Hera has adopted an organisational structure suited to adequately manage the exposure to risk inherent in its business. It has defined an integrated approach aimed at maintaining management effectiveness and profitability along the entire value chain.
The corporate governance system for risk management implemented in Hera allows management strategies to be addressed consistently. In this system:
- the Board of Directors steers and evaluates the adequacy of the internal control and risk management system;
- the Executive Chairman and the Managing Director monitor, within their competence, the operation of the internal control and risk management system;
- the Vice Chairman monitors the coordination between the Risk Committee and the Control and Risks Committee;
- the Control and Risks Committee supports the Board of Directors in defining the guidelines of the internal control and risk management system;
- the Risk Committee is the main body that steers, monitors and reports the risk management strategies adopted. It defines the general guidelines for the Risk Management process, guarantees the mapping and monitoring of corporate risks, assures the definition of the Risk Policies and defines the protocols for reporting to the Control and Risks Committee, the Internal Auditing Department and the Board of Statutory Auditors.
In Hera, there is an appropriate separation between the role of risk control and management (entrusted to the risk owners in the various organisational units) and of evaluation of the appropriateness of the risk management processes.
Specifically, the proper and effective operation of the internal control and risk management system is monitored at centralised level by the Internal Auditing Department, which reports directly to the Vice Chairman of the Board of Directors.
The two main corporate bodies in charge of supervising risks are described in greater detail below, according to their respective responsibilities.
Control and Risks Committee
The control and risks Committee’s duty, in application of Principle 7 of the Code of Conduct, is to monitor the functioning of the internal control system, the efficiency of corporate operations, the reliability of financial information, as well as compliance with the law and regulations and the protection of corporate assets. This Committee also has the task of supporting, with adequate investigations, the Board of Directors in its evaluations and decisions regarding the risk management system. The Chairman of the Board of statutory auditors or an auditor appointed by Chairman attends the committee’s meetings as well as the Managing Director and the Chairman of the Board of Directors, at the explicit request of the Chairman of the committee.
The Control and Risks Committee met 7 times in 2017.
The Risk Committee
The Risk Committee was appointer in April 2014 and is composed of the Executive Chairman, Vice Chairman and Managing Director of Hera Spa, the Administration, Finance and Control Director, the Market Central Director and the Enterprise Risk Manager. Furthermore, in relation to specific issues falling within their competence, the Legal and Corporate Central Director, the Corporate Services Central Director, the Innovation Central Director and the General Manager of Hera Trading may take part in the meetings.
The Risk Committee is the main body that steers, monitors and provides information about risk management strategies, and has the following tasks:
- defining general guidelines for the risk management process; ensuring corporate risk mapping and monitoring;
- ensuring the definition of risk policies and measurement parameters to be submitted for approval to the Board of Directors of Hera Spa;
- guaranteeing six-monthly reporting to the Board of Directors;
- defining and ensuring the submission of information protocols to the Control and Risks Committee, the Internal Auditing Division and the Board of Statutory Auditors.
The significant risks addressed within the Risk Committee refer to the following areas: strategic, energy, financial, credit, insurance, information and communication technology, safety and the environment, and business continuity.
In the meeting of 13 May 2015, the Board of Directors of Hera Spa approved the enterprise risk management process, and in the meeting of 15 February 2017 it approved Hera Group’s guidelines “Group risk management policy” aimed at outlining the Group’s risk management guidelines.
The Risk Committee met 4 times in 2017.
The Group’s risk management structure
In the overall design of the risk management process, Hera has adopted a structured approach, which is consistent with industry best practice, through the introduction of enterprise risk management (ERM). The aim is to define a systematic approach that is consistent with risk control and management, by creating an effective model with steering, monitoring and representation functions, oriented towards the adequacy of the management processes and their compliance with top management’s goals.
More specifically, the approach is intended to provide the Board of Directors with useful elements for assessing the nature and level of business risk, especially in the medium to long term, so as to enable the definition of a risk profile that is consistent with the group’s strategic objectives. The definition of this profile is expressed through the approval of the group risk management policy and of the risk limits set out in the policy which are defined by the Board of Directors.
