activities at all operational levels and clearly identify tasks and responsibilities, in order to avoid possible duplication of actions and ensure coordination between the main parties involved in the ICRMS.

Main protagonists of the ICRMS

Board of Directors

Determines the ICRMS guidelines so as to ensure that the main risks for Acea and its subsidiaries are identified, measured and managed.

Internal Board Committees

Ensure adequate advisory, proactive and preparatory activity to support the assessments and decisions of the Board of Directors in connection with the ICRMS.

Company Staff

Intervene, with varying responsibilities from management to employees, to maintain an efficient process of risk identification and management, operating in compliance with procedures and performing line control activities.

Risk Management, Compliance & Sustainability - ERM

Defines the methodology for risk evaluation and prioritisation and coordinates the management of the periodic Risk Assessment procedure. It is responsible, in particular, for identifying, describing and assessing the main risk factors that might potentially jeopardise the achievement of the Group’s strategic and business objectives, proposing risk management policies and steering the implementation and evolution of the Group’s Enterprise Risk Management (ERM) framework.

Supervisory Body

Responsible, with powers of initiative and intervention, for the functioning of the Organisational, Management and Control Model (MOG 231).

Chief Executive Officer

Implements the ICRMS guidelines and, also drawing on the Audit Department and the Risk Management, Compliance & Sustainability Department, ensures the identification of the main corporate risks and periodically brings them to the attention of the BoD.

Board of Statutory Auditors

Monitors compliance with the law and with procedures, and the correctness of the company's administration.

Manager responsible for Preparing the Company's Financial Reports

Pursuant to Italian Law no. 262/05, he/she is responsible for setting up and maintaining the System for Internal Control over Financial Reporting and for issuing the appropriate certification, together with the Chief Executive Officer.

Specific Control Bodies

These include, for example, the DPO (Data Protection Officer), responsible for monitoring the business organisation’s compliance with Regulation (EU) 2016/679; the Anti-corruption Manager, responsible for coordinating, developing and maintaining the corruption prevention Framework and management system; and the Antitrust Contact Person, responsible for the planning, implementation and monitoring of the Antitrust Compliance Programme.

Internal Audit

Carries out independent audits on the operation and suitability of the ICRMS, using a risk-based audit plan approved by the BoD, and monitors the execution of the action plans issued following the audits performed.

The three levels of the ICRMS

Risk management is a cross-cutting process, with widespread responsibilities that involve all company levels.

• First level: conducted by those responsible for the operating activities where the risk lies.
• Second level: conducted by corporate structures, with the aim of ensuring that the first-level checks are adequate and operational.
• Third level: independent checks conducted by the Audit function to verify the adequacy and operation of the ICRMS.

Synthetic representation of the main parties/models involved in the operation of the ICRMS

Find out more

Code of ethics

The code of ethics represents our commitment to pursuing the highest levels of ethics in running the business.

Whistleblowing

The specific procedures and channels for receiving, analysing and processing reports of alleged violations.

Compliance models

231/01 Model, Anti-corruption Framework, Antitrust & Consumer Protection Compliance Programme and Privacy Governance Framework.

Management Systems

The integrated system is expressed through specific controls and certifications.

Enterprise Risk Management

The ERM framework enables the identification, analysis and management of the main risks.

Handling of corporate information

The specific rules and procedures for the handling and dissemination of privileged documents and information.