In greater detail, the policy defines the group’s orientation towards risk issues and identifies the relevant risk management framework, comprising three fundamental elements:
- the risk model, which identifies the scope of reference for the risk management analysis carried out by the Group. It includes the definition of all risks, or rather the types of risk that the Group is potentially exposed to, which are periodically reviewed on the basis of any changes in the mission, strategic objectives and scope of the group’s business, as well as the social and economic context;
- the Group’s risk appetite, which defines the acceptable risk level in compliance with the risk management strategy. It is defined by identifying:
- key risk dimensions, i.e. the most relevant risk factors in respect of which the Group intends to express its risk appetite;
- risk metrics, necessary for measuring exposure arising from a specific risk factor;
- limits associated with each key risk dimension, which express the related maximum risk level tolerated by the Group in pursuing its goals;
- monitoring, escalation and updating processes, aimed at promptly identifying whether any defined risk limits have been exceeded, identifying and implementing corrective actions, correctly monitoring significant risk areas and aligning the limits to the group’s risk appetite;
- Risk Management activities, divided into:
- enterprise risk management, aimed at analysing the evolution of the Group’s overall risk profile, the results of which are the tool used to support informed risk-taking and define the strategic goals;
- ongoing risk management, which for specific risks requires continuous sector-based management procedures entrusted to special risk specialists/risk owners, based upon specifically developed processes and methods and formally defined within the risk policies of reference.
These activities guarantee an effective control of all the main risks to which the Group is potentially exposed, as well as the management of the Group’s overall exposure in keeping with the views expressed in the Group’s risk appetite and with the Business Plan objectives.
On 15 February 2017, the second Enterprise Risk Management report was submitted to the Board of Directors with the mapping of group risks, accompanied by appropriate evaluation measures for each risk and for the consolidated risk (impact, probability, severity, levels of control). The Board of Directors approved the 2017 Group Risk Management Policy and risk limits as of the same date. On 27 September 2017, the Board of Directors was presented with disclosure relating to the risk supervision activities within the Group. In detail, aspects pertaining to the following were looked at in-depth:
- the lines of defence of the risks and the governance structure.
- the compliance as per Italian Law 262/2005 and the compliance as per Italian Legislative Decree 231/2001 specifying the role of the Appointed Executive and the Supervisory Body in the respective disclosure to the Board of Directors;
- the governance risk management: specifying the role of the Risk Committee in particular in the communication of the information flows to the Board of Directors, the Board of Statutory Auditors, the Control and Risks Committee and the Internal Auditing unit and the governance system implemented by means of the adoption of the Enterprise Risk Management with the assignment of the role of strategic direction to the Board of Directors which is responsible with regard to the group risk profile and the approval of the Group risk management policy.
On 10 January 2018, the third Enterprise Risk Management report was submitted to the Board of Directors, with a further enlargement of the scope of reference, the risks subject to control and the risk types, as well as the maps of the Enterprise Risk Management structured by business sector; the limits for 2018 and the updating of the Group Risk Management Policy were approved as the same time.
Within the Enterprise Risk Management sphere, at the end of 2018 in-depth analysis was launched on the supply chain control system structured within the sphere of the certified management systems (including the SA8000:2014 standard, whose certification is held by four Group companies) with a view to the ERM assessment and identification of significant risk scenarios.
The nature of risks and their management
The risks related to the business in which Hera operates and manages from an enterprise risk management perspective are related to the following risk areas, classified as internal, strategic and external, based upon the risk model adopted by the Hera Group.
Nature: risks related to various types of risks – such as operational, organisational and ICT risks – are specifically related to the management of services which employ human, technological and environmental resources, and which can cause service interruptions, delays in the construction of new facilities or in the delivery of services, fraud, intrusions, accidents and disasters.
Activity areas: the risks belonging to this driver cut across the Group and regard a wide range of activities that are controlled and managed by specialist teams. The Group gives special focus to workplace safety, to compliance of plant and site operation with environmental legislation and to ICT risk control, especially risks that have an impact on the logical security of information, the security of information and communication networks, and the reliability of remote control, necessary to ensure adequate service levels to customers and operational safety to Hera’s fluid and electricity distribution networks.
Management levers: approach structured on the basis of specific areas in which operational risks arise. In general, a significant role is played by prevention investments to reduce the frequency of adverse events and by mitigation actions to reduce their severity.
Risks related to legislation on environmental impact: the Group’s activities are subject to several environmental statutes, laws and regulations, including those on CO2 emissions, sewage, and hazardous and solid waste management. The Group is able to tackle environmental risks both through ongoing monitoring of potential pollution factors so as to ensure the transparency of measurements, and through major investments in purification and reclamation plants that guarantee better quality of water compared to the limits provided for by law. The waste collection system seeks to increase the percentage of waste treated at selection, recovery and composting plants, and reduce the use of landfills, in line with the provisions of national and European legislation. Environmental analysis of the sites has been improved to allow more effective data collection and determine the significance of environmental aspects in both normal and emergency conditions.
Risks associated with regulations on health and safety of workers: the risk related to accidents has seen a steady reduction in accident rates thanks to the initiatives aimed at better monitoring and improving the protection and prevention processes intended to continually reduce the frequency and the severity of accidents, as evidenced by the lower number of accidents, the frequency rate and the lower number of days of absence due to injury.
Risks associated with logical and physical security: the Group carries out constant monitoring of its IT security risk level, with targeted interventions to ensure the availability, integrity and confidentiality of information managed by the Group. In 2017, measures continued to be introduced to improve the level of security as regards the control of logical access, as well as measures aimed at ensuring the integrity and availability of Hera systems, with significant value in terms of risk reduction.
Risks related to the interruption of services: many risk factors may influence the regular supply of energy and water due to damages to the network, water shortage or possible contamination of water reserves, thus leading to interruption of the service or significant damages both of an environmental and economic or social nature. In order to tackle these risks, the Group makes important investments designed to guarantee the effectiveness and efficiency of the distribution system. It also carries out constant monitoring and maintenance of its networks in order to guarantee safety, quality and that services are supplied constantly even in the presence of temporary interruptions on one or several distribution lines. Furthermore, growing attention to the physical safety of plant sites reduces the likelihood of damage to them. Within this sphere, as from 2018 the intention is to look in-depth at the resilience of the Group water supply and distribution system in terms of a medium/long-term perspective having taken into account the possible effects which the climate change process underway may produce also in the pertinent areas
Nature: these risks pertain to the formulation of long-term planning, to the implications regarding the Group’s financial sustainability, to the decisions to take part in activities of strategic importance and to appropriate investment decisions.
Activity areas: strategic risks involve the Hera Group in its entirety. They affect the soundness of the strategic planning results envisaged for the various sectors and business units. Achievement of these results is conditioned by various internal and external risks that are appropriately simulated, measured and checked.
Management levers: In 2015, Hera developed a structured model of strategic risk analysis designed to measure the soundness of its business plan. Many adverse risk scenarios were considered, contributing to an integrated view of risks with an enterprise-wide logic. The system allows the performance of scenario analysis, stress testing, and possible ‘what if’ events (macroeconomic scenario, competitive environment, internal levers and this also allowing the analysis of relevant internal and external risks), carried out by formulating deterministic and stochastic scenarios through an adequate analysis of risk factors and variables associated to them, and appropriate assessment of the riskiness of the different business sectors. This also allows the evaluation and preparation of alternative strategies aimed at mitigating the adverse effects identified.
These risks are related to all external drivers that may affect the achievement of the Group’s objectives. They are especially related to financial and commodity risks and to regulatory risks resulting in interventions on the tariffs and on the market structure established by the Authorities and by the law, including changes in tax regulations, government incentives on renewable sources, sector-related laws, and climate/catastrophic events.
Given their complex structure, each risk will be examined individually.
Nature: risks related to regulatory interventions by sector authorities and the law (particularly on tariffs and market structure), to government incentives on renewable sources and sector-related laws, regulated businesses related to the concessions of local and national authorities, failure to obtain authorisations, permits and licences, as well as the impact expected from changes in the macroeconomic environment, the market structure and its liberalisation, the development in supply and demand in energy and environment sectors and possible impact on the group’s business.
Activity areas: with regard to the macroeconomic and market scenario, risks mainly affect the Market Department, which is exposed due to its sale of electricity and gas to the competitive dynamics and to the development of demand, and Herambiente, which is exposed to the variability of the economic cycle. With regard to the regulatory component, competitive-regulatory risks affect network business (water, gas and electricity distribution) and market business (sale of electricity and gas). They occur during the introduction or the modification of economic, organisational and IT requirements which Hera must comply with, as well as during possible changes in the market structure caused by them.
Liberalisation of the market: over the years, free-market business has become increasingly important in Hera Group’s portfolio, significantly contributing today to the Group’s financial results. On the one hand, it has reduced the importance of regulated business in the Group’s results, while on the other, it has exposed the Group to increasing competitive pressure due to the entry of new operators and to the development of organised markets. In Italy, especially for the electricity business, the Group competes with other national/international producers and traders that sell electricity on the Italian market to industrial, commercial and residential customers. Even as regards the methane business, the Group must tackle increasing competition both nationally and internationally which could lead to a drop in its sales margins. In order to mitigate this risk, the Group has addressed the challenge of liberalisation. On the one hand, it has innovated its commercial offer and improved the timeliness of its offers by increasing its presence and its customer base on the free market through cross-selling activities. On the other, it has gained an increasing proactive approach towards customer management and satisfied its expectations in terms of service quality, by completing the range of services offered to customers and strengthening loyalty. These activities have improved quality and post-sales management service costs for customers and at the same time have reduced new customer acquisition costs.
Risk connected to the macro-economic context: the Group operates mainly in Italy, where the economic scenario is still difficult featuring a slowdown in the consumption of energy and in the volumes of waste disposed of. The decline in energy demands leads to pressure on trading margins that, added to the greater competition on the free market, may impact the Group’s profitability. Furthermore, changes in the levels of retail energy consumption could require Hera to acquire or sell additional energy at unfavourable conditions. To this end, in selling energy, the Group has maintained flexible supply sources of energy commodities. At the same time, it has developed hedging activities to minimise exposure to operational electricity generation risks (not included in the Group’s core activities) and to long-term contractual gas supply formulas (“Take or Pay” clauses). Regarding waste disposal activities, some old plants were replaced with new generation plants provided with more efficient and top-performing technologies also in terms of environmental impact.
Changes in the legislative and regulatory framework and revision of tariffs in the regulated waste, water and energy sectors: the Group operates in regulated markets or regulated schemes in which there is a regulatory risk connected to the definition of the tariff criteria by the national Authority (Aeegsi). A change in the legislative and regulatory framework, both at national and European level, could have a significant impact on the Group’s business thus influencing the profitability of the sectors in which Hera carries out its business directly or through its subsidiaries. Furthermore, the regulated tariff regime and the Authority’s regulatory interventions could establish, across several businesses, the application of tariffs to final customers and of remuneration mechanisms on the invested capital. This could affect the Group’s operating performance and results negatively. In order to address this risk, the Group has adopted an organisational structure that manages its relations with national and local Authorities. The structure carries out extensive consultation activities with institutional stakeholders, taking active part in the work groups set up by the Authorities and adopting a transparent, collaborative and proactive approach towards any situations of instability in the regulatory framework.
Regulated business risks associated with the concessions of local and national authorities: the regulated activities pertaining to waste collection, gas and electricity distribution, integrated water and public lighting services are the result of existing concessions with local authorities (in the case of the integrated water service, gas distribution, waste management and public lighting) or national authorities (in the case of electricity distribution). The Group is subject to the risk that the concessions may not be renewed when they expire or, should they be renewed, that conditions at least comparable to those currently available are not maintained. This risk, however, is mitigated by the presence of a mechanism for reimbursement to be paid to the outgoing operator equal to the industrial residual value of the concession.
Risks connected to failure to obtain authorisations, permits and licences: the Group’s ability to achieve its strategic objectives could be adversely affected if it is not able to maintain or obtain the required licences, authorisations or permits for the regular performance of its business. This risk is mitigated by constantly supervising the authorisation processes and taking part actively in working tables in order to achieve relevant permits, licences and authorisations.
Risks related to weather and climate variability
Nature: risks related to the impact on the Group due to the variability in weather and climate conditions on the electricity and gas demand.
Activity areas: with regard to the meteorological component, risks mainly affect the Central Market Department, which is exposed due to its sale of electricity, gas and heat to the variability of demand arising from the various meteorological scenarios.
Management levers: the Group is provided with demand forecasting tools that optimise the use of available sources, and with adequate flexibility in the supply sources of energy commodities. It is also highlighted that within the context of the long-term trend of climate change, the Hera Group is committed to contributing to its mitigation by complying with energy efficiency goals set by the law, by continuing to constantly improve production and by encouraging virtuous and responsible consumption by customers to reduce CO2 emissions and, specifically, to minimise environmental impact. In this regard, Hera has created a special Esco (Energy Service Company) which has among its objectives the development of initiatives for both business and domestic customers, aimed at promoting the use of efficient energy production with environmental benefits in terms of CO2 reduction, and the use of efficient and energy-saving technologies designed to ensure optimal use of energy resources with significant advantages both for consumers and the environment. Lastly, the electricity requirements needed to operate the Group’s production sites are met entirely by means of energy from renewable sources.
Financial risks related to the energy market
Nature: risks relating to variations in the prices of energy, gas and other fuels.
Activity areas: the energy market risks are concentrated in the Central Market Direction where the buying and selling of electricity and gas determine risk positions arising from the volatility of energy commodity prices.
Management levers: processes have been set up allowing efficient management of procurement and hedging activities, with specific focus on skills. The approach adopted by the Group involves a single interface for managing risk with regard to the market: Hera Trading, which provides hedging of the Group’s risk positions through specific portfolios dedicated to fuel and electricity, allowing for unified management of risks in compliance with the policies assigned. The approach has many advantages, such as the achievement of higher hedging levels, optimisation of costs since resorting less to the market through the use of netting positions, greater structuring flexibility with regard to procurement and supply to customers. Even in 2017, the process proved to have adequate strength in terms of risk assessment and control, ensuring compliance with the limits assigned.
Financial risks related to the debt market
Nature: risks related to variations in interest rates, liquidity, credit spread and exchange rates.
Activity areas: the Group’s financial management is centralised in the Administration, Finance and Control Department which meets the financing needs and cash management for the Group.
Management levers: structuring and implementation of processes for the control and optimal management of financial risks, which makes use of close monitoring of the Group’s significant financial indicators and of ongoing presence on the reference markets. The best opportunities are seized in order to minimise the impact of interest rate volatility and ensure an efficient debt service through the optimisation of its structure. The procedures for complying with the requirements under Italian Law 262/2005 to ensure that the accounting documents are drafted in a trustworthy manner, are adequately structured and implemented.
Financial risks related to counterparties
Nature: risks relating to the counterparty’s inability to fulfil the obligations undertaken, either in compliance with the economic conditions or in the execution of the contractual provisions (delivery of good/service).
Activity areas: the credit risk has an impact across the Group in the various areas where business is conducted: the sale of electricity, gas, heat, waste management recovery and disposal services, and telecommunications services
Management levers: a structured origination process has been set up in Hera, which is used for specific procedures of credit risk management and allows adequate selection of counterparties through credit check and/or request for guarantees where appropriate. Positions with customers and counterparties are also monitored constantly and structured actions are planned which provide proactive management; where appropriate, the Group resorts to external transfer of risk through the optimised use of credit assignment.
The prevention of and the fight against corruption within the Hera Group
The handling and prevention of fraud
During 2017, a process was launched for the self-assessment of the maturity of the internal control system with regard to contrasting fraud. The reconnaissance was carried out taking as reference the Hera Divisions which handle the main elements of the Group’s control system significant for the matter of anti-fraud. The main improvement action identified was that of organising a fraud prevention and handling guideline for the purpose of facilitating the further development and co-ordination of the internal control system supporting the prevention and handling of fraud.
The Hera Group, via the divulgation of the guideline, set itself the objective of assigning roles and responsibilities within the sphere of the prevention, detection and investigation of potential frauds and furthering conduct within the organisation consistent and in line with the principles expressed.
The procedure also envisages how the whistleblowing activities for suspected fraud must take place; this must occur via e-mail or hardcopy mail sent to the Ethics Committee or to Hera’s Legal and Corporate Affairs Division. All the divisions involved must ensure the confidentiality of the information received and handle it in a strictly confidential manner protecting the identity of the whistle-blower, without prejudice to the legal obligations.
The Guideline has been applied since 15 February 2018 and envisage the establishment of a cross-divisional work group made up of the Administration, Finance and Control Division, the Legal and Corporate Affairs Division, the HR and Organisation Division, the Enterprise Risk Manager and the Internal Audit Division whose main tasks include:
- defining an approach for identifying and assessing the risk which is appropriate and efficient for each company Division;
- providing method-based technical support for the company Divisions for the purpose of ensuring a standardised approach and treatment.
The responsibility for defining and enacting suitable fraud prevention and detection mechanisms primarily lies within each competent company Division.
The activities of the Risk Committee with regard to contrasting fraud
The Risk Committee, in addition to the direction, monitoring and disclosure activities relating to the risk management strategies, play a fundamental role supporting the Board of Directors in the activities aimed to preventing and handling any fraud by means of an anti-fraud programme which includes the following principal activities:
- ensuring that the fraud risk has been identified and considered, as part of the more extensive risk management process at company level, by the competent Divisions and oversee these fraud risk assessment activities established by the competent Divisions;
- monitor the control procedures established by the competent company Divisions;
- gain awareness of any fraud situations occurring within the Group, and the related investigations and corrective action;
- periodically assess the current and expected level of maturity of the Group’s internal control System within the sphere of preventing and handling fraud, and further the related improvement action:
- periodically review the new anti-fraud prevention guideline, as well as the other procedures designed to mitigate the risk of fraud.
The organisational model for prevention of crimes which the Company is responsible for
Italian Legislative Decree No. 231/2001 introduced a regime of administrative liability into the Italian legal structure. These measures are applied to entities which commit crimes in their own interest or to their own advantage. These crimes may be committed by natural persons acting as representatives, directors or managers on behalf of the entities, or by natural persons acting under the supervision of such persons or subjected to supervision on their part.
The Board of Directors of Hera Spa and the main subsidiaries of the Group have adopted an organisation, management and control model (231 Model) to ensure conditions of correctness and transparency in conducting business and company activities. The model includes the principles of conduct formalised in the Code of Ethics.
The companies provided with a “231 Model” are: Hera Spa, Acantho, Amga Calore & Impianti, Amga Energia & Servizi, Asa, Fea, Feronia, Hera Comm, Hera Luce, Hera Servizi Energia, Hera Trading, HERAtech, Herambiente, Herambiente Servizi Industriali, Hestambiente, Inrete Distribuzione Energia, Medea, Uniflotte and Waste Recycling. Furthermore, AcegasApsAmga, AcegasApsService, Aliplast, Sinergie (now AcegasApsAmga Servizi Energetici Spa) and Marche Multiservizi are provided with their own “Model 231”. All these 24 companies (62% of the total of the companies) include 97.6% of Group employees.
Following the mapping of sensitive company activities, at risk of the offences included in Italian Legislative Decree 231/2001, the Group companies defined specific protocols to be followed in carrying out certain activities, and made the consequent information flows available on a periodic basis. These protocols are circulated to the entire workforce through the corporate intranet. Their application is monitored during the audit phase. During 2017, the following protocols were up-dated: Formalities regarding conduct and handling of the activities for the purpose of health and safety in the workplace, Sales activities with reference to Hera Comm, Handling of the accounts for the tender and supply agreements, Separate financial statements of Hera SpA and Consolidated financial statements of the Group and, in conclusion, handling of the Purchase of services supporting the sale of waste treatment on a free market basis.
The Internal Auditing Department ensures assistance to the various company units in drawing up and implementing necessary corrective action following the audits and, for the purpose of raising the awareness of and training the beneficiaries of the 231 Model it held specific courses for the sales units and the units tasked with the purchasing activities which, besides the specific focus relating to the activities performed, concerned aspects of general importance such as the 231 Model of the Hera Group, the Group Protocols, the Internal Control System and the corporate governance set-up.
Risk analysis for definition of the internal audit plan
The internal auditing Department’s activities focused on the sectors with the highest risk levels in the Risk Assessment, a document that identifies and weighs – through assessment of the Group’s business areas and of the infrastructure processes – any risk factors and critical points, including the risks of fraud, providing details on the level of risk determined for each segment. On the basis of the Audit Plan for the 2016-2018 period previously approved by the Board of Directors of Hera SpA, the consequent internal audit plan was brought to a close over the course of the year.
With reference to the specific risks related to the topics included within the scope of Italian Legislative Decree no. 231/2001, identified in the 231 Risk Assessment for the 2016-2018 period, the Supervisory Body in turn carried out the activities set out in the Audit Plan, drawn up on the basis of the risk assessments, coverage of new processes, regulatory developments and the extension of the scope of activities of the companies.